emotet | 5aaa31da026146d5d138c79ece5c5b609c043250d9642fa9a7b6288f5f3b13e4

General

Target

5aaa31da026146d5d138c79ece5c5b609c043250d9642fa9a7b6288f5f3b13e4
Sample

191031-fl2t4k1m42
SHA256

5aaa31da026146d5d138c79ece5c5b609c043250d9642fa9a7b6288f5f3b13e4

Score

N/A

Malware Config

Extracted

Family

emotet

C2

192.241.220.155:8080

167.99.105.223:7080

176.31.200.130:8080

212.129.24.79:8080

94.177.216.217:8080

46.105.131.87:80

133.167.80.63:7080

167.71.10.37:8080

87.106.139.101:8080

144.139.247.220:80

217.160.182.191:8080

200.71.148.138:8080

186.4.172.5:8080

95.128.43.213:8080

27.147.163.188:8080

209.141.41.136:8080

186.4.172.5:20

115.78.95.230:443

104.236.246.93:8080

31.12.67.62:7080

rsa_pubkey.plain

Signatures

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

5aaa31da026146d5d138c79ece5c5b609c043250d9642fa9a7b6288f5f3b13e4.exeSppExtComObj.exeplainteapot.exe

description	pid	process	target process
PID 5048 wrote to memory of 5076	5048	5aaa31da026146d5d138c79ece5c5b609c043250d9642fa9a7b6288f5f3b13e4.exe	5aaa31da026146d5d138c79ece5c5b609c043250d9642fa9a7b6288f5f3b13e4.exe
PID 3024 wrote to memory of 404	3024	SppExtComObj.exe	SLUI.exe
PID 4532 wrote to memory of 4604	4532	plainteapot.exe	plainteapot.exe

Emotet Sync 1 IoCs
trojan banker

Processes:

5aaa31da026146d5d138c79ece5c5b609c043250d9642fa9a7b6288f5f3b13e4.exe

description ioc pid process

Event created Global\EEE599D15 5076 5aaa31da026146d5d138c79ece5c5b609c043250d9642fa9a7b6288f5f3b13e4.exe
Suspicious behavior: EmotetMutantsSpam 2 IoCs

Processes:

5aaa31da026146d5d138c79ece5c5b609c043250d9642fa9a7b6288f5f3b13e4.exeplainteapot.exe

pid process

5076 5aaa31da026146d5d138c79ece5c5b609c043250d9642fa9a7b6288f5f3b13e4.exe
4604 plainteapot.exe

description	ioc	pid	process
Event created	Global\EEE599D15	5076	5aaa31da026146d5d138c79ece5c5b609c043250d9642fa9a7b6288f5f3b13e4.exe

pid	process
5076	5aaa31da026146d5d138c79ece5c5b609c043250d9642fa9a7b6288f5f3b13e4.exe
4604	plainteapot.exe

Drops file in system dir 6 IoCs

Processes:

5aaa31da026146d5d138c79ece5c5b609c043250d9642fa9a7b6288f5f3b13e4.exeplainteapot.exe

description	ioc	pid	process
File renamed	C:\Users\Admin\AppData\Local\Temp\5aaa31da026146d5d138c79ece5c5b609c043250d9642fa9a7b6288f5f3b13e4.exe => C:\Windows\SysWOW64\plainteapot.exe	5076	5aaa31da026146d5d138c79ece5c5b609c043250d9642fa9a7b6288f5f3b13e4.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	4604	plainteapot.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	4604	plainteapot.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	4604	plainteapot.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	4604	plainteapot.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	4604	plainteapot.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

5aaa31da026146d5d138c79ece5c5b609c043250d9642fa9a7b6288f5f3b13e4.exe

pid process

5076 5aaa31da026146d5d138c79ece5c5b609c043250d9642fa9a7b6288f5f3b13e4.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

plainteapot.exe

pid process

4604 plainteapot.exe
emotet family
family emotet

pid	process
5076	5aaa31da026146d5d138c79ece5c5b609c043250d9642fa9a7b6288f5f3b13e4.exe

pid	process
4604	plainteapot.exe

C:\Users\Admin\AppData\Local\Temp\5aaa31da026146d5d138c79ece5c5b609c043250d9642fa9a7b6288f5f3b13e4.exe
"C:\Users\Admin\AppData\Local\Temp\5aaa31da026146d5d138c79ece5c5b609c043250d9642fa9a7b6288f5f3b13e4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5048

C:\Users\Admin\AppData\Local\Temp\5aaa31da026146d5d138c79ece5c5b609c043250d9642fa9a7b6288f5f3b13e4.exe
--be2b027a
1⤵
- Emotet Sync
- Suspicious behavior: EmotetMutantsSpam
- Drops file in system dir
- Suspicious behavior: RenamesItself
PID:5076

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:3024

C:\Windows\System32\SLUI.exe
"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
1⤵
PID:404

C:\Windows\SysWOW64\plainteapot.exe
"C:\Windows\SysWOW64\plainteapot.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4532

C:\Windows\SysWOW64\plainteapot.exe
--cdbfb265
1⤵
- Suspicious behavior: EmotetMutantsSpam
- Drops file in system dir
- Suspicious behavior: EnumeratesProcesses
PID:4604

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
PID:4664

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:4756

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\403f0cc78adafaecdb503a6c6424923d_293fa5bd-edfb-4bba-800e-a7dce3ea3438

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-634046074-2673730973-2644684987-1000\0f5007522459c86e95ffcc62f32308f1_293fa5bd-edfb-4bba-800e-a7dce3ea3438

Download Submit
memory/4604-6-0x00000000001A0000-0x00000000001B7000-memory.dmp

Filesize
92KB

Download
memory/4604-7-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5048-0-0x0000000000F90000-0x0000000000FA7000-memory.dmp

Filesize
92KB

Download
memory/5076-2-0x00000000006A0000-0x00000000006B7000-memory.dmp

Filesize
92KB

Download
memory/5076-3-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing