Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-03-2023 12:33

General

  • Target

    3.one

  • Size

    262KB

  • MD5

    4d7bc3b850efbc82f308c643baaeaeef

  • SHA1

    75331af62f293024148bf13166a167c5b7625634

  • SHA256

    6d6ea415b2fb071f362beba3a14de4afed9378d3e9e73380cac956f9541e1057

  • SHA512

    1b68387ff3aa92b91192c7b5de9d8c2de819e6426859f1d554a13ea8e332ef0ac957f4870988af76e57f9629d91418b53cd84b3e3600f760bdb3e6caa288b785

  • SSDEEP

    3072:kNjcvQx377FjDDRX4UzUfxJ3mY2IsGllOb3HPWaBtOzUfxJ3mY2IsGllOb3HPWa7:kmvQp1DRXKXm5ZGa3vRXm5ZGa3vuVw

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

213.239.212.5:443

129.232.188.93:443

103.43.75.120:443

197.242.150.244:8080

1.234.2.232:8080

110.232.117.186:8080

95.217.221.146:8080

159.89.202.34:443

159.65.88.10:8080

82.223.21.224:8080

169.57.156.166:8080

45.176.232.124:443

45.235.8.30:8080

173.212.193.249:8080

107.170.39.149:8080

119.59.103.152:8080

167.172.199.165:8080

91.207.28.33:8080

185.4.135.165:8080

104.168.155.143:8080

eck1.plain
ecs1.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" "C:\Users\Admin\AppData\Local\Temp\3.one"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4756
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\{533BB209-760D-488B-8AB6-868674A2E7DB}\NT\0\press to unblock document.vbs"
      2⤵
      • Process spawned unexpected child process
      • Checks computer location settings
      PID:4264
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //E:vbscript C:\Users\Admin\AppData\Local\Temp\radCBE9233C1darrad5482FBBCEdar.txt
        3⤵
        • Blocklisted process makes network request
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:1224
        • C:\Windows\System32\regsvr32.exe
          "C:\Windows\System32\regsvr32.exe" "C:\Users\Admin\AppData\Local\Temp\radED3F7E362dar\E8E3fOMsIqHOmPoKp7K4AJz5dmBl.dll"
          4⤵
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:116
          • C:\Windows\system32\regsvr32.exe
            C:\Windows\system32\regsvr32.exe "C:\Windows\system32\RymjvqHiTBKWZ\cusTokZNOdzbR.dll"
            5⤵
            • Loads dropped DLL
            • Suspicious behavior: EnumeratesProcesses
            PID:3944

Network

MITRE ATT&CK Matrix ATT&CK v6

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BL.bin
    Filesize

    88KB

    MD5

    9eae6f49a02d6eb9f75af7bbf4349808

    SHA1

    2caf7ddeb9fc1d6076558661ef69b9638cfd2e7b

    SHA256

    31fb4bf411dcd7fcb860bdb1db26859290b047b39b94638a7d4fd2a46d323e98

    SHA512

    37b45c58efd8c2bee66c30bca4a3777d5b6ba39e97d34baa8e7bc27fb083397d818a2708cbcf7d4704398fdfff4cbc17abff68b33294292413527702c1ad7eef

  • C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BM.bin
    Filesize

    75KB

    MD5

    f776dd0f1ae059fcf295ade6c5495080

    SHA1

    ed270bfe2edb7e571ba4acf4b4088aa2a111e57e

    SHA256

    2130a3bc8050310a7474be0b17a4ea8584e2105cb17316cb463d732665745749

    SHA512

    2558ab6465af8a782ad02295744cd2d554d03c1ee7aa1689f13e3507a0cec4e73b9f86d1ec9aef346b831ab58758285a8ceda63dc0f834e1378dfa0504490f65

  • C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BN.bin
    Filesize

    567B

    MD5

    d055ce625528e448c61315eaaef5bb71

    SHA1

    029df4c872b1c154f32e7fe94f434547c3ba6192

    SHA256

    85bf1e672b4e86e9af0c7874681ec9620dfdc78e0335b83eef38c17d813b6705

    SHA512

    705b6b729e967fa946469571109aa892f5cb55a01c74d40ae02140d10cbf9b65dd5e511c06ebfe494e407742f8c6f4fbbe88664b78b37abfb2f19db1f66f4247

  • C:\Users\Admin\AppData\Local\Temp\radB4DDC.tmp.zip
    Filesize

    951KB

    MD5

    201268492f67b84d4c6a747a3bb3c5ed

    SHA1

    3d891ff2b5accb39007cc8f9b8bcd1c5dc8e9628

    SHA256

    14730408e69d2edb6ea360dd2528b3d06fc274b2625c129ad15510ec999994ab

    SHA512

    4361c713b5e10f7c587f8aef7d8c694e6c22f2bf9172393359f7f9343e844c9ab7a70c71486416f80148a7cbe0af919c51deacd59460304014966b15eaecaebe

  • C:\Users\Admin\AppData\Local\Temp\radED3F7E362dar\E8E3fOMsIqHOmPoKp7K4AJz5dmBl.dll
    Filesize

    440.3MB

    MD5

    8ae7eaa28060089b61501c7c22347f76

    SHA1

    a10f01dd8d961a0f411da3d5692be3a42316f25a

    SHA256

    4f2751ac92395f0269e6965bb6faea56caf64448a1ebcdb156da1745b33f1baf

    SHA512

    4d4acef339f260ac07f287876870c5a5747a026c6402cfa54b35af126ef46d0b2b9706158d25851f96c817e36c318d8da48db7dad78a138d50fe3a32a11fc4a9

  • C:\Users\Admin\AppData\Local\Temp\radED3F7E362dar\E8E3fOMsIqHOmPoKp7K4AJz5dmBl.dll
    Filesize

    511.9MB

    MD5

    0586fe01aea41856828a347dddf2121c

    SHA1

    3b3183691cede18ff4a8b35104c3dcc99c2583f8

    SHA256

    c8a777959691f310d36c30f18f10f523be55fe55c86f7d3b556bd31ebb5d6126

    SHA512

    37b99147f938426c81bd0628c99775ca8b94667bf4a2eab5660e301e01cad348c2552f74e9cdb97994e1f29aa7cd30d4c83e294f9e01a445034177f174a71c79

  • C:\Windows\System32\RymjvqHiTBKWZ\cusTokZNOdzbR.dll
    Filesize

    409.6MB

    MD5

    b3d059a946d1869dd07c16c4272f8deb

    SHA1

    27eaf912be6ba5543cac2ca19f8786478c275dc7

    SHA256

    2bdd9c01136559fe93484dc6a75ce5c452552a05406895f7a786a08db532d1a6

    SHA512

    2d89258b20cee3b1a36b6161e0c4bbcdfdf08030cf515ae99ed320a85ea294e175c3804116062afa8d53325cee0d0ca5d011a2fef7eb0c7005de9c63756abc3f

  • memory/116-217-0x0000000002710000-0x000000000276A000-memory.dmp
    Filesize

    360KB

  • memory/116-221-0x0000000000CA0000-0x0000000000CA1000-memory.dmp
    Filesize

    4KB

  • memory/4756-139-0x00007FFB14960000-0x00007FFB14970000-memory.dmp
    Filesize

    64KB

  • memory/4756-138-0x00007FFB14960000-0x00007FFB14970000-memory.dmp
    Filesize

    64KB

  • memory/4756-137-0x00007FFB16D90000-0x00007FFB16DA0000-memory.dmp
    Filesize

    64KB

  • memory/4756-136-0x00007FFB16D90000-0x00007FFB16DA0000-memory.dmp
    Filesize

    64KB

  • memory/4756-135-0x00007FFB16D90000-0x00007FFB16DA0000-memory.dmp
    Filesize

    64KB

  • memory/4756-134-0x00007FFB16D90000-0x00007FFB16DA0000-memory.dmp
    Filesize

    64KB

  • memory/4756-133-0x00007FFB16D90000-0x00007FFB16DA0000-memory.dmp
    Filesize

    64KB