emotet | 5be3a53440a1422f853358cf0bf0b60cbb08ab943d989faaac2865207b8c5661

Resubmissions

20-04-2024 18:18

240420-wx4nasee59 10

20-04-2024 18:18

240420-wxyr2see57 1

Analysis

max time kernel
118s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2024 18:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

run.ps1
Size

285B
MD5

79d5729de7996aefc02ce1f13579caaa
SHA1

263eb9ac39024ad390c369f5e51736801ee7178d
SHA256

5be3a53440a1422f853358cf0bf0b60cbb08ab943d989faaac2865207b8c5661
SHA512

3c82f11f72266d7a175c47ad7b4e39ed8ab5446b169358083f9848d7fdd762da15273b6793d710e2f253b058ebd31a6e2d4f135d126fea7af02231e981f056b4

Score

10^/10

emotet epoch5 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch5

178.238.225.252:8080

139.196.72.155:8080

36.67.23.59:443

103.56.149.105:8080

37.44.244.177:8080

85.25.120.45:8080

202.134.4.210:7080

78.47.204.80:443

83.229.80.93:8080

93.104.209.107:8080

80.211.107.116:8080

165.22.254.236:8080

104.244.79.94:443

185.148.169.10:8080

190.145.8.4:443

175.126.176.79:8080

139.59.80.108:8080

188.165.79.151:443

128.199.217.206:443

64.227.55.231:8080

ecs1.plain

eck1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

9 3516 powershell.exe
13 3516 powershell.exe
Loads dropped DLL 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

1716 regsvr32.exe
1280 regsvr32.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

12 raw.githubusercontent.com
13 raw.githubusercontent.com
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exeregsvr32.exeregsvr32.exe

pid process

3516 powershell.exe
3516 powershell.exe
1716 regsvr32.exe
1716 regsvr32.exe
1280 regsvr32.exe
1280 regsvr32.exe
1280 regsvr32.exe
1280 regsvr32.exe

flow	pid	process
9	3516	powershell.exe
13	3516	powershell.exe

pid	process
1716	regsvr32.exe
1280	regsvr32.exe

flow	ioc
12	raw.githubusercontent.com
13	raw.githubusercontent.com

pid	process
3516	powershell.exe
3516	powershell.exe
1716	regsvr32.exe
1716	regsvr32.exe
1280	regsvr32.exe
1280	regsvr32.exe
1280	regsvr32.exe
1280	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exe7z.exe

description	pid	process
Token: SeDebugPrivilege	3516	powershell.exe
Token: SeRestorePrivilege	2060	7z.exe
Token: 35	2060	7z.exe
Token: SeSecurityPrivilege	2060	7z.exe
Token: SeSecurityPrivilege	2060	7z.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

powershell.execmd.execmd.execmd.exeregsvr32.exe

description	pid	process	target process
PID 3516 wrote to memory of 2060	3516	powershell.exe	7z.exe
PID 3516 wrote to memory of 2060	3516	powershell.exe	7z.exe
PID 3516 wrote to memory of 2700	3516	powershell.exe	cmd.exe
PID 3516 wrote to memory of 2700	3516	powershell.exe	cmd.exe
PID 2700 wrote to memory of 4996	2700	cmd.exe	regsvr32.exe
PID 2700 wrote to memory of 4996	2700	cmd.exe	regsvr32.exe
PID 3436 wrote to memory of 4784	3436	cmd.exe	regsvr32.exe
PID 3436 wrote to memory of 4784	3436	cmd.exe	regsvr32.exe
PID 2256 wrote to memory of 436	2256	cmd.exe	regsvr32.exe
PID 2256 wrote to memory of 436	2256	cmd.exe	regsvr32.exe
PID 2256 wrote to memory of 1716	2256	cmd.exe	regsvr32.exe
PID 2256 wrote to memory of 1716	2256	cmd.exe	regsvr32.exe
PID 2256 wrote to memory of 3912	2256	cmd.exe	regsvr32.exe
PID 2256 wrote to memory of 3912	2256	cmd.exe	regsvr32.exe
PID 1716 wrote to memory of 1280	1716	regsvr32.exe	regsvr32.exe
PID 1716 wrote to memory of 1280	1716	regsvr32.exe	regsvr32.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\run.ps1
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3516

C:\Program Files\7-Zip\7z.exe
"C:\Program Files\7-Zip\7z.exe" x -pinfected C:\Users\Admin\AppData\Local\Temp\emotet.zip -oC:\Users\Admin\AppData\Local\Temp
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2060

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "regsvr32.exe /s '%temp%\emotet.dll'"
2⤵
- Suspicious use of WriteProcessMemory
PID:2700

C:\Windows\system32\regsvr32.exe
regsvr32.exe /s 'C:\Users\Admin\AppData\Local\Temp\emotet.dll'
3⤵
PID:4996

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1200

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c "regsvr32 /s 'C:\Users\Admin\AppData\Local\Temp\emotet.dll'"
1⤵
- Suspicious use of WriteProcessMemory
PID:3436

C:\Windows\system32\regsvr32.exe
regsvr32 /s 'C:\Users\Admin\AppData\Local\Temp\emotet.dll'
2⤵
PID:4784

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k "regsvr32 /s 'C:\Users\Admin\AppData\Local\Temp\emotet.dll'"
1⤵
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\system32\regsvr32.exe
regsvr32 /s 'C:\Users\Admin\AppData\Local\Temp\emotet.dll'
2⤵
PID:436

C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\emotet.dll"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\RdNhGeYLjVOuZ\lyVmvfVpyZ.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1280

C:\Windows\system32\regsvr32.exe
regsvr32 "C:\Users\Admin\AppData\Local\Temp\emotet.dll"
2⤵
PID:3912

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5w50xf0z.a5w.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\emotet.dll
Filesize
534KB

MD5
56bb8500d7ab6860760eddd7a55e9456

SHA1
e9b38c5fb51ce1a038f65c1620115a9bba1e383d

SHA256
b4bead39ead2a29de2f0a6fb52eea172cfe25224b71e4a9b1418f55c8b053d59

SHA512
83ceff476d071412b02bab0753bd3c4440937b663397d73349fa90c38d96cf88051b645c781cbe5de281aa3bd45e71da7fcc8c99c2846ce29c2f36c3e1307a84

Download Submit
C:\Users\Admin\AppData\Local\Temp\emotet.zip
Filesize
289KB

MD5
ebe6bc9eab807cdd910976a341bc070d

SHA1
1052700b1945bb1754f3cadad669fc4a99f5607b

SHA256
b0353f4547466a0a402198b3750d928fc7c4e96dd3adc00b181e9d98e4602ea7

SHA512
9a6bfcb90c1e24be1b930990dd2af72e889f71ad7e1a7b8353b6522a625e2ae36013793ee2c159880bd510b8f785ce4c9dfced1d2901d3ca8f091e26084185a8

Download Submit
memory/1716-22-0x0000000002E10000-0x0000000002E40000-memory.dmp

Filesize
192KB

Download
memory/1716-25-0x0000000001640000-0x0000000001641000-memory.dmp

Filesize
4KB

Download
memory/3516-0-0x000001B4A1CF0000-0x000001B4A1D12000-memory.dmp

Filesize
136KB

Download
memory/3516-10-0x00007FFECA640000-0x00007FFECB101000-memory.dmp

Filesize
10.8MB

Download
memory/3516-11-0x000001B488E50000-0x000001B488E60000-memory.dmp

Filesize
64KB

Download
memory/3516-12-0x000001B488E50000-0x000001B488E60000-memory.dmp

Filesize
64KB

Download
memory/3516-19-0x00007FFECA640000-0x00007FFECB101000-memory.dmp

Filesize
10.8MB

Download