Overview

overview

10

Static

static

emotet_pe_1min

windows10_x64

10

Analysis

  • max time kernel
    60s
  • max time network
    62s
  • platform
    windows10_x64
  • resource
    win10-de-20211104
  • submitted
    25-11-2021 16:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    358c5b31c3352bfb0ec8b488e11e943ef70594b00acc16ee53c3af4729fedc49.dll

  • Size

    653KB

  • MD5

    74254a37cb8132aa5ec0aa2ddd471981

  • SHA1

    e52f52eff2d88fc126084875255c52c8282e50e2

  • SHA256

    358c5b31c3352bfb0ec8b488e11e943ef70594b00acc16ee53c3af4729fedc49

  • SHA512

    c6b316d909539edb849340bbcd2931f2591f99c0b38be5a1cf92627c59578c40f44255de659501c0223f4475df943820835961a33a5ac68124f77a20358ae8bc

Score
10/10
emotetepoch5bankerpersistencesuricatatrojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch5

C2

51.178.61.60:443

168.197.250.14:80

45.79.33.48:8080

196.44.98.190:8080

177.72.80.14:7080

51.210.242.234:8080

185.148.169.10:8080

142.4.219.173:8080

78.47.204.80:443

78.46.73.125:443

37.44.244.177:8080

37.59.209.141:8080

191.252.103.16:80

54.38.242.185:443

85.214.67.203:8080

54.37.228.122:443

207.148.81.119:8080

195.77.239.39:8080

66.42.57.149:443

195.154.146.35:443
eck1.plain
ecs1.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Registers COM server for autorun 1 TTPs
    persistence
  • suricata: ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)

    suricata: ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)

    suricata
  • suricata: ET MALWARE W32/Emotet CnC Beacon 3

    suricata: ET MALWARE W32/Emotet CnC Beacon 3

    suricata
  • Blocklisted process makes network request 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 21 IoCs
  • Modifies registry class 44 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\358c5b31c3352bfb0ec8b488e11e943ef70594b00acc16ee53c3af4729fedc49.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4448
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\358c5b31c3352bfb0ec8b488e11e943ef70594b00acc16ee53c3af4729fedc49.dll,#1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4540
      • C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\358c5b31c3352bfb0ec8b488e11e943ef70594b00acc16ee53c3af4729fedc49.dll",Control_RunDLL
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: RenamesItself
        • Suspicious use of WriteProcessMemory
        PID:4188
        • C:\Windows\SysWOW64\rundll32.exe
          C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Ewlrsexdkiu\bszfbtpomt.lbz",rCdImYOEWqSU
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:360
          • C:\Windows\SysWOW64\rundll32.exe
            C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Ewlrsexdkiu\bszfbtpomt.lbz",Control_RunDLL
            5⤵
            • Blocklisted process makes network request
            • Suspicious behavior: EnumeratesProcesses
            PID:3240
  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe
    "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe"
    1⤵
    • Modifies registry class
    PID:4240
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /frequentupdate SCHEDULEDTASK displaylevel=False
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:2280

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/360-138-0x0000000000000000-mapping.dmp
    Download
  • memory/360-140-0x0000000000F10000-0x0000000000F38000-memory.dmp
    Filesize

    160KB

    Download
  • memory/3240-146-0x0000000000EE0000-0x0000000000F08000-memory.dmp
    Filesize

    160KB

    Download
  • memory/3240-145-0x0000000000000000-mapping.dmp
    Download
  • memory/3240-161-0x0000000004DC0000-0x0000000004DE8000-memory.dmp
    Filesize

    160KB

    Download
  • memory/3240-158-0x0000000004CE0000-0x0000000004D08000-memory.dmp
    Filesize

    160KB

    Download
  • memory/3240-155-0x0000000004C00000-0x0000000004C28000-memory.dmp
    Filesize

    160KB

    Download
  • memory/3240-152-0x0000000004B20000-0x0000000004B48000-memory.dmp
    Filesize

    160KB

    Download
  • memory/3240-149-0x00000000044B0000-0x00000000044D8000-memory.dmp
    Filesize

    160KB

    Download
  • memory/4188-139-0x0000000004FB0000-0x0000000004FD8000-memory.dmp
    Filesize

    160KB

    Download
  • memory/4188-123-0x0000000000F20000-0x0000000000F48000-memory.dmp
    Filesize

    160KB

    Download
  • memory/4188-122-0x0000000000000000-mapping.dmp
    Download
  • memory/4188-135-0x0000000004E50000-0x0000000004E78000-memory.dmp
    Filesize

    160KB

    Download
  • memory/4188-132-0x0000000004DF0000-0x0000000004E18000-memory.dmp
    Filesize

    160KB

    Download
  • memory/4188-129-0x0000000004C70000-0x0000000004C98000-memory.dmp
    Filesize

    160KB

    Download
  • memory/4188-126-0x0000000004710000-0x0000000004738000-memory.dmp
    Filesize

    160KB

    Download
  • memory/4540-119-0x0000000004800000-0x0000000004828000-memory.dmp
    Filesize

    160KB

    Download
  • memory/4540-118-0x0000000000000000-mapping.dmp
    Download