emotet | a43e0864905fe7afd6d8dbf26bd27d898a2effd386e81cfbc08cae9cf94ed968

Resubmissions

19-03-2023 14:20

230319-rnhbgsgg25 10

19-03-2023 14:09

230319-rf6dcaag3z 4

Analysis

max time kernel
80s
max time network
78s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19-03-2023 14:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14d2faa1-422d-40d1-8f05-1e7aed6834f7.one
Size

293KB
MD5

b951629aedffbabc180ee80f9725f024
SHA1

73c17369f2c4e3ce36d4f8917d011dde9a26eb07
SHA256

a43e0864905fe7afd6d8dbf26bd27d898a2effd386e81cfbc08cae9cf94ed968
SHA512

108efb4b68175a4f98f6153c6c88401255119b41ce7cf4224c571c587c3e4a145af1f999feb7dd9e2fe37324aae09cd367a3100c2d997c8836cf3120e395da29
SSDEEP

3072:Q7pvc2vetOepE76wtghUVkJlD1HUjCu/tewu4UhKg+012FYrQAwNLhbrUzJr9EQ3:Q1veXwtVElijRcwuzKg+NAw3bI/Z+9mX

Score

10^/10

emotet epoch5 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch5

103.85.95.4:8080

103.224.241.74:8080

178.238.225.252:8080

37.59.103.148:8080

78.47.204.80:443

138.197.14.67:8080

128.199.242.164:8080

54.37.228.122:443

37.44.244.177:8080

139.59.80.108:8080

218.38.121.17:443

82.98.180.154:7080

114.79.130.68:443

159.65.135.222:7080

174.138.33.49:7080

195.77.239.39:8080

193.194.92.175:443

198.199.70.22:8080

85.214.67.203:8080

93.84.115.205:7080

ecs1.plain

eck1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

WScript.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE is not expected to spawn this process	1672	3928	WScript.exe	ONENOTE.EXE

Blocklisted process makes network request 11 IoCs

Processes:

WScript.exe

flow	pid	process
52	1672	WScript.exe
54	1672	WScript.exe
56	1672	WScript.exe
61	1672	WScript.exe
66	1672	WScript.exe
74	1672	WScript.exe
79	1672	WScript.exe
83	1672	WScript.exe
98	1672	WScript.exe
101	1672	WScript.exe
103	1672	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation WScript.exe
Loads dropped DLL 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

1932 regsvr32.exe
4972 regsvr32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	WScript.exe

pid	process
1932	regsvr32.exe
4972	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

ONENOTE.EXE

pid process

3928 ONENOTE.EXE
3928 ONENOTE.EXE
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

ONENOTE.EXEregsvr32.exeregsvr32.exe

pid process

3928 ONENOTE.EXE
3928 ONENOTE.EXE
1932 regsvr32.exe
1932 regsvr32.exe
4972 regsvr32.exe
4972 regsvr32.exe
4972 regsvr32.exe
4972 regsvr32.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

ONENOTE.EXE

pid	process
3928	ONENOTE.EXE
3928	ONENOTE.EXE
3928	ONENOTE.EXE
3928	ONENOTE.EXE
3928	ONENOTE.EXE
3928	ONENOTE.EXE
3928	ONENOTE.EXE
3928	ONENOTE.EXE
3928	ONENOTE.EXE
3928	ONENOTE.EXE
3928	ONENOTE.EXE
3928	ONENOTE.EXE
3928	ONENOTE.EXE
3928	ONENOTE.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

ONENOTE.EXEWScript.exeregsvr32.exe

description	pid	process	target process
PID 3928 wrote to memory of 1672	3928	ONENOTE.EXE	WScript.exe
PID 3928 wrote to memory of 1672	3928	ONENOTE.EXE	WScript.exe
PID 1672 wrote to memory of 1932	1672	WScript.exe	regsvr32.exe
PID 1672 wrote to memory of 1932	1672	WScript.exe	regsvr32.exe
PID 1932 wrote to memory of 4972	1932	regsvr32.exe	regsvr32.exe
PID 1932 wrote to memory of 4972	1932	regsvr32.exe	regsvr32.exe

C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE
"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" "C:\Users\Admin\AppData\Local\Temp\14d2faa1-422d-40d1-8f05-1e7aed6834f7.one"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3928
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\{5854B2DF-D87A-474D-90DD-09779685C2A5}\NT\0\output1.js"
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Windows\System32\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\0ioi4nr24\U5gLza.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1932
  - - C:\Windows\system32\regsvr32.exe
      C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FSOVmblArgfhCgmqc\ojTDTwVkklqvueN.dll"
      4⤵
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:4972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BM.bin

Filesize
124KB

MD5
9e346695bbc4291bc769f98be9e6a5e9

SHA1
3396a0f6e6270e798fadae572d1a914ebbbcd944

SHA256
f25f69c71066b18364cd405ae80048a8b615c4b0f2cc4cb51b916ef08ba246db

SHA512
60f9fe65730a3341d6147669b8dde56f0055b7e05f8150de4a3f316d8eeab22c5094dc70e252bd6667189fa28649a404a51deb8e92e4044d4a9d196bba1921cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BN.bin

Filesize
85KB

MD5
b85e5767bf5001bd8c48ddad3250d1c0

SHA1
8e6f41ef924727493587494e0bf5facc9b40bbd0

SHA256
b83680379ac89b857c64e28eb7dfdeda7ebc1d83de5a25799926ad3860fdc0fe

SHA512
cb66f3441aeef054fda04c8f60d3e5406cde8ac24da81bd601425de5e4e96292cf9d902a9e7d9e23b45fd9d2d6fff4dcfdb2311963b14fb8cb6eb49a4dee0bc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BO.bin

Filesize
41KB

MD5
1beb6cb6862e215a84ee058f430b8036

SHA1
14562b101e8b0d1826da79bffb88633154c304b7

SHA256
31e98a8bfc9d5317f3f3fecd28d23b707756d3c3f106b41ba0570e31920ebc8a

SHA512
ef09ffd7ccb1c8a6a033358cfa40c65ba39a5c4c9d987792555e9956301763ab9382a0024070c4dd5f5e96bde8f10231a78a36fb697509cff2380028f4eacd7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\0ioi4nr24\U5gLza.dll

Filesize
85.2MB

MD5
67747b5f373ddc64715ff1d65363c544

SHA1
d5c1eb81b2bb0fae55b5ddd8fb09cb97dc71af24

SHA256
a5c0d39e4c7d87e2ac5d023f438526d27ae3b45a13a1561088ac883eeaf20c01

SHA512
4c5548a5a32fe98d77986b5314602b2faab76cc3b324a3bf7f17c05cdae8758fe4a9c3db0a14971afebe474ba685db0c595e807a16b341a61666ed1743376814

Download Submit
C:\Users\Admin\AppData\Local\Temp\0ioi4nr24\U5gLza.dll

Filesize
81.9MB

MD5
7c313e074dfd09b117e63aba94f19383

SHA1
4d0aa6f0a074bc68c34f4ece0a86bd4a77f94243

SHA256
d7d14f6e9340e37872c7c63d7c70d5f187305b6361811fb7a87f79512b73cc60

SHA512
177000e14b74bdd7ebf15b767dca1c155109c0173d7d1feca9a3025fbaa82adf834ba57ada314127781e72dde447548da22e46aef15ebb0fd008be7130d4375c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\{5854B2DF-D87A-474D-90DD-09779685C2A5}\NT\0\output1.js

Filesize
124KB

MD5
9e346695bbc4291bc769f98be9e6a5e9

SHA1
3396a0f6e6270e798fadae572d1a914ebbbcd944

SHA256
f25f69c71066b18364cd405ae80048a8b615c4b0f2cc4cb51b916ef08ba246db

SHA512
60f9fe65730a3341d6147669b8dde56f0055b7e05f8150de4a3f316d8eeab22c5094dc70e252bd6667189fa28649a404a51deb8e92e4044d4a9d196bba1921cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ti2f1p336.zip

Filesize
845KB

MD5
00c1fb994efa5fcacbd4f0529a15d806

SHA1
11f05001b90c6870de7991735c192b2fde1f6cd4

SHA256
cb40f27d30303310dafe6ba1460bb7dd7ae66d49ecff28e6ad8a3c67b5321858

SHA512
795c095464838966728276b9f2736a8a7a02165d7099b236373b688f0c1779fdaafd87cb14cad3cec9dfa9e3fa16cdb887ef4837c853c8a58579fab33fe54777

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8D8CE42E-D2B7-4D4E-B469-EFA3B32DD167}

Filesize
708B

MD5
25cc34afeb6ebbe685bb3d34ecf0ed03

SHA1
56e158953158721f21a70a523f3364e8989c10ac

SHA256
4c25aec7c690c54344e24261ea3e716d475537c3266e3859ca459dc68d7c905d

SHA512
efd6761d19db66855139912f3d29db8927035ad7e4ae4904a47748a52c5dfcc21b2cc77beed4befbeb67b1d085791cb3457a8c5bb8f94cc4ce015f09fb3a4134

Download Submit
C:\Windows\System32\FSOVmblArgfhCgmqc\ojTDTwVkklqvueN.dll

Filesize
75.8MB

MD5
e5037620c91a27827b2e366976df662b

SHA1
7a491aac44ec613a14d1cf28aa8b7add875a3d67

SHA256
9dc2faa82cd935d9e0ae86f070b05c897fc284130915a8593b52fa9f33e906db

SHA512
5521779f6e52442780f764fc4ecc3592f527e272012d67e05f3b0cbf8a3f680108c44634ad6b5955576cdbd60d50effe62ad943e363daa85bf166489615a7f97

Download Submit
memory/1932-228-0x00000000022D0000-0x00000000022FC000-memory.dmp

Filesize
176KB

Download
memory/1932-231-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/3928-139-0x00007FF9D95C0000-0x00007FF9D95D0000-memory.dmp

Filesize
64KB

Download
memory/3928-138-0x00007FF9D95C0000-0x00007FF9D95D0000-memory.dmp

Filesize
64KB

Download
memory/3928-137-0x00007FF9DB6D0000-0x00007FF9DB6E0000-memory.dmp

Filesize
64KB

Download
memory/3928-136-0x00007FF9DB6D0000-0x00007FF9DB6E0000-memory.dmp

Filesize
64KB

Download
memory/3928-133-0x00007FF9DB6D0000-0x00007FF9DB6E0000-memory.dmp

Filesize
64KB

Download
memory/3928-135-0x00007FF9DB6D0000-0x00007FF9DB6E0000-memory.dmp

Filesize
64KB

Download
memory/3928-134-0x00007FF9DB6D0000-0x00007FF9DB6E0000-memory.dmp

Filesize
64KB

Download