Analysis

  • max time kernel
    19s
  • max time network
    69s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    24-11-2020 15:26

General

  • Target

    240000.dll

  • Size

    58KB

  • MD5

    e057356bb0d280a9ce7568f7563fde2b

  • SHA1

    cea88224bb82dfca71799d3e667f532820c21270

  • SHA256

    d6a88cbe2b699edc2062f03734f63335b72ad9107adf64e07fac4b7c9fd62319

  • SHA512

    88669ca2c02e552599b8ccf59a4e515d5257c1424b6b64a7fcf677cbee6b9d254928cdf43c42241195ea747eb9e9194f7ba6e92c1a81a95cb1ef8cdfa7f14602

Malware Config

Extracted

Family

emotet

Botnet

Epoch3

C2

115.79.119.206:443

91.74.148.90:443

103.229.72.197:8080

91.121.200.35:8080

188.226.165.170:8080

180.198.105.177:80

203.153.216.178:7080

143.95.101.72:8080

202.29.237.113:8080

163.53.204.180:443

37.46.129.215:8080

183.91.3.63:80

192.210.217.94:8080

74.208.173.91:8080

91.75.75.46:80

172.96.190.154:8080

177.130.51.198:80

178.33.167.120:8080

185.142.236.163:443

50.116.78.109:8080

rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Emotet Payload 1 IoCs

    Detects Emotet payload in memory.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240000.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:640
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\240000.dll,#1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:992

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/992-0-0x0000000000000000-mapping.dmp
  • memory/992-1-0x0000000000400000-0x0000000000410000-memory.dmp
    Filesize

    64KB