emotet | 11b3d1564b12934489281250c9a683f076fe10254bfdd7da72307e538838ec56

Analysis

max time kernel
134s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230220-it
resource tags

arch:x64arch:x86image:win10v2004-20230220-itlocale:it-itos:windows10-2004-x64systemwindows
submitted
23-03-2023 09:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file_0.wsf
Size

53KB
MD5

ae25f2104967b2708ac9dba80aac52fd
SHA1

7ac0150b43cbb5eeba9a0f956e1291df6790f3bf
SHA256

11b3d1564b12934489281250c9a683f076fe10254bfdd7da72307e538838ec56
SHA512

d4a7f95631e7eb88fdadbe66d31bf9c7459d0f80ca2c9174952aad42bff6262241b25916e6a089f778990be981a2cf220baa69ad261314247c286397553decca
SSDEEP

768:n9Te2jdcdTeNtu1t/nl8BFWVyeaNhvsbsS:9TVdaeNtuXndH

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

164.68.99.3:8080

164.90.222.65:443

186.194.240.217:443

1.234.2.232:8080

103.75.201.2:443

187.63.160.88:80

147.139.166.154:8080

91.207.28.33:8080

5.135.159.50:443

153.92.5.27:8080

213.239.212.5:443

103.43.75.120:443

159.65.88.10:8080

167.172.253.162:8080

153.126.146.25:7080

119.59.103.152:8080

107.170.39.149:8080

183.111.227.137:8080

159.89.202.34:443

110.232.117.186:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Blocklisted process makes network request 4 IoCs

Processes:

WScript.exe

flow pid process

12 5096 WScript.exe
34 5096 WScript.exe
42 5096 WScript.exe
46 5096 WScript.exe
Downloads MZ/PE file

flow	pid	process
12	5096	WScript.exe
34	5096	WScript.exe
42	5096	WScript.exe
46	5096	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	WScript.exe

Loads dropped DLL 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

1776 regsvr32.exe
4592 regsvr32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1776	regsvr32.exe
4592	regsvr32.exe

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	12	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	34	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	46	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

1776 regsvr32.exe
1776 regsvr32.exe
4592 regsvr32.exe
4592 regsvr32.exe
4592 regsvr32.exe
4592 regsvr32.exe

pid	process
1776	regsvr32.exe
1776	regsvr32.exe
4592	regsvr32.exe
4592	regsvr32.exe
4592	regsvr32.exe
4592	regsvr32.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

WScript.exeregsvr32.exe

description	pid	process	target process
PID 5096 wrote to memory of 1776	5096	WScript.exe	regsvr32.exe
PID 5096 wrote to memory of 1776	5096	WScript.exe	regsvr32.exe
PID 1776 wrote to memory of 4592	1776	regsvr32.exe	regsvr32.exe
PID 1776 wrote to memory of 4592	1776	regsvr32.exe	regsvr32.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\file_0.wsf"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5096

C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" "C:\Users\Admin\AppData\Local\Temp\rad03D9E.tmp.dll"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\QesLGz\wlYBVCf.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4592

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rad03D9E.tmp.dll
Filesize
309KB

MD5
bfc060937dc90b273eccb6825145f298

SHA1
c156c00c7e918f0cb7363614fb1f177c90d8108a

SHA256
2f39c2879989ddd7f9ecf52b6232598e5595f8bf367846ff188c9dfbf1251253

SHA512
cc1fee19314b0a0f9e292fa84f6e98f087033d77db937848dda1da0c88f49997866cba5465df04bf929b810b42fdb81481341064c4565c9b6272fa7f3b473ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\rad03D9E.tmp.dll
Filesize
309KB

MD5
bfc060937dc90b273eccb6825145f298

SHA1
c156c00c7e918f0cb7363614fb1f177c90d8108a

SHA256
2f39c2879989ddd7f9ecf52b6232598e5595f8bf367846ff188c9dfbf1251253

SHA512
cc1fee19314b0a0f9e292fa84f6e98f087033d77db937848dda1da0c88f49997866cba5465df04bf929b810b42fdb81481341064c4565c9b6272fa7f3b473ac5

Download Submit
C:\Windows\System32\QesLGz\wlYBVCf.dll
Filesize
309KB

MD5
bfc060937dc90b273eccb6825145f298

SHA1
c156c00c7e918f0cb7363614fb1f177c90d8108a

SHA256
2f39c2879989ddd7f9ecf52b6232598e5595f8bf367846ff188c9dfbf1251253

SHA512
cc1fee19314b0a0f9e292fa84f6e98f087033d77db937848dda1da0c88f49997866cba5465df04bf929b810b42fdb81481341064c4565c9b6272fa7f3b473ac5

Download Submit
memory/1776-138-0x0000000002740000-0x000000000276D000-memory.dmp

Filesize
180KB

Download
memory/1776-141-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download