a7d4e5a49d72ebfe3970d430a9dbeb51e548b8b25dfb8132af6dd2fe33ab36e2

General

Target

a7d4e5a49d72ebfe3970d430a9dbeb51e548b8b25dfb8132af6dd2fe33ab36e2
Sample

191008-5z1jsq6d9a
SHA256

a7d4e5a49d72ebfe3970d430a9dbeb51e548b8b25dfb8132af6dd2fe33ab36e2

Score

N/A

Malware Config

Extracted

Family

emotet

C2

http://173.249.157.58:8080/

http://91.109.5.28:8080/

http://108.179.216.46:8080/

http://70.45.30.28/

http://51.38.134.203:8080/

http://181.97.70.132:8080/

http://203.99.182.135:443/

http://176.58.93.123/

http://95.216.207.86:7080/

http://200.114.134.8:20/

http://138.197.140.163:8080/

http://212.112.113.235/

http://192.241.220.183:8080/

http://94.177.253.126/

http://186.10.16.244:53/

http://181.57.102.203:8080/

http://190.55.86.138:8443/

http://93.78.205.196:443/

http://181.53.252.85:990/

http://110.36.234.146/

Signatures

Suspicious use of WriteProcessMemory 6 IoCs

at	description	Process	procid_target
1641	PID 1020 wrote to memory of 2144	a7d4e5a49d72ebfe3970d430a9dbeb51e548b8b25dfb8132af6dd2fe33ab36e2.exe	38
12391	PID 1652 wrote to memory of 3624	tabletmspterm.exe	41
39734	PID 3624 wrote to memory of 2980	tabletmspterm.exe	42
41719	PID 2980 wrote to memory of 3856	cxy2VpXWtAA4MbmZs.exe	43
53203	PID 3856 wrote to memory of 3860	그다수특리고있즐래.exe	44
53219	PID 3856 wrote to memory of 3860	그다수특리고있즐래.exe	44

Emotet Sync 1 IoCs

trojan banker

description	ioc	Process
Event created	Global\E145925EC	a7d4e5a49d72ebfe3970d430a9dbeb51e548b8b25dfb8132af6dd2fe33ab36e2.exe

Suspicious behavior: EmotetMutantsSpam

Drops file in system dir 19 IoCs

at	description	ioc	Process
8281	File renamed	C:\Users\Admin\AppData\Local\Temp\a7d4e5a49d72ebfe3970d430a9dbeb51e548b8b25dfb8132af6dd2fe33ab36e2.exe => C:\Windows\SysWOW64\tabletmspterm.exe	a7d4e5a49d72ebfe3970d430a9dbeb51e548b8b25dfb8132af6dd2fe33ab36e2.exe
37156	File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	tabletmspterm.exe
37391	File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	tabletmspterm.exe
37391	File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	tabletmspterm.exe
37406	File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	tabletmspterm.exe
37406	File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	tabletmspterm.exe
39656	File created (read-only)	C:\Windows\TEMP\310D.tmp	tabletmspterm.exe
39656	File created (read-only)	C:\Windows\TEMP\310E.tmp	tabletmspterm.exe
39656	File deleted	C:\Windows\Temp\310D.tmp	tabletmspterm.exe
39656	File deleted	C:\Windows\Temp\310E.tmp	tabletmspterm.exe
39781	File created (read-only)	C:\Windows\TEMP\318C.tmp	tabletmspterm.exe
39781	File deleted	C:\Windows\Temp\318C.tmp	tabletmspterm.exe
39891	File created	C:\Windows\SysWOW64\tabletmsptermb.exe	tabletmspterm.exe
39891	File opened for modification	C:\Windows\SysWOW64\tabletmsptermb.exe	tabletmspterm.exe
39891	File created	C:\Windows\SysWOW64\tabletmspterma.exe	tabletmspterm.exe
39891	File opened for modification	C:\Windows\SysWOW64\tabletmspterma.exe	tabletmspterm.exe
39969	File deleted	C:\Windows\SysWOW64\tabletmsptermb.exe	tabletmspterm.exe
39969	File deleted	C:\Windows\SysWOW64\tabletmspterma.exe	tabletmspterm.exe
56594	File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe

Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken 1 IoCs

at	description	Process
53906	Token: SeTcbPrivilege	svchost.exe

Uses Task Scheduler COM API 1 TTPs 14 IoCs

persistence

Query Registry

T1012

at	description	ioc	Process
53922	Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	svchost.exe
53922	Key queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	svchost.exe
53922	Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	svchost.exe
53922	Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\	svchost.exe
53922	Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	svchost.exe
53922	Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32\InprocServer32	svchost.exe
53922	Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32\	svchost.exe
53922	Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32\ThreadingModel	svchost.exe
53922	Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	svchost.exe
53922	Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	svchost.exe
53922	Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	svchost.exe
53922	Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\AppID	svchost.exe
53922	Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	svchost.exe
53922	Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	svchost.exe

Trickbot persistence files 1 IoCs

trojan banker

at	ioc	Process
54828	C:\Users\Admin\AppData\Roaming\netcloud\Data\	svchost.exe

emotet family
family

C:\Users\Admin\AppData\Local\Temp\a7d4e5a49d72ebfe3970d430a9dbeb51e548b8b25dfb8132af6dd2fe33ab36e2.exe
"C:\Users\Admin\AppData\Local\Temp\a7d4e5a49d72ebfe3970d430a9dbeb51e548b8b25dfb8132af6dd2fe33ab36e2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1020

C:\Users\Admin\AppData\Local\Temp\a7d4e5a49d72ebfe3970d430a9dbeb51e548b8b25dfb8132af6dd2fe33ab36e2.exe
--bcf840b8
1⤵
- Emotet Sync
- Drops file in system dir
PID:2144

C:\Windows\SysWOW64\tabletmspterm.exe
"C:\Windows\SysWOW64\tabletmspterm.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\SysWOW64\tabletmspterm.exe
--356fff06
1⤵
- Suspicious use of WriteProcessMemory
- Drops file in system dir
PID:3624

C:\ProgramData\cxy2VpXWtAA4MbmZs.exe
"C:\ProgramData\cxy2VpXWtAA4MbmZs.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2980

C:\ProgramData\그다수특리고있즐래.exe
"C:\ProgramData\그다수특리고있즐래.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
1⤵
- Drops file in system dir
- Suspicious use of AdjustPrivilegeToken
- Uses Task Scheduler COM API
- Trickbot persistence files
PID:3860

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1652-3-0x0000000000D40000-0x0000000000D56000-memory.dmp

Filesize
88KB

Download
memory/2144-2-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3624-5-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3856-6-0x0000000000F00000-0x0000000000F2D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing