emotet | 6b7ebd5fb9b2a26568d63d9ae3fe9b35ea2ea50e030a24a6b49b0e95ba291729

General

Target

187a117c79f7da7350737d0a1f4733dcbb01769f.exe
Size

528KB
MD5

91069647824563dce4341d42eab3f536
SHA1

187a117c79f7da7350737d0a1f4733dcbb01769f
SHA256

6b7ebd5fb9b2a26568d63d9ae3fe9b35ea2ea50e030a24a6b49b0e95ba291729
SHA512

ced73f6fae5094540074ecc5578a7a1c5c6483b98e345548b4d85a66a6db2091bd25a77ecf15f719038ecf0afbe6405bc97f6c01d464ec73fb281c00ed2dc95a

Score

10^/10

emotet epoch1 banker suricata trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch1

C2

186.92.11.143:8080

200.30.227.135:80

178.249.187.151:8080

81.169.140.14:443

94.177.183.28:8080

89.188.124.145:443

185.86.148.222:8080

82.196.15.205:8080

77.245.101.134:8080

217.199.160.224:8080

76.69.29.42:80

181.59.253.20:21

46.28.111.142:7080

149.62.173.247:8080

200.58.83.179:80

190.230.60.129:80

181.36.42.205:443

190.97.30.167:990

46.29.183.211:8080

87.106.77.40:7080

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
suricata: ET MALWARE Win32/Emotet CnC Activity (POST) M2
suricata: ET MALWARE Win32/Emotet CnC Activity (POST) M2
suricata
suricata: ET MALWARE Win32/Emotet CnC Activity (POST) M3
suricata: ET MALWARE Win32/Emotet CnC Activity (POST) M3
suricata
suricata: ET MALWARE Win32/Emotet CnC Activity (POST) M4
suricata: ET MALWARE Win32/Emotet CnC Activity (POST) M4
suricata

Drops file in System32 directory 1 IoCs

Processes:

iellrus.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	iellrus.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 21 IoCs

Processes:

iellrus.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	iellrus.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A2CCC9B5-A479-408A-ADB6-6DA9A1AE41DE}\WpadDecisionReason = "1"	iellrus.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-10-a0-71-21-12\WpadDecisionTime = 40ce4d0a1695d801	iellrus.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	iellrus.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	iellrus.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	iellrus.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	iellrus.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A2CCC9B5-A479-408A-ADB6-6DA9A1AE41DE}	iellrus.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A2CCC9B5-A479-408A-ADB6-6DA9A1AE41DE}\WpadDecisionTime = 40ce4d0a1695d801	iellrus.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A2CCC9B5-A479-408A-ADB6-6DA9A1AE41DE}\7a-10-a0-71-21-12	iellrus.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-10-a0-71-21-12\WpadDecisionReason = "1"	iellrus.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	iellrus.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	iellrus.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	iellrus.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A2CCC9B5-A479-408A-ADB6-6DA9A1AE41DE}\WpadNetworkName = "Network 3"	iellrus.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-10-a0-71-21-12\WpadDecision = "0"	iellrus.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	iellrus.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	iellrus.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-10-a0-71-21-12	iellrus.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	iellrus.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A2CCC9B5-A479-408A-ADB6-6DA9A1AE41DE}\WpadDecision = "0"	iellrus.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

iellrus.exe

pid process

844 iellrus.exe
844 iellrus.exe
844 iellrus.exe
844 iellrus.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

187a117c79f7da7350737d0a1f4733dcbb01769f.exe

pid process

1888 187a117c79f7da7350737d0a1f4733dcbb01769f.exe

pid	process
844	iellrus.exe
844	iellrus.exe
844	iellrus.exe
844	iellrus.exe

pid	process
1888	187a117c79f7da7350737d0a1f4733dcbb01769f.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

187a117c79f7da7350737d0a1f4733dcbb01769f.exe187a117c79f7da7350737d0a1f4733dcbb01769f.exeiellrus.exeiellrus.exe

pid	process
1084	187a117c79f7da7350737d0a1f4733dcbb01769f.exe
1084	187a117c79f7da7350737d0a1f4733dcbb01769f.exe
1888	187a117c79f7da7350737d0a1f4733dcbb01769f.exe
1888	187a117c79f7da7350737d0a1f4733dcbb01769f.exe
1360	iellrus.exe
1360	iellrus.exe
844	iellrus.exe
844	iellrus.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

187a117c79f7da7350737d0a1f4733dcbb01769f.exeiellrus.exe

description	pid	process	target process
PID 1084 wrote to memory of 1888	1084	187a117c79f7da7350737d0a1f4733dcbb01769f.exe	187a117c79f7da7350737d0a1f4733dcbb01769f.exe
PID 1084 wrote to memory of 1888	1084	187a117c79f7da7350737d0a1f4733dcbb01769f.exe	187a117c79f7da7350737d0a1f4733dcbb01769f.exe
PID 1084 wrote to memory of 1888	1084	187a117c79f7da7350737d0a1f4733dcbb01769f.exe	187a117c79f7da7350737d0a1f4733dcbb01769f.exe
PID 1084 wrote to memory of 1888	1084	187a117c79f7da7350737d0a1f4733dcbb01769f.exe	187a117c79f7da7350737d0a1f4733dcbb01769f.exe
PID 1360 wrote to memory of 844	1360	iellrus.exe	iellrus.exe
PID 1360 wrote to memory of 844	1360	iellrus.exe	iellrus.exe
PID 1360 wrote to memory of 844	1360	iellrus.exe	iellrus.exe
PID 1360 wrote to memory of 844	1360	iellrus.exe	iellrus.exe

C:\Users\Admin\AppData\Local\Temp\187a117c79f7da7350737d0a1f4733dcbb01769f.exe
"C:\Users\Admin\AppData\Local\Temp\187a117c79f7da7350737d0a1f4733dcbb01769f.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1084

C:\Users\Admin\AppData\Local\Temp\187a117c79f7da7350737d0a1f4733dcbb01769f.exe
--34c90f66
2⤵
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
PID:1888

C:\Windows\SysWOW64\iellrus.exe
"C:\Windows\SysWOW64\iellrus.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1360

C:\Windows\SysWOW64\iellrus.exe
--68e352a
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:844

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/844-74-0x0000000000000000-mapping.dmp

Download
memory/844-76-0x0000000000910000-0x0000000000926000-memory.dmp

Filesize
88KB

Download
memory/1084-54-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

Filesize
8KB

Download
memory/1084-55-0x0000000000260000-0x0000000000276000-memory.dmp

Filesize
88KB

Download
memory/1084-61-0x0000000000250000-0x0000000000260000-memory.dmp

Filesize
64KB

Download
memory/1360-69-0x0000000000980000-0x0000000000996000-memory.dmp

Filesize
88KB

Download
memory/1888-60-0x0000000000000000-mapping.dmp

Download
memory/1888-63-0x0000000000280000-0x0000000000296000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads