emotet | 72511274f712bfd930c8431ae1e739f6d0940f59fd45dc2bbf148d5bc73dc983

Analysis

max time kernel
134s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
15-03-2023 23:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

n_277947747244.one
Size

130KB
MD5

6bead65ca651b31de7fe3433bc398ad5
SHA1

202963a59f15235f03585cc103b267e93fa09343
SHA256

72511274f712bfd930c8431ae1e739f6d0940f59fd45dc2bbf148d5bc73dc983
SHA512

c291f00125ee1563148d3fdb23d3699e58eda868e59d5e475491899e8d5391235e5ce9cc912701e9e273ab72eabefc6b87edff007e4ad7d5c053a8528b95b214
SSDEEP

3072:PrfWMINYf3K19kzCnEEQvSMVnte8ZP1Y6J0cTgGO:d6nInM8TXJ5O

Score

10^/10

emotet epoch5 banker persistence trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch5

103.85.95.4:8080

103.224.241.74:8080

178.238.225.252:8080

37.59.103.148:8080

78.47.204.80:443

138.197.14.67:8080

128.199.242.164:8080

54.37.228.122:443

37.44.244.177:8080

139.59.80.108:8080

218.38.121.17:443

82.98.180.154:7080

114.79.130.68:443

159.65.135.222:7080

174.138.33.49:7080

195.77.239.39:8080

193.194.92.175:443

198.199.70.22:8080

85.214.67.203:8080

93.84.115.205:7080

ecs1.plain

eck1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

WScript.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE is not expected to spawn this process	4068	1204	WScript.exe	ONENOTE.EXE

Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

47 4068 WScript.exe
Downloads MZ/PE file
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation WScript.exe
Loads dropped DLL 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

1260 regsvr32.exe
1472 regsvr32.exe

flow	pid	process
47	4068	WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	WScript.exe

pid	process
1260	regsvr32.exe
1472	regsvr32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qiTDw.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\OuoARPMNlAejHitpH\\qiTDw.dll\""	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3220 3444 WerFault.exe

pid	pid_target	process	target process
3220	3444	WerFault.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 47 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

ONENOTE.EXE

pid process

1204 ONENOTE.EXE
1204 ONENOTE.EXE

description	flow	ioc
HTTP User-Agent header	47	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

ONENOTE.EXEregsvr32.exeregsvr32.exe

pid	process
1204	ONENOTE.EXE
1204	ONENOTE.EXE
1204	ONENOTE.EXE
1260	regsvr32.exe
1260	regsvr32.exe
1472	regsvr32.exe
1472	regsvr32.exe
1472	regsvr32.exe
1472	regsvr32.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

ONENOTE.EXE

pid	process
1204	ONENOTE.EXE
1204	ONENOTE.EXE
1204	ONENOTE.EXE
1204	ONENOTE.EXE
1204	ONENOTE.EXE
1204	ONENOTE.EXE
1204	ONENOTE.EXE
1204	ONENOTE.EXE
1204	ONENOTE.EXE
1204	ONENOTE.EXE
1204	ONENOTE.EXE
1204	ONENOTE.EXE
1204	ONENOTE.EXE
1204	ONENOTE.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

ONENOTE.EXEWScript.exeregsvr32.exe

description	pid	process	target process
PID 1204 wrote to memory of 4068	1204	ONENOTE.EXE	WScript.exe
PID 1204 wrote to memory of 4068	1204	ONENOTE.EXE	WScript.exe
PID 4068 wrote to memory of 1260	4068	WScript.exe	regsvr32.exe
PID 4068 wrote to memory of 1260	4068	WScript.exe	regsvr32.exe
PID 1260 wrote to memory of 1472	1260	regsvr32.exe	regsvr32.exe
PID 1260 wrote to memory of 1472	1260	regsvr32.exe	regsvr32.exe

C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE
"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" "C:\Users\Admin\AppData\Local\Temp\n_277947747244.one"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\{4BB2FB6E-0E13-479F-A105-30F753A55D22}\NT\0\click.wsf"
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4068

C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" "C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\{4BB2FB6E-0E13-479F-A105-30F753A55D22}\NT\0\rad32B54.tmp.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1260

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\OuoARPMNlAejHitpH\qiTDw.dll"
4⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:1472

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 480 -p 3444 -ip 3444
1⤵
PID:2500

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3444 -s 1980
1⤵
- Program crash
PID:3220

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BL.bin
Filesize
61KB

MD5
45282862aeb428ffb5d4986704a8f4d5

SHA1
fa2b0a82f3ca6bc7c00704556c9494b303613972

SHA256
af0c7d355bb6a495d038fd05217209054107d31aa6199c491b74ae3d24b11c7e

SHA512
db6457af502f45665ce4cc6573c5746607d8ffc661f0dcb224beceed93886f6c6194561cacc0efa543f0b2f62db976742f42c6c8102c5b11b65329757110b1db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BM.bin
Filesize
48KB

MD5
b7fc313714edd7866f4c76527282c2b5

SHA1
c86217b46956933fae4a30483a63b33f34b8c503

SHA256
b6d25f5eb52d5c24ef6c325bd25f18e413f3e23d20413a3693749275ba4b192c

SHA512
038a73b7a69dd976c964f1538f5b4f7c6c64721e4f2f1a831815598faae84cac53305c03f5cea6e66acdc110a9a5117eee191345ea004b9576c752122f8d88f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BN.bin
Filesize
567B

MD5
d055ce625528e448c61315eaaef5bb71

SHA1
029df4c872b1c154f32e7fe94f434547c3ba6192

SHA256
85bf1e672b4e86e9af0c7874681ec9620dfdc78e0335b83eef38c17d813b6705

SHA512
705b6b729e967fa946469571109aa892f5cb55a01c74d40ae02140d10cbf9b65dd5e511c06ebfe494e407742f8c6f4fbbe88664b78b37abfb2f19db1f66f4247

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\{4BB2FB6E-0E13-479F-A105-30F753A55D22}\NT\0\click.wsf
Filesize
61KB

MD5
45282862aeb428ffb5d4986704a8f4d5

SHA1
fa2b0a82f3ca6bc7c00704556c9494b303613972

SHA256
af0c7d355bb6a495d038fd05217209054107d31aa6199c491b74ae3d24b11c7e

SHA512
db6457af502f45665ce4cc6573c5746607d8ffc661f0dcb224beceed93886f6c6194561cacc0efa543f0b2f62db976742f42c6c8102c5b11b65329757110b1db

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\{4BB2FB6E-0E13-479F-A105-30F753A55D22}\NT\0\click.wsf
Filesize
9B

MD5
07f5a0cffd9b2616ea44fb90ccc04480

SHA1
641b12c5ffa1a31bc367390e34d441a9ce1958ee

SHA256
a0430a038e7d879375c9ca5bf94cb440a3b9a002712118a7bccc1ff82f1ea896

SHA512
09e7488c138dead45343a79ad0cb37036c5444606cdfd8aa859ee70227a96964376a17f07e03d0fc353708ca9aaf979abf8bc917e6c2d005a0052575e074f531

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\{4BB2FB6E-0E13-479F-A105-30F753A55D22}\NT\0\rad32B54.tmp.dll
Filesize
300KB

MD5
27c6e6bc4b46148fb4dcc6a6a9346914

SHA1
065d7e71a66ef077b07ea28d7e26b07ea5a26c86

SHA256
aa57889a91be96c5b5cae185792f5ad76eb5248abb66344a740266a1c297cfd7

SHA512
3b50da2b20c50c07d9ad916623ee9da5455f2724567a171943959226dee18bc359de10f0638a34b50c51ba7e539f4845167f52b9f083966dd8a3f3a3454bba26

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\{4BB2FB6E-0E13-479F-A105-30F753A55D22}\NT\0\rad32B54.tmp.dll
Filesize
300KB

MD5
27c6e6bc4b46148fb4dcc6a6a9346914

SHA1
065d7e71a66ef077b07ea28d7e26b07ea5a26c86

SHA256
aa57889a91be96c5b5cae185792f5ad76eb5248abb66344a740266a1c297cfd7

SHA512
3b50da2b20c50c07d9ad916623ee9da5455f2724567a171943959226dee18bc359de10f0638a34b50c51ba7e539f4845167f52b9f083966dd8a3f3a3454bba26

Download Submit
C:\Users\Admin\AppData\Local\Temp\{1221091C-0F43-44D2-9386-4DDAA981C59C}.bin
Filesize
9B

MD5
07f5a0cffd9b2616ea44fb90ccc04480

SHA1
641b12c5ffa1a31bc367390e34d441a9ce1958ee

SHA256
a0430a038e7d879375c9ca5bf94cb440a3b9a002712118a7bccc1ff82f1ea896

SHA512
09e7488c138dead45343a79ad0cb37036c5444606cdfd8aa859ee70227a96964376a17f07e03d0fc353708ca9aaf979abf8bc917e6c2d005a0052575e074f531

Download Submit
C:\Windows\System32\OuoARPMNlAejHitpH\qiTDw.dll
Filesize
300KB

MD5
27c6e6bc4b46148fb4dcc6a6a9346914

SHA1
065d7e71a66ef077b07ea28d7e26b07ea5a26c86

SHA256
aa57889a91be96c5b5cae185792f5ad76eb5248abb66344a740266a1c297cfd7

SHA512
3b50da2b20c50c07d9ad916623ee9da5455f2724567a171943959226dee18bc359de10f0638a34b50c51ba7e539f4845167f52b9f083966dd8a3f3a3454bba26

Download Submit
memory/1204-139-0x00007FFAE71F0000-0x00007FFAE7200000-memory.dmp

Filesize
64KB

Download
memory/1204-138-0x00007FFAE71F0000-0x00007FFAE7200000-memory.dmp

Filesize
64KB

Download
memory/1204-137-0x00007FFAE9A50000-0x00007FFAE9A60000-memory.dmp

Filesize
64KB

Download
memory/1204-136-0x00007FFAE9A50000-0x00007FFAE9A60000-memory.dmp

Filesize
64KB

Download
memory/1204-135-0x00007FFAE9A50000-0x00007FFAE9A60000-memory.dmp

Filesize
64KB

Download
memory/1204-133-0x00007FFAE9A50000-0x00007FFAE9A60000-memory.dmp

Filesize
64KB

Download
memory/1204-134-0x00007FFAE9A50000-0x00007FFAE9A60000-memory.dmp

Filesize
64KB

Download
memory/1260-191-0x0000000000B30000-0x0000000000B5C000-memory.dmp

Filesize
176KB

Download
memory/1260-194-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download