emotet | e2dee1d55c2627c0130f9bd086dad906430111e5fb5475ad5d0ca1c04b7d3bd1

General

Target

e2dee1d55c2627c0130f9bd086dad906430111e5fb5475ad5d0ca1c04b7d3bd1.xls
Size

217KB
MD5

3a5b04209fd302f301e77aafda7cf1e7
SHA1

b61497c6fcc2cfb7f79fd8c3f24a35d662c1c5f5
SHA256

e2dee1d55c2627c0130f9bd086dad906430111e5fb5475ad5d0ca1c04b7d3bd1
SHA512

93346396b7e06735be3610509dc41bf0e32c1e3c8101369c3aedbb423343e20ecd6da6a2fe758bc7c0b20e23307b1e64cc9f30436829f9ab8b6bbd112a987c6b
SSDEEP

6144:OKpb8rGYrMPe3q7Q0XV5xtuEsi8/dg8yY+TAQXTHGUMEyP5p6f5jQmB:nbGUMVWlbB

Score

10^/10

emotet banker persistence trojan

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

http://kabaruntukrakyat.com/wp-content/B9oJ0jh/

xlm40.dropper

http://coinkub.com/wp-content/WwrJvjumS/

xlm40.dropper

https://aberractivity.hu/iqq/Dmtv/

xlm40.dropper

https://anamafegarcia.es/css/HfFXMTXvc40t/

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4656	4944	regsvr32.exe	65
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	5064	4944	regsvr32.exe	65
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2180	4944	regsvr32.exe	65
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2712	4944	regsvr32.exe	65

Downloads MZ/PE file

Loads dropped DLL 4 IoCs

pid	Process
4656	regsvr32.exe
5064	regsvr32.exe
2180	regsvr32.exe
2712	regsvr32.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FLETPPVFS.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\YeHTC\\FLETPPVFS.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TgxnBR.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\NVZqlEqUxxmQGUwF\\TgxnBR.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QdoOyeW.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\ZPXUghaUwoBbMuyJ\\QdoOyeW.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lAUilWdriyHopz.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\TWSFcfMfJGMA\\lAUilWdriyHopz.dll\""	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4944	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
4656	regsvr32.exe
4656	regsvr32.exe
4676	regsvr32.exe
4676	regsvr32.exe
4676	regsvr32.exe
4676	regsvr32.exe
5064	regsvr32.exe
5064	regsvr32.exe
4928	regsvr32.exe
4928	regsvr32.exe
4928	regsvr32.exe
4928	regsvr32.exe
2180	regsvr32.exe
2180	regsvr32.exe
4700	regsvr32.exe
4700	regsvr32.exe
4700	regsvr32.exe
4700	regsvr32.exe
2712	regsvr32.exe
2712	regsvr32.exe
4100	regsvr32.exe
4100	regsvr32.exe
4100	regsvr32.exe
4100	regsvr32.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4944	EXCEL.EXE
4944	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4944	EXCEL.EXE
4944	EXCEL.EXE
4944	EXCEL.EXE
4944	EXCEL.EXE
4944	EXCEL.EXE
4944	EXCEL.EXE
4944	EXCEL.EXE
4944	EXCEL.EXE
4944	EXCEL.EXE
4944	EXCEL.EXE
4944	EXCEL.EXE
4944	EXCEL.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4944 wrote to memory of 4656	4944	EXCEL.EXE	68
PID 4944 wrote to memory of 4656	4944	EXCEL.EXE	68
PID 4656 wrote to memory of 4676	4656	regsvr32.exe	70
PID 4656 wrote to memory of 4676	4656	regsvr32.exe	70
PID 4944 wrote to memory of 5064	4944	EXCEL.EXE	71
PID 4944 wrote to memory of 5064	4944	EXCEL.EXE	71
PID 5064 wrote to memory of 4928	5064	regsvr32.exe	72
PID 5064 wrote to memory of 4928	5064	regsvr32.exe	72
PID 4944 wrote to memory of 2180	4944	EXCEL.EXE	73
PID 4944 wrote to memory of 2180	4944	EXCEL.EXE	73
PID 2180 wrote to memory of 4700	2180	regsvr32.exe	74
PID 2180 wrote to memory of 4700	2180	regsvr32.exe	74
PID 4944 wrote to memory of 2712	4944	EXCEL.EXE	75
PID 4944 wrote to memory of 2712	4944	EXCEL.EXE	75
PID 2712 wrote to memory of 4100	2712	regsvr32.exe	76
PID 2712 wrote to memory of 4100	2712	regsvr32.exe	76

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\e2dee1d55c2627c0130f9bd086dad906430111e5fb5475ad5d0ca1c04b7d3bd1.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv1.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4656
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\TWSFcfMfJGMA\lAUilWdriyHopz.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:4676
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv2.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5064
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\YeHTC\FLETPPVFS.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:4928
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv3.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\NVZqlEqUxxmQGUwF\TgxnBR.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:4700
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv4.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ZPXUghaUwoBbMuyJ\QdoOyeW.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:4100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\oxnv1.ooccxx

Filesize
712KB

MD5
895e11ac1fb5cf7206f9e5fd3cde3e33

SHA1
937fb8b78a28caa2bdcd60f53981375abdb86b17

SHA256
86c3fd454436c21b8ca7ef3b9a10c95b3afcf79107b7e393e0eba1e4192ae6a1

SHA512
1f5c7f1d26bd294d52f429d746aab67b2d1b68c5e960dffccc4de16d2e65c5eba562e321b1affd54abf664e50144c28adc73eb4379c64b2ae2df1fb3d4979cb9

Download Submit
C:\Users\Admin\oxnv2.ooccxx

Filesize
712KB

MD5
2de0722935441c50d1f3462519ad819e

SHA1
c26d24f0cf1fca99c3ce4347f39e07629d48cc3d

SHA256
4d7194ff286d001145a1082ee4902417651fccfbd56811529c6c0468e7bb8cda

SHA512
516e55cc2565637af7cb57a54575626b148a6b3dc557d9b2cdb7deccd9b600dc7c1b7f64e6b356c73c3f261006b24370ece36953e7ebd60a77ade8edc436a9b7

Download Submit
C:\Users\Admin\oxnv3.ooccxx

Filesize
712KB

MD5
015305f9a2e760a38cea9bec760edc5c

SHA1
79d6777f02d808909f772d87e318cc6b7a707fe3

SHA256
524675440399f4bb1d7682177237d52ae8e8d6b7cf00ac99f2253a0f08376c98

SHA512
7493236db943ba28b6221ff2621629d883dcf848c2b2809a4df770d13a9b9bd5342c90de63c7531f8f51c31669e37f0cdbb4f359b6fd60cc049645b130e8c81a

Download Submit
C:\Users\Admin\oxnv4.ooccxx

Filesize
712KB

MD5
431d2683822df1856eba08e5e38006d0

SHA1
77e74a340ddb6ed9c5219aaa46f663aa9a4c7749

SHA256
021e5d4a310e83eccdfe7ec940ca1b270e435c3b902581fd90a2a85685aff40c

SHA512
5668455923611eb2fbdf4494444fd944e5cd8a339354fce6bd3f93457c685ff46a2c205098d05cfb56ff84223c4d025c1ab6a81b04fee8f47f2a4c64abedf413

Download Submit
\Users\Admin\oxnv1.ooccxx

Filesize
712KB

MD5
895e11ac1fb5cf7206f9e5fd3cde3e33

SHA1
937fb8b78a28caa2bdcd60f53981375abdb86b17

SHA256
86c3fd454436c21b8ca7ef3b9a10c95b3afcf79107b7e393e0eba1e4192ae6a1

SHA512
1f5c7f1d26bd294d52f429d746aab67b2d1b68c5e960dffccc4de16d2e65c5eba562e321b1affd54abf664e50144c28adc73eb4379c64b2ae2df1fb3d4979cb9

Download Submit
\Users\Admin\oxnv2.ooccxx

Filesize
712KB

MD5
2de0722935441c50d1f3462519ad819e

SHA1
c26d24f0cf1fca99c3ce4347f39e07629d48cc3d

SHA256
4d7194ff286d001145a1082ee4902417651fccfbd56811529c6c0468e7bb8cda

SHA512
516e55cc2565637af7cb57a54575626b148a6b3dc557d9b2cdb7deccd9b600dc7c1b7f64e6b356c73c3f261006b24370ece36953e7ebd60a77ade8edc436a9b7

Download Submit
\Users\Admin\oxnv3.ooccxx

Filesize
712KB

MD5
015305f9a2e760a38cea9bec760edc5c

SHA1
79d6777f02d808909f772d87e318cc6b7a707fe3

SHA256
524675440399f4bb1d7682177237d52ae8e8d6b7cf00ac99f2253a0f08376c98

SHA512
7493236db943ba28b6221ff2621629d883dcf848c2b2809a4df770d13a9b9bd5342c90de63c7531f8f51c31669e37f0cdbb4f359b6fd60cc049645b130e8c81a

Download Submit
\Users\Admin\oxnv4.ooccxx

Filesize
712KB

MD5
431d2683822df1856eba08e5e38006d0

SHA1
77e74a340ddb6ed9c5219aaa46f663aa9a4c7749

SHA256
021e5d4a310e83eccdfe7ec940ca1b270e435c3b902581fd90a2a85685aff40c

SHA512
5668455923611eb2fbdf4494444fd944e5cd8a339354fce6bd3f93457c685ff46a2c205098d05cfb56ff84223c4d025c1ab6a81b04fee8f47f2a4c64abedf413

Download Submit
memory/4656-257-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download
memory/4944-120-0x00007FF9D0A10000-0x00007FF9D0A20000-memory.dmp

Filesize
64KB

Download
memory/4944-133-0x00007FF9CDEC0000-0x00007FF9CDED0000-memory.dmp

Filesize
64KB

Download
memory/4944-132-0x00007FF9CDEC0000-0x00007FF9CDED0000-memory.dmp

Filesize
64KB

Download
memory/4944-123-0x00007FF9D0A10000-0x00007FF9D0A20000-memory.dmp

Filesize
64KB

Download
memory/4944-122-0x00007FF9D0A10000-0x00007FF9D0A20000-memory.dmp

Filesize
64KB

Download
memory/4944-121-0x00007FF9D0A10000-0x00007FF9D0A20000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads