61e8cd6a34f6f9fe47722da70e1d7afd4bc1d218ab49158bf059d8339a583453

max time kernel46s
max time network45s
platformwindows10_x64
resourcewin10-de-20211014
submitted25-11-2021 16:49

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

61e8cd6a34f6f9fe47722da70e1d7afd4bc1d218ab49158bf059d8339a583453.dll

Filesize

653KB

Completed

25-11-2021 16:50

Score

10^/10

MD5

d86d188a825706f04ce56aa86269c5ec

SHA1

6a5a0004e18e11aec4fd42dd7573d4d6e161496d

SHA256

61e8cd6a34f6f9fe47722da70e1d7afd4bc1d218ab49158bf059d8339a583453

Extracted

Family	emotet
Botnet	Epoch5
C2	51.178.61.60:443 168.197.250.14:80 45.79.33.48:8080 196.44.98.190:8080 177.72.80.14:7080 51.210.242.234:8080 185.148.169.10:8080 142.4.219.173:8080 78.47.204.80:443 78.46.73.125:443 37.44.244.177:8080 37.59.209.141:8080 191.252.103.16:80 54.38.242.185:443 85.214.67.203:8080 54.37.228.122:443 207.148.81.119:8080 195.77.239.39:8080 66.42.57.149:443 195.154.146.35:443 51.178.61.60:443 168.197.250.14:80 45.79.33.48:8080 196.44.98.190:8080 177.72.80.14:7080 51.210.242.234:8080 185.148.169.10:8080 142.4.219.173:8080 78.47.204.80:443 78.46.73.125:443 37.44.244.177:8080 37.59.209.141:8080 191.252.103.16:80 54.38.242.185:443 85.214.67.203:8080 54.37.228.122:443 207.148.81.119:8080 195.77.239.39:8080 66.42.57.149:443 195.154.146.35:443
eck1.plain
ecs1.plain

Discovery

Persistence

Emotet

Description

Emotet is a trojan that is primarily spread through spam emails.

Tags

trojan banker emotet
Registers COM server for autorun

Tags

persistence

TTPs

Registry Run Keys / Startup Folder
Blocklisted process makes network request
rundll32.exe

Reported IOCs

flow pid process

18 4728 rundll32.exe
Drops file in System32 directory
rundll32.exe

Reported IOCs

description ioc process

File opened for modification C:\Windows\SysWOW64\Ksnioihtiyqbod\dfchuyhlbrhy.naa rundll32.exe
Enumerates physical storage devices

Description

Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

TTPs

System Information Discovery

flow	pid	process
18	4728	rundll32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Ksnioihtiyqbod\dfchuyhlbrhy.naa	rundll32.exe

Modifies registry class

FileSyncConfig.exe

Reported IOCs

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "1"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\CLSID = "{0E5AAE11-A475-4c5b-AB00-C66DE400274E}"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "1"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INPROCSERVER32	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SortOrderIndex = "66"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\TargetKnownFolder = "{a52bba46-e9e1-435f-b3d9-28daa648c0f6}"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INPROCSERVER32	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\TargetKnownFolder = "{a52bba46-e9e1-435f-b3d9-28daa648c0f6}"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ = "OneDrive"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe,0"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\FolderValueFlags = "40"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ = "OneDrive"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\CLSID = "{0E5AAE11-A475-4c5b-AB00-C66DE400274E}"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\Attributes = "17"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\Attributes = "17"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\Attributes = "4034920525"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INSTANCE\INITPROPERTYBAG	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SHELLFOLDER	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SortOrderIndex = "66"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe,0"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DEFAULTICON	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32\ = "%systemroot%\\SysWow64\\shell32.dll"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\FolderValueFlags = "40"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\Attributes = "4034920525"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INSTANCE\INITPROPERTYBAG	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32\ = "%systemroot%\\system32\\shell32.dll"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SHELLFOLDER	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DEFAULTICON	FileSyncConfig.exe

Suspicious behavior: EnumeratesProcesses
rundll32.exe

Reported IOCs

pid process

4728 rundll32.exe
4728 rundll32.exe
Suspicious behavior: RenamesItself
rundll32.exe

Reported IOCs

pid process

4676 rundll32.exe

pid	process
4728	rundll32.exe
4728	rundll32.exe

pid	process
4676	rundll32.exe

Suspicious use of WriteProcessMemory

rundll32.exerundll32.exerundll32.exerundll32.exe

Reported IOCs

description	pid	process	target process
PID 4572 wrote to memory of 4624	4572	rundll32.exe	rundll32.exe
PID 4572 wrote to memory of 4624	4572	rundll32.exe	rundll32.exe
PID 4572 wrote to memory of 4624	4572	rundll32.exe	rundll32.exe
PID 4624 wrote to memory of 4676	4624	rundll32.exe	rundll32.exe
PID 4624 wrote to memory of 4676	4624	rundll32.exe	rundll32.exe
PID 4624 wrote to memory of 4676	4624	rundll32.exe	rundll32.exe
PID 4676 wrote to memory of 3084	4676	rundll32.exe	rundll32.exe
PID 4676 wrote to memory of 3084	4676	rundll32.exe	rundll32.exe
PID 4676 wrote to memory of 3084	4676	rundll32.exe	rundll32.exe
PID 3084 wrote to memory of 4728	3084	rundll32.exe	rundll32.exe
PID 3084 wrote to memory of 4728	3084	rundll32.exe	rundll32.exe
PID 3084 wrote to memory of 4728	3084	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\61e8cd6a34f6f9fe47722da70e1d7afd4bc1d218ab49158bf059d8339a583453.dll,#1

Suspicious use of WriteProcessMemory

PID:4572

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\61e8cd6a34f6f9fe47722da70e1d7afd4bc1d218ab49158bf059d8339a583453.dll,#1

Suspicious use of WriteProcessMemory

PID:4624

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\61e8cd6a34f6f9fe47722da70e1d7afd4bc1d218ab49158bf059d8339a583453.dll",Control_RunDLL

Drops file in System32 directory
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory

PID:4676

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Ksnioihtiyqbod\dfchuyhlbrhy.naa",FQESBZkJZF

Suspicious use of WriteProcessMemory

PID:3084

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Ksnioihtiyqbod\dfchuyhlbrhy.naa",Control_RunDLL

Blocklisted process makes network request
Suspicious behavior: EnumeratesProcesses

PID:4728

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe

"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe"

Modifies registry class

PID:1104

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

System Information Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

00:00 00:00

memory/3084-135-0x0000000000000000-mapping.dmp

Download
memory/3084-136-0x00000000030C0000-0x00000000030E8000-memory.dmp

Download
memory/4624-116-0x0000000000910000-0x0000000000938000-memory.dmp

Download
memory/4624-115-0x0000000000000000-mapping.dmp

Download
memory/4676-140-0x0000000005560000-0x0000000005588000-memory.dmp

Download
memory/4676-126-0x00000000051E0000-0x0000000005208000-memory.dmp

Download
memory/4676-129-0x00000000053A0000-0x00000000053C8000-memory.dmp

Download
memory/4676-132-0x0000000005400000-0x0000000005428000-memory.dmp

Download
memory/4676-120-0x0000000004B00000-0x0000000004B28000-memory.dmp

Download
memory/4676-119-0x0000000000000000-mapping.dmp

Download
memory/4676-123-0x0000000004FF0000-0x0000000005018000-memory.dmp

Download
memory/4728-139-0x0000000000000000-mapping.dmp

Download
memory/4728-141-0x0000000000820000-0x0000000000848000-memory.dmp

Download
memory/4728-146-0x0000000004240000-0x0000000004268000-memory.dmp

Download
memory/4728-149-0x0000000004880000-0x00000000048A8000-memory.dmp

Download
memory/4728-152-0x0000000004960000-0x0000000004988000-memory.dmp

Download
memory/4728-155-0x0000000004A40000-0x0000000004A68000-memory.dmp

Download
memory/4728-158-0x0000000004B20000-0x0000000004B48000-memory.dmp

Download
memory/4728-161-0x0000000004C30000-0x0000000004C58000-memory.dmp

Download

61e8cd6a34f6f9fe47722da70e1d7afd4bc1d218ab49158bf059d8339a583453

Extracted

Filter: none

Description

Tags

Tags

TTPs

Reported IOCs

Reported IOCs

Description

TTPs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Title