7c01b2282ef8cdd23758e8bf9aa220d37c7acbda22f2a0f7f6d59ba2885af5e6

General
Target

7c01b2282ef8cdd23758e8bf9aa220d37c7acbda22f2a0f7f6d59ba2885af5e6.dll

Filesize

653KB

Completed

25-11-2021 16:42

Score
10/10
MD5

d8d928ffb1934d779b089893b386ae2d

SHA1

4aa168719fefa92abc0d3a5217f0bed9da5c59db

SHA256

7c01b2282ef8cdd23758e8bf9aa220d37c7acbda22f2a0f7f6d59ba2885af5e6

Malware Config

Extracted

Family emotet
Botnet Epoch5
C2

51.178.61.60:443

168.197.250.14:80

45.79.33.48:8080

196.44.98.190:8080

177.72.80.14:7080

51.210.242.234:8080

185.148.169.10:8080

142.4.219.173:8080

78.47.204.80:443

78.46.73.125:443

37.44.244.177:8080

37.59.209.141:8080

191.252.103.16:80

54.38.242.185:443

85.214.67.203:8080

54.37.228.122:443

207.148.81.119:8080

195.77.239.39:8080

66.42.57.149:443

195.154.146.35:443

eck1.plain
ecs1.plain
Signatures 9


Discovery
Persistence
  • Emotet

    Description

    Emotet is a trojan that is primarily spread through spam emails.

  • Registers COM server for autorun

    TTPs

    Registry Run Keys / Startup Folder
  • Blocklisted process makes network request
    rundll32.exe

    Reported IOCs

    flow | pid | process
    20 | 3216 | rundll32.exe
  • Drops file in System32 directory
    rundll32.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Windows\SysWOW64\Xmtpd\discgezb.gcy | rundll32.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Modifies registry class
    FileSyncConfig.exe
    Note: FileSyncConfig.exe appears as a separate top-level process in the tree below, not as a child of the rundll32.exe chain, and every key it touches belongs to the OneDrive shell-namespace CLSID; this is most likely background OneDrive activity on the analysis VM rather than behaviour of the sample.

    Reported IOCs

    description | ioc | process
    Key deleted | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INPROCSERVER32 | FileSyncConfig.exe
    Key deleted | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INSTANCE\INITPROPERTYBAG | FileSyncConfig.exe
    Key created | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6} | FileSyncConfig.exe
    Key created | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | FileSyncConfig.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "1" | FileSyncConfig.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SortOrderIndex = "66" | FileSyncConfig.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32\ = "%systemroot%\\system32\\shell32.dll" | FileSyncConfig.exe
    Key deleted | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | FileSyncConfig.exe
    Key deleted | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INPROCSERVER32 | FileSyncConfig.exe
    Key deleted | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SHELLFOLDER | FileSyncConfig.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\CLSID = "{0E5AAE11-A475-4c5b-AB00-C66DE400274E}" | FileSyncConfig.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\FolderValueFlags = "40" | FileSyncConfig.exe
    Key deleted | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6} | FileSyncConfig.exe
    Key created | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32 | FileSyncConfig.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\FolderValueFlags = "40" | FileSyncConfig.exe
    Key created | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6} | FileSyncConfig.exe
    Key created | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32 | FileSyncConfig.exe
    Key deleted | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SHELLFOLDER | FileSyncConfig.exe
    Key deleted | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DEFAULTICON | FileSyncConfig.exe
    Key deleted | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6} | FileSyncConfig.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32\ = "%systemroot%\\SysWow64\\shell32.dll" | FileSyncConfig.exe
    Key created | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag | FileSyncConfig.exe
    Key created | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder | FileSyncConfig.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe,0" | FileSyncConfig.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\TargetKnownFolder = "{a52bba46-e9e1-435f-b3d9-28daa648c0f6}" | FileSyncConfig.exe
    Key deleted | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DEFAULTICON | FileSyncConfig.exe
    Key deleted | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INSTANCE\INITPROPERTYBAG | FileSyncConfig.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe,0" | FileSyncConfig.exe
    Key created | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon | FileSyncConfig.exe
    Key created | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | FileSyncConfig.exe
    Key created | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag | FileSyncConfig.exe
    Key created | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder | FileSyncConfig.exe
    Key created | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon | FileSyncConfig.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\CLSID = "{0E5AAE11-A475-4c5b-AB00-C66DE400274E}" | FileSyncConfig.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\TargetKnownFolder = "{a52bba46-e9e1-435f-b3d9-28daa648c0f6}" | FileSyncConfig.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ = "OneDrive" | FileSyncConfig.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\Attributes = "17" | FileSyncConfig.exe
    Key deleted | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | FileSyncConfig.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ = "OneDrive" | FileSyncConfig.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "1" | FileSyncConfig.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SortOrderIndex = "66" | FileSyncConfig.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\Attributes = "17" | FileSyncConfig.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\Attributes = "4034920525" | FileSyncConfig.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\Attributes = "4034920525" | FileSyncConfig.exe
  • Suspicious behavior: EnumeratesProcesses
    rundll32.exe

