94c793c741698a75da4246ef790ce366534ddf5d620533c68f004b1f142de218

General
  Target:     94c793c741698a75da4246ef790ce366534ddf5d620533c68f004b1f142de218.dll
  Filesize:   653KB
  Completed:  25-11-2021 16:49
  Score:      10/10
  MD5:        4a2de25016b471b380c4eb430f61ef0d
  SHA1:       ed79dc00e10ff969bb35322e023f1f9c1750b602
  SHA256:     94c793c741698a75da4246ef790ce366534ddf5d620533c68f004b1f142de218

Malware Config

Extracted
  Family:  emotet
  Botnet:  Epoch5
  C2:
    51.178.61.60:443
    168.197.250.14:80
    45.79.33.48:8080
    196.44.98.190:8080
    177.72.80.14:7080
    51.210.242.234:8080
    185.148.169.10:8080
    142.4.219.173:8080
    78.47.204.80:443
    78.46.73.125:443
    37.44.244.177:8080
    37.59.209.141:8080
    191.252.103.16:80
    54.38.242.185:443
    85.214.67.203:8080
    54.37.228.122:443
    207.148.81.119:8080
    195.77.239.39:8080
    66.42.57.149:443
    195.154.146.35:443
  eck1.plain
  ecs1.plain

Signatures (9)

Discovery
  • Emotet

    Description

    Emotet is a trojan that is primarily spread through spam emails.

  • suricata: ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)

  • suricata: ET MALWARE W32/Emotet CnC Beacon 3


  • Blocklisted process makes network request
    rundll32.exe

    Reported IOCs

    flow  pid   process
    18    2776  rundll32.exe
  • Drops file in System32 directory
    rundll32.exe

    Reported IOCs

    description                   ioc                                               process
    File opened for modification  C:\Windows\SysWOW64\Lyaxhhsbw\vlbkzgcuftjpa.sfm  rundll32.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Suspicious behavior: EnumeratesProcesses
    rundll32.exe

    Reported IOCs

    pid   process
    2776  rundll32.exe
    2776  rundll32.exe
  • Suspicious behavior: RenamesItself
    rundll32.exe

    Reported IOCs

    pid   process
    4664  rundll32.exe
  • Suspicious use of WriteProcessMemory
    rundll32.exe, rundll32.exe, rundll32.exe, rundll32.exe

    Reported IOCs

    description                       pid   process       target process
    PID 1636 wrote to memory of 4576  1636  rundll32.exe  rundll32.exe
    PID 1636 wrote to memory of 4576  1636  rundll32.exe  rundll32.exe
    PID 1636 wrote to memory of 4576  1636  rundll32.exe  rundll32.exe
    PID 4576 wrote to memory of 4664  4576  rundll32.exe  rundll32.exe
    PID 4576 wrote to memory of 4664  4576  rundll32.exe  rundll32.exe
    PID 4576 wrote to memory of 4664  4576  rundll32.exe  rundll32.exe
    PID 4664 wrote to memory of 2224  4664  rundll32.exe  rundll32.exe
    PID 4664 wrote to memory of 2224  4664  rundll32.exe  rundll32.exe
    PID 4664 wrote to memory of 2224  4664  rundll32.exe  rundll32.exe
    PID 2224 wrote to memory of 2776  2224  rundll32.exe  rundll32.exe
    PID 2224 wrote to memory of 2776  2224  rundll32.exe  rundll32.exe
    PID 2224 wrote to memory of 2776  2224  rundll32.exe  rundll32.exe
Processes (5)
  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\94c793c741698a75da4246ef790ce366534ddf5d620533c68f004b1f142de218.dll,#1
    Suspicious use of WriteProcessMemory
    PID:1636
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\94c793c741698a75da4246ef790ce366534ddf5d620533c68f004b1f142de218.dll,#1
      Suspicious use of WriteProcessMemory
      PID:4576
      • C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\94c793c741698a75da4246ef790ce366534ddf5d620533c68f004b1f142de218.dll",Control_RunDLL
        Drops file in System32 directory
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        PID:4664
        • C:\Windows\SysWOW64\rundll32.exe
          C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Lyaxhhsbw\vlbkzgcuftjpa.sfm",nUIbtGnRx
          Suspicious use of WriteProcessMemory
          PID:2224
          • C:\Windows\SysWOW64\rundll32.exe
            C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Lyaxhhsbw\vlbkzgcuftjpa.sfm",Control_RunDLL
            Blocklisted process makes network request
            Suspicious behavior: EnumeratesProcesses
            PID:2776
Downloads
  • memory/2224-138-0x0000000000000000-mapping.dmp
  • memory/2224-140-0x0000000004A60000-0x0000000004A88000-memory.dmp
  • memory/2776-155-0x00000000057A0000-0x00000000057C8000-memory.dmp
  • memory/2776-152-0x00000000056C0000-0x00000000056E8000-memory.dmp
  • memory/2776-149-0x00000000053C0000-0x00000000053E8000-memory.dmp
  • memory/2776-146-0x0000000004E40000-0x0000000004E68000-memory.dmp
  • memory/2776-145-0x0000000000000000-mapping.dmp
  • memory/2776-158-0x0000000005880000-0x00000000058A8000-memory.dmp
  • memory/2776-161-0x0000000005960000-0x0000000005988000-memory.dmp
  • memory/4576-119-0x0000000002D40000-0x0000000002D68000-memory.dmp
  • memory/4576-118-0x0000000000000000-mapping.dmp
  • memory/4664-135-0x0000000004A20000-0x0000000004A48000-memory.dmp
  • memory/4664-129-0x0000000004820000-0x0000000004848000-memory.dmp
  • memory/4664-126-0x0000000004640000-0x0000000004668000-memory.dmp
  • memory/4664-123-0x0000000004110000-0x0000000004138000-memory.dmp
  • memory/4664-122-0x0000000000000000-mapping.dmp
  • memory/4664-139-0x0000000004B80000-0x0000000004BA8000-memory.dmp
  • memory/4664-132-0x00000000049C0000-0x00000000049E8000-memory.dmp