Target
http://sociallysavvyseo.com/PinnacleDynamicServices/l0305/
Filesize
N/A
Completed
2019-11-28 07:26
Score
10/10
MD5
N/A
SHA1
N/A
SHA256
N/A
emotet trojan banker family
Extracted
Family
emotet
rsa_pubkey.plain
-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOmlscqbEIhLjVsj9r3eYacKi6C+Qrua
j5TlU+pn3zc0k06qCoahFXBBGnYMotHQc6OwfBKwHWm831LIVg29kEjT8UYxnN5v
fzNGgqXTe25QARf78CsQqqN/ImKdXo+GFwIDAQAB
-----END PUBLIC KEY-----
C2
104.236.137.72:8080
172.104.233.225:8080
213.189.36.51:8080
85.234.143.94:8080
119.59.124.163:8080
190.146.131.105:8080
186.23.132.93:990
200.113.106.18:80
163.172.40.218:7080
187.190.49.92:443
201.190.133.235:8080
46.28.111.142:7080
104.131.58.132:8080
14.160.93.230:80
201.163.74.202:443
200.124.225.32:80
203.130.0.69:80
181.36.42.205:443
182.48.194.6:8090
87.106.77.40:7080
190.97.30.167:990
91.83.93.124:7080
190.195.129.227:8090
50.28.51.143:8080
189.173.113.67:443
181.231.62.54:80
109.169.86.13:8080
86.42.166.147:80
200.113.106.18:80
186.0.68.43:8443
183.82.97.25:80
96.20.84.254:7080
159.203.204.126:8080
68.183.190.199:8080
201.213.32.59:80
46.101.212.195:8080
186.15.83.52:8080
181.198.203.45:443
62.75.143.100:7080
69.163.33.84:8080
149.62.173.247:8080
88.250.223.190:8080
125.99.61.162:7080
190.186.164.23:80
181.135.153.203:443
178.79.163.131:8080
142.93.114.137:8080
154.120.227.206:8080
181.61.143.177:80
190.16.101.10:80
142.127.57.63:8080
138.68.106.4:7080
68.183.170.114:8080
134.209.214.126:8080
185.86.148.222:8080
186.68.48.204:443
190.102.226.91:80
191.103.76.34:443
91.204.163.19:8090
190.210.184.138:995
200.123.101.90:80
190.38.14.52:80
45.79.95.107:443
5.196.35.138:7080
86.142.102.191:8443
200.58.83.179:80
80.85.87.122:8080
190.4.50.26:80
203.25.159.3:8080
212.71.237.140:8080
217.199.160.224:8080
187.230.99.192:443
81.213.215.216:50000
87.118.70.69:8080
186.1.41.111:443
77.55.211.77:8080
139.5.237.27:443
62.75.160.178:8080
51.255.165.160:8080
207.154.204.40:8080
82.196.15.205:8080
190.17.42.79:80
91.205.215.57:7080
Defense Evasion
Discovery
Emotet Sync
5m15va2u.exe
Reported IOC
5m15va2u.exe
Global\E64D5799F Event created
emotet family
Executes dropped EXE
5m15va2u.exe
5m15va2u.exe
publishrun.exe
publishrun.exe
Drops file in system dir
5m15va2u.exe
publishrun.exe
BITS
Reported IOC
5m15va2u.exe
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\89TS8EPW\5m15va2u.exe => C:\Windows\SysWOW64\publishrun.exe File renamed
Reported IOC
publishrun.exe
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat File opened for modification
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 File opened for modification
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE File opened for modification
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies File opened for modification
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 File opened for modification
Reported IOC
BITS
C:\Windows\Debug\ESE.TXT File opened for modification
C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp File opened for modification
C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp File created
C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp File opened for modification
C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp File created
Modifies Internet Explorer settings
iexplore.exe
IEXPLORE.EXE
Matched TTPs
Modify Registry
Reported IOC
iexplore.exe
\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" Set value (int)
\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A9481EFA-11A7-11EA-BD7F-7E4C806F89F5} = "0" Set value (int)
\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" Set value (str)
\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" Set value (str)
\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 Set value (data)
\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" Set value (int)
\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 4c6bfe76f785d501 Set value (data)
\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" Set value (int)
\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\RepId\PublicId = "{DC68F301-9B19-460B-8764-4AEFEDC09458}" Set value (str)
\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2117655513" Set value (int)
\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30778804" Set value (int)
\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" Set value (int)
\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" Set value (int)
\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2117655513" Set value (int)
\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30778804" Set value (int)
\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" Set value (int)
\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c36c9cdac63c12448d84f1a7215689fa000000000200000000001066000000010000200000006081ca07a5e399d1b4e4b78dfbd4924e6d3507a060ec9b9f45e22bfdf50762dc000000000e80000000020000200000008c0bc621bea003c1202f1c75e982c82fa309e0da75c2076d196de75928ebf9dd20000000dad8b1beaea3d6c337b3ef560fbb50eeb0840c01fa9a0f045c0a4f7ef126a85e40000000f45a60ef2b1fa5479e5aea74af7689674c3821ba4c9ccf5afdcd49f741cf68f8087462c66412dc4487d3b382c86fbf6f2b9107ab31bc90aa8ea62aae44dab45e Set value (data)
\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a068a980b4a5d501 Set value (data)
\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c36c9cdac63c12448d84f1a7215689fa0000000002000000000010660000000100002000000036979b423d8c76e46a014084fb70004a8286ee8959cce924485e81541bfcf5e6000000000e80000000020000200000004bb33414b9c4300c196cbf64f191f3e9bbaf7998d7c23c1c26e260aee83e60b3200000004117ea07607b4ce213f050e3fb1f2c1e21cc394eb7e35dcdfc5e6541c25d26f74000000060d84076b49c61608e6f0daf54b79dab511cda20fc005e1543e2c9bb2909dcdd3d14793429a6cdb00bbfafa0f9369a808875e94c83d7a6519c20a2dcab3f3086 Set value (data)
\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60a7c380b4a5d501 Set value (data)
\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 2c0000000000000000000000ffffffffffffffffffffffffffffffff100100003c000000900300001c020000 Set value (data)
Reported IOC
IEXPLORE.EXE
\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2146718552" Set value (int)
\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30778804" Set value (int)
Suspicious use of WriteProcessMemory
iexplore.exe
SppExtComObj.exe
5m15va2u.exe
publishrun.exe
Reported IOC
iexplore.exe
PID 4928 wrote to memory of 4980
PID 4928 wrote to memory of 4536
Reported IOC
SppExtComObj.exe
PID 64 wrote to memory of 2012
Reported IOC
5m15va2u.exe
PID 4536 wrote to memory of 4580
Reported IOC
publishrun.exe
PID 4712 wrote to memory of 4680
Uses Task Scheduler COM API
iexplore.exe
Matched TTPs
Query Registry
Reported IOC
iexplore.exe
\Registry\Machine\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} Key opened
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd} Key queried
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49} Key opened
Suspicious behavior: EmotetMutantsSpam
5m15va2u.exe
publishrun.exe
Windows security modification
wscsvc
Matched TTPs
Disabling Security Tools
Modify Registry
Reported IOC
wscsvc
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0" Set value (int)
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1" Set value (int)
Uses Volume Shadow Copy WMI provider
iexplore.exe
Reported IOC
iexplore.exe
\Registry\Machine\Software\Classes\CLSID\{890CB943-D715-401B-98B1-CF82DCF36D7C} Key opened
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{890CB943-D715-401B-98B1-CF82DCF36D7C} Key queried
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{890CB943-D715-401B-98B1-CF82DCF36D7C}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49} Key opened
Uses Volume Shadow Copy Service COM API
iexplore.exe
Reported IOC
iexplore.exe
\Registry\Machine\Software\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623} Key opened
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623} Key queried
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49} Key opened
Checks system information in the registry (likely anti-VM)
DoSvc
Matched TTPs
Query Registry
System Information Discovery
Reported IOC
DoSvc
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer Key value queried
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName Key value queried
Suspicious use of SetWindowsHookEx
iexplore.exe
IEXPLORE.EXE
5m15va2u.exe
5m15va2u.exe
publishrun.exe
publishrun.exe
Suspicious use of FindShellTrayWindow
iexplore.exe
Suspicious behavior: EnumeratesProcesses
publishrun.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://sociallysavvyseo.com/PinnacleDynamicServices/l0305/
PID: 4928
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\89TS8EPW\5m15va2u.exe
"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\89TS8EPW\5m15va2u.exe"