emotet | f30d7d5b39245a6c2350c535d1b4d4dc5aeea540916bed4cef7fb61b39796326

Analysis

max time kernel
101s
max time network
149s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
03/11/2022, 14:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f30d7d5b39245a6c2350c535d1b4d4dc5aeea540916bed4cef7fb61b39796326.xls
Size

217KB
MD5

2b56de8c77b3cd04c40b246d9416180c
SHA1

d20f631ae1d10ca140460968f392613990b49caf
SHA256

f30d7d5b39245a6c2350c535d1b4d4dc5aeea540916bed4cef7fb61b39796326
SHA512

d2f455ebcae7377b304c4d204a71490d8fcbf54c5f7d281bc545dac1ecda2c4638f4a26d5bc1254b4e504644dd295866b8eb590dff5c0e6ea3ffb00333638828
SSDEEP

6144:OKpb8rGYrMPe3q7Q0XV5xtuEsi8/dgIyY+TAQXTHGUMEyP5p6f5jQmn:bbGUMVWlbn

Score

10^/10

emotet banker persistence trojan

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

https://aprendeconmireia.com/images/wBu/

xlm40.dropper

http://updailymail.com/cgi-bin/gBYmfqRi2utIS2n/

xlm40.dropper

https://akuntansi.itny.ac.id/asset/9aVFvYeaSKOhGBSLx/

xlm40.dropper

http://swiftwebbox.com/cgi-bin/vNqoMtQilpysJYRwtGu/

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3124	2888	regsvr32.exe	65
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2320	2888	regsvr32.exe	65
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	644	2888	regsvr32.exe	65
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1560	2888	regsvr32.exe	65

Downloads MZ/PE file

Loads dropped DLL 5 IoCs

pid	Process
3124	regsvr32.exe
3124	regsvr32.exe
2320	regsvr32.exe
644	regsvr32.exe
1560	regsvr32.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yUIRJmByc.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\UDwInY\\yUIRJmByc.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uJqy.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\RvezEAWChK\\uJqy.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MQiimVR.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\TzWJfYwhsmCQl\\MQiimVR.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HfhKkWbrUFej.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\GVeClulHert\\HfhKkWbrUFej.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2888	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
3124	regsvr32.exe
3124	regsvr32.exe
5064	regsvr32.exe
5064	regsvr32.exe
5064	regsvr32.exe
5064	regsvr32.exe
2320	regsvr32.exe
2320	regsvr32.exe
4604	regsvr32.exe
4604	regsvr32.exe
4604	regsvr32.exe
4604	regsvr32.exe
644	regsvr32.exe
644	regsvr32.exe
1208	regsvr32.exe
1208	regsvr32.exe
1208	regsvr32.exe
1208	regsvr32.exe
1560	regsvr32.exe
1560	regsvr32.exe
904	regsvr32.exe
904	regsvr32.exe
904	regsvr32.exe
904	regsvr32.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2888	EXCEL.EXE
2888	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2888	EXCEL.EXE
2888	EXCEL.EXE
2888	EXCEL.EXE
2888	EXCEL.EXE
2888	EXCEL.EXE
2888	EXCEL.EXE
2888	EXCEL.EXE
2888	EXCEL.EXE
2888	EXCEL.EXE
2888	EXCEL.EXE
2888	EXCEL.EXE
2888	EXCEL.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 3124	2888	EXCEL.EXE	70
PID 2888 wrote to memory of 3124	2888	EXCEL.EXE	70
PID 3124 wrote to memory of 5064	3124	regsvr32.exe	72
PID 3124 wrote to memory of 5064	3124	regsvr32.exe	72
PID 2888 wrote to memory of 2320	2888	EXCEL.EXE	73
PID 2888 wrote to memory of 2320	2888	EXCEL.EXE	73
PID 2320 wrote to memory of 4604	2320	regsvr32.exe	75
PID 2320 wrote to memory of 4604	2320	regsvr32.exe	75
PID 2888 wrote to memory of 644	2888	EXCEL.EXE	76
PID 2888 wrote to memory of 644	2888	EXCEL.EXE	76
PID 644 wrote to memory of 1208	644	regsvr32.exe	77
PID 644 wrote to memory of 1208	644	regsvr32.exe	77
PID 2888 wrote to memory of 1560	2888	EXCEL.EXE	78
PID 2888 wrote to memory of 1560	2888	EXCEL.EXE	78
PID 1560 wrote to memory of 904	1560	regsvr32.exe	79
PID 1560 wrote to memory of 904	1560	regsvr32.exe	79

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\f30d7d5b39245a6c2350c535d1b4d4dc5aeea540916bed4cef7fb61b39796326.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv1.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3124
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\UDwInY\yUIRJmByc.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:5064
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv2.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\RvezEAWChK\uJqy.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:4604
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv3.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:644
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\TzWJfYwhsmCQl\MQiimVR.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:1208
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv4.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\GVeClulHert\HfhKkWbrUFej.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\oxnv1.ooccxx

Filesize
818KB

MD5
e3357ff3cf4262cdda7f10acee3d5547

SHA1
e30c7c1891739b59e71df97cd5329ec64310f379

SHA256
d4615d802d4edd2811411601c3c11933def161f23c1796b20e2f857ab86334bd

SHA512
b98242a674df3d1e2491f696090e9454f65c11d8f5823a06ff7d96b75e82784b1dd38619e3daa1f51f507a5bc0af157b0a15fd7d92f1590957f9634e829ba3f0

Download Submit
C:\Users\Admin\oxnv2.ooccxx

Filesize
818KB

MD5
75186b55e8003b67bda0ff19d6cc9489

SHA1
e8fcc5b3fb9fdc21904ce3ed5389511c54e2fd06

SHA256
bb2432759f2ef8c9607326db74133e2b810a91b4fcd14c57deeb520cae345846

SHA512
a0a44096a5be513e6e37a20c551f5918ee607cc8bdcdf058d9ba27f924090bfdb1f0498fa8970c421da2c48270b161aae2a898f2b87e9908fcc0391a798b1295

Download Submit
C:\Users\Admin\oxnv3.ooccxx

Filesize
818KB

MD5
504a276ef53e287c2ba935ec29e35ac8

SHA1
9f623736ee17c2946ea55341c90770636faf4fcc

SHA256
8a3a294f6914332f4ba737341c332d5400441ac40f11df3694c14bcddf1e3510

SHA512
29ec83c558434dda7f015161dbdaab7069575d184b9f831e953613ad02c12b6c373b4009ec40a4105e236ee31029107616caae34587c85b9185577e9021f23d5

Download Submit
C:\Users\Admin\oxnv4.ooccxx

Filesize
818KB

MD5
a749296efb9290da3d134fea8df4b272

SHA1
2b84d4c985e1a54a3e1b34cfcf44341bf110bcc8

SHA256
5b2a6a3ab952ebd6502fca0ab4a902e5982890040625de9359d7b7754b5337c0

SHA512
461d32e6a5a2091124b0cdf22de9be017344ed3ec3ba336bfeba3b3f90bc8dc70b56035e5112c93c5937951c91ac284419be59eecb58b1c3ef8e416e797aad56

Download Submit
\Users\Admin\oxnv1.ooccxx

Filesize
818KB

MD5
e3357ff3cf4262cdda7f10acee3d5547

SHA1
e30c7c1891739b59e71df97cd5329ec64310f379

SHA256
d4615d802d4edd2811411601c3c11933def161f23c1796b20e2f857ab86334bd

SHA512
b98242a674df3d1e2491f696090e9454f65c11d8f5823a06ff7d96b75e82784b1dd38619e3daa1f51f507a5bc0af157b0a15fd7d92f1590957f9634e829ba3f0

Download Submit
\Users\Admin\oxnv1.ooccxx

Filesize
818KB

MD5
e3357ff3cf4262cdda7f10acee3d5547

SHA1
e30c7c1891739b59e71df97cd5329ec64310f379

SHA256
d4615d802d4edd2811411601c3c11933def161f23c1796b20e2f857ab86334bd

SHA512
b98242a674df3d1e2491f696090e9454f65c11d8f5823a06ff7d96b75e82784b1dd38619e3daa1f51f507a5bc0af157b0a15fd7d92f1590957f9634e829ba3f0

Download Submit
\Users\Admin\oxnv2.ooccxx

Filesize
818KB

MD5
75186b55e8003b67bda0ff19d6cc9489

SHA1
e8fcc5b3fb9fdc21904ce3ed5389511c54e2fd06

SHA256
bb2432759f2ef8c9607326db74133e2b810a91b4fcd14c57deeb520cae345846

SHA512
a0a44096a5be513e6e37a20c551f5918ee607cc8bdcdf058d9ba27f924090bfdb1f0498fa8970c421da2c48270b161aae2a898f2b87e9908fcc0391a798b1295

Download Submit
\Users\Admin\oxnv3.ooccxx

Filesize
818KB

MD5
504a276ef53e287c2ba935ec29e35ac8

SHA1
9f623736ee17c2946ea55341c90770636faf4fcc

SHA256
8a3a294f6914332f4ba737341c332d5400441ac40f11df3694c14bcddf1e3510

SHA512
29ec83c558434dda7f015161dbdaab7069575d184b9f831e953613ad02c12b6c373b4009ec40a4105e236ee31029107616caae34587c85b9185577e9021f23d5

Download Submit
\Users\Admin\oxnv4.ooccxx

Filesize
818KB

MD5
a749296efb9290da3d134fea8df4b272

SHA1
2b84d4c985e1a54a3e1b34cfcf44341bf110bcc8

SHA256
5b2a6a3ab952ebd6502fca0ab4a902e5982890040625de9359d7b7754b5337c0

SHA512
461d32e6a5a2091124b0cdf22de9be017344ed3ec3ba336bfeba3b3f90bc8dc70b56035e5112c93c5937951c91ac284419be59eecb58b1c3ef8e416e797aad56

Download Submit
memory/2888-132-0x00007FFF06FD0000-0x00007FFF06FE0000-memory.dmp

Filesize
64KB

Download
memory/2888-352-0x00007FFF0A340000-0x00007FFF0A350000-memory.dmp

Filesize
64KB

Download
memory/2888-131-0x00007FFF06FD0000-0x00007FFF06FE0000-memory.dmp

Filesize
64KB

Download
memory/2888-120-0x00007FFF0A340000-0x00007FFF0A350000-memory.dmp

Filesize
64KB

Download
memory/2888-355-0x00007FFF0A340000-0x00007FFF0A350000-memory.dmp

Filesize
64KB

Download
memory/2888-122-0x00007FFF0A340000-0x00007FFF0A350000-memory.dmp

Filesize
64KB

Download
memory/2888-121-0x00007FFF0A340000-0x00007FFF0A350000-memory.dmp

Filesize
64KB

Download
memory/2888-119-0x00007FFF0A340000-0x00007FFF0A350000-memory.dmp

Filesize
64KB

Download
memory/2888-354-0x00007FFF0A340000-0x00007FFF0A350000-memory.dmp

Filesize
64KB

Download
memory/2888-353-0x00007FFF0A340000-0x00007FFF0A350000-memory.dmp

Filesize
64KB

Download
memory/3124-259-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download