026e78b6d86a672e4649d2241ca6c13ec8c5f2c6eaae8e6de7b6616cb586de7f

max time kernel50s
max time network44s
platformwindows10_x64
resourcewin10-de-20211104
submitted25-11-2021 16:52

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

026e78b6d86a672e4649d2241ca6c13ec8c5f2c6eaae8e6de7b6616cb586de7f.dll

Filesize

653KB

Completed

25-11-2021 16:53

Score

10^/10

MD5

2a1d89ff8b4c9381fc734d62fa01f686

SHA1

1f0e1cb7e5fd7eace7180f8a33d4c8f24a1e5221

SHA256

026e78b6d86a672e4649d2241ca6c13ec8c5f2c6eaae8e6de7b6616cb586de7f

Extracted

Family	emotet
Botnet	Epoch5
C2	51.178.61.60:443 168.197.250.14:80 45.79.33.48:8080 196.44.98.190:8080 177.72.80.14:7080 51.210.242.234:8080 185.148.169.10:8080 142.4.219.173:8080 78.47.204.80:443 78.46.73.125:443 37.44.244.177:8080 37.59.209.141:8080 191.252.103.16:80 54.38.242.185:443 85.214.67.203:8080 54.37.228.122:443 207.148.81.119:8080 195.77.239.39:8080 66.42.57.149:443 195.154.146.35:443 51.178.61.60:443 168.197.250.14:80 45.79.33.48:8080 196.44.98.190:8080 177.72.80.14:7080 51.210.242.234:8080 185.148.169.10:8080 142.4.219.173:8080 78.47.204.80:443 78.46.73.125:443 37.44.244.177:8080 37.59.209.141:8080 191.252.103.16:80 54.38.242.185:443 85.214.67.203:8080 54.37.228.122:443 207.148.81.119:8080 195.77.239.39:8080 66.42.57.149:443 195.154.146.35:443
eck1.plain
ecs1.plain

Persistence

Emotet

Description

Emotet is a trojan that is primarily spread through spam emails.

Tags

trojan banker emotet
Registers COM server for autorun

Tags

persistence

TTPs

Registry Run Keys / Startup Folder
suricata: ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)

Description

suricata: ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)

Tags

suricata
suricata: ET MALWARE W32/Emotet CnC Beacon 3

Description

suricata: ET MALWARE W32/Emotet CnC Beacon 3

Tags

suricata
Blocklisted process makes network request
rundll32.exe

Reported IOCs

flow pid process

10 1928 rundll32.exe
31 1928 rundll32.exe
32 1928 rundll32.exe

flow	pid	process
10	1928	rundll32.exe
31	1928	rundll32.exe
32	1928	rundll32.exe

Modifies registry class

FileSyncConfig.exe

Reported IOCs

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32\ = "%systemroot%\\SysWow64\\shell32.dll"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\TargetKnownFolder = "{a52bba46-e9e1-435f-b3d9-28daa648c0f6}"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\CLSID = "{0E5AAE11-A475-4c5b-AB00-C66DE400274E}"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\Attributes = "17"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SHELLFOLDER	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INSTANCE\INITPROPERTYBAG	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ = "OneDrive"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe,0"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\Attributes = "17"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ = "OneDrive"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DEFAULTICON	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe,0"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "1"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DEFAULTICON	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INPROCSERVER32	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SortOrderIndex = "66"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SHELLFOLDER	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "1"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SortOrderIndex = "66"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INPROCSERVER32	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INSTANCE\INITPROPERTYBAG	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\FolderValueFlags = "40"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\FolderValueFlags = "40"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\Attributes = "4034920525"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\TargetKnownFolder = "{a52bba46-e9e1-435f-b3d9-28daa648c0f6}"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\CLSID = "{0E5AAE11-A475-4c5b-AB00-C66DE400274E}"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\Attributes = "4034920525"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32\ = "%systemroot%\\system32\\shell32.dll"	FileSyncConfig.exe

Suspicious behavior: EnumeratesProcesses
rundll32.exe

Reported IOCs

pid process

1928 rundll32.exe
1928 rundll32.exe

pid	process
1928	rundll32.exe
1928	rundll32.exe

Suspicious use of WriteProcessMemory

rundll32.exerundll32.exe

Reported IOCs

description	pid	process	target process
PID 1348 wrote to memory of 1200	1348	rundll32.exe	rundll32.exe
PID 1348 wrote to memory of 1200	1348	rundll32.exe	rundll32.exe
PID 1348 wrote to memory of 1200	1348	rundll32.exe	rundll32.exe
PID 1200 wrote to memory of 1928	1200	rundll32.exe	rundll32.exe
PID 1200 wrote to memory of 1928	1200	rundll32.exe	rundll32.exe
PID 1200 wrote to memory of 1928	1200	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\026e78b6d86a672e4649d2241ca6c13ec8c5f2c6eaae8e6de7b6616cb586de7f.dll,#1

Suspicious use of WriteProcessMemory

PID:1348

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\026e78b6d86a672e4649d2241ca6c13ec8c5f2c6eaae8e6de7b6616cb586de7f.dll,#1

Suspicious use of WriteProcessMemory

PID:1200

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\026e78b6d86a672e4649d2241ca6c13ec8c5f2c6eaae8e6de7b6616cb586de7f.dll",Control_RunDLL

Blocklisted process makes network request
Suspicious behavior: EnumeratesProcesses

PID:1928

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe

"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe"

Modifies registry class

PID:924

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

00:00 00:00

memory/1200-118-0x0000000000000000-mapping.dmp

Download
memory/1200-119-0x0000000004A00000-0x0000000004A28000-memory.dmp

Download
memory/1928-122-0x0000000000000000-mapping.dmp

Download
memory/1928-124-0x0000000002BD0000-0x0000000002BF8000-memory.dmp

Download
memory/1928-126-0x0000000004B70000-0x0000000004B98000-memory.dmp

Download
memory/1928-129-0x0000000004D50000-0x0000000004D78000-memory.dmp

Download
memory/1928-132-0x0000000004E30000-0x0000000004E58000-memory.dmp

Download
memory/1928-135-0x0000000004F10000-0x0000000004F38000-memory.dmp

Download
memory/1928-138-0x0000000004FF0000-0x0000000005018000-memory.dmp

Download
memory/1928-141-0x00000000050D0000-0x00000000050F8000-memory.dmp

Download

026e78b6d86a672e4649d2241ca6c13ec8c5f2c6eaae8e6de7b6616cb586de7f

Extracted

Filter: none

Description

Tags

Tags

TTPs

Description

Tags

Description

Tags

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Title