emotet | 2b96a73c331374ca1a4c176638e13b4d6317f8bac8f98a08663c818f6e62e217

General

Target

2b96a73c331374ca1a4c176638e13b4d6317f8bac8f98a08663c818f6e62e217.xls
Size

217KB
MD5

f44f0589b939dbca044d25700963a437
SHA1

92dfc5b57eedfec9ac4a0eb38bc3a0b2b06cc546
SHA256

2b96a73c331374ca1a4c176638e13b4d6317f8bac8f98a08663c818f6e62e217
SHA512

f6605ba7867f60ed8954a86a679f63e44913c7804dae96ae8624a7cac22e03502be7dd0153ee56d3e365658351409f209169f5968ef4557d18021966fc29f2bf
SSDEEP

6144:OKpb8rGYrMPe3q7Q0XV5xtuEsi8/dg8yY+TAQXTHGUMEyP5p6f5jQmh:nbGUMVWlbh

Score

10^/10

emotet banker persistence trojan

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

http://kabaruntukrakyat.com/wp-content/B9oJ0jh/

xlm40.dropper

http://coinkub.com/wp-content/WwrJvjumS/

xlm40.dropper

https://aberractivity.hu/iqq/Dmtv/

xlm40.dropper

https://anamafegarcia.es/css/HfFXMTXvc40t/

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4336	2692	regsvr32.exe	65
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4484	2692	regsvr32.exe	65
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1276	2692	regsvr32.exe	65
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3320	2692	regsvr32.exe	65

Downloads MZ/PE file

Loads dropped DLL 4 IoCs

pid	Process
4336	regsvr32.exe
4484	regsvr32.exe
1276	regsvr32.exe
3320	regsvr32.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PCfVLdXlFJVLzz.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\JMxqfkOskgJ\\PCfVLdXlFJVLzz.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fhfEQVjOLLQ.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\PFlrEzZjaIANbNTUI\\fhfEQVjOLLQ.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ycJGYzSVmmjz.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\IrQUGdWYuXODUan\\ycJGYzSVmmjz.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KKaS.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\IZKpQ\\KKaS.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2692	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
4336	regsvr32.exe
4336	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4484	regsvr32.exe
4484	regsvr32.exe
1596	regsvr32.exe
1596	regsvr32.exe
1596	regsvr32.exe
1596	regsvr32.exe
1276	regsvr32.exe
1276	regsvr32.exe
588	regsvr32.exe
588	regsvr32.exe
588	regsvr32.exe
588	regsvr32.exe
3320	regsvr32.exe
3320	regsvr32.exe
2088	regsvr32.exe
2088	regsvr32.exe
2088	regsvr32.exe
2088	regsvr32.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2692	EXCEL.EXE
2692	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2692	EXCEL.EXE
2692	EXCEL.EXE
2692	EXCEL.EXE
2692	EXCEL.EXE
2692	EXCEL.EXE
2692	EXCEL.EXE
2692	EXCEL.EXE
2692	EXCEL.EXE
2692	EXCEL.EXE
2692	EXCEL.EXE
2692	EXCEL.EXE
2692	EXCEL.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 4336	2692	EXCEL.EXE	70
PID 2692 wrote to memory of 4336	2692	EXCEL.EXE	70
PID 4336 wrote to memory of 4372	4336	regsvr32.exe	73
PID 4336 wrote to memory of 4372	4336	regsvr32.exe	73
PID 2692 wrote to memory of 4484	2692	EXCEL.EXE	76
PID 2692 wrote to memory of 4484	2692	EXCEL.EXE	76
PID 4484 wrote to memory of 1596	4484	regsvr32.exe	77
PID 4484 wrote to memory of 1596	4484	regsvr32.exe	77
PID 2692 wrote to memory of 1276	2692	EXCEL.EXE	78
PID 2692 wrote to memory of 1276	2692	EXCEL.EXE	78
PID 1276 wrote to memory of 588	1276	regsvr32.exe	79
PID 1276 wrote to memory of 588	1276	regsvr32.exe	79
PID 2692 wrote to memory of 3320	2692	EXCEL.EXE	80
PID 2692 wrote to memory of 3320	2692	EXCEL.EXE	80
PID 3320 wrote to memory of 2088	3320	regsvr32.exe	81
PID 3320 wrote to memory of 2088	3320	regsvr32.exe	81

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\2b96a73c331374ca1a4c176638e13b4d6317f8bac8f98a08663c818f6e62e217.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv1.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4336
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\JMxqfkOskgJ\PCfVLdXlFJVLzz.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:4372
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv2.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4484
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\PFlrEzZjaIANbNTUI\fhfEQVjOLLQ.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:1596
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv3.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1276
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\IrQUGdWYuXODUan\ycJGYzSVmmjz.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:588
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv4.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3320
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\IZKpQ\KKaS.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:2088

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\oxnv1.ooccxx

Filesize
712KB

MD5
32c45df531e9471273b543acb290acee

SHA1
e2b57e14c4913c652832d60a6634758aa0a261e7

SHA256
a12ebc1c256883ba7796b3ceeddc71a4136ac95c3a7ca0a52e1ed744ea280940

SHA512
1737a91d8afaeea222f81894696dffa9076915664a8749e6f45de3aca0d4adfd12ffe3be6b3962884561a7980ba366ea8e863c66f5a8b380ca78cddacc8d76a7

Download Submit
C:\Users\Admin\oxnv2.ooccxx

Filesize
712KB

MD5
cf603cab109f57cfb86993904419853b

SHA1
2bff43f93512d0d263bec31c2362e0b6c5c65fae

SHA256
e86640f39cf948882b5279211899a3adddd70645d23bacd042cc259a9478507b

SHA512
58e89a49c6a911869a641e944eb456b97d8f51abfe9e8cd3cbe4577dbfc5b260a01f755f60903a452c271080380b8b5356523b320427d09ff5bd60d2d680dd4e

Download Submit
C:\Users\Admin\oxnv3.ooccxx

Filesize
712KB

MD5
a70f389a5e21caf2058755023d352205

SHA1
e23c167b1e40def49be75da572a246b1538202c2

SHA256
fc4abf959e5e3b439e9ad851c8b18994356b31aea65f17ce7be47aeb27550bbf

SHA512
f307fc7293fd757509fc91e6691a613b21aa236b39199346eb3f282ef122fa0c7c420f41e1a3eac032861ddd8276da459f961d1670f6403fadf49e0bdbf59f08

Download Submit
C:\Users\Admin\oxnv4.ooccxx

Filesize
712KB

MD5
0652001976b99a08a37249b36c525885

SHA1
2d52741e321c88e8283d2de6ff1c0e4d5fcdd158

SHA256
7e273ef9ee5e9e7c74a9f03a367de261aaed9a2437a83bda7bba966cf5cad6f2

SHA512
4c18a1acdba2798801afe43dd7ad7898b3ee9d1ba9083c7b2597d177bf2ea95f5d6b2fc2e8d002d8243a17324076dcecd1abbeda2d2c67b4a262d52d7b711f45

Download Submit
\Users\Admin\oxnv1.ooccxx

Filesize
712KB

MD5
32c45df531e9471273b543acb290acee

SHA1
e2b57e14c4913c652832d60a6634758aa0a261e7

SHA256
a12ebc1c256883ba7796b3ceeddc71a4136ac95c3a7ca0a52e1ed744ea280940

SHA512
1737a91d8afaeea222f81894696dffa9076915664a8749e6f45de3aca0d4adfd12ffe3be6b3962884561a7980ba366ea8e863c66f5a8b380ca78cddacc8d76a7

Download Submit
\Users\Admin\oxnv2.ooccxx

Filesize
712KB

MD5
cf603cab109f57cfb86993904419853b

SHA1
2bff43f93512d0d263bec31c2362e0b6c5c65fae

SHA256
e86640f39cf948882b5279211899a3adddd70645d23bacd042cc259a9478507b

SHA512
58e89a49c6a911869a641e944eb456b97d8f51abfe9e8cd3cbe4577dbfc5b260a01f755f60903a452c271080380b8b5356523b320427d09ff5bd60d2d680dd4e

Download Submit
\Users\Admin\oxnv3.ooccxx

Filesize
712KB

MD5
a70f389a5e21caf2058755023d352205

SHA1
e23c167b1e40def49be75da572a246b1538202c2

SHA256
fc4abf959e5e3b439e9ad851c8b18994356b31aea65f17ce7be47aeb27550bbf

SHA512
f307fc7293fd757509fc91e6691a613b21aa236b39199346eb3f282ef122fa0c7c420f41e1a3eac032861ddd8276da459f961d1670f6403fadf49e0bdbf59f08

Download Submit
\Users\Admin\oxnv4.ooccxx

Filesize
712KB

MD5
0652001976b99a08a37249b36c525885

SHA1
2d52741e321c88e8283d2de6ff1c0e4d5fcdd158

SHA256
7e273ef9ee5e9e7c74a9f03a367de261aaed9a2437a83bda7bba966cf5cad6f2

SHA512
4c18a1acdba2798801afe43dd7ad7898b3ee9d1ba9083c7b2597d177bf2ea95f5d6b2fc2e8d002d8243a17324076dcecd1abbeda2d2c67b4a262d52d7b711f45

Download Submit
memory/2692-118-0x00007FF871D50000-0x00007FF871D60000-memory.dmp

Filesize
64KB

Download
memory/2692-361-0x00007FF871D50000-0x00007FF871D60000-memory.dmp

Filesize
64KB

Download
memory/2692-364-0x00007FF871D50000-0x00007FF871D60000-memory.dmp

Filesize
64KB

Download
memory/2692-363-0x00007FF871D50000-0x00007FF871D60000-memory.dmp

Filesize
64KB

Download
memory/2692-127-0x00007FF86E3D0000-0x00007FF86E3E0000-memory.dmp

Filesize
64KB

Download
memory/2692-362-0x00007FF871D50000-0x00007FF871D60000-memory.dmp

Filesize
64KB

Download
memory/2692-115-0x00007FF871D50000-0x00007FF871D60000-memory.dmp

Filesize
64KB

Download
memory/2692-128-0x00007FF86E3D0000-0x00007FF86E3E0000-memory.dmp

Filesize
64KB

Download
memory/2692-117-0x00007FF871D50000-0x00007FF871D60000-memory.dmp

Filesize
64KB

Download
memory/2692-116-0x00007FF871D50000-0x00007FF871D60000-memory.dmp

Filesize
64KB

Download
memory/4336-273-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads