emotet | 967865a88cfd3f1bec1a7e6271c68c787d2351e4173a0c98d77166a61b151638

Resubmissions

13-09-2021 08:53

210913-ktqrgsddb9 10

09-09-2021 12:04

210909-n8ty8sgbc2 10

Analysis

max time kernel
146s
max time network
150s
platform
windows7_x64
resource
win7-en
submitted
09-09-2021 12:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

967865a88cfd3f1bec1a7e6271c68c787d2351e4173a0c98d77166a61b151638.exe
Size

584KB
MD5

430b59363f1aaebb0682c525d60e7bf6
SHA1

75afa9329b922fc49430c34ef37514f2f9e5802b
SHA256

967865a88cfd3f1bec1a7e6271c68c787d2351e4173a0c98d77166a61b151638
SHA512

20587cfa212f8d9554fc97ba336c27438e75d0525baa1ffacfc594bbfa570fe02077d4ab8097496933cc93ca2653404301220ec642d0505360ff8f8ec32ec1ac

Score

10^/10

emotet epoch2 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

94.49.254.194:80

212.51.142.238:8080

91.231.166.124:8080

162.241.92.219:8080

79.98.24.39:8080

109.117.53.230:443

78.189.165.52:8080

113.160.130.116:8443

121.124.124.40:7080

101.187.97.173:80

168.235.67.138:7080

104.131.44.150:8080

5.39.91.110:7080

139.59.60.244:8080

81.2.235.111:8080

116.203.32.252:8080

61.19.246.238:443

176.111.60.55:8080

190.55.181.54:443

108.48.41.69:80

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Emotet Payload 2 IoCs

Detects Emotet payload in memory.

Processes:

resource	yara_rule
behavioral1/memory/1816-53-0x00000000002E0000-0x00000000002EC000-memory.dmp	emotet
behavioral1/memory/1816-57-0x00000000002D0000-0x00000000002D9000-memory.dmp	emotet

Executes dropped EXE 1 IoCs

Processes:

wmpsrcwp.exe

pid process

1260 wmpsrcwp.exe

pid	process
1260	wmpsrcwp.exe

Drops file in System32 directory 1 IoCs

Processes:

967865a88cfd3f1bec1a7e6271c68c787d2351e4173a0c98d77166a61b151638.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\netprofm\wmpsrcwp.exe	967865a88cfd3f1bec1a7e6271c68c787d2351e4173a0c98d77166a61b151638.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

wmpsrcwp.exe

pid process

1260 wmpsrcwp.exe
1260 wmpsrcwp.exe
1260 wmpsrcwp.exe
1260 wmpsrcwp.exe
1260 wmpsrcwp.exe
1260 wmpsrcwp.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

967865a88cfd3f1bec1a7e6271c68c787d2351e4173a0c98d77166a61b151638.exe

pid process

1816 967865a88cfd3f1bec1a7e6271c68c787d2351e4173a0c98d77166a61b151638.exe

pid	process
1260	wmpsrcwp.exe
1260	wmpsrcwp.exe
1260	wmpsrcwp.exe
1260	wmpsrcwp.exe
1260	wmpsrcwp.exe
1260	wmpsrcwp.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

967865a88cfd3f1bec1a7e6271c68c787d2351e4173a0c98d77166a61b151638.exewmpsrcwp.exe

pid	process
1816	967865a88cfd3f1bec1a7e6271c68c787d2351e4173a0c98d77166a61b151638.exe
1816	967865a88cfd3f1bec1a7e6271c68c787d2351e4173a0c98d77166a61b151638.exe
1260	wmpsrcwp.exe
1260	wmpsrcwp.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

967865a88cfd3f1bec1a7e6271c68c787d2351e4173a0c98d77166a61b151638.exe

description	pid	process	target process
PID 1816 wrote to memory of 1260	1816	967865a88cfd3f1bec1a7e6271c68c787d2351e4173a0c98d77166a61b151638.exe	wmpsrcwp.exe
PID 1816 wrote to memory of 1260	1816	967865a88cfd3f1bec1a7e6271c68c787d2351e4173a0c98d77166a61b151638.exe	wmpsrcwp.exe
PID 1816 wrote to memory of 1260	1816	967865a88cfd3f1bec1a7e6271c68c787d2351e4173a0c98d77166a61b151638.exe	wmpsrcwp.exe
PID 1816 wrote to memory of 1260	1816	967865a88cfd3f1bec1a7e6271c68c787d2351e4173a0c98d77166a61b151638.exe	wmpsrcwp.exe

C:\Users\Admin\AppData\Local\Temp\967865a88cfd3f1bec1a7e6271c68c787d2351e4173a0c98d77166a61b151638.exe
"C:\Users\Admin\AppData\Local\Temp\967865a88cfd3f1bec1a7e6271c68c787d2351e4173a0c98d77166a61b151638.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\SysWOW64\netprofm\wmpsrcwp.exe
"C:\Windows\SysWOW64\netprofm\wmpsrcwp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\netprofm\wmpsrcwp.exe

MD5
430b59363f1aaebb0682c525d60e7bf6

SHA1
75afa9329b922fc49430c34ef37514f2f9e5802b

SHA256
967865a88cfd3f1bec1a7e6271c68c787d2351e4173a0c98d77166a61b151638

SHA512
20587cfa212f8d9554fc97ba336c27438e75d0525baa1ffacfc594bbfa570fe02077d4ab8097496933cc93ca2653404301220ec642d0505360ff8f8ec32ec1ac

Download Submit
memory/1260-58-0x0000000000000000-mapping.dmp

Download
memory/1816-53-0x00000000002E0000-0x00000000002EC000-memory.dmp

Filesize
48KB

Download
memory/1816-56-0x0000000075AA1000-0x0000000075AA3000-memory.dmp

Filesize
8KB

Download
memory/1816-57-0x00000000002D0000-0x00000000002D9000-memory.dmp

Filesize
36KB

Download