emotet | 65db17f10ed1bf55073c122c9f558f433686dc8897434dea89f0f7e2e3a5fc55

General

Target

65db17f10ed1bf55073c122c9f558f433686dc8897434dea89f0f7e2e3a5fc55
Sample

191101-q36454pewa
SHA256

65db17f10ed1bf55073c122c9f558f433686dc8897434dea89f0f7e2e3a5fc55

Score

N/A

Malware Config

Extracted

Family

emotet

C2

192.241.220.155:8080

167.99.105.223:7080

176.31.200.130:8080

212.129.24.79:8080

94.177.216.217:8080

46.105.131.87:80

133.167.80.63:7080

167.71.10.37:8080

87.106.139.101:8080

144.139.247.220:80

217.160.182.191:8080

200.71.148.138:8080

186.4.172.5:8080

95.128.43.213:8080

27.147.163.188:8080

209.141.41.136:8080

186.4.172.5:20

115.78.95.230:443

104.236.246.93:8080

31.12.67.62:7080

rsa_pubkey.plain

Signatures

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4952 wrote to memory of 5048	4952	65db17f10ed1bf55073c122c9f558f433686dc8897434dea89f0f7e2e3a5fc55.exe	72
PID 4952 wrote to memory of 452	4952	65db17f10ed1bf55073c122c9f558f433686dc8897434dea89f0f7e2e3a5fc55.exe	75
PID 4440 wrote to memory of 4048	4440	SppExtComObj.exe	78
PID 4664 wrote to memory of 4648	4664	plainteapot.exe	81

Suspicious behavior: EmotetMutantsSpam 2 IoCs

pid	Process
452	65db17f10ed1bf55073c122c9f558f433686dc8897434dea89f0f7e2e3a5fc55.exe
4648	plainteapot.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4648	plainteapot.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Modify Registry

T1112

description	ioc	pid	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0"	4916	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1"	4916	svchost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4952	65db17f10ed1bf55073c122c9f558f433686dc8897434dea89f0f7e2e3a5fc55.exe
452	65db17f10ed1bf55073c122c9f558f433686dc8897434dea89f0f7e2e3a5fc55.exe
4664	plainteapot.exe
4648	plainteapot.exe

Modifies registry class 1 TTPs 28 IoCs

persistence

Modify Registry

T1112

description	ioc	pid	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Spiro.Document\ = "Spiro Document"	4952	65db17f10ed1bf55073c122c9f558f433686dc8897434dea89f0f7e2e3a5fc55.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Spiro.Document\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\65DB17~1.EXE,1"	4952	65db17f10ed1bf55073c122c9f558f433686dc8897434dea89f0f7e2e3a5fc55.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Spiro.Document\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\65DB17~1.EXE \"%1\""	4952	65db17f10ed1bf55073c122c9f558f433686dc8897434dea89f0f7e2e3a5fc55.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Spiro.Document\shell\print\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\65DB17~1.EXE /p \"%1\""	4952	65db17f10ed1bf55073c122c9f558f433686dc8897434dea89f0f7e2e3a5fc55.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Spiro.Document\shell\printto\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\65DB17~1.EXE /pt \"%1\" \"%2\" \"%3\" \"%4\""	4952	65db17f10ed1bf55073c122c9f558f433686dc8897434dea89f0f7e2e3a5fc55.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.spi\ = "Spiro.Document"	4952	65db17f10ed1bf55073c122c9f558f433686dc8897434dea89f0f7e2e3a5fc55.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.spi\ShellNew\NullFile	4952	65db17f10ed1bf55073c122c9f558f433686dc8897434dea89f0f7e2e3a5fc55.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Spiro.Document\ = "Spiro Document"	452	65db17f10ed1bf55073c122c9f558f433686dc8897434dea89f0f7e2e3a5fc55.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Spiro.Document\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\65DB17~1.EXE,1"	452	65db17f10ed1bf55073c122c9f558f433686dc8897434dea89f0f7e2e3a5fc55.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Spiro.Document\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\65DB17~1.EXE \"%1\""	452	65db17f10ed1bf55073c122c9f558f433686dc8897434dea89f0f7e2e3a5fc55.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Spiro.Document\shell\print\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\65DB17~1.EXE /p \"%1\""	452	65db17f10ed1bf55073c122c9f558f433686dc8897434dea89f0f7e2e3a5fc55.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Spiro.Document\shell\printto\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\65DB17~1.EXE /pt \"%1\" \"%2\" \"%3\" \"%4\""	452	65db17f10ed1bf55073c122c9f558f433686dc8897434dea89f0f7e2e3a5fc55.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.spi\ = "Spiro.Document"	452	65db17f10ed1bf55073c122c9f558f433686dc8897434dea89f0f7e2e3a5fc55.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.spi\ShellNew\NullFile	452	65db17f10ed1bf55073c122c9f558f433686dc8897434dea89f0f7e2e3a5fc55.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Spiro.Document\ = "Spiro Document"	4664	plainteapot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Spiro.Document\DefaultIcon\ = "C:\\Windows\\SysWOW64\\PLAINT~1.EXE,1"	4664	plainteapot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Spiro.Document\shell\open\command\ = "C:\\Windows\\SysWOW64\\PLAINT~1.EXE \"%1\""	4664	plainteapot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Spiro.Document\shell\print\command\ = "C:\\Windows\\SysWOW64\\PLAINT~1.EXE /p \"%1\""	4664	plainteapot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Spiro.Document\shell\printto\command\ = "C:\\Windows\\SysWOW64\\PLAINT~1.EXE /pt \"%1\" \"%2\" \"%3\" \"%4\""	4664	plainteapot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.spi\ = "Spiro.Document"	4664	plainteapot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.spi\ShellNew\NullFile	4664	plainteapot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Spiro.Document\ = "Spiro Document"	4648	plainteapot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Spiro.Document\DefaultIcon\ = "C:\\Windows\\SysWOW64\\PLAINT~1.EXE,1"	4648	plainteapot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Spiro.Document\shell\open\command\ = "C:\\Windows\\SysWOW64\\PLAINT~1.EXE \"%1\""	4648	plainteapot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Spiro.Document\shell\print\command\ = "C:\\Windows\\SysWOW64\\PLAINT~1.EXE /p \"%1\""	4648	plainteapot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Spiro.Document\shell\printto\command\ = "C:\\Windows\\SysWOW64\\PLAINT~1.EXE /pt \"%1\" \"%2\" \"%3\" \"%4\""	4648	plainteapot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.spi\ = "Spiro.Document"	4648	plainteapot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.spi\ShellNew\NullFile	4648	plainteapot.exe

Emotet Sync 1 IoCs

trojan banker

description	ioc	pid	Process
Event created	Global\EEE599D15	452	65db17f10ed1bf55073c122c9f558f433686dc8897434dea89f0f7e2e3a5fc55.exe

Drops file in system dir 11 IoCs

description	ioc	pid	Process
File renamed	C:\Users\Admin\AppData\Local\Temp\65db17f10ed1bf55073c122c9f558f433686dc8897434dea89f0f7e2e3a5fc55.exe => C:\Windows\SysWOW64\plainteapot.exe	452	65db17f10ed1bf55073c122c9f558f433686dc8897434dea89f0f7e2e3a5fc55.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	4648	plainteapot.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	4648	plainteapot.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	4648	plainteapot.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	4648	plainteapot.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	4648	plainteapot.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	4396	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	4396	svchost.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	4396	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp	4396	svchost.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp	4396	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
452	65db17f10ed1bf55073c122c9f558f433686dc8897434dea89f0f7e2e3a5fc55.exe

Checks system information in the registry (likely anti-VM) 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	pid	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	4188	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	4188	svchost.exe

emotet family
family emotet

C:\Users\Admin\AppData\Local\Temp\65db17f10ed1bf55073c122c9f558f433686dc8897434dea89f0f7e2e3a5fc55.exe
"C:\Users\Admin\AppData\Local\Temp\65db17f10ed1bf55073c122c9f558f433686dc8897434dea89f0f7e2e3a5fc55.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Modifies registry class
PID:4952

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
1⤵
PID:5048

C:\Users\Admin\AppData\Local\Temp\65db17f10ed1bf55073c122c9f558f433686dc8897434dea89f0f7e2e3a5fc55.exe
--14ab4ccc
1⤵
- Suspicious behavior: EmotetMutantsSpam
- Suspicious use of SetWindowsHookEx
- Modifies registry class
- Emotet Sync
- Drops file in system dir
- Suspicious behavior: RenamesItself
PID:452

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:4440

C:\Windows\System32\SLUI.exe
"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
1⤵
PID:4048

C:\Windows\SysWOW64\plainteapot.exe
"C:\Windows\SysWOW64\plainteapot.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Modifies registry class
PID:4664

C:\Windows\SysWOW64\plainteapot.exe
--cdbfb265
1⤵
- Suspicious behavior: EmotetMutantsSpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Modifies registry class
- Drops file in system dir
PID:4648

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Drops file in system dir
PID:4396

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:3932

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
1⤵
- Checks system information in the registry (likely anti-VM)
PID:4188

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup
1⤵
PID:4924

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
1⤵
- Windows security modification
PID:4916

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

MITRE ATT&CK Additional techniques

T1089

Replay Monitor

Loading Replay Monitor...

Downloads

memory/452-2-0x00000000029E0000-0x00000000029F7000-memory.dmp

Filesize
92KB

Download
memory/452-3-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4648-6-0x00000000005F0000-0x0000000000607000-memory.dmp

Filesize
92KB

Download
memory/4648-7-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4664-4-0x0000000000DF0000-0x0000000000E07000-memory.dmp

Filesize
92KB

Download
memory/4952-0-0x00000000022D0000-0x00000000022E7000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

MITRE ATT&CK Additional techniques

Replay Monitor

Loading Replay Monitor...

Downloads