emotet | 0a712277286bdb83dee39bd389e1ad65e079bdb53b9255fa4b26283b30c9da72

Resubmissions

03/11/2022, 21:07

221103-zyn6safbg6 10

03/11/2022, 21:01

221103-ztzfyshccm 10

03/11/2022, 15:09

221103-sjnhdabfg4 10

Analysis

max time kernel
145s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03/11/2022, 15:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef2ce641a4e9f270eea626e8e4800b0b97b4a436c40e7af30aeb6f02566b809c.xls
Size

216KB
MD5

2486374800299563ab8934122234242a
SHA1

47bfe94aa96ef43231890f04ccd286b0888e10c8
SHA256

ef2ce641a4e9f270eea626e8e4800b0b97b4a436c40e7af30aeb6f02566b809c
SHA512

74e52e1e1317908447340cbba32949321ed435f17a524224af80236ecdf67187c83908cca514e82a49b9abe9495125ba741e01ed8f30663124c13fce339c63e5
SSDEEP

6144:bKpb8rGYrMPe3q7Q0XV5xtuEsi8/dgAyY+TAQXTHGUMEyP5p6f5jQmK:GbGUMVWlbK

Score

10^/10

emotet banker persistence trojan

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

https://audioselec.com/about/dDw5ggtyMojggTqhc/

xlm40.dropper

https://geringer-muehle.de/wp-admin/G/

xlm40.dropper

http://intolove.co.uk/wp-admin/FbGhiWtrEzrQ/

xlm40.dropper

http://isc.net.ua/themes/3rU/

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1232	5016	regsvr32.exe	80
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	5088	5016	regsvr32.exe	80
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2852	5016	regsvr32.exe	80
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2000	5016	regsvr32.exe	80

Downloads MZ/PE file

Loads dropped DLL 8 IoCs

pid	Process
1232	regsvr32.exe
924	regsvr32.exe
5088	regsvr32.exe
2852	regsvr32.exe
3864	regsvr32.exe
2112	regsvr32.exe
2000	regsvr32.exe
5028	regsvr32.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lwyFTKzYW.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\MziIaSfZQClPQpp\\lwyFTKzYW.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vnuOPbuWO.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\UUGILVMr\\vnuOPbuWO.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KIgCBYMFgh.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\AxsMKxbOpizAKyrxC\\KIgCBYMFgh.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aaClzaTrhna.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\LQPPmuf\\aaClzaTrhna.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5016	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1232	regsvr32.exe
1232	regsvr32.exe
924	regsvr32.exe
924	regsvr32.exe
5088	regsvr32.exe
5088	regsvr32.exe
924	regsvr32.exe
924	regsvr32.exe
2852	regsvr32.exe
2852	regsvr32.exe
3864	regsvr32.exe
3864	regsvr32.exe
3864	regsvr32.exe
3864	regsvr32.exe
2112	regsvr32.exe
2112	regsvr32.exe
2000	regsvr32.exe
2000	regsvr32.exe
2112	regsvr32.exe
2112	regsvr32.exe
5028	regsvr32.exe
5028	regsvr32.exe
5028	regsvr32.exe
5028	regsvr32.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
5016	EXCEL.EXE
5016	EXCEL.EXE
5016	EXCEL.EXE
5016	EXCEL.EXE
5016	EXCEL.EXE
5016	EXCEL.EXE
5016	EXCEL.EXE
5016	EXCEL.EXE
5016	EXCEL.EXE
5016	EXCEL.EXE
5016	EXCEL.EXE
5016	EXCEL.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 5016 wrote to memory of 1232	5016	EXCEL.EXE	86
PID 5016 wrote to memory of 1232	5016	EXCEL.EXE	86
PID 1232 wrote to memory of 924	1232	regsvr32.exe	87
PID 1232 wrote to memory of 924	1232	regsvr32.exe	87
PID 5016 wrote to memory of 5088	5016	EXCEL.EXE	89
PID 5016 wrote to memory of 5088	5016	EXCEL.EXE	89
PID 5016 wrote to memory of 2852	5016	EXCEL.EXE	91
PID 5016 wrote to memory of 2852	5016	EXCEL.EXE	91
PID 5088 wrote to memory of 3864	5088	regsvr32.exe	92
PID 5088 wrote to memory of 3864	5088	regsvr32.exe	92
PID 2852 wrote to memory of 2112	2852	regsvr32.exe	93
PID 2852 wrote to memory of 2112	2852	regsvr32.exe	93
PID 5016 wrote to memory of 2000	5016	EXCEL.EXE	94
PID 5016 wrote to memory of 2000	5016	EXCEL.EXE	94
PID 2000 wrote to memory of 5028	2000	regsvr32.exe	95
PID 2000 wrote to memory of 5028	2000	regsvr32.exe	95

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ef2ce641a4e9f270eea626e8e4800b0b97b4a436c40e7af30aeb6f02566b809c.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe ..\oxnv1.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1232
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\LQPPmuf\aaClzaTrhna.dll"
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:924
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe ..\oxnv2.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5088
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\MziIaSfZQClPQpp\lwyFTKzYW.dll"
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:3864
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe ..\oxnv3.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\UUGILVMr\vnuOPbuWO.dll"
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:2112
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe ..\oxnv4.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\AxsMKxbOpizAKyrxC\KIgCBYMFgh.dll"
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:5028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\oxnv1.ooccxx

Filesize
814KB

MD5
12a81d42416771d412f249e318088d24

SHA1
b7d865bd7c3479c6efcf05c4a53cb442ab6eaa7b

SHA256
49f40a56dee471071d04545612cafc909f029a8c147b7591706c6831b2d16c02

SHA512
13e711d4255d33b948d5e97b0f0b27adec2be9ccc3e71158b8badac9b5268ff0a6cea5533cad8c7f4795b0ad42a85ea401c63f3f3f341bb1eafe070de1c37015

Download Submit
C:\Users\Admin\oxnv1.ooccxx

Filesize
814KB

MD5
12a81d42416771d412f249e318088d24

SHA1
b7d865bd7c3479c6efcf05c4a53cb442ab6eaa7b

SHA256
49f40a56dee471071d04545612cafc909f029a8c147b7591706c6831b2d16c02

SHA512
13e711d4255d33b948d5e97b0f0b27adec2be9ccc3e71158b8badac9b5268ff0a6cea5533cad8c7f4795b0ad42a85ea401c63f3f3f341bb1eafe070de1c37015

Download Submit
C:\Users\Admin\oxnv2.ooccxx

Filesize
814KB

MD5
ae115e4046c9d2ce5a6a079022ca6310

SHA1
8c246a79f9c7ff3c471312f405e6ac136fa499ad

SHA256
65247664f4eae69e1116be787f334fffe2bad6c537bcbe64a745696e94a0240a

SHA512
2a89b59421d9cd3438b669621521ad849b45d681e902081179f53cd3fce9b93afbcb6e93f8c613487192b482821ef68de3597e0d3d3067000bd69d7b3590d7d1

Download Submit
C:\Users\Admin\oxnv2.ooccxx

Filesize
814KB

MD5
ae115e4046c9d2ce5a6a079022ca6310

SHA1
8c246a79f9c7ff3c471312f405e6ac136fa499ad

SHA256
65247664f4eae69e1116be787f334fffe2bad6c537bcbe64a745696e94a0240a

SHA512
2a89b59421d9cd3438b669621521ad849b45d681e902081179f53cd3fce9b93afbcb6e93f8c613487192b482821ef68de3597e0d3d3067000bd69d7b3590d7d1

Download Submit
C:\Users\Admin\oxnv3.ooccxx

Filesize
814KB

MD5
4bda16479818d2ffd47417c24753aed4

SHA1
3ee06f7717755ab7fa658c32b068bda22cf56335

SHA256
9916457a0db1d62de30d9625ccad91b872962eb24001613a835a0e04e3ff97d6

SHA512
6edb5cf6294df6bd2e8f3fbe95fb877c15f225a5615079a73ea83ac45e00af13b6d1bb24a47dae85d00a2453643f6b2879d1d1bef43c46b4f67cefb0abe81bd0

Download Submit
C:\Users\Admin\oxnv3.ooccxx

Filesize
814KB

MD5
4bda16479818d2ffd47417c24753aed4

SHA1
3ee06f7717755ab7fa658c32b068bda22cf56335

SHA256
9916457a0db1d62de30d9625ccad91b872962eb24001613a835a0e04e3ff97d6

SHA512
6edb5cf6294df6bd2e8f3fbe95fb877c15f225a5615079a73ea83ac45e00af13b6d1bb24a47dae85d00a2453643f6b2879d1d1bef43c46b4f67cefb0abe81bd0

Download Submit
C:\Users\Admin\oxnv4.ooccxx

Filesize
814KB

MD5
e42bdf6ad74b4731b93dfd50d848f806

SHA1
60201206aeef299a08279257cc8ee24a528d8fb1

SHA256
bf0a768afa812263e1d7cae61c5c4f6bb1c1ad8e902fff0a35e1f5014b01302f

SHA512
0190eb9d3f21b1b10a29b490ecf293b7376902f7f0b78c699499887a9bb2cc8e28f44d9258fae983ae2c44b2e61c5629437ab379e17b42370fbcaab30623d9c2

Download Submit
C:\Users\Admin\oxnv4.ooccxx

Filesize
814KB

MD5
e42bdf6ad74b4731b93dfd50d848f806

SHA1
60201206aeef299a08279257cc8ee24a528d8fb1

SHA256
bf0a768afa812263e1d7cae61c5c4f6bb1c1ad8e902fff0a35e1f5014b01302f

SHA512
0190eb9d3f21b1b10a29b490ecf293b7376902f7f0b78c699499887a9bb2cc8e28f44d9258fae983ae2c44b2e61c5629437ab379e17b42370fbcaab30623d9c2

Download Submit
C:\Windows\System32\AxsMKxbOpizAKyrxC\KIgCBYMFgh.dll

Filesize
814KB

MD5
e42bdf6ad74b4731b93dfd50d848f806

SHA1
60201206aeef299a08279257cc8ee24a528d8fb1

SHA256
bf0a768afa812263e1d7cae61c5c4f6bb1c1ad8e902fff0a35e1f5014b01302f

SHA512
0190eb9d3f21b1b10a29b490ecf293b7376902f7f0b78c699499887a9bb2cc8e28f44d9258fae983ae2c44b2e61c5629437ab379e17b42370fbcaab30623d9c2

Download Submit
C:\Windows\System32\LQPPmuf\aaClzaTrhna.dll

Filesize
814KB

MD5
12a81d42416771d412f249e318088d24

SHA1
b7d865bd7c3479c6efcf05c4a53cb442ab6eaa7b

SHA256
49f40a56dee471071d04545612cafc909f029a8c147b7591706c6831b2d16c02

SHA512
13e711d4255d33b948d5e97b0f0b27adec2be9ccc3e71158b8badac9b5268ff0a6cea5533cad8c7f4795b0ad42a85ea401c63f3f3f341bb1eafe070de1c37015

Download Submit
C:\Windows\System32\MziIaSfZQClPQpp\lwyFTKzYW.dll

Filesize
814KB

MD5
ae115e4046c9d2ce5a6a079022ca6310

SHA1
8c246a79f9c7ff3c471312f405e6ac136fa499ad

SHA256
65247664f4eae69e1116be787f334fffe2bad6c537bcbe64a745696e94a0240a

SHA512
2a89b59421d9cd3438b669621521ad849b45d681e902081179f53cd3fce9b93afbcb6e93f8c613487192b482821ef68de3597e0d3d3067000bd69d7b3590d7d1

Download Submit
C:\Windows\System32\UUGILVMr\vnuOPbuWO.dll

Filesize
814KB

MD5
4bda16479818d2ffd47417c24753aed4

SHA1
3ee06f7717755ab7fa658c32b068bda22cf56335

SHA256
9916457a0db1d62de30d9625ccad91b872962eb24001613a835a0e04e3ff97d6

SHA512
6edb5cf6294df6bd2e8f3fbe95fb877c15f225a5615079a73ea83ac45e00af13b6d1bb24a47dae85d00a2453643f6b2879d1d1bef43c46b4f67cefb0abe81bd0

Download Submit
memory/1232-142-0x0000000180000000-0x000000018002F000-memory.dmp

Filesize
188KB

Download
memory/5016-138-0x00007FF7C4B50000-0x00007FF7C4B60000-memory.dmp

Filesize
64KB

Download
memory/5016-137-0x00007FF7C4B50000-0x00007FF7C4B60000-memory.dmp

Filesize
64KB

Download
memory/5016-132-0x00007FF7C7010000-0x00007FF7C7020000-memory.dmp

Filesize
64KB

Download
memory/5016-136-0x00007FF7C7010000-0x00007FF7C7020000-memory.dmp

Filesize
64KB

Download
memory/5016-135-0x00007FF7C7010000-0x00007FF7C7020000-memory.dmp

Filesize
64KB

Download
memory/5016-134-0x00007FF7C7010000-0x00007FF7C7020000-memory.dmp

Filesize
64KB

Download
memory/5016-133-0x00007FF7C7010000-0x00007FF7C7020000-memory.dmp

Filesize
64KB

Download