emotet | 53c36c90f88f924fd19fc272e41454fb01aba0fc492ae74a3001b59b51d275f2

Analysis

max time kernel
29s
max time network
30s
platform
windows10_x64
resource
win10v200722
submitted
29/07/2020, 00:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53c36c90f88f924fd19fc272e41454fb01aba0fc492ae74a3001b59b51d275f2.exe
Size

668KB
MD5

e1a72766b78745bdbb969e64f89bfbb9
SHA1

7acb5b8d297e70600c55538a2359212ad6c05dcf
SHA256

53c36c90f88f924fd19fc272e41454fb01aba0fc492ae74a3001b59b51d275f2
SHA512

52240e63495d26f9efc1030046bb26b35266bec6ee83e944a00f86b0117adc5966108e44f3b88d39a0de71b34f249341cc1b641446ab09d11ece8bf7149b1952

Score

10^/10

trojan banker emotet

Malware Config

Extracted

Family

emotet

179.60.229.168:443

185.94.252.13:443

189.218.165.63:80

77.90.136.129:8080

217.199.160.224:7080

104.131.41.185:8080

2.47.112.152:80

185.94.252.27:443

186.250.52.226:8080

51.255.165.160:8080

68.183.170.114:8080

191.99.160.58:80

104.131.103.37:8080

181.31.211.181:80

202.62.39.111:80

83.169.21.32:7080

87.106.46.107:8080

72.47.248.48:7080

177.75.143.112:443

190.17.195.202:80

rsa_pubkey.plain

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2540	msdtcVSp1res.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2540	msdtcVSp1res.exe
2540	msdtcVSp1res.exe
2540	msdtcVSp1res.exe
2540	msdtcVSp1res.exe
2540	msdtcVSp1res.exe
2540	msdtcVSp1res.exe

Emotet Payload 2 IoCs

Detects Emotet payload in memory.

resource	yara_rule
behavioral1/memory/3908-0-0x00000000005A0000-0x00000000005AC000-memory.dmp	emotet
behavioral1/memory/2540-3-0x0000000000560000-0x000000000056C000-memory.dmp	emotet

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ddisplay\msdtcVSp1res.exe	53c36c90f88f924fd19fc272e41454fb01aba0fc492ae74a3001b59b51d275f2.exe

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3908	53c36c90f88f924fd19fc272e41454fb01aba0fc492ae74a3001b59b51d275f2.exe
3908	53c36c90f88f924fd19fc272e41454fb01aba0fc492ae74a3001b59b51d275f2.exe
2540	msdtcVSp1res.exe
2540	msdtcVSp1res.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3908	53c36c90f88f924fd19fc272e41454fb01aba0fc492ae74a3001b59b51d275f2.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3908 wrote to memory of 2540	3908	53c36c90f88f924fd19fc272e41454fb01aba0fc492ae74a3001b59b51d275f2.exe	66
PID 3908 wrote to memory of 2540	3908	53c36c90f88f924fd19fc272e41454fb01aba0fc492ae74a3001b59b51d275f2.exe	66
PID 3908 wrote to memory of 2540	3908	53c36c90f88f924fd19fc272e41454fb01aba0fc492ae74a3001b59b51d275f2.exe	66

C:\Users\Admin\AppData\Local\Temp\53c36c90f88f924fd19fc272e41454fb01aba0fc492ae74a3001b59b51d275f2.exe
"C:\Users\Admin\AppData\Local\Temp\53c36c90f88f924fd19fc272e41454fb01aba0fc492ae74a3001b59b51d275f2.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3908
- C:\Windows\SysWOW64\ddisplay\msdtcVSp1res.exe
  "C:\Windows\SysWOW64\ddisplay\msdtcVSp1res.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2540

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2540-3-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/3908-0-0x00000000005A0000-0x00000000005AC000-memory.dmp

Filesize
48KB

Download