This analysis details how an Emotet intrusion uses obfuscated Excel macros to download an Emotet loader, which is then executed via regsvr32.exe to deploy the payload. It highlights how the loader stores an encrypted payload in its resources and uses a Windows service for persistence, and how Emotet continues to evolve its delivery and obfuscation techniques.
#Emotet #TA542 #MummySpider #Regsvr32 #ExcelMacros
Keypoints
- Obfuscated Excel macros in a spam-delivered XLS document initiate the infection chain.
- The macro downloads the Emotet loader and attempts to execute it via regsvr32.exe, with multiple download/execution attempts.
- The Emotet loader embeds the encrypted payload in its .rsrc section (resource named 7732) and loads it into memory.
- The payload is decrypted in memory and then persisted by writing it to disk as qbknpcdiwaui.dll and creating a Windows service that loads it.
- Persistence through the Windows service, combined with regsvr32-based execution, gives the actor remote access to the host and the ability to load additional modules.
- Emotet continues to evolve its delivery and obfuscation techniques to reduce detection and has historically dropped other malware families (e.g., Qakbot, Cobalt Strike).
- MITRE ATT&CK techniques identified include phishing, user execution, obfuscation, deobfuscation, regsvr32 proxy execution, and web protocol usage; associated indicators and download URLs are provided.
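The chain summarised in the key points (an Office process spawning regsvr32.exe to silently register a module dropped outside the Windows system directories) is the part of the intrusion that is most visible in endpoint telemetry. The following detection logic is an added example written for this page, not code from the EclecticIQ post or from Emotet itself. It assumes Sysmon-style process-creation fields (Image, ParentImage, CommandLine), and the events it is run over are constructed samples, including the loader file name soci2.ocx from the indicators below; the user directory used in the sample is an assumption standing in for "the current directory".

```python
"""Score process-creation events for the Office -> regsvr32 loader pattern.

Added example (not from the original post). Field names follow Sysmon
Event ID 1 conventions; the sample events are constructed, not real telemetry.
"""
import re

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\")
# regsvr32 switches: /s silent, /i[:cmdline] call DllInstall, /n skip
# DllRegisterServer, /u unregister. Anything else is the module path.
SWITCH_RE = re.compile(r"^[/-](s|i(:.*)?|n|u)$", re.IGNORECASE)


def tokens(cmdline):
    """Split a Windows command line, keeping quoted paths as one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def regsvr32_module(cmdline):
    """Return the module path passed to regsvr32, or None if not regsvr32."""
    parts = tokens(cmdline)
    if not parts or basename(parts[0]) != "regsvr32.exe":
        return None
    args = [t for t in parts[1:] if not SWITCH_RE.match(t)]
    return args[0] if args else None


def score(event):
    """Return (points, reasons) for one process-creation event."""
    if basename(event["Image"]) != "regsvr32.exe":
        return 0, []
    points, reasons = 0, []
    parent = basename(event["ParentImage"])
    if parent in OFFICE_PARENTS:          # T1204.002 -> T1218.010 hand-off
        points += 2
        reasons.append(f"spawned by Office process {parent}")
    cmd = event["CommandLine"]
    if any(SWITCH_RE.match(t) and t[1].lower() == "s" for t in tokens(cmd)):
        points += 1
        reasons.append("silent registration (/s)")
    module = regsvr32_module(cmd)
    if module:
        low = module.lower()
        if not low.startswith(SYSTEM_DIRS):
            points += 1
            reasons.append(f"module outside system directories: {module}")
        if any(p in low for p in USER_WRITABLE):
            points += 1
            reasons.append("module in a user-writable location")
    return points, reasons


def detect(events, threshold=3):
    """Return (RecordId, points, reasons) for events at or above threshold.

    A threshold of 3 lets a legitimate installer (msiexec + /s + Program
    Files = 2 points) pass while the Office-spawned loader scores 5.
    """
    hits = []
    for event in events:
        points, reasons = score(event)
        if points >= threshold:
            hits.append((event["RecordId"], points, reasons))
    return hits


SAMPLE_EVENTS = [  # constructed samples, not captured telemetry
    {"RecordId": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": r'C:\Windows\System32\regsvr32.exe /S "C:\Users\alice\Documents\soci2.ocx"'},
    {"RecordId": 2, "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},
    {"RecordId": 3, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c dir"},
    {"RecordId": 4, "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"regsvr32.exe C:\Windows\SysWOW64\msxml3.dll"},
]

if __name__ == "__main__":
    for record_id, points, reasons in detect(SAMPLE_EVENTS):
        print(f"record {record_id}: {points} points")
        for reason in reasons:
            print(f"  - {reason}")
```

Only record 1 crosses the threshold. Note that the loader is an .ocx only by file name; regsvr32 will load any DLL exporting DllRegisterServer, so the logic keys on parent process and module location rather than on the extension, which the actor controls.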
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – The infection begins with a spam email carrying a Microsoft Office XLS document as an attachment. ‘The first stage of an attack likely begins with a spam email delivering a Microsoft Office XLS document as an attachment.’
- [T1204.002] User Execution: Malicious File – The user is prompted to Enable Content; ‘When opened, the document asks the user to ‘Enable Content’, when enabled the macro will execute.’
- [T1543.003] Create or Modify System Process: Windows Service – A Windows service is created to persist the decrypted Emotet payload. ‘Windows service used for Emotet payload persistence.’
- [T1027] Obfuscated Files or Information – The Excel macro obfuscated to hinder analysis. ‘The actor uses various methods to obfuscate the Excel macro making static analysis of the file harder.’
- [T1140] Deobfuscate/Decode Files or Information – The macro reveals deobfuscated functionality. ‘This formula de-obfuscates the functionality of the macro revealing four CALL and EXEC functions.’
- [T1218.010] System Binary Proxy Execution: Regsvr32 – The downloaded loader is executed through regsvr32.exe with the silent /S switch. ‘execute the downloaded Emotet loader using regsvr32.exe with the /S parameter.’
- [T1071.001] Application Layer Protocol: Web Protocols – The macro retrieves the Emotet loader over HTTP(S) using the URLDownloadToFileA API. ‘The macro will then try to download the Emotet Loader using the URLDownloadToFileA function…’
Indicators of Compromise
- [Hash] Excel document – 625121dba58742d70d59010af2a452649101cc0d6a3c956352e0c19bf31c7fc3
- [URL] Download URL – https://cointrade[.]world/receipts/0LjXVwpQrhw/
- [URL] Download URL – http://www.garantihaliyikama[.]com/wp-admin/jp64lssPHEe2ii/
- [URL] Download URL – http://haircutbar[.]com/cgi-bin/BC3WAQ8zJY4ALXA4/
- [URL] Download URL – http://airhobi[.]com/system/WLvH1ygkOYQO/
- [File] soci2.ocx – Loader downloaded and saved as soci2.ocx in the current directory
- [File] qbknpcdiwaui.dll – Decrypted payload mapped into memory and persisted as qbknpcdiwaui.dll
Read more: https://blog.eclecticiq.com/emotet-downloader-document-uses-regsvr32-for-execution