emotet | b1bea682ad5cd9c75f156c91d950baf9e7b6e2febc2c775f5f7eefe681c6bda4

Analysis

max time kernel
77s
max time network
152s
platform
windows10_x64
resource
win10v200722
submitted
09-09-2020 17:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

E3.bin.exe
Size

608KB
MD5

2f29d97e32543fc84bcce2329f7fa67a
SHA1

10a01a286ccd88c8d4851d99a3ed35fd080eeb3a
SHA256

b1bea682ad5cd9c75f156c91d950baf9e7b6e2febc2c775f5f7eefe681c6bda4
SHA512

b2e46a07daa43eef710a9a1911a09a4022eda136c822fbdaf4c264e6664e5a8009cf84ab2d91a0e41b533525b8fdd959edbf071f772df524fbcba9d5bd7112d7

Score

10^/10

trojan banker emotet

Malware Config

Extracted

Family

emotet

190.194.12.132:80

51.254.140.91:7080

51.75.163.68:7080

162.144.42.60:8080

77.74.78.80:443

143.95.101.72:8080

81.214.253.80:443

222.159.240.58:80

37.205.9.252:7080

45.182.161.17:80

188.0.135.237:80

118.10.44.53:80

223.17.215.76:80

80.200.62.81:20

179.191.239.255:80

172.105.78.244:8080

181.122.154.240:80

41.185.29.128:8080

198.57.203.63:8080

179.62.238.49:80

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat svchost.exe

description	ioc	process
File opened for modification	C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat	svchost.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionTime = 2ee99c7bdf86d601	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecision = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionReason = "1"	svchost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

E3.bin.exe

pid process

3888 E3.bin.exe
3888 E3.bin.exe
3888 E3.bin.exe
3888 E3.bin.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

svchost.exe

description pid process

Token: SeShutdownPrivilege 3272 svchost.exe
Token: SeCreatePagefilePrivilege 3272 svchost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

E3.bin.exe

pid process

3888 E3.bin.exe

pid	process
3888	E3.bin.exe
3888	E3.bin.exe
3888	E3.bin.exe
3888	E3.bin.exe

description	pid	process
Token: SeShutdownPrivilege	3272	svchost.exe
Token: SeCreatePagefilePrivilege	3272	svchost.exe

pid	process
3888	E3.bin.exe

C:\Users\Admin\AppData\Local\Temp\E3.bin.exe
"C:\Users\Admin\AppData\Local\Temp\E3.bin.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3272

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3888-0-0x0000000002380000-0x0000000002392000-memory.dmp

Filesize
72KB

Download
memory/3888-1-0x00000000006F0000-0x0000000000700000-memory.dmp

Filesize
64KB

Download