emotet | bcc005b1fa0edebb17871c2d8df362422caab81970c484929bfd040e6042f58a

General

Target

bcc005b1fa0edebb17871c2d8df362422caab81970c484929bfd040e6042f58a.xls
Size

217KB
MD5

396f838fb9129a54f1ef878cc85fe3b4
SHA1

efca518dea7d902fc71422f87c17967d9fe8983b
SHA256

bcc005b1fa0edebb17871c2d8df362422caab81970c484929bfd040e6042f58a
SHA512

7de42455d89800238f16258d429d4966c834d1dd3d235e3568155d781a5333c7167e91808d720f73654fc650bd42756465a8c27bc94c53ce27d9a27bf76a388d
SSDEEP

6144:OKpb8rGYrMPe3q7Q0XV5xtuEsi8/dgzyY+TAQXTHGUMEyP5p6f5jQm:WbGUMVWlb

Score

10^/10

emotet banker persistence trojan

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

https://atlantia.sca.org/php_fragments/D8Nwm2F80BL4s/

xlm40.dropper

https://amorecuidados.com.br/wp-admin/t3D/

xlm40.dropper

http://aibwireless.com/cgi-bin/zR2mG25Ssk8dH/

xlm40.dropper

http://thuybaohuy.com/wp-content/u3MJwXSP9tmiaTCyZD/

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4620	2732	regsvr32.exe	65
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4716	2732	regsvr32.exe	65
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4088	2732	regsvr32.exe	65
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1512	2732	regsvr32.exe	65

Loads dropped DLL 2 IoCs

pid	Process
4620	regsvr32.exe
4716	regsvr32.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QZQTjJxr.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\FLEzWJLynPyAV\\QZQTjJxr.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ZGSHmmsb.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\LzocJWOcUoOF\\ZGSHmmsb.dll\""	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2732	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4620	regsvr32.exe
4620	regsvr32.exe
3184	regsvr32.exe
3184	regsvr32.exe
3184	regsvr32.exe
3184	regsvr32.exe
4716	regsvr32.exe
4716	regsvr32.exe
4696	regsvr32.exe
4696	regsvr32.exe
4696	regsvr32.exe
4696	regsvr32.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2732	EXCEL.EXE
2732	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2732	EXCEL.EXE
2732	EXCEL.EXE
2732	EXCEL.EXE
2732	EXCEL.EXE
2732	EXCEL.EXE
2732	EXCEL.EXE
2732	EXCEL.EXE
2732	EXCEL.EXE
2732	EXCEL.EXE
2732	EXCEL.EXE
2732	EXCEL.EXE
2732	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 4620	2732	EXCEL.EXE	69
PID 2732 wrote to memory of 4620	2732	EXCEL.EXE	69
PID 4620 wrote to memory of 3184	4620	regsvr32.exe	70
PID 4620 wrote to memory of 3184	4620	regsvr32.exe	70
PID 2732 wrote to memory of 4716	2732	EXCEL.EXE	71
PID 2732 wrote to memory of 4716	2732	EXCEL.EXE	71
PID 4716 wrote to memory of 4696	4716	regsvr32.exe	72
PID 4716 wrote to memory of 4696	4716	regsvr32.exe	72
PID 2732 wrote to memory of 4088	2732	EXCEL.EXE	73
PID 2732 wrote to memory of 4088	2732	EXCEL.EXE	73
PID 2732 wrote to memory of 1512	2732	EXCEL.EXE	74
PID 2732 wrote to memory of 1512	2732	EXCEL.EXE	74

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\bcc005b1fa0edebb17871c2d8df362422caab81970c484929bfd040e6042f58a.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv1.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4620
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FLEzWJLynPyAV\QZQTjJxr.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:3184
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv2.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4716
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\LzocJWOcUoOF\ZGSHmmsb.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:4696
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv3.ooccxx
  2⤵
  - Process spawned unexpected child process
  PID:4088
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv4.ooccxx
  2⤵
  - Process spawned unexpected child process
  PID:1512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\oxnv1.ooccxx

Filesize
629KB

MD5
7ad666c27f0b902b24f300d107df9391

SHA1
df59eefe30bb5588dc9325f8ad8e5e09a6983153

SHA256
930c2b8d4bf540d3b4ded5e6c0f05f11a74acd95700ffd2d873d5ae6eed57e3f

SHA512
90a1c53e1194016b900f6779d3080a48fb4a539d023c856240a1931aff1214815c9f87c3d0cc55c752e621d8af2cb7a8fffbfdd3dc79f7614c8b5782d25e31a8

Download Submit
C:\Users\Admin\oxnv2.ooccxx

Filesize
629KB

MD5
67d554fe4356fa4c7f669d68259c09da

SHA1
e4591612ee8c00bb7fa707c0ab3c5910d6d91c45

SHA256
2b3126c4ff756d1225d579266c34e2485fa920e80d7a932970a2f32dc6b160f0

SHA512
ac84a5aed53bb821a3739089d8e11c5637f86b056c208904d7cd2da343ea6e52ba730a1b1feb604ca199113efa41339783885884565715edd469d9e02a45303e

Download Submit
\Users\Admin\oxnv1.ooccxx

Filesize
629KB

MD5
7ad666c27f0b902b24f300d107df9391

SHA1
df59eefe30bb5588dc9325f8ad8e5e09a6983153

SHA256
930c2b8d4bf540d3b4ded5e6c0f05f11a74acd95700ffd2d873d5ae6eed57e3f

SHA512
90a1c53e1194016b900f6779d3080a48fb4a539d023c856240a1931aff1214815c9f87c3d0cc55c752e621d8af2cb7a8fffbfdd3dc79f7614c8b5782d25e31a8

Download Submit
\Users\Admin\oxnv2.ooccxx

Filesize
629KB

MD5
67d554fe4356fa4c7f669d68259c09da

SHA1
e4591612ee8c00bb7fa707c0ab3c5910d6d91c45

SHA256
2b3126c4ff756d1225d579266c34e2485fa920e80d7a932970a2f32dc6b160f0

SHA512
ac84a5aed53bb821a3739089d8e11c5637f86b056c208904d7cd2da343ea6e52ba730a1b1feb604ca199113efa41339783885884565715edd469d9e02a45303e

Download Submit
memory/2732-120-0x00007FFC91840000-0x00007FFC91850000-memory.dmp

Filesize
64KB

Download
memory/2732-123-0x00007FFC91840000-0x00007FFC91850000-memory.dmp

Filesize
64KB

Download
memory/2732-132-0x00007FFC8E0F0000-0x00007FFC8E100000-memory.dmp

Filesize
64KB

Download
memory/2732-133-0x00007FFC8E0F0000-0x00007FFC8E100000-memory.dmp

Filesize
64KB

Download
memory/2732-122-0x00007FFC91840000-0x00007FFC91850000-memory.dmp

Filesize
64KB

Download
memory/2732-121-0x00007FFC91840000-0x00007FFC91850000-memory.dmp

Filesize
64KB

Download
memory/4620-282-0x0000000180000000-0x000000018002F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads