Analysis

  • max time kernel
    17s
  • max time network
    67s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    24-11-2020 15:21

General

  • Target

    22052e.dll

  • Size

    58KB

  • MD5

    a74d845c1a8fa5aa08fa50b763df5280

  • SHA1

    93696c16595d6d8d829d7364d1f8d721a2422932

  • SHA256

    4d269510f7daaf159b8e10c8b976ace9de19756d54b3ace7a00afd7c3ba4023c

  • SHA512

    799aa2dc166c23831d6600c5f5c31c6cecc2c9d4f623e0b01a1e0dcc6889162fde2938c7053b2de2057f3139854cea9d1b74dc609451bb56f9a81bb527f4e959

Malware Config

Extracted

Family

emotet

Botnet

Epoch3

C2

115.79.119.206:443

91.74.148.90:443

103.229.72.197:8080

91.121.200.35:8080

188.226.165.170:8080

180.198.105.177:80

203.153.216.178:7080

143.95.101.72:8080

202.29.237.113:8080

163.53.204.180:443

37.46.129.215:8080

183.91.3.63:80

192.210.217.94:8080

74.208.173.91:8080

91.75.75.46:80

172.96.190.154:8080

177.130.51.198:80

178.33.167.120:8080

185.142.236.163:443

50.116.78.109:8080

rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Emotet Payload 1 IoCs

    Detects Emotet payload in memory.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\22052e.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4760
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\22052e.dll,#1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4772

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4772-0-0x0000000000000000-mapping.dmp
  • memory/4772-1-0x0000000000820000-0x0000000000830000-memory.dmp
    Filesize

    64KB