emotet | 32b77d3e76a05de49b77a701551220c2884f294c453f7e2c644adda47a95b463

General

Target

32b77d3e76a05de49b77a701551220c2884f294c453f7e2c644adda47a95b463.xls
Size

217KB
MD5

e32f0521b0d507a25997e3feef71f090
SHA1

bdd537bfae6233b83e9793cc3519f8a2a2f64b62
SHA256

32b77d3e76a05de49b77a701551220c2884f294c453f7e2c644adda47a95b463
SHA512

1d20990cd1e6cf83f29f8a6f11e8dc2f4ca3dae38dbef466d27186d2216e26ab25a126bd0c3e98e2d0ab5628058ad50c9b481116126ce8c6b12e73c5998ef226
SSDEEP

6144:OKpb8rGYrMPe3q7Q0XV5xtuEsi8/dg8yY+TAQXTHGUMEyP5p6f5jQmt:nbGUMVWlbt

Score

10^/10

emotet banker persistence trojan

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

http://kabaruntukrakyat.com/wp-content/B9oJ0jh/

xlm40.dropper

http://coinkub.com/wp-content/WwrJvjumS/

xlm40.dropper

https://aberractivity.hu/iqq/Dmtv/

xlm40.dropper

https://anamafegarcia.es/css/HfFXMTXvc40t/

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4320	1748	regsvr32.exe	65
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4536	1748	regsvr32.exe	65
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3256	1748	regsvr32.exe	65
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4780	1748	regsvr32.exe	65

Downloads MZ/PE file

Loads dropped DLL 4 IoCs

pid	Process
4320	regsvr32.exe
4536	regsvr32.exe
3256	regsvr32.exe
4780	regsvr32.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntvijbO.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\QxGePupSbCCjqD\\ntvijbO.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oIUasOacoMkLlXIc.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\BTRPNrdUIAEKV\\oIUasOacoMkLlXIc.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RAAKFJsUxNt.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\ACtgJBqrxqxkmCCZk\\RAAKFJsUxNt.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tjbsmd.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\SKnfujFgPbdkrmIv\\tjbsmd.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1748	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
4320	regsvr32.exe
4320	regsvr32.exe
4500	regsvr32.exe
4500	regsvr32.exe
4500	regsvr32.exe
4500	regsvr32.exe
4536	regsvr32.exe
4536	regsvr32.exe
2372	regsvr32.exe
2372	regsvr32.exe
2372	regsvr32.exe
2372	regsvr32.exe
3256	regsvr32.exe
3256	regsvr32.exe
1528	regsvr32.exe
1528	regsvr32.exe
1528	regsvr32.exe
1528	regsvr32.exe
4780	regsvr32.exe
4780	regsvr32.exe
640	regsvr32.exe
640	regsvr32.exe
640	regsvr32.exe
640	regsvr32.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1748	EXCEL.EXE
1748	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1748	EXCEL.EXE
1748	EXCEL.EXE
1748	EXCEL.EXE
1748	EXCEL.EXE
1748	EXCEL.EXE
1748	EXCEL.EXE
1748	EXCEL.EXE
1748	EXCEL.EXE
1748	EXCEL.EXE
1748	EXCEL.EXE
1748	EXCEL.EXE
1748	EXCEL.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 4320	1748	EXCEL.EXE	68
PID 1748 wrote to memory of 4320	1748	EXCEL.EXE	68
PID 4320 wrote to memory of 4500	4320	regsvr32.exe	70
PID 4320 wrote to memory of 4500	4320	regsvr32.exe	70
PID 1748 wrote to memory of 4536	1748	EXCEL.EXE	71
PID 1748 wrote to memory of 4536	1748	EXCEL.EXE	71
PID 4536 wrote to memory of 2372	4536	regsvr32.exe	72
PID 4536 wrote to memory of 2372	4536	regsvr32.exe	72
PID 1748 wrote to memory of 3256	1748	EXCEL.EXE	73
PID 1748 wrote to memory of 3256	1748	EXCEL.EXE	73
PID 3256 wrote to memory of 1528	3256	regsvr32.exe	74
PID 3256 wrote to memory of 1528	3256	regsvr32.exe	74
PID 1748 wrote to memory of 4780	1748	EXCEL.EXE	75
PID 1748 wrote to memory of 4780	1748	EXCEL.EXE	75
PID 4780 wrote to memory of 640	4780	regsvr32.exe	76
PID 4780 wrote to memory of 640	4780	regsvr32.exe	76

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\32b77d3e76a05de49b77a701551220c2884f294c453f7e2c644adda47a95b463.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv1.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4320
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\SKnfujFgPbdkrmIv\tjbsmd.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:4500
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv2.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4536
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\QxGePupSbCCjqD\ntvijbO.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:2372
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv3.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3256
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\BTRPNrdUIAEKV\oIUasOacoMkLlXIc.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:1528
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv4.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4780
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ACtgJBqrxqxkmCCZk\RAAKFJsUxNt.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\oxnv1.ooccxx

Filesize
818KB

MD5
120a5a2e3dca951384adf314a7ef91f2

SHA1
f639805e795c4032c2f9fe0643a32d18f7b7b349

SHA256
85f581d58a7cfe274f308e6b3083da110364695c3da5216294df6d62dbf12c71

SHA512
c646b6168b24afbeaa3431afaafbb1bdb5718bb15157594b1d3c9e98bfe9570f8bf32f77e439ab8f1ce8e65007450bd7dfbd77adffbe8fef115063b5ed0a5e62

Download Submit
C:\Users\Admin\oxnv2.ooccxx

Filesize
818KB

MD5
d48b65337fa63662fa57e8e2e276b474

SHA1
8322f6061d5487b48d9115704aa7482fcde63efa

SHA256
89d894afb73fac6d4d9a2c7eee0bdfcd0f350f3681a4548d53491ec7e9ef8e8b

SHA512
41e111d0251106cde71e260a679582a0fb63b2a1b1da2c31f3aac0fe826aebcca4f9112342928e547b044723b7890741c200f202084c20bf17d7cbcc23bf2cbe

Download Submit
C:\Users\Admin\oxnv3.ooccxx

Filesize
818KB

MD5
065d7f77829fc37998a6a377a655ed2a

SHA1
479c8116398522db5d9a3e85677de1610f4062ed

SHA256
03938288c4a7efb821589da7f083627d8d2740cc040d665f12c5ecc81e5764a6

SHA512
96b98dadddb348852d3bd083b29d69995183dc8a0b4573aea53a188994d79a124dcc81e2265e36a5b7ead7107ccaa9cbf1438abbe7410f292172d6a8a7d85caa

Download Submit
C:\Users\Admin\oxnv4.ooccxx

Filesize
818KB

MD5
6ab0c3720dcc22140a7ab1362cd8e29a

SHA1
7551f977b43bb1e46cfaf714b22652dbcc640527

SHA256
006b64b4c2f9d25537b56a641b4f3057e113b82612ca11c7f45512ddc58b5456

SHA512
8ff8ba1823d68a603938e4971f5c6e6567bf6d646c3ab85def4f80ec8eec1148edbcf034b8f47ee3604a755089742610cc3358e606349b47e5554ddc5f3e7fc2

Download Submit
\Users\Admin\oxnv1.ooccxx

Filesize
818KB

MD5
120a5a2e3dca951384adf314a7ef91f2

SHA1
f639805e795c4032c2f9fe0643a32d18f7b7b349

SHA256
85f581d58a7cfe274f308e6b3083da110364695c3da5216294df6d62dbf12c71

SHA512
c646b6168b24afbeaa3431afaafbb1bdb5718bb15157594b1d3c9e98bfe9570f8bf32f77e439ab8f1ce8e65007450bd7dfbd77adffbe8fef115063b5ed0a5e62

Download Submit
\Users\Admin\oxnv2.ooccxx

Filesize
818KB

MD5
d48b65337fa63662fa57e8e2e276b474

SHA1
8322f6061d5487b48d9115704aa7482fcde63efa

SHA256
89d894afb73fac6d4d9a2c7eee0bdfcd0f350f3681a4548d53491ec7e9ef8e8b

SHA512
41e111d0251106cde71e260a679582a0fb63b2a1b1da2c31f3aac0fe826aebcca4f9112342928e547b044723b7890741c200f202084c20bf17d7cbcc23bf2cbe

Download Submit
\Users\Admin\oxnv3.ooccxx

Filesize
818KB

MD5
065d7f77829fc37998a6a377a655ed2a

SHA1
479c8116398522db5d9a3e85677de1610f4062ed

SHA256
03938288c4a7efb821589da7f083627d8d2740cc040d665f12c5ecc81e5764a6

SHA512
96b98dadddb348852d3bd083b29d69995183dc8a0b4573aea53a188994d79a124dcc81e2265e36a5b7ead7107ccaa9cbf1438abbe7410f292172d6a8a7d85caa

Download Submit
\Users\Admin\oxnv4.ooccxx

Filesize
818KB

MD5
6ab0c3720dcc22140a7ab1362cd8e29a

SHA1
7551f977b43bb1e46cfaf714b22652dbcc640527

SHA256
006b64b4c2f9d25537b56a641b4f3057e113b82612ca11c7f45512ddc58b5456

SHA512
8ff8ba1823d68a603938e4971f5c6e6567bf6d646c3ab85def4f80ec8eec1148edbcf034b8f47ee3604a755089742610cc3358e606349b47e5554ddc5f3e7fc2

Download Submit
memory/1748-133-0x00007FFF68B90000-0x00007FFF68BA0000-memory.dmp

Filesize
64KB

Download
memory/1748-132-0x00007FFF68B90000-0x00007FFF68BA0000-memory.dmp

Filesize
64KB

Download
memory/1748-123-0x00007FFF6B6E0000-0x00007FFF6B6F0000-memory.dmp

Filesize
64KB

Download
memory/1748-122-0x00007FFF6B6E0000-0x00007FFF6B6F0000-memory.dmp

Filesize
64KB

Download
memory/1748-120-0x00007FFF6B6E0000-0x00007FFF6B6F0000-memory.dmp

Filesize
64KB

Download
memory/1748-121-0x00007FFF6B6E0000-0x00007FFF6B6F0000-memory.dmp

Filesize
64KB

Download
memory/4320-273-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads