emotet | 83e988460e2d1305223d78eed848f66fbe3fdfe9d6fa0a10a008e09867dc90cb

Analysis

max time kernel
578s
max time network
590s
platform
windows10_x64
resource
win10v20201028
submitted
24-01-2021 19:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

E2-20210122_075416.dll
Size

340KB
MD5

87ab0405dd92650067542696ee0c2c98
SHA1

204e0200e2c648edf70d90472e0b6c4b15bc58c8
SHA256

8a87e9ca0011dced9b29abff8ffa438815ed675b7c9fcef3e546109a08f2ab45
SHA512

2fbb98040f88eb7d3f34157372db49fb7ee933bd63a59d74b1fd91d8ec0eaf065aa8cd69851ec75c2c379e174a3eaaf9d630f847bc525ba61fc127a68454e2d2

Score

10^/10

emotet epoch2 banker ransomware trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

12.175.220.98:80

162.241.204.233:8080

50.116.111.59:8080

172.86.188.251:8080

139.99.158.11:443

66.57.108.14:443

75.177.207.146:80

194.190.67.75:80

50.245.107.73:443

173.70.61.180:80

85.105.205.77:8080

104.131.11.150:443

62.75.141.82:80

70.92.118.112:80

194.4.58.192:7080

120.150.60.189:80

24.231.88.85:80

78.24.219.147:8080

110.142.236.207:80

119.59.116.21:8080

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exe

flow pid process

21 692 rundll32.exe
22 692 rundll32.exe
23 692 rundll32.exe
24 692 rundll32.exe
Drops file in System32 directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\Dsqoehpsqsblw\hrycsaymnjxw.idj rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082

flow	pid	process
21	692	rundll32.exe
22	692	rundll32.exe
23	692	rundll32.exe
24	692	rundll32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Dsqoehpsqsblw\hrycsaymnjxw.idj	rundll32.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

rundll32.exe

pid	process
692	rundll32.exe
692	rundll32.exe
692	rundll32.exe
692	rundll32.exe
692	rundll32.exe
692	rundll32.exe
692	rundll32.exe
692	rundll32.exe
692	rundll32.exe
692	rundll32.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

rundll32.exe

pid process

416 rundll32.exe

pid	process
416	rundll32.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

description	pid	process	target process
PID 496 wrote to memory of 416	496	rundll32.exe	rundll32.exe
PID 496 wrote to memory of 416	496	rundll32.exe	rundll32.exe
PID 496 wrote to memory of 416	496	rundll32.exe	rundll32.exe
PID 416 wrote to memory of 208	416	rundll32.exe	rundll32.exe
PID 416 wrote to memory of 208	416	rundll32.exe	rundll32.exe
PID 416 wrote to memory of 208	416	rundll32.exe	rundll32.exe
PID 208 wrote to memory of 692	208	rundll32.exe	rundll32.exe
PID 208 wrote to memory of 692	208	rundll32.exe	rundll32.exe
PID 208 wrote to memory of 692	208	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\E2-20210122_075416.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:496
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\E2-20210122_075416.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:416
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Dsqoehpsqsblw\hrycsaymnjxw.idj",dEeQxLRRc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:208
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Dsqoehpsqsblw\hrycsaymnjxw.idj",#1
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      PID:692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/208-5-0x0000000000000000-mapping.dmp

Download
memory/416-2-0x0000000000000000-mapping.dmp

Download
memory/416-4-0x0000000010000000-0x0000000010023000-memory.dmp

Filesize
140KB

Download
memory/416-3-0x0000000003310000-0x0000000003330000-memory.dmp

Filesize
128KB

Download
memory/692-6-0x0000000000000000-mapping.dmp

Download