emotet | caaaafe53a73a297db132357ed69fa2a9489bbdc134aeded11b7eb59a217c63f

General

Target

caaaafe53a73a297db132357ed69fa2a9489bbdc134aeded11b7eb59a217c63f.dll
Size

219KB
MD5

4568aa57fc74251221606f177b84da28
SHA1

a92a66210adfb27ccfeeef1dda1aa714fe51241d
SHA256

caaaafe53a73a297db132357ed69fa2a9489bbdc134aeded11b7eb59a217c63f
SHA512

674b0c658985c912fd7b96983cf8dae4cdc9b9fb63a646de55abdf9a84d2fad942f255b802b620cb7f3b4eebbc7b7d5c7c495fc72903c03bffa9cc7ec603f36a

Score

10^/10

emotet epoch2 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

C2

173.70.61.180:80

59.21.235.119:80

50.116.111.59:8080

173.249.20.233:443

188.165.214.98:8080

72.188.173.74:80

74.40.205.197:443

64.207.182.168:8080

97.120.3.198:80

190.29.166.0:80

123.176.25.234:80

155.186.9.160:80

138.68.87.218:443

139.99.158.11:443

78.24.219.147:8080

58.1.242.115:80

108.21.72.56:443

188.219.31.12:80

70.180.33.202:80

181.171.209.241:443

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Emotet3 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2404-134-0x0000000002740000-0x000000000275F000-memory.dmp	Emotet3
behavioral2/memory/1624-138-0x0000000002120000-0x000000000213F000-memory.dmp	Emotet3

Blocklisted process makes network request 5 IoCs

Processes:

rundll32.exe

flow pid process

38 1624 rundll32.exe
41 1624 rundll32.exe
43 1624 rundll32.exe
44 1624 rundll32.exe
48 1624 rundll32.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1624 rundll32.exe

flow	pid	process
38	1624	rundll32.exe
41	1624	rundll32.exe
43	1624	rundll32.exe
44	1624	rundll32.exe
48	1624	rundll32.exe

Drops file in System32 directory 3 IoCs

Processes:

svchost.exerundll32.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{A3A999A7-A468-4BF8-934B-704D6AC3B7F0}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{06952B28-6C67-4207-A3D9-694A235ED074}.catalogItem	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Cdxf\pmnxzhs.hgx	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

rundll32.exe

pid	process
1624	rundll32.exe
1624	rundll32.exe
1624	rundll32.exe
1624	rundll32.exe
1624	rundll32.exe
1624	rundll32.exe
1624	rundll32.exe
1624	rundll32.exe
1624	rundll32.exe
1624	rundll32.exe
1624	rundll32.exe
1624	rundll32.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

rundll32.exe

pid process

2404 rundll32.exe

pid	process
2404	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4724 wrote to memory of 2404	4724	rundll32.exe	rundll32.exe
PID 4724 wrote to memory of 2404	4724	rundll32.exe	rundll32.exe
PID 4724 wrote to memory of 2404	4724	rundll32.exe	rundll32.exe
PID 2404 wrote to memory of 1624	2404	rundll32.exe	rundll32.exe
PID 2404 wrote to memory of 1624	2404	rundll32.exe	rundll32.exe
PID 2404 wrote to memory of 1624	2404	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\caaaafe53a73a297db132357ed69fa2a9489bbdc134aeded11b7eb59a217c63f.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4724
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\caaaafe53a73a297db132357ed69fa2a9489bbdc134aeded11b7eb59a217c63f.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Cdxf\pmnxzhs.hgx",RunDLL
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:1624

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:2484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cdxf\pmnxzhs.hgx

MD5
4568aa57fc74251221606f177b84da28

SHA1
a92a66210adfb27ccfeeef1dda1aa714fe51241d

SHA256
caaaafe53a73a297db132357ed69fa2a9489bbdc134aeded11b7eb59a217c63f

SHA512
674b0c658985c912fd7b96983cf8dae4cdc9b9fb63a646de55abdf9a84d2fad942f255b802b620cb7f3b4eebbc7b7d5c7c495fc72903c03bffa9cc7ec603f36a

Download Submit
memory/1624-138-0x0000000002120000-0x000000000213F000-memory.dmp

Filesize
124KB

Download
memory/2404-134-0x0000000002740000-0x000000000275F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads