Analysis

  • max time kernel
    56s
  • max time network
    68s
  • platform
    windows10_x64
  • resource
    win10-de-20211104
  • submitted
    25-11-2021 16:50

General

  • Target

    a472a3b1e4280b74c67614b379f3b245007915a66583dad9c20b0e90aee72dd8.dll

  • Size

    653KB

  • MD5

    6125da2cb4393f67faa6f29e1bed714d

  • SHA1

    85092143d56ea4b1529d23810efffa854f2e4c39

  • SHA256

    a472a3b1e4280b74c67614b379f3b245007915a66583dad9c20b0e90aee72dd8

  • SHA512

    dd681fcb17b10ee9b00401b4e95488cfc73c558f584df5b20522121e1360aca85315904569180bd57ba54d1bca3eb0825f770fe8c372aa39a1c39ac95731256e

Malware Config

Extracted

Family

emotet

Botnet

Epoch5

C2

51.178.61.60:443

168.197.250.14:80

45.79.33.48:8080

196.44.98.190:8080

177.72.80.14:7080

51.210.242.234:8080

185.148.169.10:8080

142.4.219.173:8080

78.47.204.80:443

78.46.73.125:443

37.44.244.177:8080

37.59.209.141:8080

191.252.103.16:80

54.38.242.185:443

85.214.67.203:8080

54.37.228.122:443

207.148.81.119:8080

195.77.239.39:8080

66.42.57.149:443

195.154.146.35:443

eck1.plain
ecs1.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Registers COM server for autorun 1 TTPs
  • suricata: ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)

    suricata: ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)

  • suricata: ET MALWARE W32/Emotet CnC Beacon 3

    suricata: ET MALWARE W32/Emotet CnC Beacon 3

  • Blocklisted process makes network request 2 IoCs
  • Modifies registry class 44 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\a472a3b1e4280b74c67614b379f3b245007915a66583dad9c20b0e90aee72dd8.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1268
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\a472a3b1e4280b74c67614b379f3b245007915a66583dad9c20b0e90aee72dd8.dll,#1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:652
      • C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\a472a3b1e4280b74c67614b379f3b245007915a66583dad9c20b0e90aee72dd8.dll",Control_RunDLL
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        PID:1084
  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe
    "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe"
    1⤵
    • Modifies registry class
    PID:2212

Network

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/652-118-0x0000000000000000-mapping.dmp
  • memory/652-119-0x0000000004500000-0x0000000004528000-memory.dmp
    Filesize

    160KB

  • memory/1084-122-0x0000000000000000-mapping.dmp
  • memory/1084-123-0x0000000000B90000-0x0000000000BB8000-memory.dmp
    Filesize

    160KB

  • memory/1084-126-0x0000000004220000-0x0000000004248000-memory.dmp
    Filesize

    160KB

  • memory/1084-129-0x00000000046B0000-0x00000000046D8000-memory.dmp
    Filesize

    160KB

  • memory/1084-132-0x00000000048A0000-0x00000000048C8000-memory.dmp
    Filesize

    160KB

  • memory/1084-135-0x0000000004980000-0x00000000049A8000-memory.dmp
    Filesize

    160KB

  • memory/1084-138-0x0000000004A60000-0x0000000004A88000-memory.dmp
    Filesize

    160KB