Overview

overview

10

Static

static

emotet_pe_1min

windows10_x64

10

Analysis

  • max time kernel
    60s
  • max time network
    55s
  • platform
    windows10_x64
  • resource
    win10-de-20211104
  • submitted
    25-11-2021 16:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cc0e99acb1d5181d9b56eb4f50570ace512e6c76fa8f95dc2e3f6fcdcd22c600.dll

  • Size

    653KB

  • MD5

    e4d82fa6e7d7ccdd414ee09fd7fc9f8d

  • SHA1

    198050a59f47efab0189b1b3d847b44cd9118463

  • SHA256

    cc0e99acb1d5181d9b56eb4f50570ace512e6c76fa8f95dc2e3f6fcdcd22c600

  • SHA512

    8e8ba73c0d73a23f6875c47464f1db03bc65a8db114018abed48091e5cba954e652f7808c46bb8a43aeb50c45bb0fd7c5b7c9bdf31c3f7939a2604228770f86c

Score
10/10
emotetepoch5bankerpersistencetrojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch5

C2

51.178.61.60:443

168.197.250.14:80

45.79.33.48:8080

196.44.98.190:8080

177.72.80.14:7080

51.210.242.234:8080

185.148.169.10:8080

142.4.219.173:8080

78.47.204.80:443

78.46.73.125:443

37.44.244.177:8080

37.59.209.141:8080

191.252.103.16:80

54.38.242.185:443

85.214.67.203:8080

54.37.228.122:443

207.148.81.119:8080

195.77.239.39:8080

66.42.57.149:443

195.154.146.35:443
eck1.plain
ecs1.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Registers COM server for autorun 1 TTPs
    persistence
  • Blocklisted process makes network request 2 IoCs
  • Modifies data under HKEY_USERS 21 IoCs
  • Modifies registry class 44 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\cc0e99acb1d5181d9b56eb4f50570ace512e6c76fa8f95dc2e3f6fcdcd22c600.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2568
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\cc0e99acb1d5181d9b56eb4f50570ace512e6c76fa8f95dc2e3f6fcdcd22c600.dll,#1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1256
      • C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\cc0e99acb1d5181d9b56eb4f50570ace512e6c76fa8f95dc2e3f6fcdcd22c600.dll",Control_RunDLL
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        PID:348
  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe
    "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe"
    1⤵
    • Modifies registry class
    PID:2080
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /frequentupdate SCHEDULEDTASK displaylevel=False
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:2540

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/348-122-0x0000000000000000-mapping.dmp
    Download
  • memory/348-123-0x0000000002CD0000-0x0000000002CF8000-memory.dmp
    Filesize

    160KB

    Download
  • memory/348-126-0x0000000004BF0000-0x0000000004C18000-memory.dmp
    Filesize

    160KB

    Download
  • memory/348-129-0x0000000004DD0000-0x0000000004DF8000-memory.dmp
    Filesize

    160KB

    Download
  • memory/348-132-0x0000000004EB0000-0x0000000004ED8000-memory.dmp
    Filesize

    160KB

    Download
  • memory/348-135-0x0000000004F90000-0x0000000004FB8000-memory.dmp
    Filesize

    160KB

    Download
  • memory/348-138-0x0000000005070000-0x0000000005098000-memory.dmp
    Filesize

    160KB

    Download
  • memory/1256-118-0x0000000000000000-mapping.dmp
    Download
  • memory/1256-119-0x0000000003110000-0x0000000003138000-memory.dmp
    Filesize

    160KB

    Download