Analysis

  • max time kernel
    124s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    23-02-2021 15:28

General

  • Target

    61e37534bfb2acbb787788100b1932f5011cbc98db86ce10b7a8a730d2a4de35.exe

  • Size

    256KB

  • MD5

    b12817c1c8ba085a7a82655fba90e53d

  • SHA1

    1f56268ada7ef3e7b788121cfa2ca1879cf70f1e

  • SHA256

    61e37534bfb2acbb787788100b1932f5011cbc98db86ce10b7a8a730d2a4de35

  • SHA512

    788a14c7f1bd001650f9eb01f9d7031bd99853bbb4de5a62b88c4c28bf60f5118a5b6884387c8880388dd3ba78b87caa312e3b82f8351db41befbb8b76aac672

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

C2


rsa_pubkey.plain

Extracted

Family

emotet

Botnet

LEA

C2


rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Emotet Payload 3 IoCs

    Detects Emotet payload in memory.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EmotetMutantsSpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\61e37534bfb2acbb787788100b1932f5011cbc98db86ce10b7a8a730d2a4de35.exe
    "C:\Users\Admin\AppData\Local\Temp\61e37534bfb2acbb787788100b1932f5011cbc98db86ce10b7a8a730d2a4de35.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EmotetMutantsSpam
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1924
    • C:\Users\Admin\AppData\Local\Temp\msdtcuiu2.exe
      "C:\Users\Admin\AppData\Local\Temp\\msdtcuiu2.exe" 7AAAAIwAAABUAGUAbQBwAFwANgAxAGUAMwA3ADUAMwA0AGIAZgBiADIAYQBjAGIAYgA3ADgANwA3ADgAOAAxADAAMABiADEAOQAzADIAZgA1ADAAMQAxAGMAYgBjADkAOABkAGIAOAA2AGMAZQAxADAAYgA3AGEAOABhADcAMwAwAGQAMgBhADQAZABlADMANQAAAA==
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      PID:916

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Discovery
    System Information Discovery (T1082) 1


Downloads

  • C:\Users\Admin\AppData\Local\Temp\msdtcuiu2.exe
    MD5

    13b9d586bb973ac14bfa24e4ae7b24f1

    SHA1

    a5653ebe4fa9f906554e56f4d732489189c3a3f9

    SHA256

    90e4f02ab9157f389d785c3dcddfa432085b237f2a4c3befb4a093d0f2711b5b

    SHA512

    517b1728ac24a587c6a4ccb7c0ea18f2059609958eb06f06107efd5a2e06faf0caa78c49f252e8b2e602a88de194e7edb1f4aaf1efe423298e94257c3df902ae

  • memory/916-12-0x0000000000270000-0x00000000002CB000-memory.dmp
    Filesize

    364KB

  • memory/916-9-0x0000000000000000-mapping.dmp
  • memory/916-13-0x00000000002D0000-0x000000000032A000-memory.dmp
    Filesize

    360KB

  • memory/916-21-0x00000000001B0000-0x0000000000209000-memory.dmp
    Filesize

    356KB

  • memory/1700-6-0x000007FEF6680000-0x000007FEF68FA000-memory.dmp
    Filesize

    2MB

  • memory/1924-7-0x0000000000400000-0x000000000040C000-memory.dmp
    Filesize

    48KB

  • memory/1924-5-0x0000000000250000-0x000000000025B000-memory.dmp
    Filesize

    44KB

  • memory/1924-4-0x0000000075AE1000-0x0000000075AE3000-memory.dmp
    Filesize

    8KB

  • memory/1924-2-0x00000000003D0000-0x00000000003DE000-memory.dmp
    Filesize

    56KB

  • memory/1924-3-0x00000000003E0000-0x00000000003EC000-memory.dmp
    Filesize

    48KB