emotet | 06c6442d5bb110140ac1cdbcf1be52388441b9a0750d59b743acc6b52d19582b

General

Target

task1.exe
Size

188KB
MD5

2ba73d2d47cf2d388446b781613b7eff
SHA1

c75c7eb4814835388881d1b4c2db67e64a023e1e
SHA256

06c6442d5bb110140ac1cdbcf1be52388441b9a0750d59b743acc6b52d19582b
SHA512

667ddc16765d8c3c3596bb734174862db1f2ac24037c361a2e37ec9824c35a8926728400025d62c62c361b1b1e1a9d1e3b4c38c2c5989eee832e083481e50caa

Score

10^/10

emotet epoch2 banker persistence trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

C2

74.219.172.26:80

134.209.36.254:8080

104.156.59.7:8080

120.138.30.150:8080

194.187.133.160:443

104.236.246.93:8080

74.208.45.104:8080

78.187.156.31:80

187.161.206.24:80

94.23.216.33:80

172.91.208.86:80

91.211.88.52:7080

50.91.114.38:80

200.123.150.89:443

121.124.124.40:7080

62.75.141.82:80

5.196.74.210:8080

24.137.76.62:80

85.105.205.77:8080

139.130.242.43:80

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Emotet Payload 3 IoCs

Detects Emotet payload in memory.

trojan banker

Processes:

resource	yara_rule
behavioral1/memory/2172-130-0x0000000002240000-0x0000000002252000-memory.dmp	emotet
behavioral1/memory/2172-134-0x0000000000540000-0x0000000000550000-memory.dmp	emotet
behavioral1/memory/2172-137-0x0000000000530000-0x000000000053F000-memory.dmp	emotet

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

task1.exemsedge.exemsedge.exe

pid	process
2172	task1.exe
2172	task1.exe
2172	task1.exe
2172	task1.exe
896	msedge.exe
896	msedge.exe
3208	msedge.exe
3208	msedge.exe
2172	task1.exe
2172	task1.exe
2172	task1.exe
2172	task1.exe
2172	task1.exe
2172	task1.exe
2172	task1.exe
2172	task1.exe
2172	task1.exe
2172	task1.exe
2172	task1.exe
2172	task1.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid process

3208 msedge.exe
3208 msedge.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description pid process

Token: 33 3020 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 3020 AUDIODG.EXE
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

msedge.exe

pid process

3208 msedge.exe
3208 msedge.exe
3208 msedge.exe
3208 msedge.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

task1.exe

pid process

2172 task1.exe
2172 task1.exe

pid	process
3208	msedge.exe
3208	msedge.exe

description	pid	process
Token: 33	3020	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3020	AUDIODG.EXE

pid	process
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3208 wrote to memory of 1432	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 1432	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 4136	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 4136	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 4136	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 4136	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 4136	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 4136	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 4136	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 4136	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 4136	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 4136	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 4136	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 4136	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 4136	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 4136	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 4136	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 4136	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 4136	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 4136	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 4136	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 4136	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 4136	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 4136	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 4136	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 4136	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 4136	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 4136	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 4136	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 4136	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 4136	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 4136	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 4136	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 4136	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 4136	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 4136	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 4136	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 4136	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 4136	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 4136	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 4136	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 4136	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 896	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 896	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 2056	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 2056	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 2056	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 2056	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 2056	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 2056	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 2056	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 2056	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 2056	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 2056	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 2056	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 2056	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 2056	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 2056	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 2056	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 2056	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 2056	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 2056	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 2056	3208	msedge.exe	msedge.exe
PID 3208 wrote to memory of 2056	3208	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\task1.exe
"C:\Users\Admin\AppData\Local\Temp\task1.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2172

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x320 0x4fc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:?launchContext1=Microsoft.Windows.Cortana_cw5n1h2txyewy&url=https%3A%2F%2Fwww.bing.com%2Fsearch%3Fq%3Dtask1%26form%3DWNSGPH%26qs%3DSW%26cvid%3Db8c631b6d34041f08d4d4f6ce54b027c%26pq%3Dtask1%26cc%3DUS%26setlang%3Den-US%26nclid%3DAC132211E844C53C821E601A23766E16%26ts%3D1643418612710%26nclidts%3D1643418612%26tsms%3D710
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xb0,0x104,0x7ffc85f746f8,0x7ffc85f74708,0x7ffc85f74718
  2⤵
  PID:1432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,14045904640327396730,48871416298266658,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
  2⤵
  PID:4136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,14045904640327396730,48871416298266658,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,14045904640327396730,48871416298266658,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
  2⤵
  PID:2056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,14045904640327396730,48871416298266658,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3856 /prefetch:1
  2⤵
  PID:1404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,14045904640327396730,48871416298266658,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3864 /prefetch:1
  2⤵
  PID:4024

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3628

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask
1⤵
PID:4256

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\pipe\LOCAL\crashpad_3208_LXDRYCBPUNLTMTDQ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2172-130-0x0000000002240000-0x0000000002252000-memory.dmp

Filesize
72KB

Download
memory/2172-134-0x0000000000540000-0x0000000000550000-memory.dmp

Filesize
64KB

Download
memory/2172-137-0x0000000000530000-0x000000000053F000-memory.dmp

Filesize
60KB

Download
memory/4136-139-0x00007FFCA8710000-0x00007FFCA8711000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads