emotet | 1296d8774c5c1fdfd849570b8ed42dca035348e1d3f59a846c80f2c49a80db49

General

Target

1296d8774c5c1fdfd849570b8ed42dca035348e1d3f59a846c80f2c49a80db49
Sample

191114-7ywlhp733s
SHA256

1296d8774c5c1fdfd849570b8ed42dca035348e1d3f59a846c80f2c49a80db49

Score

N/A

Malware Config

Extracted

Family

emotet

C2

105.226.188.128:8090

91.205.173.54:8080

163.172.97.112:8080

72.47.202.235:8080

46.17.6.116:8080

46.105.131.68:8080

37.59.24.25:8080

152.169.32.143:8080

178.249.187.150:7080

23.253.207.142:8080

201.196.15.79:990

187.177.155.123:990

189.154.130.167:443

176.58.93.123:80

191.100.24.201:50000

192.163.221.191:8080

190.128.222.14:80

51.38.134.203:8080

157.7.164.178:8081

95.216.212.157:8080

rsa_pubkey.plain

Signatures

Emotet Sync 1 IoCs
trojan banker

Processes:

1296d8774c5c1fdfd849570b8ed42dca035348e1d3f59a846c80f2c49a80db49.exe

description ioc pid process

Event created Global\EEE599D15 4832 1296d8774c5c1fdfd849570b8ed42dca035348e1d3f59a846c80f2c49a80db49.exe
Suspicious behavior: EmotetMutantsSpam 2 IoCs

Processes:

1296d8774c5c1fdfd849570b8ed42dca035348e1d3f59a846c80f2c49a80db49.exerawattrib.exe

pid process

4832 1296d8774c5c1fdfd849570b8ed42dca035348e1d3f59a846c80f2c49a80db49.exe
328 rawattrib.exe

description	ioc	pid	process
Event created	Global\EEE599D15	4832	1296d8774c5c1fdfd849570b8ed42dca035348e1d3f59a846c80f2c49a80db49.exe

pid	process
4832	1296d8774c5c1fdfd849570b8ed42dca035348e1d3f59a846c80f2c49a80db49.exe
328	rawattrib.exe

Drops file in system dir 11 IoCs

Processes:

1296d8774c5c1fdfd849570b8ed42dca035348e1d3f59a846c80f2c49a80db49.exerawattrib.exesvchost.exe

description	ioc	pid	process
File renamed	C:\Users\Admin\AppData\Local\Temp\1296d8774c5c1fdfd849570b8ed42dca035348e1d3f59a846c80f2c49a80db49.exe => C:\Windows\SysWOW64\rawattrib.exe	4832	1296d8774c5c1fdfd849570b8ed42dca035348e1d3f59a846c80f2c49a80db49.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	328	rawattrib.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	328	rawattrib.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	328	rawattrib.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	328	rawattrib.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	328	rawattrib.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	3164	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	3164	svchost.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	3164	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp	3164	svchost.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp	3164	svchost.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	pid	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0"	4156	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1"	4156	svchost.exe

emotet family
family emotet

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

1296d8774c5c1fdfd849570b8ed42dca035348e1d3f59a846c80f2c49a80db49.exeSppExtComObj.exerawattrib.exe

description	pid	process	target process
PID 4808 wrote to memory of 4832	4808	1296d8774c5c1fdfd849570b8ed42dca035348e1d3f59a846c80f2c49a80db49.exe	1296d8774c5c1fdfd849570b8ed42dca035348e1d3f59a846c80f2c49a80db49.exe
PID 4920 wrote to memory of 4948	4920	SppExtComObj.exe	SLUI.exe
PID 5104 wrote to memory of 328	5104	rawattrib.exe	rawattrib.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

1296d8774c5c1fdfd849570b8ed42dca035348e1d3f59a846c80f2c49a80db49.exe

pid process

4832 1296d8774c5c1fdfd849570b8ed42dca035348e1d3f59a846c80f2c49a80db49.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

rawattrib.exe

pid process

328 rawattrib.exe

pid	process
4832	1296d8774c5c1fdfd849570b8ed42dca035348e1d3f59a846c80f2c49a80db49.exe

pid	process
328	rawattrib.exe

Checks system information in the registry (likely anti-VM) 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	pid	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	4132	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	4132	svchost.exe

C:\Users\Admin\AppData\Local\Temp\1296d8774c5c1fdfd849570b8ed42dca035348e1d3f59a846c80f2c49a80db49.exe
"C:\Users\Admin\AppData\Local\Temp\1296d8774c5c1fdfd849570b8ed42dca035348e1d3f59a846c80f2c49a80db49.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4808

C:\Users\Admin\AppData\Local\Temp\1296d8774c5c1fdfd849570b8ed42dca035348e1d3f59a846c80f2c49a80db49.exe
--7549115c
1⤵
- Emotet Sync
- Suspicious behavior: EmotetMutantsSpam
- Drops file in system dir
- Suspicious behavior: RenamesItself
PID:4832

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:4920

C:\Windows\System32\SLUI.exe
"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
1⤵
PID:4948

C:\Windows\SysWOW64\rawattrib.exe
"C:\Windows\SysWOW64\rawattrib.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5104

C:\Windows\SysWOW64\rawattrib.exe
--9e8f6508
1⤵
- Suspicious behavior: EmotetMutantsSpam
- Drops file in system dir
- Suspicious behavior: EnumeratesProcesses
PID:328

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Drops file in system dir
PID:3164

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:3620

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
1⤵
- Checks system information in the registry (likely anti-VM)
PID:4132

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
1⤵
- Windows security modification
PID:4156

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup
1⤵
PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

MITRE ATT&CK Additional techniques

T1089

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\403f0cc78adafaecdb503a6c6424923d_293fa5bd-edfb-4bba-800e-a7dce3ea3438

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-634046074-2673730973-2644684987-1000\0f5007522459c86e95ffcc62f32308f1_293fa5bd-edfb-4bba-800e-a7dce3ea3438

Download Submit
memory/328-6-0x0000000000790000-0x00000000007A4000-memory.dmp

Filesize
80KB

Download
memory/328-7-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4808-0-0x00000000001C0000-0x00000000001D4000-memory.dmp

Filesize
80KB

Download
memory/4832-2-0x00000000007B0000-0x00000000007C4000-memory.dmp

Filesize
80KB

Download
memory/4832-3-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/5104-4-0x0000000000C80000-0x0000000000C94000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

MITRE ATT&CK Additional techniques

Replay Monitor

Loading Replay Monitor...

Downloads