Overview

overview

10

Static

static

emotet_exe...xe.exe

windows7_x64

10

emotet_exe...xe.exe

windows10_x64

10

Analysis

  • max time kernel
    135s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7v200722
  • submitted
    28-07-2020 20:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    emotet_exe_e3_5e1a90dfb4c793ca62181c0e162bc142795afa16b5b8ebcd96ede5df1810f010_2020-07-28__204345._exe.exe

  • Size

    612KB

  • MD5

    57f4b5568de5f2405c904944cdd6ef86

  • SHA1

    e1ab7f158b119ca62cf811676934c84407ae1110

  • SHA256

    5e1a90dfb4c793ca62181c0e162bc142795afa16b5b8ebcd96ede5df1810f010

  • SHA512

    f5988c3836a7f86be02b3a7d00d77a201512df5a4ce9a207d2b1d7c498df95021fe586053854c31da28b0275a5097a50508bd4040bb9550273829fc12a3242b4

Score
10/10
trojanbankeremotet

Malware Config

Extracted

Family

emotet

C2

177.37.81.212:443

74.207.230.187:8080

190.164.75.175:80

87.252.100.28:80

105.209.239.55:80

163.172.107.70:8080

37.208.106.146:8080

24.157.25.203:80

212.112.113.235:80

140.207.113.106:443

75.139.38.211:80

192.210.217.94:8080

46.49.124.53:80

75.127.14.170:8080

87.106.231.60:8080

139.59.12.63:8080

181.167.35.84:80

201.214.108.231:80

74.208.173.91:8080

189.146.1.78:443
rsa_pubkey.plain

Signatures

  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Emotet Payload 2 IoCs

    Detects Emotet payload in memory.

  • Drops file in System32 directory 1 IoCs
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet

Processes

  • C:\Users\Admin\AppData\Local\Temp\emotet_exe_e3_5e1a90dfb4c793ca62181c0e162bc142795afa16b5b8ebcd96ede5df1810f010_2020-07-28__204345._exe.exe
    "C:\Users\Admin\AppData\Local\Temp\emotet_exe_e3_5e1a90dfb4c793ca62181c0e162bc142795afa16b5b8ebcd96ede5df1810f010_2020-07-28__204345._exe.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    • Drops file in System32 directory
    PID:748
    • C:\Windows\SysWOW64\NlsLexicons0001\SystemPropertiesDataExecutionPrevention.exe
      "C:\Windows\SysWOW64\NlsLexicons0001\SystemPropertiesDataExecutionPrevention.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1776

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\NlsLexicons0001\SystemPropertiesDataExecutionPrevention.exe
    Download Submit

  • memory/748-0-0x0000000000280000-0x000000000028C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1776-1-0x0000000000000000-mapping.dmp

    Download

  • memory/1776-3-0x0000000000310000-0x000000000031C000-memory.dmp

    Filesize

    48KB

    Download