emotet | 44bcf11f0ea0f7abb29cf5ab332319f1ee001f3b15972d7ec13bc255ad011098

General

Target

44bcf11f0ea0f7abb29cf5ab332319f1ee001f3b15972d7ec13bc255ad011098.xls
Size

217KB
MD5

1004b0863be0a3b8cd170364665d7a93
SHA1

988d78c42274621be353cafc5a1c45dadf4e9ebf
SHA256

44bcf11f0ea0f7abb29cf5ab332319f1ee001f3b15972d7ec13bc255ad011098
SHA512

0bcd21a0e4664dbc89400000d717ae4f1464822ad991ab6eaf852a6b46ba51a57f694af7f111bc95b9543c540e3e72f42b8612a29f98fa6d5d82814ee0ddee01
SSDEEP

6144:OKpb8rGYrMPe3q7Q0XV5xtuEsi8/dg8yY+TAQXTHGUMEyP5p6f5jQmN:nbGUMVWlbN

Score

10^/10

emotet banker persistence trojan

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

http://kabaruntukrakyat.com/wp-content/B9oJ0jh/

xlm40.dropper

http://coinkub.com/wp-content/WwrJvjumS/

xlm40.dropper

https://aberractivity.hu/iqq/Dmtv/

xlm40.dropper

https://anamafegarcia.es/css/HfFXMTXvc40t/

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3824	2704	regsvr32.exe	65
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4584	2704	regsvr32.exe	65
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4300	2704	regsvr32.exe	65
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4668	2704	regsvr32.exe	65

Downloads MZ/PE file

Loads dropped DLL 4 IoCs

pid	Process
3824	regsvr32.exe
4584	regsvr32.exe
4300	regsvr32.exe
4668	regsvr32.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KjrkcjX.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\RgpQCPHbQ\\KjrkcjX.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GyAoOUPLyKAgFHs.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\BbOfbdoCdl\\GyAoOUPLyKAgFHs.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eVOBmwbcPfl.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\OzKkbqpstnzeKvhg\\eVOBmwbcPfl.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QFcRvRq.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\ADrYrpxubFwrwVbF\\QFcRvRq.dll\""	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2704	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
3824	regsvr32.exe
3824	regsvr32.exe
2532	regsvr32.exe
2532	regsvr32.exe
2532	regsvr32.exe
2532	regsvr32.exe
4584	regsvr32.exe
4584	regsvr32.exe
4512	regsvr32.exe
4512	regsvr32.exe
4512	regsvr32.exe
4512	regsvr32.exe
4300	regsvr32.exe
4300	regsvr32.exe
4620	regsvr32.exe
4620	regsvr32.exe
4620	regsvr32.exe
4620	regsvr32.exe
4668	regsvr32.exe
4668	regsvr32.exe
676	regsvr32.exe
676	regsvr32.exe
676	regsvr32.exe
676	regsvr32.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2704	EXCEL.EXE
2704	EXCEL.EXE
2704	EXCEL.EXE
2704	EXCEL.EXE
2704	EXCEL.EXE
2704	EXCEL.EXE
2704	EXCEL.EXE
2704	EXCEL.EXE
2704	EXCEL.EXE
2704	EXCEL.EXE
2704	EXCEL.EXE
2704	EXCEL.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 3824	2704	EXCEL.EXE	68
PID 2704 wrote to memory of 3824	2704	EXCEL.EXE	68
PID 3824 wrote to memory of 2532	3824	regsvr32.exe	70
PID 3824 wrote to memory of 2532	3824	regsvr32.exe	70
PID 2704 wrote to memory of 4584	2704	EXCEL.EXE	71
PID 2704 wrote to memory of 4584	2704	EXCEL.EXE	71
PID 4584 wrote to memory of 4512	4584	regsvr32.exe	72
PID 4584 wrote to memory of 4512	4584	regsvr32.exe	72
PID 2704 wrote to memory of 4300	2704	EXCEL.EXE	73
PID 2704 wrote to memory of 4300	2704	EXCEL.EXE	73
PID 4300 wrote to memory of 4620	4300	regsvr32.exe	74
PID 4300 wrote to memory of 4620	4300	regsvr32.exe	74
PID 2704 wrote to memory of 4668	2704	EXCEL.EXE	75
PID 2704 wrote to memory of 4668	2704	EXCEL.EXE	75
PID 4668 wrote to memory of 676	4668	regsvr32.exe	76
PID 4668 wrote to memory of 676	4668	regsvr32.exe	76

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\44bcf11f0ea0f7abb29cf5ab332319f1ee001f3b15972d7ec13bc255ad011098.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv1.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3824
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\OzKkbqpstnzeKvhg\eVOBmwbcPfl.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:2532
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv2.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4584
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ADrYrpxubFwrwVbF\QFcRvRq.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:4512
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv3.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4300
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\RgpQCPHbQ\KjrkcjX.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:4620
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv4.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4668
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\BbOfbdoCdl\GyAoOUPLyKAgFHs.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\oxnv1.ooccxx

Filesize
818KB

MD5
7f82dbcb61386b3b6664a4f896d4e46f

SHA1
00a2e10b42f39f6a391af857579557adda1f34aa

SHA256
39500ba4aa31a0d72bcf4141580e883b7fe0c3ca077dbbf7a03da433a58986a1

SHA512
0862f3753ce02193cfdba7b513d1b6c4be79a40a0ef43694b356c21d22fd0d2a4a5823443107ffbccc188e11d85dd7ffc76ed1af3c505dd387bc0540c8575158

Download Submit
C:\Users\Admin\oxnv2.ooccxx

Filesize
818KB

MD5
137e3abf78d8a2e02f11e7679e7a33ec

SHA1
4a73428964d2c7f42d690e4dfa2a8eef69db77b3

SHA256
8ff2597206c2ae2e318ae50af52175e695bfcee0f618a8fd441f1eb31d6a39d5

SHA512
df11feb495f3afb1a7292cc440794e9bddebff19461c9e54aea760fc7ca352d5061d51699b0af03969e469ad89976dc3c9e295bae1daf91feaf3a1b847e3b331

Download Submit
C:\Users\Admin\oxnv3.ooccxx

Filesize
818KB

MD5
9662b826092f03cb868a42151c4a991d

SHA1
0650b169d1e9fabe145b7ea15650b08d4e7665ff

SHA256
85c5e952dad18cedf2edf2a3c4433d86890393f64479657b4733ee2cbefc4887

SHA512
ecae1bc7294dc0e0bf3bd6b5c1814ca8ccee2b23b29c1bac6e0f3432de696bccda6817df50c3528034f6a6b4051ffb0ad30465b86f34858b1c3dc7b1c8ff524c

Download Submit
C:\Users\Admin\oxnv4.ooccxx

Filesize
818KB

MD5
a5383ce5b92c0774300493ee1be3fb97

SHA1
54ffdfc7a752a77166060db0f380637d6f667a37

SHA256
f3d758cad894f6f8f1e9fbc3c3ce5629d3d9a8810373a53e3f1b21657fddcbc2

SHA512
2c61935ad7a13df8c2d2c46bc2cea8299064394359f9dc934590ca74d12a2131904be8723dafa2d2a7a018e2b2b905fed21752350bb83a144385bbf1a7e28075

Download Submit
\Users\Admin\oxnv1.ooccxx

Filesize
818KB

MD5
7f82dbcb61386b3b6664a4f896d4e46f

SHA1
00a2e10b42f39f6a391af857579557adda1f34aa

SHA256
39500ba4aa31a0d72bcf4141580e883b7fe0c3ca077dbbf7a03da433a58986a1

SHA512
0862f3753ce02193cfdba7b513d1b6c4be79a40a0ef43694b356c21d22fd0d2a4a5823443107ffbccc188e11d85dd7ffc76ed1af3c505dd387bc0540c8575158

Download Submit
\Users\Admin\oxnv2.ooccxx

Filesize
818KB

MD5
137e3abf78d8a2e02f11e7679e7a33ec

SHA1
4a73428964d2c7f42d690e4dfa2a8eef69db77b3

SHA256
8ff2597206c2ae2e318ae50af52175e695bfcee0f618a8fd441f1eb31d6a39d5

SHA512
df11feb495f3afb1a7292cc440794e9bddebff19461c9e54aea760fc7ca352d5061d51699b0af03969e469ad89976dc3c9e295bae1daf91feaf3a1b847e3b331

Download Submit
\Users\Admin\oxnv3.ooccxx

Filesize
818KB

MD5
9662b826092f03cb868a42151c4a991d

SHA1
0650b169d1e9fabe145b7ea15650b08d4e7665ff

SHA256
85c5e952dad18cedf2edf2a3c4433d86890393f64479657b4733ee2cbefc4887

SHA512
ecae1bc7294dc0e0bf3bd6b5c1814ca8ccee2b23b29c1bac6e0f3432de696bccda6817df50c3528034f6a6b4051ffb0ad30465b86f34858b1c3dc7b1c8ff524c

Download Submit
\Users\Admin\oxnv4.ooccxx

Filesize
818KB

MD5
a5383ce5b92c0774300493ee1be3fb97

SHA1
54ffdfc7a752a77166060db0f380637d6f667a37

SHA256
f3d758cad894f6f8f1e9fbc3c3ce5629d3d9a8810373a53e3f1b21657fddcbc2

SHA512
2c61935ad7a13df8c2d2c46bc2cea8299064394359f9dc934590ca74d12a2131904be8723dafa2d2a7a018e2b2b905fed21752350bb83a144385bbf1a7e28075

Download Submit
memory/2704-133-0x00007FFC4B4B0000-0x00007FFC4B4C0000-memory.dmp

Filesize
64KB

Download
memory/2704-120-0x00007FFC4E220000-0x00007FFC4E230000-memory.dmp

Filesize
64KB

Download
memory/2704-132-0x00007FFC4B4B0000-0x00007FFC4B4C0000-memory.dmp

Filesize
64KB

Download
memory/2704-123-0x00007FFC4E220000-0x00007FFC4E230000-memory.dmp

Filesize
64KB

Download
memory/2704-122-0x00007FFC4E220000-0x00007FFC4E230000-memory.dmp

Filesize
64KB

Download
memory/2704-121-0x00007FFC4E220000-0x00007FFC4E230000-memory.dmp

Filesize
64KB

Download
memory/3824-265-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads