emotet | 2eb7daa6f3e753774558b2e4eb6582b7f439f19f552a97e909bb3975fc5a94e8

General

Target

2eb7daa6f3e753774558b2e4eb6582b7f439f19f552a97e909bb3975fc5a94e8.xls
Size

217KB
MD5

32e7f0bb00b184d8ad91589b45e51030
SHA1

4807666cae2e0b01654c5ee30beedf45abe294ff
SHA256

2eb7daa6f3e753774558b2e4eb6582b7f439f19f552a97e909bb3975fc5a94e8
SHA512

b75106d4f73cb47ef9d9b79193d02970c6de7f324a0e0d4d738a94771fd19884c26051fe1e5b5962923627b83ed555703087e001b1568af9a34d18cb076940e9
SSDEEP

6144:OKpb8rGYrMPe3q7Q0XV5xtuEsi8/dgIyY+TAQXTHGUMEyP5p6f5jQmL:bbGUMVWlbL

Score

10^/10

emotet banker persistence trojan

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

https://aprendeconmireia.com/images/wBu/

xlm40.dropper

http://updailymail.com/cgi-bin/gBYmfqRi2utIS2n/

xlm40.dropper

https://akuntansi.itny.ac.id/asset/9aVFvYeaSKOhGBSLx/

xlm40.dropper

http://swiftwebbox.com/cgi-bin/vNqoMtQilpysJYRwtGu/

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4616	3528	regsvr32.exe	65
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4600	3528	regsvr32.exe	65
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1192	3528	regsvr32.exe	65
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1944	3528	regsvr32.exe	65

Downloads MZ/PE file

Loads dropped DLL 4 IoCs

pid	Process
4616	regsvr32.exe
4600	regsvr32.exe
1192	regsvr32.exe
1944	regsvr32.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fHNcJPRC.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\RYELDDdlTIur\\fHNcJPRC.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YbhyCAfLnLeZSmvr.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\CgRpWrLSsjk\\YbhyCAfLnLeZSmvr.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gImfxWPCoFBqtT.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\EzrOkDpqurMRkMtX\\gImfxWPCoFBqtT.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KsDcvzvLpSbER.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\UcJCcwQgLqTjYzyoI\\KsDcvzvLpSbER.dll\""	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3528	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
4616	regsvr32.exe
4616	regsvr32.exe
4360	regsvr32.exe
4360	regsvr32.exe
4360	regsvr32.exe
4360	regsvr32.exe
4600	regsvr32.exe
4600	regsvr32.exe
3168	regsvr32.exe
3168	regsvr32.exe
3168	regsvr32.exe
3168	regsvr32.exe
1192	regsvr32.exe
1192	regsvr32.exe
372	regsvr32.exe
372	regsvr32.exe
372	regsvr32.exe
372	regsvr32.exe
1944	regsvr32.exe
1944	regsvr32.exe
288	regsvr32.exe
288	regsvr32.exe
288	regsvr32.exe
288	regsvr32.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3528	EXCEL.EXE
3528	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3528	EXCEL.EXE
3528	EXCEL.EXE
3528	EXCEL.EXE
3528	EXCEL.EXE
3528	EXCEL.EXE
3528	EXCEL.EXE
3528	EXCEL.EXE
3528	EXCEL.EXE
3528	EXCEL.EXE
3528	EXCEL.EXE
3528	EXCEL.EXE
3528	EXCEL.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3528 wrote to memory of 4616	3528	EXCEL.EXE	70
PID 3528 wrote to memory of 4616	3528	EXCEL.EXE	70
PID 4616 wrote to memory of 4360	4616	regsvr32.exe	72
PID 4616 wrote to memory of 4360	4616	regsvr32.exe	72
PID 3528 wrote to memory of 4600	3528	EXCEL.EXE	73
PID 3528 wrote to memory of 4600	3528	EXCEL.EXE	73
PID 4600 wrote to memory of 3168	4600	regsvr32.exe	75
PID 4600 wrote to memory of 3168	4600	regsvr32.exe	75
PID 3528 wrote to memory of 1192	3528	EXCEL.EXE	76
PID 3528 wrote to memory of 1192	3528	EXCEL.EXE	76
PID 1192 wrote to memory of 372	1192	regsvr32.exe	77
PID 1192 wrote to memory of 372	1192	regsvr32.exe	77
PID 3528 wrote to memory of 1944	3528	EXCEL.EXE	78
PID 3528 wrote to memory of 1944	3528	EXCEL.EXE	78
PID 1944 wrote to memory of 288	1944	regsvr32.exe	79
PID 1944 wrote to memory of 288	1944	regsvr32.exe	79

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\2eb7daa6f3e753774558b2e4eb6582b7f439f19f552a97e909bb3975fc5a94e8.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3528
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv1.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4616
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\RYELDDdlTIur\fHNcJPRC.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:4360
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv2.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4600
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\CgRpWrLSsjk\YbhyCAfLnLeZSmvr.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:3168
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv3.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1192
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\EzrOkDpqurMRkMtX\gImfxWPCoFBqtT.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:372
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv4.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\UcJCcwQgLqTjYzyoI\KsDcvzvLpSbER.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\oxnv1.ooccxx

Filesize
818KB

MD5
0c4c6773e87831ea6a07e8cc9954214d

SHA1
962e9b651fb53a2797caea1a3d3ad1b6960c5c4f

SHA256
0e00ab78dd4e1922b3ac756bc14e3b8d3c96c8564e907ebc30b7c0067eda8daf

SHA512
0df7ca2bb1f5832c3a067da69775d022e4d0a416985c659cbc26fa51c5ef12bddcb715528f2b58ac3b11c43c23fea24c473a547cb506f385d780a28dc26ed41c

Download Submit
C:\Users\Admin\oxnv2.ooccxx

Filesize
818KB

MD5
8064bafc7eb625ff50a2439914c92256

SHA1
a9372f0c6a5af367b40c5d83a651e86c6baf8edb

SHA256
c9f195091530a894e34d12495772b7af8506179124c88748f34b521fc823e185

SHA512
3eac35f45a62f706f613f6e21289592748c00359436fc459a84bdcd92b7d3af40c25a78370ce0c4a1b9b1e9443ab550ea2c21cdd9cf5eb151cce0fbcf99b9556

Download Submit
C:\Users\Admin\oxnv3.ooccxx

Filesize
818KB

MD5
33e227c694cbedb1746c4ac6219d4b04

SHA1
2b6886e78e57a018a046a37216307c01b4593509

SHA256
aeb33bef031e44cbb61bef61a1bed28d3567d616c59707d2dcbb01ce7afa361e

SHA512
e00b4d6c5f32ba664c0248f4f390cc597a922ca455b0b0770c9e4cd1d65d2ef1c325b69ed27035b5dc77af6b46cd9a5eac9813f9dfd9ff877b56dd711c2727f0

Download Submit
C:\Users\Admin\oxnv4.ooccxx

Filesize
818KB

MD5
ac7198b49cd9b111fca8b4619cffd7f5

SHA1
a94296dbbdf6cc0b560675da82a3d6cf151ed933

SHA256
9cef9c95990363289cc118b76ccb0aa7335c26dde64a562d9387756869bdfa50

SHA512
fd8456f4cf174abd10ad51dddfc3fed41b62f8f4eaf44833b9e0145d8991761f21d8baa6a6ba6842b9fc59c26b49306643c5b6cd7366029bf0e42edfff630118

Download Submit
\Users\Admin\oxnv1.ooccxx

Filesize
818KB

MD5
0c4c6773e87831ea6a07e8cc9954214d

SHA1
962e9b651fb53a2797caea1a3d3ad1b6960c5c4f

SHA256
0e00ab78dd4e1922b3ac756bc14e3b8d3c96c8564e907ebc30b7c0067eda8daf

SHA512
0df7ca2bb1f5832c3a067da69775d022e4d0a416985c659cbc26fa51c5ef12bddcb715528f2b58ac3b11c43c23fea24c473a547cb506f385d780a28dc26ed41c

Download Submit
\Users\Admin\oxnv2.ooccxx

Filesize
818KB

MD5
8064bafc7eb625ff50a2439914c92256

SHA1
a9372f0c6a5af367b40c5d83a651e86c6baf8edb

SHA256
c9f195091530a894e34d12495772b7af8506179124c88748f34b521fc823e185

SHA512
3eac35f45a62f706f613f6e21289592748c00359436fc459a84bdcd92b7d3af40c25a78370ce0c4a1b9b1e9443ab550ea2c21cdd9cf5eb151cce0fbcf99b9556

Download Submit
\Users\Admin\oxnv3.ooccxx

Filesize
818KB

MD5
33e227c694cbedb1746c4ac6219d4b04

SHA1
2b6886e78e57a018a046a37216307c01b4593509

SHA256
aeb33bef031e44cbb61bef61a1bed28d3567d616c59707d2dcbb01ce7afa361e

SHA512
e00b4d6c5f32ba664c0248f4f390cc597a922ca455b0b0770c9e4cd1d65d2ef1c325b69ed27035b5dc77af6b46cd9a5eac9813f9dfd9ff877b56dd711c2727f0

Download Submit
\Users\Admin\oxnv4.ooccxx

Filesize
818KB

MD5
ac7198b49cd9b111fca8b4619cffd7f5

SHA1
a94296dbbdf6cc0b560675da82a3d6cf151ed933

SHA256
9cef9c95990363289cc118b76ccb0aa7335c26dde64a562d9387756869bdfa50

SHA512
fd8456f4cf174abd10ad51dddfc3fed41b62f8f4eaf44833b9e0145d8991761f21d8baa6a6ba6842b9fc59c26b49306643c5b6cd7366029bf0e42edfff630118

Download Submit
memory/288-315-0x0000000000000000-mapping.dmp

Download
memory/372-299-0x0000000000000000-mapping.dmp

Download
memory/1192-291-0x0000000000000000-mapping.dmp

Download
memory/1944-305-0x0000000000000000-mapping.dmp

Download
memory/3168-283-0x0000000000000000-mapping.dmp

Download
memory/3528-118-0x00007FF851770000-0x00007FF851780000-memory.dmp

Filesize
64KB

Download
memory/3528-121-0x00007FF851770000-0x00007FF851780000-memory.dmp

Filesize
64KB

Download
memory/3528-351-0x00007FF851770000-0x00007FF851780000-memory.dmp

Filesize
64KB

Download
memory/3528-131-0x00007FF84DFE0000-0x00007FF84DFF0000-memory.dmp

Filesize
64KB

Download
memory/3528-130-0x00007FF84DFE0000-0x00007FF84DFF0000-memory.dmp

Filesize
64KB

Download
memory/3528-350-0x00007FF851770000-0x00007FF851780000-memory.dmp

Filesize
64KB

Download
memory/3528-349-0x00007FF851770000-0x00007FF851780000-memory.dmp

Filesize
64KB

Download
memory/3528-348-0x00007FF851770000-0x00007FF851780000-memory.dmp

Filesize
64KB

Download
memory/3528-120-0x00007FF851770000-0x00007FF851780000-memory.dmp

Filesize
64KB

Download
memory/3528-119-0x00007FF851770000-0x00007FF851780000-memory.dmp

Filesize
64KB

Download
memory/4360-267-0x0000000000000000-mapping.dmp

Download
memory/4600-273-0x0000000000000000-mapping.dmp

Download
memory/4616-254-0x0000000000000000-mapping.dmp

Download
memory/4616-257-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads