a472a3b1e4280b74c67614b379f3b245007915a66583dad9c20b0e90aee72dd8
General
Target
Filesize
Completed
a472a3b1e4280b74c67614b379f3b245007915a66583dad9c20b0e90aee72dd8.dll
653KB
25-11-2021 16:51
Score
10/10
MD5
SHA1
SHA256
6125da2cb4393f67faa6f29e1bed714d
85092143d56ea4b1529d23810efffa854f2e4c39
a472a3b1e4280b74c67614b379f3b245007915a66583dad9c20b0e90aee72dd8
Malware Config
Extracted
| Family | emotet |
| Botnet | Epoch5 |
| C2 |
51.178.61.60:443 168.197.250.14:80 45.79.33.48:8080 196.44.98.190:8080 177.72.80.14:7080 51.210.242.234:8080 185.148.169.10:8080 142.4.219.173:8080 78.47.204.80:443 78.46.73.125:443 37.44.244.177:8080 37.59.209.141:8080 191.252.103.16:80 54.38.242.185:443 85.214.67.203:8080 54.37.228.122:443 207.148.81.119:8080 195.77.239.39:8080 66.42.57.149:443 195.154.146.35:443 |
| eck1.plain |
|
| ecs1.plain |
|
Signatures 8
Filter: none
Persistence
-
Emotet
Description
Emotet is a trojan that is primarily spread through spam emails.
Tags
-
Registers COM server for autorun
Tags
TTPs
-
suricata: ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)
Description
suricata: ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)
Tags
-
suricata: ET MALWARE W32/Emotet CnC Beacon 3
Description
suricata: ET MALWARE W32/Emotet CnC Beacon 3
Tags
-
Blocklisted process makes network requestrundll32.exe
Reported IOCs
flow pid process 12 1084 rundll32.exe 13 1084 rundll32.exe -
Modifies registry classFileSyncConfig.exe
Reported IOCs
description ioc process Key deleted \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INSTANCE\INITPROPERTYBAG FileSyncConfig.exe Set value (int) \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\Attributes = "4034920525" FileSyncConfig.exe Set value (str) \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32\ = "%systemroot%\\system32\\shell32.dll" FileSyncConfig.exe Key created \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag FileSyncConfig.exe Key deleted \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SHELLFOLDER FileSyncConfig.exe Key deleted \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INPROCSERVER32 FileSyncConfig.exe Key deleted \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SHELLFOLDER FileSyncConfig.exe Set value (int) \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "1" FileSyncConfig.exe Set value (str) \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ = "OneDrive" FileSyncConfig.exe Key deleted \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance FileSyncConfig.exe Key created \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6} FileSyncConfig.exe Key created \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon FileSyncConfig.exe Key created \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag FileSyncConfig.exe Set value (int) \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\FolderValueFlags = "40" FileSyncConfig.exe Set value (str) \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\TargetKnownFolder = "{a52bba46-e9e1-435f-b3d9-28daa648c0f6}" FileSyncConfig.exe Set value (int) \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SortOrderIndex = "66" FileSyncConfig.exe Set value (str) \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe,0" FileSyncConfig.exe Key deleted \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DEFAULTICON FileSyncConfig.exe Set value (str) \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\CLSID = "{0E5AAE11-A475-4c5b-AB00-C66DE400274E}" FileSyncConfig.exe Key created \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon FileSyncConfig.exe Set value (int) \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\Attributes = "4034920525" FileSyncConfig.exe Key deleted \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INPROCSERVER32 FileSyncConfig.exe Key created \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32 FileSyncConfig.exe Key created \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder FileSyncConfig.exe Set value (int) \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "1" FileSyncConfig.exe Set value (str) \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\CLSID = "{0E5AAE11-A475-4c5b-AB00-C66DE400274E}" FileSyncConfig.exe Set value (str) \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe,0" FileSyncConfig.exe Key created \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance FileSyncConfig.exe Key created \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32 FileSyncConfig.exe Key deleted \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6} FileSyncConfig.exe Key deleted \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DEFAULTICON FileSyncConfig.exe Key deleted \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INSTANCE\INITPROPERTYBAG FileSyncConfig.exe Key deleted \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6} FileSyncConfig.exe Set value (int) \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SortOrderIndex = "66" FileSyncConfig.exe Set value (str) \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\TargetKnownFolder = "{a52bba46-e9e1-435f-b3d9-28daa648c0f6}" FileSyncConfig.exe Key created \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder FileSyncConfig.exe Set value (int) \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\FolderValueFlags = "40" FileSyncConfig.exe Key created \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance FileSyncConfig.exe Set value (int) \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\Attributes = "17" FileSyncConfig.exe Key deleted \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance FileSyncConfig.exe Set value (str) \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ = "OneDrive" FileSyncConfig.exe Set value (str) \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32\ = "%systemroot%\\SysWow64\\shell32.dll" FileSyncConfig.exe Set value (int) \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\Attributes = "17" FileSyncConfig.exe Key created \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6} FileSyncConfig.exe -
Suspicious behavior: EnumeratesProcessesrundll32.exe
Reported IOCs
pid process 1084 rundll32.exe 1084 rundll32.exe -
Suspicious use of WriteProcessMemoryrundll32.exerundll32.exe
Reported IOCs
description pid process target process PID 1268 wrote to memory of 652 1268 rundll32.exe rundll32.exe PID 1268 wrote to memory of 652 1268 rundll32.exe rundll32.exe PID 1268 wrote to memory of 652 1268 rundll32.exe rundll32.exe PID 652 wrote to memory of 1084 652 rundll32.exe rundll32.exe PID 652 wrote to memory of 1084 652 rundll32.exe rundll32.exe PID 652 wrote to memory of 1084 652 rundll32.exe rundll32.exe
Processes 4
-
C:\Windows\system32\rundll32.exePID:1268rundll32.exe C:\Users\Admin\AppData\Local\Temp\a472a3b1e4280b74c67614b379f3b245007915a66583dad9c20b0e90aee72dd8.dll,#1Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exePID:652rundll32.exe C:\Users\Admin\AppData\Local\Temp\a472a3b1e4280b74c67614b379f3b245007915a66583dad9c20b0e90aee72dd8.dll,#1Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exePID:1084C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\a472a3b1e4280b74c67614b379f3b245007915a66583dad9c20b0e90aee72dd8.dll",Control_RunDLLBlocklisted process makes network requestSuspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exePID:2212"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe"Modifies registry class
Network
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Replay Monitor
00:00
00:00
Downloads
-
memory/652-118-0x0000000000000000-mapping.dmp
-
memory/652-119-0x0000000004500000-0x0000000004528000-memory.dmp
-
memory/1084-122-0x0000000000000000-mapping.dmp
-
memory/1084-123-0x0000000000B90000-0x0000000000BB8000-memory.dmp
-
memory/1084-126-0x0000000004220000-0x0000000004248000-memory.dmp
-
memory/1084-129-0x00000000046B0000-0x00000000046D8000-memory.dmp
-
memory/1084-132-0x00000000048A0000-0x00000000048C8000-memory.dmp
-
memory/1084-135-0x0000000004980000-0x00000000049A8000-memory.dmp
-
memory/1084-138-0x0000000004A60000-0x0000000004A88000-memory.dmp
Title
Loading data