Emotet is Back Again
DFIR Summary
You’re probably already aware that Emotet re-emerged during November after a long absence. We first started seeing a new and improved version being delivered in campaigns from mid November, labelled as the Epoch 4 campaign. In the past week we have seen them move towards the Epoch 5 campaign, based on the public samples analyzed so far.
The initial email contained a password-protected ZIP file holding a “.docm” or “.xlsm” file with an embedded payload. Attackers often use this technique in an attempt to bypass email security products that might detect a malicious Office document if it were attached directly to the email. The Twitter account of GData Analytics has also reported that Emotet is being distributed by TrickBot, and here is a link to a list of C2 servers from November 15th:
- https://pastebin.com/35mhCsw2
In short, I analyzed multiple payloads (XLS, EXE, DLL) and all resulted in very similar findings. The initial payload was executed, which resulted in immediate C2 server beacons and a level of persistence.
After the payload had been running for a period of time in a lab setting, it was observed that services were created. However, running the payloads in various sandboxes didn’t always return these results.
- HKLM\System\CurrentControlSet\Services\genericpixel
- Start = 00000002
- HKLM\System\CurrentControlSet\Services\genericpixel
- ImagePath = “%WINDIR%\SysWOW64\genericpixel.exe”
As a threat hunter, these TTPs really haven’t changed, and ultimately we should be monitoring for new executable files being created in the “SysWOW64” folder, new services being created and new registry entries being created. We can also look for key indicators, for example the ones below. I will have to test these queries at scale, since these comments are based on malware analysis findings and results may vary at scale. Ultimately this is often the challenge as a threat hunter: we know the tactics of the attackers, but we require hunts to have a low noise ratio to make them useful and scalable.
- Registry entries created where the file path is in user temp space (AppData\Local\Temp) or a critical Windows folder, in this case Windows\SysWOW64
- New Services Created
- Internet Settings changes, for example “ProxyEnable = 0”
Here are a few great articles associated with Emotet that have surfaced in the last 30 days.
Reference
- https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
- https://thedfirreport.com/2022/09/12/dead-or-alive-an-emotet-story/
- https://darktrace.com/blog/emotet-resurgence-cross-industry-campaign-analysis
- https://otx.alienvault.com/pulse/6363d3e885c201a125c263ad
- https://pastebin.com/35mhCsw2
TTP
- Phishing Attachment – Mitre T1193
- Process Injection – Mitre T1055
- Windows Service – Mitre T1543.003
- System Information Discovery – Mitre T1082
- Enumerates Physical Storage Devices – Mitre T1083
- Enumerates Processes – Mitre T1424 (Process Discovery)
- Modifies Registry – Mitre T1112
- Renames itself – Suspicious Behaviour
IP Addresses
Detailed Investigation
Initial Payload
- File Name: 1Z73gYfhkp.exe
- Size: 490KB
- MD5 – f4d1470af3a7d82560b38558b132d468
- SHA1 – 0c45cf4e32116eae8d73b52c140f5d91a19ee8ea
- SHA256 – 6fa0dd6002d4b4e7ebabefc7f4f90f36fc53069e0cf4e845f683fb087d476e90
Initial Process Created
After execution, you can observe the initial process executed from the temporary space “AppData\Local\Temp”, and then additional commands spawned from the “Windows\SysWOW64” folder.
- Process: genericpixel.exe
- Command: C:\Users\Admin\AppData\Local\Temp\genericpixel.exe
Drops Files in System32 Directory
I observed it dropping a “DAT” file in Temporary Internet Files and also a randomly named executable in the “Windows\SysWOW64” folder.
- File opened for Modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
- File Dropped: C:\Windows\SysWOW64\genericpixel.exe
Process Injection
- Mitre T1055
Multiple commands are observed with unique switches such as “–a30a1053”:
Process: genericpixel.exe
- Command: C:\Windows\SysWOW64\genericpixel.exe
- CMD: –a30a1053
Process: msptermmove.exe
- Command: C:\Windows\SysWOW64\msptermmove.exe
- CMD: –92da54fd
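As an added example (not code from the original post), the hunts listed in the DFIR summary and the drop-then-respawn chain just described, expressed as rules run over constructed Sysmon-style events. The event shape, field names and the benign noise rows are assumptions made for the example; the paths, service name and switch format mirror the observations above.

```python
import re

# Constructed Sysmon-style events (not from the original post) replaying the chain
# the analysis describes: 1 = ProcessCreate, 11 = FileCreate, 13 = RegistryEvent.
EVENTS = [
    {"id": 1, "image": r"C:\Users\Admin\AppData\Local\Temp\genericpixel.exe",
     "cmd": r"C:\Users\Admin\AppData\Local\Temp\genericpixel.exe"},
    {"id": 11, "image": r"C:\Users\Admin\AppData\Local\Temp\genericpixel.exe",
     "target": r"C:\Windows\SysWOW64\genericpixel.exe"},
    {"id": 13, "image": r"C:\Windows\SysWOW64\genericpixel.exe",
     "target": r"HKLM\System\CurrentControlSet\Services\genericpixel\ImagePath",
     "details": r"%WINDIR%\SysWOW64\genericpixel.exe"},
    {"id": 1, "image": r"C:\Windows\SysWOW64\genericpixel.exe",
     "cmd": r"C:\Windows\SysWOW64\genericpixel.exe --a30a1053"},
    {"id": 13, "image": r"C:\Windows\SysWOW64\afterwce.exe",
     "target": r"HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable",
     "details": "DWORD (0x00000000)"},
    # Benign noise (constructed): a normal service in System32 and a plain svchost launch.
    {"id": 13, "image": r"C:\Windows\System32\services.exe",
     "target": r"HKLM\System\CurrentControlSet\Services\Dhcp\ImagePath",
     "details": r"%SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted"},
    {"id": 1, "image": r"C:\Windows\System32\svchost.exe",
     "cmd": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

# Executable created directly in SysWOW64 (not a subfolder), any drive letter.
EXE_IN_SYSWOW64 = re.compile(r"^[a-z]:\\windows\\syswow64\\[^\\]+\.exe$", re.I)
# A service ImagePath being set; flag it when it points at SysWOW64 or a user Temp dir.
SERVICE_IMAGEPATH = re.compile(r"^HKLM\\System\\CurrentControlSet\\Services\\[^\\]+\\ImagePath$", re.I)
SUSPECT_PATH = re.compile(r"\\syswow64\\|\\appdata\\local\\temp\\", re.I)
# The single switch seen on both SysWOW64 processes: one or two dashes then 8 hex chars.
HEX_SWITCH = re.compile(r"\s-{1,2}[0-9a-f]{8}$", re.I)

def hunt(events):
    """Return (rule, evidence) tuples for events matching the hunts in the post."""
    hits = []
    for e in events:
        eid, target, details = e["id"], e.get("target", ""), e.get("details", "")
        if eid == 11 and EXE_IN_SYSWOW64.match(target):
            hits.append(("new_exe_in_syswow64", target))
        elif eid == 13 and SERVICE_IMAGEPATH.match(target) and SUSPECT_PATH.search(details):
            hits.append(("service_imagepath_suspect", target))
        elif eid == 13 and target.lower().endswith(r"\internet settings\proxyenable") \
                and details.endswith("(0x00000000)"):
            hits.append(("proxyenable_set_zero", e["image"]))
        elif eid == 1 and EXE_IN_SYSWOW64.match(e["image"]) and HEX_SWITCH.search(e["cmd"]):
            hits.append(("syswow64_exe_hex_switch", e["cmd"]))
    return hits
```

Running `hunt(EVENTS)` flags the four malicious events in order and leaves the two benign rows alone; the ProxyEnable rule is the noisiest of the four and is the one to baseline first.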
Registry Changes and Queries
Modifications to HKEY_USERS included 21 unique indicators of compromise. What I found interesting about these artifacts is that they aren’t new: various articles from 2019 reference similar registry queries and often identical registry changes to those outlined below. Here is an article from TrendMicro regarding Emotet.
HKEY_Users Registry
Operation | Registry key / value | Process |
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ce-d9-9d-36-8c-9f\WpadDecision = “0” | afterwce.exe |
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | afterwce.exe |
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0003000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | afterwce.exe |
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = “Visited:” | afterwce.exe |
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | afterwce.exe |
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{927785FF-6FDD-4EA2-A504-67A742DAD509} | afterwce.exe |
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{927785FF-6FDD-4EA2-A504-67A742DAD509}\WpadDecisionTime = 608d03907c04d901 | afterwce.exe |
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{927785FF-6FDD-4EA2-A504-67A742DAD509}\WpadNetworkName = “Network 2” | afterwce.exe |
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{927785FF-6FDD-4EA2-A504-67A742DAD509}\ce-d9-9d-36-8c-9f | afterwce.exe |
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | afterwce.exe |
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | afterwce.exe |
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ce-d9-9d-36-8c-9f\WpadDecisionTime = 608d03907c04d901 | afterwce.exe |
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = “Cookie:” | afterwce.exe |
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = “0” | afterwce.exe |
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ce-d9-9d-36-8c-9f | afterwce.exe |
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ce-d9-9d-36-8c-9f\WpadDecisionReason = “1” | afterwce.exe |
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | afterwce.exe |
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | afterwce.exe |
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{927785FF-6FDD-4EA2-A504-67A742DAD509}\WpadDecision = “0” | afterwce.exe |
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | afterwce.exe |
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{927785FF-6FDD-4EA2-A504-67A742DAD509}\WpadDecisionReason = “1” |
HKEY_LOCAL_MACHINE Registry
Operation | Registry key / value | Process |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\DefaultIcon\ = “C:\\Users\\Admin\\AppData\\Local\\Temp\\6FA0DD~1.EXE,0” | 6fa0dd6002d4b4e7ebabefc7f4f90f36fc53069e0cf4e845f683fb087d476e90.exe |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\ddeexec | 6fa0dd6002d4b4e7ebabefc7f4f90f36fc53069e0cf4e845f683fb087d476e90.exe |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\command | 6fa0dd6002d4b4e7ebabefc7f4f90f36fc53069e0cf4e845f683fb087d476e90.exe |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\ddeexec | 6fa0dd6002d4b4e7ebabefc7f4f90f36fc53069e0cf4e845f683fb087d476e90.exe |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\ddeexec\ = “[printto(\”%1\”,\”%2\”,\”%3\”,\”%4\”)]” | 6fa0dd6002d4b4e7ebabefc7f4f90f36fc53069e0cf4e845f683fb087d476e90.exe |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\DefaultIcon | afterwce.exe |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\ddeexec\ = “[open(\”%1\”)]” | afterwce.exe |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto | 6fa0dd6002d4b4e7ebabefc7f4f90f36fc53069e0cf4e845f683fb087d476e90.exe |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\ = “Recalc Document” | 6fa0dd6002d4b4e7ebabefc7f4f90f36fc53069e0cf4e845f683fb087d476e90.exe |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\ddeexec\ = “[printto(\”%1\”,\”%2\”,\”%3\”,\”%4\”)]” | afterwce.exe |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\command\ = “C:\\Windows\\SysWOW64\\afterwce.exe /dde” | afterwce.exe |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\ddeexec\ = “[printto(\”%1\”,\”%2\”,\”%3\”,\”%4\”)]” | afterwce.exe |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1 | 6fa0dd6002d4b4e7ebabefc7f4f90f36fc53069e0cf4e845f683fb087d476e90.exe |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\DefaultIcon | 6fa0dd6002d4b4e7ebabefc7f4f90f36fc53069e0cf4e845f683fb087d476e90.exe |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\ddeexec | 6fa0dd6002d4b4e7ebabefc7f4f90f36fc53069e0cf4e845f683fb087d476e90.exe |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\ = “Recalc Document” | afterwce.exe |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ = “Recalc.Document.1” | afterwce.exe |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\ddeexec | 6fa0dd6002d4b4e7ebabefc7f4f90f36fc53069e0cf4e845f683fb087d476e90.exe |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\command | 6fa0dd6002d4b4e7ebabefc7f4f90f36fc53069e0cf4e845f683fb087d476e90.exe |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ShellNew | 6fa0dd6002d4b4e7ebabefc7f4f90f36fc53069e0cf4e845f683fb087d476e90.exe |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ShellNew\NullFile | 6fa0dd6002d4b4e7ebabefc7f4f90f36fc53069e0cf4e845f683fb087d476e90.exe |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ShellNew | afterwce.exe |