emotet | 61bf1453572a11da0b81364eaf6b11db46f8a4568c8d939baf5dcd541e6fe18f

General

Target

61bf1453572a11da0b81364eaf6b11db46f8a4568c8d939baf5dcd541e6fe18f.xls
Size

217KB
MD5

4de17a7f5f149382f4a7632dfce6e079
SHA1

046191f043e23361217a1805f28144cb91314f25
SHA256

61bf1453572a11da0b81364eaf6b11db46f8a4568c8d939baf5dcd541e6fe18f
SHA512

1dd5d95e23ce1afb29420fe2e3bfdec833d9a0d2a3dde8829f4723e74db0f559d8a838948cf4b3e2dcd3b23700056aaff1b9d9754b40bfa514b52f04e7905d28
SSDEEP

6144:OKpb8rGYrMPe3q7Q0XV5xtuEsi8/dgIyY+TAQXTHGUMEyP5p6f5jQmH:bbGUMVWlbH

Score

10^/10

emotet banker persistence trojan

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

https://aprendeconmireia.com/images/wBu/

xlm40.dropper

http://updailymail.com/cgi-bin/gBYmfqRi2utIS2n/

xlm40.dropper

https://akuntansi.itny.ac.id/asset/9aVFvYeaSKOhGBSLx/

xlm40.dropper

http://swiftwebbox.com/cgi-bin/vNqoMtQilpysJYRwtGu/

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4800	2676	regsvr32.exe	65
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1788	2676	regsvr32.exe	65
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1420	2676	regsvr32.exe	65
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1684	2676	regsvr32.exe	65

Downloads MZ/PE file

Loads dropped DLL 4 IoCs

pid	Process
4800	regsvr32.exe
1788	regsvr32.exe
1420	regsvr32.exe
1684	regsvr32.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RQOffus.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\YjxpIVxUOHC\\RQOffus.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zsKHnSlOfslpzm.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\JYzgLSrVHupL\\zsKHnSlOfslpzm.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gaqlLv.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\ERPhOdwxqloNr\\gaqlLv.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xRZoWmZlocLB.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\QwVLsCnvCGJK\\xRZoWmZlocLB.dll\""	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2676	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
4800	regsvr32.exe
4800	regsvr32.exe
4772	regsvr32.exe
4772	regsvr32.exe
4772	regsvr32.exe
4772	regsvr32.exe
1788	regsvr32.exe
1788	regsvr32.exe
1720	regsvr32.exe
1720	regsvr32.exe
1720	regsvr32.exe
1720	regsvr32.exe
1420	regsvr32.exe
1420	regsvr32.exe
728	regsvr32.exe
728	regsvr32.exe
728	regsvr32.exe
728	regsvr32.exe
1684	regsvr32.exe
1684	regsvr32.exe
2720	regsvr32.exe
2720	regsvr32.exe
2720	regsvr32.exe
2720	regsvr32.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2676	EXCEL.EXE
2676	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2676	EXCEL.EXE
2676	EXCEL.EXE
2676	EXCEL.EXE
2676	EXCEL.EXE
2676	EXCEL.EXE
2676	EXCEL.EXE
2676	EXCEL.EXE
2676	EXCEL.EXE
2676	EXCEL.EXE
2676	EXCEL.EXE
2676	EXCEL.EXE
2676	EXCEL.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 4800	2676	EXCEL.EXE	73
PID 2676 wrote to memory of 4800	2676	EXCEL.EXE	73
PID 4800 wrote to memory of 4772	4800	regsvr32.exe	74
PID 4800 wrote to memory of 4772	4800	regsvr32.exe	74
PID 2676 wrote to memory of 1788	2676	EXCEL.EXE	75
PID 2676 wrote to memory of 1788	2676	EXCEL.EXE	75
PID 1788 wrote to memory of 1720	1788	regsvr32.exe	76
PID 1788 wrote to memory of 1720	1788	regsvr32.exe	76
PID 2676 wrote to memory of 1420	2676	EXCEL.EXE	77
PID 2676 wrote to memory of 1420	2676	EXCEL.EXE	77
PID 1420 wrote to memory of 728	1420	regsvr32.exe	78
PID 1420 wrote to memory of 728	1420	regsvr32.exe	78
PID 2676 wrote to memory of 1684	2676	EXCEL.EXE	79
PID 2676 wrote to memory of 1684	2676	EXCEL.EXE	79
PID 1684 wrote to memory of 2720	1684	regsvr32.exe	80
PID 1684 wrote to memory of 2720	1684	regsvr32.exe	80

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\61bf1453572a11da0b81364eaf6b11db46f8a4568c8d939baf5dcd541e6fe18f.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv1.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4800
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\JYzgLSrVHupL\zsKHnSlOfslpzm.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:4772
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv2.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ERPhOdwxqloNr\gaqlLv.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:1720
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv3.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1420
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\QwVLsCnvCGJK\xRZoWmZlocLB.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:728
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv4.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\YjxpIVxUOHC\RQOffus.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:2720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\oxnv1.ooccxx

Filesize
712KB

MD5
970a02ac662e5ccbf9d99fd583b777cb

SHA1
15c3bddbf0b8ea002e76a2ba6b87b34f7615ce05

SHA256
a42235b6927b07f605e3e1753021d18b74a5ee1297624af4b08b42ffb7b13b76

SHA512
70d5f396885a78f95fbd2e9994ba14d90bae5f6adfc0e0a758897356d5288c2bc0032dda552a7dd9747855dcc41df0474d4e55ed007d5308d3a869ee72367ec6

Download Submit
C:\Users\Admin\oxnv2.ooccxx

Filesize
712KB

MD5
826f73dcb85305a9fe2cc2028e8b082b

SHA1
151caad5ec4d5b446b9db329c16d438ff727f26d

SHA256
a917e69797b57f3f55f33c563f80d8b861e53c1a0e8502a48401cd33e6c00465

SHA512
ea1cbdcdb5c3224a9ad6abbc0feef14e75f551c65a36e838732563d791cf696dafcebfccbffd4cca46e873452a196417ccb780db71523fa67af18d545d824690

Download Submit
C:\Users\Admin\oxnv3.ooccxx

Filesize
712KB

MD5
d0626fc0d92e2c0fe0a143e60a3f1862

SHA1
5e66eeed4bf30bea058a7cb70328db612b746847

SHA256
2ffad09e67029d44456e3897b52241fb2dbc0cd7cbe8f7b033f726e796840296

SHA512
3090658cc4913823bc7d64a5d12b32e91b26d6acda42800aa16d6024a65cfdb25877bca3a99e0226ae44e98e6226577a5dad1982b060c80ae3fa1fb00b2e4e2b

Download Submit
C:\Users\Admin\oxnv4.ooccxx

Filesize
712KB

MD5
3c24bf8c44cdc0ae2f4046dd9a0a3062

SHA1
07bc0618dcce8f98367c1d8e55a566025fc10c81

SHA256
34f1ee494f95b5c699088f8b3a2e835d16cb980c1b379538258ee4ea546d81ab

SHA512
1a180c5af8ba2aed6329921f637903e11f6f9a0340d514e40a39595b73b4a88b8b2f9484f9413e78f80ab4d47ef74f8482e0b7977ca2d2f1c2d499a934aedae5

Download Submit
\Users\Admin\oxnv1.ooccxx

Filesize
712KB

MD5
970a02ac662e5ccbf9d99fd583b777cb

SHA1
15c3bddbf0b8ea002e76a2ba6b87b34f7615ce05

SHA256
a42235b6927b07f605e3e1753021d18b74a5ee1297624af4b08b42ffb7b13b76

SHA512
70d5f396885a78f95fbd2e9994ba14d90bae5f6adfc0e0a758897356d5288c2bc0032dda552a7dd9747855dcc41df0474d4e55ed007d5308d3a869ee72367ec6

Download Submit
\Users\Admin\oxnv2.ooccxx

Filesize
712KB

MD5
826f73dcb85305a9fe2cc2028e8b082b

SHA1
151caad5ec4d5b446b9db329c16d438ff727f26d

SHA256
a917e69797b57f3f55f33c563f80d8b861e53c1a0e8502a48401cd33e6c00465

SHA512
ea1cbdcdb5c3224a9ad6abbc0feef14e75f551c65a36e838732563d791cf696dafcebfccbffd4cca46e873452a196417ccb780db71523fa67af18d545d824690

Download Submit
\Users\Admin\oxnv3.ooccxx

Filesize
712KB

MD5
d0626fc0d92e2c0fe0a143e60a3f1862

SHA1
5e66eeed4bf30bea058a7cb70328db612b746847

SHA256
2ffad09e67029d44456e3897b52241fb2dbc0cd7cbe8f7b033f726e796840296

SHA512
3090658cc4913823bc7d64a5d12b32e91b26d6acda42800aa16d6024a65cfdb25877bca3a99e0226ae44e98e6226577a5dad1982b060c80ae3fa1fb00b2e4e2b

Download Submit
\Users\Admin\oxnv4.ooccxx

Filesize
712KB

MD5
3c24bf8c44cdc0ae2f4046dd9a0a3062

SHA1
07bc0618dcce8f98367c1d8e55a566025fc10c81

SHA256
34f1ee494f95b5c699088f8b3a2e835d16cb980c1b379538258ee4ea546d81ab

SHA512
1a180c5af8ba2aed6329921f637903e11f6f9a0340d514e40a39595b73b4a88b8b2f9484f9413e78f80ab4d47ef74f8482e0b7977ca2d2f1c2d499a934aedae5

Download Submit
memory/2676-118-0x00007FF9E5F40000-0x00007FF9E5F50000-memory.dmp

Filesize
64KB

Download
memory/2676-337-0x00007FF9E5F40000-0x00007FF9E5F50000-memory.dmp

Filesize
64KB

Download
memory/2676-340-0x00007FF9E5F40000-0x00007FF9E5F50000-memory.dmp

Filesize
64KB

Download
memory/2676-127-0x00007FF9E3090000-0x00007FF9E30A0000-memory.dmp

Filesize
64KB

Download
memory/2676-339-0x00007FF9E5F40000-0x00007FF9E5F50000-memory.dmp

Filesize
64KB

Download
memory/2676-115-0x00007FF9E5F40000-0x00007FF9E5F50000-memory.dmp

Filesize
64KB

Download
memory/2676-338-0x00007FF9E5F40000-0x00007FF9E5F50000-memory.dmp

Filesize
64KB

Download
memory/2676-117-0x00007FF9E5F40000-0x00007FF9E5F50000-memory.dmp

Filesize
64KB

Download
memory/2676-116-0x00007FF9E5F40000-0x00007FF9E5F50000-memory.dmp

Filesize
64KB

Download
memory/2676-128-0x00007FF9E3090000-0x00007FF9E30A0000-memory.dmp

Filesize
64KB

Download
memory/4800-261-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads