emotet | a12515213a2c022e726b544d655bbd435b2063198c3de5c0a0335f14981bc10e

General

Target

a12515213a2c022e726b544d655bbd435b2063198c3de5c0a0335f14981bc10e
Sample

191112-q679f2ss1e
SHA256

a12515213a2c022e726b544d655bbd435b2063198c3de5c0a0335f14981bc10e

Score

N/A

Malware Config

Extracted

Family

emotet

C2

181.197.108.171:443

191.100.24.201:50000

211.110.229.161:443

193.34.144.138:8080

74.208.173.91:8080

46.105.131.68:8080

152.169.32.143:8080

189.252.102.40:8080

154.120.227.206:8080

178.249.187.150:7080

103.205.177.229:80

157.7.164.178:8081

138.197.140.163:8080

95.216.212.157:8080

216.75.37.196:8080

216.70.88.55:8080

189.218.243.150:443

124.150.175.129:8080

198.57.217.170:8080

212.112.113.235:80

rsa_pubkey.plain

Signatures

emotet family
family emotet

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4888 wrote to memory of 4916	4888	SppExtComObj.exe	74
PID 4808 wrote to memory of 5104	4808	a12515213a2c022e726b544d655bbd435b2063198c3de5c0a0335f14981bc10e.exe	77

Drops file in system dir 6 IoCs

description	ioc	pid	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	356	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	356	svchost.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	356	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp	356	svchost.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp	356	svchost.exe
File renamed	C:\Users\Admin\AppData\Local\Temp\a12515213a2c022e726b544d655bbd435b2063198c3de5c0a0335f14981bc10e.exe => C:\Windows\SysWOW64\cipherwnd.exe	5104	a12515213a2c022e726b544d655bbd435b2063198c3de5c0a0335f14981bc10e.exe

Checks system information in the registry (likely anti-VM) 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	pid	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	4260	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	4260	svchost.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Modify Registry

T1112

description	ioc	pid	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0"	4160	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1"	4160	svchost.exe

Emotet Sync 1 IoCs

trojan banker

description	ioc	pid	Process
Event created	Global\EEE599D15	5104	a12515213a2c022e726b544d655bbd435b2063198c3de5c0a0335f14981bc10e.exe

Suspicious behavior: EmotetMutantsSpam 1 IoCs

pid	Process
5104	a12515213a2c022e726b544d655bbd435b2063198c3de5c0a0335f14981bc10e.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
5104	a12515213a2c022e726b544d655bbd435b2063198c3de5c0a0335f14981bc10e.exe

C:\Users\Admin\AppData\Local\Temp\a12515213a2c022e726b544d655bbd435b2063198c3de5c0a0335f14981bc10e.exe
"C:\Users\Admin\AppData\Local\Temp\a12515213a2c022e726b544d655bbd435b2063198c3de5c0a0335f14981bc10e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4808

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:4888

C:\Windows\System32\SLUI.exe
"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
1⤵
PID:4916

C:\Users\Admin\AppData\Local\Temp\a12515213a2c022e726b544d655bbd435b2063198c3de5c0a0335f14981bc10e.exe
--6c24e410
1⤵
- Drops file in system dir
- Emotet Sync
- Suspicious behavior: EmotetMutantsSpam
- Suspicious behavior: RenamesItself
PID:5104

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Drops file in system dir
PID:356

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:4268

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
1⤵
- Checks system information in the registry (likely anti-VM)
PID:4260

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
1⤵
- Windows security modification
PID:4160

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup
1⤵
PID:2564

C:\Windows\SysWOW64\cipherwnd.exe
"C:\Windows\SysWOW64\cipherwnd.exe"
1⤵
PID:4464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

MITRE ATT&CK Additional techniques

T1089

Replay Monitor

Loading Replay Monitor...

Downloads

memory/356-8-0x000001BFFA8E0000-0x000001BFFA8E1000-memory.dmp

Filesize
4KB

Download
memory/5104-29-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing