6271467933302784.zip

General
Target

381fe5b3c4d640baf1495ad7f3e111af78c88df250895d87979834f952953580.exe

Filesize

474KB

Completed

16-09-2021 12:00

Score
10/10
MD5

604a044f20590d8486489d2b736e47fa

SHA1

8152a4a20292751f381b4a6d0bbce1c2f04739af

SHA256

381fe5b3c4d640baf1495ad7f3e111af78c88df250895d87979834f952953580

Malware Config

Extracted

Family emotet
Botnet Epoch2
C2

124.240.198.66:80

186.75.241.230:80

181.143.194.138:443

45.79.188.67:8080

77.237.248.136:8080

185.142.236.163:443

63.142.253.122:8080

178.254.6.27:7080

190.211.207.11:443

78.188.105.159:21

182.176.106.43:995

178.79.161.166:443

206.189.98.125:8080

87.230.19.21:8080

80.11.163.139:443

101.187.237.217:20

190.18.146.70:80

86.98.25.30:53

92.222.125.16:7080

186.4.172.5:443

169.239.182.217:8080

189.209.217.49:80

104.236.246.93:8080

190.228.72.244:53

88.247.163.44:80

45.123.3.54:443

91.205.215.66:8080

190.106.97.230:443

199.19.237.192:80

186.4.172.5:20

94.205.247.10:80

104.131.11.150:8080

144.139.247.220:80

119.15.153.237:80

173.212.203.26:8080

136.243.177.26:8080

5.196.74.210:8080

85.104.59.244:20

190.186.203.55:80

187.144.189.58:50000

78.24.219.147:8080

186.4.172.5:8080

46.105.131.87:80

149.167.86.174:990

222.214.218.192:8080

88.156.97.210:80

185.94.252.13:443

190.226.44.20:21

217.145.83.44:80

80.11.163.139:21

rsa_pubkey.plain
Signatures 8

Filter: none

Discovery
  • Emotet

    Description

    Emotet is a trojan that is primarily spread through spam emails.

  • Drops file in System32 directory
    shellcues.exe

    Reported IOCs

    descriptioniocprocess
    File opened for modificationC:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.datshellcues.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Modifies data under HKEY_USERS
    shellcues.exe

    Reported IOCs

    descriptioniocprocess
    Key created\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settingsshellcues.exe
    Set value (str)\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"shellcues.exe
    Set value (str)\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"shellcues.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpadshellcues.exe
    Set value (str)\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}\WpadNetworkName = "Network"shellcues.exe
    Key created\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}\de-33-32-3b-7f-b9shellcues.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connectionsshellcues.exe
    Set value (data)\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000shellcues.exe
    Set value (int)\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"shellcues.exe
    Key created\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\de-33-32-3b-7f-b9shellcues.exe
    Set value (int)\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\de-33-32-3b-7f-b9\WpadDecisionReason = "1"shellcues.exe
    Set value (data)\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\de-33-32-3b-7f-b9\WpadDecisionTime = 80c8e3dd02abd701shellcues.exe
    Set value (str)\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefixshellcues.exe
    Set value (data)\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a070027000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000shellcues.exe
    Set value (int)\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}\WpadDecision = "0"shellcues.exe
    Set value (int)\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\de-33-32-3b-7f-b9\WpadDecision = "0"shellcues.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settingsshellcues.exe
    Set value (data)\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000shellcues.exe
    Key created\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}shellcues.exe
    Set value (int)\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}\WpadDecisionReason = "1"shellcues.exe
    Set value (data)\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}\WpadDecisionTime = 80c8e3dd02abd701shellcues.exe
  • Suspicious behavior: EnumeratesProcesses
    shellcues.exe

    Reported IOCs

    pidprocess
    1120shellcues.exe
    1120shellcues.exe
    1120shellcues.exe
  • Suspicious behavior: RenamesItself
    381fe5b3c4d640baf1495ad7f3e111af78c88df250895d87979834f952953580.exe

    Reported IOCs

    pidprocess
    1988381fe5b3c4d640baf1495ad7f3e111af78c88df250895d87979834f952953580.exe
  • Suspicious use of UnmapMainImage
    381fe5b3c4d640baf1495ad7f3e111af78c88df250895d87979834f952953580.exe381fe5b3c4d640baf1495ad7f3e111af78c88df250895d87979834f952953580.exeshellcues.exeshellcues.exe

    Reported IOCs

    pidprocess
    2020381fe5b3c4d640baf1495ad7f3e111af78c88df250895d87979834f952953580.exe
    1988381fe5b3c4d640baf1495ad7f3e111af78c88df250895d87979834f952953580.exe
    1032shellcues.exe
    1120shellcues.exe
  • Suspicious use of WriteProcessMemory
    381fe5b3c4d640baf1495ad7f3e111af78c88df250895d87979834f952953580.exeshellcues.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 2020 wrote to memory of 19882020381fe5b3c4d640baf1495ad7f3e111af78c88df250895d87979834f952953580.exe381fe5b3c4d640baf1495ad7f3e111af78c88df250895d87979834f952953580.exe
    PID 2020 wrote to memory of 19882020381fe5b3c4d640baf1495ad7f3e111af78c88df250895d87979834f952953580.exe381fe5b3c4d640baf1495ad7f3e111af78c88df250895d87979834f952953580.exe
    PID 2020 wrote to memory of 19882020381fe5b3c4d640baf1495ad7f3e111af78c88df250895d87979834f952953580.exe381fe5b3c4d640baf1495ad7f3e111af78c88df250895d87979834f952953580.exe
    PID 2020 wrote to memory of 19882020381fe5b3c4d640baf1495ad7f3e111af78c88df250895d87979834f952953580.exe381fe5b3c4d640baf1495ad7f3e111af78c88df250895d87979834f952953580.exe
    PID 1032 wrote to memory of 11201032shellcues.exeshellcues.exe
    PID 1032 wrote to memory of 11201032shellcues.exeshellcues.exe
    PID 1032 wrote to memory of 11201032shellcues.exeshellcues.exe
    PID 1032 wrote to memory of 11201032shellcues.exeshellcues.exe
Processes 4
  • C:\Users\Admin\AppData\Local\Temp\381fe5b3c4d640baf1495ad7f3e111af78c88df250895d87979834f952953580.exe
    "C:\Users\Admin\AppData\Local\Temp\381fe5b3c4d640baf1495ad7f3e111af78c88df250895d87979834f952953580.exe"
    Suspicious use of UnmapMainImage
    Suspicious use of WriteProcessMemory
    PID:2020
    • C:\Users\Admin\AppData\Local\Temp\381fe5b3c4d640baf1495ad7f3e111af78c88df250895d87979834f952953580.exe
      --f8e7cfe6
      Suspicious behavior: RenamesItself
      Suspicious use of UnmapMainImage
      PID:1988
  • C:\Windows\SysWOW64\shellcues.exe
    "C:\Windows\SysWOW64\shellcues.exe"
    Suspicious use of UnmapMainImage
    Suspicious use of WriteProcessMemory
    PID:1032
    • C:\Windows\SysWOW64\shellcues.exe
      --6e5b42c6
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of UnmapMainImage
      PID:1120
Network
MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
          Execution
            Exfiltration
              Impact
                Initial Access
                  Lateral Movement
                    Persistence
                      Privilege Escalation
                        Replay Monitor
                        00:00 00:00
                        Downloads
                        • memory/1120-66-0x0000000000000000-mapping.dmp

                        • memory/1988-62-0x0000000000000000-mapping.dmp

                        • memory/2020-60-0x00000000754F1000-0x00000000754F3000-memory.dmp

                        • memory/2020-61-0x00000000002D0000-0x00000000002E5000-memory.dmp

                        • memory/2020-64-0x0000000000400000-0x0000000000478000-memory.dmp