emotet | e6291bb49f93187ed1fb42c5898f0359455bef38e0cb449f128c485e900eabe3

General

Target

e6291bb49f93187ed1fb42c5898f0359455bef38e0cb449f128c485e900eabe3.dll
Size

653KB
MD5

4aea748576c6f7a7e77ed0d20e16d7a1
SHA1

42344e8d3fb5c3c4323daca880334b332e11bf11
SHA256

e6291bb49f93187ed1fb42c5898f0359455bef38e0cb449f128c485e900eabe3
SHA512

61d3c113dc2f2e8204dc487053b7bb600cd0ca55f3a0db38a731f54234f846409a0a75f7fd5dea5f48febcfa1238ce4077dd05ab8b015e18ccaf8ede711eb58e

Score

10^/10

emotet epoch5 banker persistence trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch5

C2

51.178.61.60:443

168.197.250.14:80

45.79.33.48:8080

196.44.98.190:8080

177.72.80.14:7080

51.210.242.234:8080

185.148.169.10:8080

142.4.219.173:8080

78.47.204.80:443

78.46.73.125:443

37.44.244.177:8080

37.59.209.141:8080

191.252.103.16:80

54.38.242.185:443

85.214.67.203:8080

54.37.228.122:443

207.148.81.119:8080

195.77.239.39:8080

66.42.57.149:443

195.154.146.35:443

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

16 2004 rundll32.exe
17 2004 rundll32.exe

flow	pid	process
16	2004	rundll32.exe
17	2004	rundll32.exe

Modifies registry class 44 IoCs

Processes:

FileSyncConfig.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DEFAULTICON	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INSTANCE\INITPROPERTYBAG	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ = "OneDrive"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32\ = "%systemroot%\\system32\\shell32.dll"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DEFAULTICON	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SortOrderIndex = "66"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32\ = "%systemroot%\\SysWow64\\shell32.dll"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe,0"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\FolderValueFlags = "40"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\FolderValueFlags = "40"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SHELLFOLDER	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INPROCSERVER32	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INPROCSERVER32	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "1"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe,0"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\CLSID = "{0E5AAE11-A475-4c5b-AB00-C66DE400274E}"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\Attributes = "17"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\Attributes = "4034920525"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SHELLFOLDER	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\TargetKnownFolder = "{a52bba46-e9e1-435f-b3d9-28daa648c0f6}"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\Attributes = "4034920525"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ = "OneDrive"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INSTANCE\INITPROPERTYBAG	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "1"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\CLSID = "{0E5AAE11-A475-4c5b-AB00-C66DE400274E}"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\Attributes = "17"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SortOrderIndex = "66"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\TargetKnownFolder = "{a52bba46-e9e1-435f-b3d9-28daa648c0f6}"	FileSyncConfig.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

2004 rundll32.exe
2004 rundll32.exe

pid	process
2004	rundll32.exe
2004	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 432 wrote to memory of 656	432	rundll32.exe	rundll32.exe
PID 432 wrote to memory of 656	432	rundll32.exe	rundll32.exe
PID 432 wrote to memory of 656	432	rundll32.exe	rundll32.exe
PID 656 wrote to memory of 2004	656	rundll32.exe	rundll32.exe
PID 656 wrote to memory of 2004	656	rundll32.exe	rundll32.exe
PID 656 wrote to memory of 2004	656	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e6291bb49f93187ed1fb42c5898f0359455bef38e0cb449f128c485e900eabe3.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:432

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e6291bb49f93187ed1fb42c5898f0359455bef38e0cb449f128c485e900eabe3.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:656

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\e6291bb49f93187ed1fb42c5898f0359455bef38e0cb449f128c485e900eabe3.dll",Control_RunDLL
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:2004

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe"
1⤵
- Modifies registry class
PID:3900

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/656-115-0x0000000000000000-mapping.dmp

Download
memory/656-116-0x0000000004580000-0x00000000045A8000-memory.dmp

Filesize
160KB

Download
memory/2004-119-0x0000000000000000-mapping.dmp

Download
memory/2004-120-0x00000000033C0000-0x00000000033E8000-memory.dmp

Filesize
160KB

Download
memory/2004-123-0x00000000051E0000-0x0000000005208000-memory.dmp

Filesize
160KB

Download
memory/2004-126-0x00000000053C0000-0x00000000053E8000-memory.dmp

Filesize
160KB

Download
memory/2004-129-0x00000000054A0000-0x00000000054C8000-memory.dmp

Filesize
160KB

Download
memory/2004-132-0x0000000005580000-0x00000000055A8000-memory.dmp

Filesize
160KB

Download
memory/2004-135-0x0000000005660000-0x0000000005688000-memory.dmp

Filesize
160KB

Download
memory/2004-138-0x0000000005740000-0x0000000005768000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing