emotet | 9b6c4f769f85731411f4989b4708a4ec675680954ec02c4f4f6cff23a44a4ef6

Analysis

max time kernel
138s
max time network
138s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-01-2022 15:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

se1.png.ps1
Size

1KB
MD5

a8dd1b2e06f787607dbbd3f5fd619e80
SHA1

0682c65611fba1a86544b05b397d79f526c4a19c
SHA256

9b6c4f769f85731411f4989b4708a4ec675680954ec02c4f4f6cff23a44a4ef6
SHA512

9bb703f6e359b21541ffd5975cc879266e5ec41907d378ddd143a2334c3d2b5473f6b995dd4671e0e934dcd1f0e1203fe4bd2fa951dad8e6768291d5c6e6d905

Score

10^/10

emotet epoch5 banker suricata trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch5

45.138.98.34:80

69.16.218.101:8080

51.210.242.234:8080

185.148.168.220:8080

142.4.219.173:8080

54.38.242.185:443

191.252.103.16:80

104.131.62.48:8080

62.171.178.147:8080

217.182.143.207:443

168.197.250.14:80

37.44.244.177:8080

66.42.57.149:443

210.57.209.142:8080

159.69.237.188:443

116.124.128.206:8080

128.199.192.135:8080

195.154.146.35:443

185.148.168.15:8080

195.77.239.39:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata

Blocklisted process makes network request 9 IoCs

Processes:

powershell.exerundll32.exe

flow	pid	process
5	1592	powershell.exe
7	1592	powershell.exe
9	1592	powershell.exe
11	1592	powershell.exe
13	1592	powershell.exe
15	1896	rundll32.exe
16	1896	rundll32.exe
17	1896	rundll32.exe
18	1896	rundll32.exe

Downloads MZ/PE file
Loads dropped DLL 8 IoCs

Processes:

rundll32.exerundll32.exe

pid process

336 rundll32.exe
336 rundll32.exe
336 rundll32.exe
336 rundll32.exe
1816 rundll32.exe
1816 rundll32.exe
1816 rundll32.exe
1816 rundll32.exe
Drops file in System32 directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\Esskloenve\pqdqupcxror.ytd rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

rundll32.exe

pid process

336 rundll32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exerundll32.exe

pid process

1592 powershell.exe
1896 rundll32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1592 powershell.exe

pid	process
336	rundll32.exe
336	rundll32.exe
336	rundll32.exe
336	rundll32.exe
1816	rundll32.exe
1816	rundll32.exe
1816	rundll32.exe
1816	rundll32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Esskloenve\pqdqupcxror.ytd	rundll32.exe

pid	process
336	rundll32.exe

pid	process
1592	powershell.exe
1896	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	1592	powershell.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

powershell.execmd.exerundll32.exerundll32.exerundll32.exe

description	pid	process	target process
PID 1592 wrote to memory of 624	1592	powershell.exe	cmd.exe
PID 1592 wrote to memory of 624	1592	powershell.exe	cmd.exe
PID 1592 wrote to memory of 624	1592	powershell.exe	cmd.exe
PID 624 wrote to memory of 336	624	cmd.exe	rundll32.exe
PID 624 wrote to memory of 336	624	cmd.exe	rundll32.exe
PID 624 wrote to memory of 336	624	cmd.exe	rundll32.exe
PID 624 wrote to memory of 336	624	cmd.exe	rundll32.exe
PID 624 wrote to memory of 336	624	cmd.exe	rundll32.exe
PID 624 wrote to memory of 336	624	cmd.exe	rundll32.exe
PID 624 wrote to memory of 336	624	cmd.exe	rundll32.exe
PID 336 wrote to memory of 1816	336	rundll32.exe	rundll32.exe
PID 336 wrote to memory of 1816	336	rundll32.exe	rundll32.exe
PID 336 wrote to memory of 1816	336	rundll32.exe	rundll32.exe
PID 336 wrote to memory of 1816	336	rundll32.exe	rundll32.exe
PID 336 wrote to memory of 1816	336	rundll32.exe	rundll32.exe
PID 336 wrote to memory of 1816	336	rundll32.exe	rundll32.exe
PID 336 wrote to memory of 1816	336	rundll32.exe	rundll32.exe
PID 1816 wrote to memory of 1776	1816	rundll32.exe	rundll32.exe
PID 1816 wrote to memory of 1776	1816	rundll32.exe	rundll32.exe
PID 1816 wrote to memory of 1776	1816	rundll32.exe	rundll32.exe
PID 1816 wrote to memory of 1776	1816	rundll32.exe	rundll32.exe
PID 1816 wrote to memory of 1776	1816	rundll32.exe	rundll32.exe
PID 1816 wrote to memory of 1776	1816	rundll32.exe	rundll32.exe
PID 1816 wrote to memory of 1776	1816	rundll32.exe	rundll32.exe
PID 1776 wrote to memory of 1896	1776	rundll32.exe	rundll32.exe
PID 1776 wrote to memory of 1896	1776	rundll32.exe	rundll32.exe
PID 1776 wrote to memory of 1896	1776	rundll32.exe	rundll32.exe
PID 1776 wrote to memory of 1896	1776	rundll32.exe	rundll32.exe
PID 1776 wrote to memory of 1896	1776	rundll32.exe	rundll32.exe
PID 1776 wrote to memory of 1896	1776	rundll32.exe	rundll32.exe
PID 1776 wrote to memory of 1896	1776	rundll32.exe	rundll32.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\se1.png.ps1
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll AnyString
2⤵
- Suspicious use of WriteProcessMemory
PID:624

C:\Windows\SysWow64\rundll32.exe
C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll AnyString
3⤵
- Loads dropped DLL
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Users\Public\Documents\ssd.dll",DllRegisterServer
4⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Esskloenve\pqdqupcxror.ytd",uYfGd
5⤵
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Esskloenve\pqdqupcxror.ytd",DllRegisterServer
6⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:1896

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
4e509a401ec29b4d09ddef9b7d3659c2

SHA1
bc3fe582e326b1daa808c6189154259c41e28cf6

SHA256
6b9a2695ab9f639eb36ab3a76d5b911fb2c18acce20331355b80979a4a351486

SHA512
8ad790ee24dc4ec7ead75e9bcbc7bf536ea3b2dba8c2d5535e7fb3fddf7cae389033cb4f478917f0be3c6094525fa9a1338263dfaa38dfd5dac1ace32437b7d6

Download Submit
C:\Users\Public\Documents\ssd.dll
MD5
1fe0271586407b68aaafe5215cebce12

SHA1
0748dd734b4848c43a75cbd2d0647c1bae27c4b4

SHA256
0648dc98932e4d08e2a3f38870f09d1186bda953e26e84aa1578b51b3192f3ce

SHA512
2fc63c24311be0b11bb815174c91cba1fab3f28b2431bfe8ccc8ae31df44f7e494e1381d9e2cd512953a018f21a8ea974b5ea3255ac57fb283619b5e25085695

Download Submit
\Users\Public\Documents\ssd.dll
MD5
1fe0271586407b68aaafe5215cebce12

SHA1
0748dd734b4848c43a75cbd2d0647c1bae27c4b4

SHA256
0648dc98932e4d08e2a3f38870f09d1186bda953e26e84aa1578b51b3192f3ce

SHA512
2fc63c24311be0b11bb815174c91cba1fab3f28b2431bfe8ccc8ae31df44f7e494e1381d9e2cd512953a018f21a8ea974b5ea3255ac57fb283619b5e25085695

Download Submit
\Users\Public\Documents\ssd.dll
MD5
1fe0271586407b68aaafe5215cebce12

SHA1
0748dd734b4848c43a75cbd2d0647c1bae27c4b4

SHA256
0648dc98932e4d08e2a3f38870f09d1186bda953e26e84aa1578b51b3192f3ce

SHA512
2fc63c24311be0b11bb815174c91cba1fab3f28b2431bfe8ccc8ae31df44f7e494e1381d9e2cd512953a018f21a8ea974b5ea3255ac57fb283619b5e25085695

Download Submit
\Users\Public\Documents\ssd.dll
MD5
1fe0271586407b68aaafe5215cebce12

SHA1
0748dd734b4848c43a75cbd2d0647c1bae27c4b4

SHA256
0648dc98932e4d08e2a3f38870f09d1186bda953e26e84aa1578b51b3192f3ce

SHA512
2fc63c24311be0b11bb815174c91cba1fab3f28b2431bfe8ccc8ae31df44f7e494e1381d9e2cd512953a018f21a8ea974b5ea3255ac57fb283619b5e25085695

Download Submit
\Users\Public\Documents\ssd.dll
MD5
1fe0271586407b68aaafe5215cebce12

SHA1
0748dd734b4848c43a75cbd2d0647c1bae27c4b4

SHA256
0648dc98932e4d08e2a3f38870f09d1186bda953e26e84aa1578b51b3192f3ce

SHA512
2fc63c24311be0b11bb815174c91cba1fab3f28b2431bfe8ccc8ae31df44f7e494e1381d9e2cd512953a018f21a8ea974b5ea3255ac57fb283619b5e25085695

Download Submit
\Users\Public\Documents\ssd.dll
MD5
1fe0271586407b68aaafe5215cebce12

SHA1
0748dd734b4848c43a75cbd2d0647c1bae27c4b4

SHA256
0648dc98932e4d08e2a3f38870f09d1186bda953e26e84aa1578b51b3192f3ce

SHA512
2fc63c24311be0b11bb815174c91cba1fab3f28b2431bfe8ccc8ae31df44f7e494e1381d9e2cd512953a018f21a8ea974b5ea3255ac57fb283619b5e25085695

Download Submit
\Users\Public\Documents\ssd.dll
MD5
1fe0271586407b68aaafe5215cebce12

SHA1
0748dd734b4848c43a75cbd2d0647c1bae27c4b4

SHA256
0648dc98932e4d08e2a3f38870f09d1186bda953e26e84aa1578b51b3192f3ce

SHA512
2fc63c24311be0b11bb815174c91cba1fab3f28b2431bfe8ccc8ae31df44f7e494e1381d9e2cd512953a018f21a8ea974b5ea3255ac57fb283619b5e25085695

Download Submit
\Users\Public\Documents\ssd.dll
MD5
1fe0271586407b68aaafe5215cebce12

SHA1
0748dd734b4848c43a75cbd2d0647c1bae27c4b4

SHA256
0648dc98932e4d08e2a3f38870f09d1186bda953e26e84aa1578b51b3192f3ce

SHA512
2fc63c24311be0b11bb815174c91cba1fab3f28b2431bfe8ccc8ae31df44f7e494e1381d9e2cd512953a018f21a8ea974b5ea3255ac57fb283619b5e25085695

Download Submit
\Users\Public\Documents\ssd.dll
MD5
1fe0271586407b68aaafe5215cebce12

SHA1
0748dd734b4848c43a75cbd2d0647c1bae27c4b4

SHA256
0648dc98932e4d08e2a3f38870f09d1186bda953e26e84aa1578b51b3192f3ce

SHA512
2fc63c24311be0b11bb815174c91cba1fab3f28b2431bfe8ccc8ae31df44f7e494e1381d9e2cd512953a018f21a8ea974b5ea3255ac57fb283619b5e25085695

Download Submit
memory/336-61-0x0000000076151000-0x0000000076153000-memory.dmp

Filesize
8KB

Download
memory/336-67-0x0000000000290000-0x00000000002B8000-memory.dmp

Filesize
160KB

Download
memory/1592-60-0x00000000027CB000-0x00000000027EA000-memory.dmp

Filesize
124KB

Download
memory/1592-59-0x000000001B6E0000-0x000000001B9DF000-memory.dmp

Filesize
3.0MB

Download
memory/1592-57-0x00000000027C2000-0x00000000027C4000-memory.dmp

Filesize
8KB

Download
memory/1592-58-0x00000000027C4000-0x00000000027C7000-memory.dmp

Filesize
12KB

Download
memory/1592-55-0x000007FEF2FB0000-0x000007FEF3B0D000-memory.dmp

Filesize
11.4MB

Download
memory/1592-56-0x00000000027C0000-0x00000000027C2000-memory.dmp

Filesize
8KB

Download
memory/1592-54-0x000007FEFBC11000-0x000007FEFBC13000-memory.dmp

Filesize
8KB

Download
memory/1776-89-0x00000000002F0000-0x0000000000318000-memory.dmp

Filesize
160KB

Download
memory/1816-82-0x0000000002540000-0x0000000002568000-memory.dmp

Filesize
160KB

Download
memory/1816-80-0x0000000000C40000-0x0000000000C68000-memory.dmp

Filesize
160KB

Download
memory/1816-78-0x0000000000A30000-0x0000000000A58000-memory.dmp

Filesize
160KB

Download
memory/1816-84-0x0000000002710000-0x0000000002738000-memory.dmp

Filesize
160KB

Download
memory/1816-76-0x0000000000840000-0x0000000000868000-memory.dmp

Filesize
160KB

Download
memory/1816-87-0x0000000002880000-0x00000000028A8000-memory.dmp

Filesize
160KB

Download
memory/1816-74-0x0000000000320000-0x0000000000348000-memory.dmp

Filesize
160KB

Download
memory/1896-102-0x0000000002730000-0x0000000002758000-memory.dmp

Filesize
160KB

Download
memory/1896-100-0x00000000026D0000-0x00000000026F8000-memory.dmp

Filesize
160KB

Download
memory/1896-98-0x0000000002570000-0x0000000002598000-memory.dmp

Filesize
160KB

Download
memory/1896-104-0x00000000027F0000-0x0000000002818000-memory.dmp

Filesize
160KB

Download
memory/1896-106-0x0000000002850000-0x0000000002878000-memory.dmp

Filesize
160KB

Download
memory/1896-108-0x0000000002960000-0x0000000002988000-memory.dmp

Filesize
160KB

Download
memory/1896-110-0x0000000002AA0000-0x0000000002AC8000-memory.dmp

Filesize
160KB

Download
memory/1896-96-0x00000000009B0000-0x00000000009D8000-memory.dmp

Filesize
160KB

Download
memory/1896-113-0x0000000002B01000-0x0000000002B25000-memory.dmp

Filesize
144KB

Download
memory/1896-114-0x0000000002B60000-0x0000000002B88000-memory.dmp

Filesize
160KB

Download