Analysis

  • max time kernel
    30s
  • max time network
    31s
  • platform
    windows10_x64
  • resource
    win10v200722
  • submitted
    29-07-2020 06:17

General

  • Target

    e91d41a173c4277278828677138995d9faea8b4785040758649f40ad8a12eae9.exe

  • Size

    688KB

  • MD5

    b74f91b7ba2e3eac4aaa6b2f3b017570

  • SHA1

    d0b675504724f257c84f8ac19a0d8c21efc73436

  • SHA256

    e91d41a173c4277278828677138995d9faea8b4785040758649f40ad8a12eae9

  • SHA512

    aa1d0d0ec217ec05045ce588dc1b08fe3808c6a6da087a85598464f90c81b9e5c9abb6eb0f5e28b920202d7b32c346d824f64a6148c418efdb287e57ddc7fd15

Score
10/10

Malware Config

Extracted

Family

emotet

C2

76.27.179.47:80

212.51.142.238:8080

189.212.199.126:443

61.19.246.238:443

162.154.38.103:80

91.211.88.52:7080

83.110.223.58:443

124.45.106.173:443

116.203.32.252:8080

109.117.53.230:443

5.196.74.210:8080

75.139.38.211:80

168.235.67.138:7080

176.111.60.55:8080

169.239.182.217:8080

74.208.45.104:8080

31.31.77.83:443

222.214.218.37:4143

37.139.21.175:8080

91.205.215.66:443

rsa_pubkey.plain
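The C2 list above is the most directly actionable part of the extracted config. The following script is an added example, not part of the sandbox report: it parses the report's ip:port entries, matches them against connection log lines, and emits one Suricata-style alert rule per endpoint. The log lines are constructed for the example in a Zeek conn.log-like tab-separated shape and are not real traffic; the sid range in the rules is a placeholder.

```python
"""Turn the report's extracted Emotet C2 list into detection content.

Added example, not part of the sandbox report. The C2 endpoints are copied
from the Malware Config section; the connection log lines are constructed
(Zeek conn.log-like, tab separated) and are not real traffic.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

# ip:port pairs exactly as the report lists them.
EMOTET_C2_RAW = """
76.27.179.47:80
212.51.142.238:8080
189.212.199.126:443
61.19.246.238:443
162.154.38.103:80
91.211.88.52:7080
83.110.223.58:443
124.45.106.173:443
116.203.32.252:8080
109.117.53.230:443
5.196.74.210:8080
75.139.38.211:80
168.235.67.138:7080
176.111.60.55:8080
169.239.182.217:8080
74.208.45.104:8080
31.31.77.83:443
222.214.218.37:4143
37.139.21.175:8080
91.205.215.66:443
"""

Endpoint = Tuple[str, int]


def parse_c2(raw: str) -> Set[Endpoint]:
    """Parse 'ip:port' lines into (ip, port) tuples, rejecting malformed entries."""
    endpoints: Set[Endpoint] = set()
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, sep, port = line.rpartition(":")
        if not sep:
            raise ValueError(f"missing port in C2 entry: {line!r}")
        ipaddress.ip_address(host)  # raises ValueError on a bad address
        endpoints.add((host, int(port)))
    return endpoints


# Constructed sample log (not real traffic): ts, src ip, src port, dst ip, dst port, proto.
SAMPLE_CONN_LOG = """\
1596003450.1\t10.0.0.5\t49712\t76.27.179.47\t80\ttcp
1596003451.2\t10.0.0.5\t49713\t93.184.216.34\t443\ttcp
1596003452.3\t10.0.0.7\t49800\t91.211.88.52\t7080\ttcp
1596003453.4\t10.0.0.7\t49801\t91.211.88.52\t443\ttcp
1596003454.5\t10.0.0.9\t49900\t222.214.218.37\t4143\ttcp
"""


def match_connections(log_text: str, c2: Set[Endpoint],
                      strict: bool = True) -> List[Dict[str, str]]:
    """Return log records whose destination is on the C2 list.

    strict=True matches ip AND port (the config binds one port to each host);
    strict=False matches on ip alone, which is looser but still catches a
    host that has rotated ports since the config was extracted.
    """
    c2_ips = {ip for ip, _ in c2}
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) < 6:
            continue
        ts, src, sport, dst, dport, proto = fields[:6]
        on_list = (dst, int(dport)) in c2 if strict else dst in c2_ips
        if on_list:
            hits.append({"ts": ts, "src": src, "dst": dst,
                         "dport": dport, "proto": proto})
    return hits


def suricata_rules(c2: Set[Endpoint], base_sid: int = 1000000) -> List[str]:
    """Emit one Suricata/Snort alert rule per C2 endpoint (sid range is a placeholder)."""
    rules: List[str] = []
    for i, (ip, port) in enumerate(sorted(c2)):
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"Emotet C2 {ip}:{port}"; flow:to_server; sid:{base_sid + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    c2 = parse_c2(EMOTET_C2_RAW)
    for hit in match_connections(SAMPLE_CONN_LOG, c2):
        print(f"{hit['ts']} {hit['src']} -> {hit['dst']}:{hit['dport']}  EMOTET C2")
    print("\n".join(suricata_rules(c2)[:3]))
```

In the constructed log, 91.211.88.52:443 is deliberately not a strict hit because the config lists that host on 7080 only; with strict=False it is reported as well. Use the strict form for alerting and the loose form for retrospective hunting, since Emotet C2 lists change between builds.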

Signatures

  • Suspicious use of WriteProcessMemory 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Emotet Payload 2 IoCs

    Detects Emotet payload in memory.

  • Drops file in System32 directory 1 IoCs
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e91d41a173c4277278828677138995d9faea8b4785040758649f40ad8a12eae9.exe
    "C:\Users\Admin\AppData\Local\Temp\e91d41a173c4277278828677138995d9faea8b4785040758649f40ad8a12eae9.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Drops file in System32 directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious behavior: RenamesItself
    PID:584
    • C:\Windows\SysWOW64\wiascanprofiles\wksprtPS.exe
      "C:\Windows\SysWOW64\wiascanprofiles\wksprtPS.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:912
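The process tree shows the two behaviours the report flags as "Drops file in System32 directory" and "Executes dropped EXE": the sample running from the user's Temp directory (PID 584) writes wksprtPS.exe into a sub-directory of SysWOW64 and then launches that copy (PID 912). The script below is an added example, not part of the sandbox report, that correlates those two steps over constructed Sysmon-shaped events (EventID 11 = FileCreate, EventID 1 = ProcessCreate). The field names follow Sysmon; the event values, the benign decoy events and the directory lists are assumptions made for the example.

```python
"""Flag the drop-into-system-dir-then-execute chain from the process tree.

Added example, not part of the sandbox report. Events are constructed in a
Sysmon-like shape; PIDs and paths mirror the report's process tree, the
benign events are made up to show what the rule must not fire on.
"""
from typing import Dict, List

Event = Dict[str, object]

SAMPLE_EXE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
              "e91d41a173c4277278828677138995d9faea8b4785040758649f40ad8a12eae9.exe")
DROPPED_EXE = "C:\\Windows\\SysWOW64\\wiascanprofiles\\wksprtPS.exe"

# Directories a low-privileged user can write to (assumed list).
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Directories where a legitimate non-servicing program rarely drops a new exe.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

SAMPLE_EVENTS: List[Event] = [
    # The sample in Temp writes a copy of itself under SysWOW64 (report: PID 584).
    {"EventID": 11, "ProcessId": 584, "Image": SAMPLE_EXE,
     "TargetFilename": DROPPED_EXE},
    # Benign decoy: an installer in Downloads writes into Program Files.
    {"EventID": 11, "ProcessId": 700,
     "Image": "C:\\Users\\Admin\\Downloads\\setup.exe",
     "TargetFilename": "C:\\Program Files\\Tool\\tool.exe"},
    # Benign decoy: a servicing binary (not in a user-writable path) writes to System32.
    {"EventID": 11, "ProcessId": 1200,
     "Image": "C:\\Windows\\servicing\\TrustedInstaller.exe",
     "TargetFilename": "C:\\Windows\\System32\\example.dll"},
    # The dropped copy starts with the Temp process as its parent (report: PID 912).
    {"EventID": 1, "ProcessId": 912, "ParentProcessId": 584,
     "Image": DROPPED_EXE, "ParentImage": SAMPLE_EXE},
]


def _norm(path: str) -> str:
    """Normalise a Windows path for prefix matching (case-insensitive, backslashes)."""
    return path.replace("/", "\\").lower()


def is_user_writable(path: str) -> bool:
    return _norm(path).startswith(USER_WRITABLE)


def is_system_dir(path: str) -> bool:
    return _norm(path).startswith(SYSTEM_DIRS)


def correlate(events: List[Event]) -> List[Dict[str, object]]:
    """Walk events in order; record user-path processes that create an .exe in a
    system directory, then flag any later process start of that exact file."""
    dropped: Dict[str, int] = {}  # normalised dropped path -> dropper pid
    findings: List[Dict[str, object]] = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 11:
            image, target = str(ev["Image"]), str(ev["TargetFilename"])
            if (is_user_writable(image) and is_system_dir(target)
                    and _norm(target).endswith(".exe")):
                dropped[_norm(target)] = int(ev["ProcessId"])
                findings.append({"rule": "drop_exe_in_system_dir",
                                 "pid": int(ev["ProcessId"]), "path": target})
        elif eid == 1:
            image = _norm(str(ev["Image"]))
            if image in dropped:
                parent = ev.get("ParentProcessId")
                findings.append({"rule": "exec_dropped_exe",
                                 "pid": int(ev["ProcessId"]),
                                 "parent_pid": parent,
                                 "dropper_pid": dropped[image],
                                 "parent_is_dropper": parent == dropped[image],
                                 "path": str(ev["Image"])})
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

The second finding carries parent_is_dropper, which is what distinguishes this chain (the Temp copy spawning its own installed copy, as in the tree above) from a legitimately installed binary being started later by the service control manager. The benign decoys are there to show the two conditions the rule needs together: a writer running from a user-writable path and a new executable landing under a system directory; either alone is common.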

Network

MITRE ATT&CK Matrix

Downloads

  • memory/584-0-0x0000000002220000-0x000000000222C000-memory.dmp

    Filesize

    48KB

  • memory/912-3-0x0000000000590000-0x000000000059C000-memory.dmp

    Filesize

    48KB