    Reported IOCs

    pid | process
    3216 | rundll32.exe
    3216 | rundll32.exe
  • Suspicious behavior: RenamesItself
    rundll32.exe

    Reported IOCs

    pid | process
    4164 | rundll32.exe
  • Suspicious use of WriteProcessMemory
    rundll32.exerundll32.exerundll32.exerundll32.exe

    Reported IOCs

    description | pid | process | target process
    PID 4472 wrote to memory of 4484 | 4472 | rundll32.exe | rundll32.exe
    PID 4472 wrote to memory of 4484 | 4472 | rundll32.exe | rundll32.exe
    PID 4472 wrote to memory of 4484 | 4472 | rundll32.exe | rundll32.exe
    PID 4484 wrote to memory of 4164 | 4484 | rundll32.exe | rundll32.exe
    PID 4484 wrote to memory of 4164 | 4484 | rundll32.exe | rundll32.exe
    PID 4484 wrote to memory of 4164 | 4484 | rundll32.exe | rundll32.exe
    PID 4164 wrote to memory of 776 | 4164 | rundll32.exe | rundll32.exe
    PID 4164 wrote to memory of 776 | 4164 | rundll32.exe | rundll32.exe
    PID 4164 wrote to memory of 776 | 4164 | rundll32.exe | rundll32.exe
    PID 776 wrote to memory of 3216 | 776 | rundll32.exe | rundll32.exe
    PID 776 wrote to memory of 3216 | 776 | rundll32.exe | rundll32.exe
    PID 776 wrote to memory of 3216 | 776 | rundll32.exe | rundll32.exe
Processes 6
  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\7c01b2282ef8cdd23758e8bf9aa220d37c7acbda22f2a0f7f6d59ba2885af5e6.dll,#1
    Suspicious use of WriteProcessMemory
    PID:4472
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\7c01b2282ef8cdd23758e8bf9aa220d37c7acbda22f2a0f7f6d59ba2885af5e6.dll,#1
      Suspicious use of WriteProcessMemory
      PID:4484
      • C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\7c01b2282ef8cdd23758e8bf9aa220d37c7acbda22f2a0f7f6d59ba2885af5e6.dll",Control_RunDLL
        Drops file in System32 directory
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        PID:4164
        • C:\Windows\SysWOW64\rundll32.exe
          C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Xmtpd\discgezb.gcy",azct
          Suspicious use of WriteProcessMemory
          PID:776
          • C:\Windows\SysWOW64\rundll32.exe
            C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Xmtpd\discgezb.gcy",Control_RunDLL
            Blocklisted process makes network request
            Suspicious behavior: EnumeratesProcesses
            PID:3216
  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe
    "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe"
    Modifies registry class
    PID:2740
Network
MITRE ATT&CK Matrix
Collection | Command and Control | Credential Access | Defense Evasion | Execution | Exfiltration | Impact | Initial Access | Lateral Movement | Privilege Escalation
                      Downloads
                      • memory/776-141-0x0000000004710000-0x0000000004738000-memory.dmp

                      • memory/776-138-0x0000000000000000-mapping.dmp

                      • memory/3216-161-0x0000000004DB0000-0x0000000004DD8000-memory.dmp

                      • memory/3216-152-0x0000000004B10000-0x0000000004B38000-memory.dmp

                      • memory/3216-149-0x0000000004930000-0x0000000004958000-memory.dmp

                      • memory/3216-146-0x0000000000A20000-0x0000000000A48000-memory.dmp

                      • memory/3216-145-0x0000000000000000-mapping.dmp

                      • memory/3216-158-0x0000000004CD0000-0x0000000004CF8000-memory.dmp

                      • memory/3216-155-0x0000000004BF0000-0x0000000004C18000-memory.dmp

                      • memory/4164-139-0x0000000005500000-0x0000000005528000-memory.dmp

                      • memory/4164-135-0x00000000053A0000-0x00000000053C8000-memory.dmp

                      • memory/4164-132-0x0000000005340000-0x0000000005368000-memory.dmp

                      • memory/4164-129-0x00000000051B0000-0x00000000051D8000-memory.dmp

                      • memory/4164-126-0x0000000004BC0000-0x0000000004BE8000-memory.dmp

                      • memory/4164-123-0x0000000003160000-0x0000000003188000-memory.dmp

                      • memory/4164-122-0x0000000000000000-mapping.dmp

                      • memory/4484-119-0x0000000004940000-0x0000000004968000-memory.dmp

                      • memory/4484-118-0x0000000000000000-mapping.dmp