Emotet, an Analysis of TTP’s: Part 1 The Break-in

Emotet has been around since around 2014, and over their 5-year run they have morphed and changed to become one of the most omnipresent threats today. While there has been much written about them we want to look a bit deeper into some recent behaviors of the group. This blog will be one in a part of a series looking into the larger attack patterns of the emotet groups and ways to detect and prevent this threat actor. Look for part 2 soon as I will be updating the emotet detection rules I wrote about back in the spring.

Action on Objectives, what happens after that macro?

While we have been observing the activity of Emotet over the past year we have observed 3 variants in the activity of the malware after the user has open the macro laden documents.

After execution of the document an executable is downloaded and written to C:\Users\Username

Generally, this is numeric 2 to 3 digits. (25.exe, 502.exe, 893.exe)

The executable is copied and removed from the user directory and moved to the C:\Users\Username\AppData\Local\Temp\ Directory with a new name.

Examples of executable names after renaming:

footresw.exe easydom.exe cloudprompt.exe choreengine.exe

After this step the Emotet actors have 3 various paths they might take.

  1. The most common is to deploy additional malware, most commonly Trickbot, but IceD and Ursnif have also been observed.
  2. Keep only Emotet on the box and be used as a spreader sending out new emails to continue the infection.
  3. Run an infostealer module dumping credentials and other information for exfiltration.

In automated or manual sandboxes witnessing all of these various activities can be difficult as the environment may not emulate the target profile enough to trigger specific behavior. To this end we’ve been working on an environment that should present a more temping target to the adversary to see their further activity after infection.

Simulated Environment:

With the Domain environment we have see a further dive into the threat actor’s workflow. While completing a sandbox execution we witnessed the following infection chain.

Word Doc -> Emotet -> Trickbot -> Cobaltstrike -> Bloodhound -> Powershell Empire -> ???

While not observed in this execution based on the pattern and public information we expect after powershell empire that ransomware would likely have been the next set of malware delivered.

Let’s walk through the events.

Event Timeline

Oct 7, 2019 @ 09:14:42.200 Content enabled and macro ran (WMI > PWSH)

Oct 7, 2019 @ 09:14:47.287 Download established (

Oct 7, 2019 @ 09:14:47.305 Emotet EXE started (C:\Users\colmey\42.exe)

Oct 7, 2019 @ 09:14:57.906 Emotet moved to AppData (C:\Users\colmey\AppData\Local\pixelproc\pixelproc.exe)

Oct 7, 2019 @ 09:15:29.937 Emotet C2 Established (C:\Users\colmey\AppData\Local\pixelproc\pixelproc.exe >,

Oct 7, 2019 @ 09:19:58.424 Trickbot appears (C:\Users\colmey\AppData\Roaming\netcloud\دمأرخأتيا.exe)

Oct 7, 2019 @ 09:32:50.601 Trickbot Enumerate’s Machine and domain trusts (ipconfig, net, nltest)

Oct 7, 2019 @ 09:39:31.636 Trickbot calls out to download CobaltStrike Payload

Oct 7, 2019 @ 09:40:39.871 Cobalt Strike Executes bloodhound

Oct 7, 2019 @ 09:40:40.762 Cobalt Stike Connects to C2 (

Oct 7, 2019 @ 09:40:43.762 – Oct 7, 2019 @ 09:40:44.824 Bloodhound maps neighbor machines via Network


Oct 7, 2019 @ 10:23:42.241 Last connection to Cobalt Strike C2 (

Oct 7, 2019 @ 11:40:21.043 Trickbot Calls out to execute Powershell Empire

Oct 7, 2019 @ 11:40:21.855 C2 Established to Powershell Empire (

Oct 7, 2019 @ 11:41:07.481 Calls to Windows tools to Enumerate system and Domain

Oct 7, 2019 @ 12:26:58.269 Threat Actor Appears to be scanning local network, mapping environment

Oct 7, 2019 @ 16:46:49.557 Sandbox Taken offline Emotet, Trickbot and Powershell Empire all had active beaconing still ongoing.


The Emotet group is very capable of identifying the environment their malware lands in to take the most advantage of the access they are given. We see immediately that after the group recognizes they are in an enterprise domain environment they pivot to recon to be able to gain the most advantage of the environment.

While not seen here, based on many public reports we expect that given enough time we would have witnessed lateral movement, dumping of the active directory database and potentially ransomware had the sandbox been run for long enough. The events outlined clearly speak to the need to monitor domain mapping activity as should your primary endpoint detection fail this activity should be expected in a domain environment. As well a very effective method to prevent infection is to enable blocking of Word macro’s via GPO, look forward to a write-up on that soon.


Available in MISP format here: https://github.com/Hestat/intel-sharing/tree/master/emotet-10-07-19

Emotet Maldoc





Url’s Reached out to by the Maldoc






Emotet Exe





Trickbot Exe

Cobalt Strike C2

Port 443

Powershell Empire C2


Network Signatures:
ET TROJAN Possible PowerShell Empire Activity Outbound
ET TROJAN Suspected Powershell Empire GET M1
ET POLICY HTTP traffic on port 443 (POST)
ET CNC Feodo Tracker Reported CnC Server group 23
ET CNC Feodo Tracker Reported CnC Server group 24
ET CNC Feodo Tracker Reported CnC Server group 3
ET CNC Feodo Tracker Reported CnC Server group 5
ET CNC Feodo Tracker Reported CnC Server group 1
ET CNC Feodo Tracker Reported CnC Server group 10
ET CNC Feodo Tracker Reported CnC Server group 13
ET CNC Feodo Tracker Reported CnC Server group 16
ET CNC Feodo Tracker Reported CnC Server group 17
ET CNC Feodo Tracker Reported CnC Server group 18
ET CNC Feodo Tracker Reported CnC Server group 19
ET CNC Feodo Tracker Reported CnC Server group 21
ET CNC Feodo Tracker Reported CnC Server group 25
ET CNC Feodo Tracker Reported CnC Server group 4
ET CNC Feodo Tracker Reported CnC Server group 6
ET CNC Feodo Tracker Reported CnC Server group 7
ET CNC Feodo Tracker Reported CnC Server group 9
ET TROJAN Suspicious POST with Common Windows Process Names - Possible Process List Exfiltration
C2 Urls: