emotet | f652524ac5e433d6debdbdd7832ab99d119c572314e157cc5858095ddca23153

General

Target

f652524ac5e433d6debdbdd7832ab99d119c572314e157cc5858095ddca23153.xls
Size

217KB
MD5

9ff837252c8480f5bed617ffea3ceb4b
SHA1

8e300e69f3de75c78d4be89310519a7ab3f7c712
SHA256

f652524ac5e433d6debdbdd7832ab99d119c572314e157cc5858095ddca23153
SHA512

376bb451aa8c5bcd642053601109f7383bbadcded8a6ca645d323a8b15e61e3c33dce971325fb16a31023071536ca145d77f0a7b4df1995e611d7f9945cf930b
SSDEEP

6144:OKpb8rGYrMPe3q7Q0XV5xtuEsi8/dgIyY+TAQXTHGUMEyP5p6f5jQmb:bbGUMVWlbb

Score

10^/10

emotet banker persistence trojan

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

https://aprendeconmireia.com/images/wBu/

xlm40.dropper

http://updailymail.com/cgi-bin/gBYmfqRi2utIS2n/

xlm40.dropper

https://akuntansi.itny.ac.id/asset/9aVFvYeaSKOhGBSLx/

xlm40.dropper

http://swiftwebbox.com/cgi-bin/vNqoMtQilpysJYRwtGu/

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4920	3528	regsvr32.exe	65
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	416	3528	regsvr32.exe	65
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	304	3528	regsvr32.exe	65
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	916	3528	regsvr32.exe	65

Downloads MZ/PE file

Loads dropped DLL 4 IoCs

pid	Process
4920	regsvr32.exe
416	regsvr32.exe
304	regsvr32.exe
916	regsvr32.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DPKyFwHZ.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\AgZzhBKonfEeGMOVW\\DPKyFwHZ.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ZQtjdxhwnqqUqzm.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\NTGxboer\\ZQtjdxhwnqqUqzm.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aexLWyYK.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\VhhhSVvKKbHfAESFy\\aexLWyYK.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\joKSLFxXxtehN.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\XVcYYVZLvvnPuqN\\joKSLFxXxtehN.dll\""	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3528	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
4920	regsvr32.exe
4920	regsvr32.exe
1012	regsvr32.exe
1012	regsvr32.exe
1012	regsvr32.exe
1012	regsvr32.exe
416	regsvr32.exe
416	regsvr32.exe
1748	regsvr32.exe
1748	regsvr32.exe
1748	regsvr32.exe
1748	regsvr32.exe
304	regsvr32.exe
304	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
916	regsvr32.exe
916	regsvr32.exe
2016	regsvr32.exe
2016	regsvr32.exe
2016	regsvr32.exe
2016	regsvr32.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3528	EXCEL.EXE
3528	EXCEL.EXE
3528	EXCEL.EXE
3528	EXCEL.EXE
3528	EXCEL.EXE
3528	EXCEL.EXE
3528	EXCEL.EXE
3528	EXCEL.EXE
3528	EXCEL.EXE
3528	EXCEL.EXE
3528	EXCEL.EXE
3528	EXCEL.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3528 wrote to memory of 4920	3528	EXCEL.EXE	70
PID 3528 wrote to memory of 4920	3528	EXCEL.EXE	70
PID 4920 wrote to memory of 1012	4920	regsvr32.exe	74
PID 4920 wrote to memory of 1012	4920	regsvr32.exe	74
PID 3528 wrote to memory of 416	3528	EXCEL.EXE	75
PID 3528 wrote to memory of 416	3528	EXCEL.EXE	75
PID 416 wrote to memory of 1748	416	regsvr32.exe	77
PID 416 wrote to memory of 1748	416	regsvr32.exe	77
PID 3528 wrote to memory of 304	3528	EXCEL.EXE	78
PID 3528 wrote to memory of 304	3528	EXCEL.EXE	78
PID 304 wrote to memory of 2812	304	regsvr32.exe	79
PID 304 wrote to memory of 2812	304	regsvr32.exe	79
PID 3528 wrote to memory of 916	3528	EXCEL.EXE	80
PID 3528 wrote to memory of 916	3528	EXCEL.EXE	80
PID 916 wrote to memory of 2016	916	regsvr32.exe	81
PID 916 wrote to memory of 2016	916	regsvr32.exe	81

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\f652524ac5e433d6debdbdd7832ab99d119c572314e157cc5858095ddca23153.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3528
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv1.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4920
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\XVcYYVZLvvnPuqN\joKSLFxXxtehN.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:1012
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv2.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:416
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\AgZzhBKonfEeGMOVW\DPKyFwHZ.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:1748
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv3.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:304
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\NTGxboer\ZQtjdxhwnqqUqzm.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:2812
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv4.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:916
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\VhhhSVvKKbHfAESFy\aexLWyYK.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:2016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\oxnv1.ooccxx

Filesize
712KB

MD5
e023587bb2d54228df1a82810e24d687

SHA1
02322b54242b8204c4fd94fca39334f9a851b514

SHA256
7fe6a92e994ab11c2abafb21ead3d35fcc260c443784029e9682b3b832657630

SHA512
01e049b894495fc50cadb301a96bfa9793e12167fb6e380da363e7f412f16fa47f3eee9872fe6300cdbbd5e59e0b2711d834e070b5c1d84755d73cb609dbfe6b

Download Submit
C:\Users\Admin\oxnv2.ooccxx

Filesize
712KB

MD5
f3ca58088f88fb622b3b972f120b924b

SHA1
7fb7c0c97df8abd3e83df0dd2c75e11a09579b52

SHA256
cd4f8463e4b2bcb6e57339317821bd527f0ba85212507bb4efcfd16dd82c8224

SHA512
265fb89396fdb2b0fdb366a633d87e903b8a8b8ac2546562c1de3dc9ae90c0b80a987cc1850f028bdf6a263b5d808314c8c7e58faada6992d7c7a3199513a455

Download Submit
C:\Users\Admin\oxnv3.ooccxx

Filesize
712KB

MD5
299bd2bff16c0ad811b9b9e822f96789

SHA1
cbd9b68c1edc2ea9faa82beb35e54e9ad2ae1919

SHA256
3d0477391780d587effb3a5cf7015e27a1ed0f96656ff08ca67f4177fb33f53e

SHA512
64e2243dcb05b48edff1f9d75e487fbb9314f2021ce1b98843e3d3178b8c6479f8abf44fc0fc2c14c2ec22a0f4490c5272f2d30e93579e0572437170b8385159

Download Submit
C:\Users\Admin\oxnv4.ooccxx

Filesize
712KB

MD5
e277c2152f833cddd273eff6120e2352

SHA1
a29280d004d15cfc19eac41f2323bf67f1e0d86d

SHA256
179c5db160043b5a67b94a9083d543dd53265bf8fb6f7027cbf380e828ab0136

SHA512
44fdfd6d749fe01002584cb7bd98f145915f77e4d3ab2a4908a72600000bed486ded8dcc7e6d94e0af4b063dbd1c13755155ff82b39f892235f3bae65f9d50a3

Download Submit
\Users\Admin\oxnv1.ooccxx

Filesize
712KB

MD5
e023587bb2d54228df1a82810e24d687

SHA1
02322b54242b8204c4fd94fca39334f9a851b514

SHA256
7fe6a92e994ab11c2abafb21ead3d35fcc260c443784029e9682b3b832657630

SHA512
01e049b894495fc50cadb301a96bfa9793e12167fb6e380da363e7f412f16fa47f3eee9872fe6300cdbbd5e59e0b2711d834e070b5c1d84755d73cb609dbfe6b

Download Submit
\Users\Admin\oxnv2.ooccxx

Filesize
712KB

MD5
f3ca58088f88fb622b3b972f120b924b

SHA1
7fb7c0c97df8abd3e83df0dd2c75e11a09579b52

SHA256
cd4f8463e4b2bcb6e57339317821bd527f0ba85212507bb4efcfd16dd82c8224

SHA512
265fb89396fdb2b0fdb366a633d87e903b8a8b8ac2546562c1de3dc9ae90c0b80a987cc1850f028bdf6a263b5d808314c8c7e58faada6992d7c7a3199513a455

Download Submit
\Users\Admin\oxnv3.ooccxx

Filesize
712KB

MD5
299bd2bff16c0ad811b9b9e822f96789

SHA1
cbd9b68c1edc2ea9faa82beb35e54e9ad2ae1919

SHA256
3d0477391780d587effb3a5cf7015e27a1ed0f96656ff08ca67f4177fb33f53e

SHA512
64e2243dcb05b48edff1f9d75e487fbb9314f2021ce1b98843e3d3178b8c6479f8abf44fc0fc2c14c2ec22a0f4490c5272f2d30e93579e0572437170b8385159

Download Submit
\Users\Admin\oxnv4.ooccxx

Filesize
712KB

MD5
e277c2152f833cddd273eff6120e2352

SHA1
a29280d004d15cfc19eac41f2323bf67f1e0d86d

SHA256
179c5db160043b5a67b94a9083d543dd53265bf8fb6f7027cbf380e828ab0136

SHA512
44fdfd6d749fe01002584cb7bd98f145915f77e4d3ab2a4908a72600000bed486ded8dcc7e6d94e0af4b063dbd1c13755155ff82b39f892235f3bae65f9d50a3

Download Submit
memory/3528-131-0x00007FF84DFE0000-0x00007FF84DFF0000-memory.dmp

Filesize
64KB

Download
memory/3528-118-0x00007FF851770000-0x00007FF851780000-memory.dmp

Filesize
64KB

Download
memory/3528-130-0x00007FF84DFE0000-0x00007FF84DFF0000-memory.dmp

Filesize
64KB

Download
memory/3528-121-0x00007FF851770000-0x00007FF851780000-memory.dmp

Filesize
64KB

Download
memory/3528-120-0x00007FF851770000-0x00007FF851780000-memory.dmp

Filesize
64KB

Download
memory/3528-119-0x00007FF851770000-0x00007FF851780000-memory.dmp

Filesize
64KB

Download
memory/3528-366-0x00007FF851770000-0x00007FF851780000-memory.dmp

Filesize
64KB

Download
memory/3528-367-0x00007FF851770000-0x00007FF851780000-memory.dmp

Filesize
64KB

Download
memory/3528-368-0x00007FF851770000-0x00007FF851780000-memory.dmp

Filesize
64KB

Download
memory/3528-369-0x00007FF851770000-0x00007FF851780000-memory.dmp

Filesize
64KB

Download
memory/4920-286-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads