emotet | 967865a88cfd3f1bec1a7e6271c68c787d2351e4173a0c98d77166a61b151638

Resubmissions

13-09-2021 08:53

210913-ktqrgsddb9 10

09-09-2021 12:04

210909-n8ty8sgbc2 10

Analysis

max time kernel
139s
max time network
149s
platform
windows10_x64
resource
win10-en
submitted
09-09-2021 12:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

967865a88cfd3f1bec1a7e6271c68c787d2351e4173a0c98d77166a61b151638.exe
Size

584KB
MD5

430b59363f1aaebb0682c525d60e7bf6
SHA1

75afa9329b922fc49430c34ef37514f2f9e5802b
SHA256

967865a88cfd3f1bec1a7e6271c68c787d2351e4173a0c98d77166a61b151638
SHA512

20587cfa212f8d9554fc97ba336c27438e75d0525baa1ffacfc594bbfa570fe02077d4ab8097496933cc93ca2653404301220ec642d0505360ff8f8ec32ec1ac

Score

10^/10

emotet epoch2 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

94.49.254.194:80

212.51.142.238:8080

91.231.166.124:8080

162.241.92.219:8080

79.98.24.39:8080

109.117.53.230:443

78.189.165.52:8080

113.160.130.116:8443

121.124.124.40:7080

101.187.97.173:80

168.235.67.138:7080

104.131.44.150:8080

5.39.91.110:7080

139.59.60.244:8080

81.2.235.111:8080

116.203.32.252:8080

61.19.246.238:443

176.111.60.55:8080

190.55.181.54:443

108.48.41.69:80

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Emotet Payload 2 IoCs

Detects Emotet payload in memory.

Processes:

resource	yara_rule
behavioral2/memory/4480-116-0x0000000000620000-0x000000000062C000-memory.dmp	emotet
behavioral2/memory/3964-121-0x0000000000600000-0x000000000060C000-memory.dmp	emotet

Executes dropped EXE 1 IoCs

Processes:

Dism.exe

pid process

3964 Dism.exe

Drops file in System32 directory 1 IoCs

Processes:

967865a88cfd3f1bec1a7e6271c68c787d2351e4173a0c98d77166a61b151638.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\SearchFolder\Dism.exe	967865a88cfd3f1bec1a7e6271c68c787d2351e4173a0c98d77166a61b151638.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

Dism.exe

pid	process
3964	Dism.exe
3964	Dism.exe
3964	Dism.exe
3964	Dism.exe
3964	Dism.exe
3964	Dism.exe
3964	Dism.exe
3964	Dism.exe
3964	Dism.exe
3964	Dism.exe
3964	Dism.exe
3964	Dism.exe
3964	Dism.exe
3964	Dism.exe
3964	Dism.exe
3964	Dism.exe
3964	Dism.exe
3964	Dism.exe
3964	Dism.exe
3964	Dism.exe
3964	Dism.exe
3964	Dism.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

967865a88cfd3f1bec1a7e6271c68c787d2351e4173a0c98d77166a61b151638.exe

pid process

4480 967865a88cfd3f1bec1a7e6271c68c787d2351e4173a0c98d77166a61b151638.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

967865a88cfd3f1bec1a7e6271c68c787d2351e4173a0c98d77166a61b151638.exeDism.exe

pid	process
4480	967865a88cfd3f1bec1a7e6271c68c787d2351e4173a0c98d77166a61b151638.exe
4480	967865a88cfd3f1bec1a7e6271c68c787d2351e4173a0c98d77166a61b151638.exe
3964	Dism.exe
3964	Dism.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

967865a88cfd3f1bec1a7e6271c68c787d2351e4173a0c98d77166a61b151638.exe

description	pid	process	target process
PID 4480 wrote to memory of 3964	4480	967865a88cfd3f1bec1a7e6271c68c787d2351e4173a0c98d77166a61b151638.exe	Dism.exe
PID 4480 wrote to memory of 3964	4480	967865a88cfd3f1bec1a7e6271c68c787d2351e4173a0c98d77166a61b151638.exe	Dism.exe
PID 4480 wrote to memory of 3964	4480	967865a88cfd3f1bec1a7e6271c68c787d2351e4173a0c98d77166a61b151638.exe	Dism.exe

C:\Users\Admin\AppData\Local\Temp\967865a88cfd3f1bec1a7e6271c68c787d2351e4173a0c98d77166a61b151638.exe
"C:\Users\Admin\AppData\Local\Temp\967865a88cfd3f1bec1a7e6271c68c787d2351e4173a0c98d77166a61b151638.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4480

C:\Windows\SysWOW64\SearchFolder\Dism.exe
"C:\Windows\SysWOW64\SearchFolder\Dism.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3964

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\SearchFolder\Dism.exe
MD5
430b59363f1aaebb0682c525d60e7bf6

SHA1
75afa9329b922fc49430c34ef37514f2f9e5802b

SHA256
967865a88cfd3f1bec1a7e6271c68c787d2351e4173a0c98d77166a61b151638

SHA512
20587cfa212f8d9554fc97ba336c27438e75d0525baa1ffacfc594bbfa570fe02077d4ab8097496933cc93ca2653404301220ec642d0505360ff8f8ec32ec1ac

Download Submit
memory/3964-119-0x0000000000000000-mapping.dmp

Download
memory/3964-121-0x0000000000600000-0x000000000060C000-memory.dmp

Filesize
48KB

Download
memory/3964-124-0x00000000004A0000-0x000000000054E000-memory.dmp

Filesize
696KB

Download
memory/4480-116-0x0000000000620000-0x000000000062C000-memory.dmp

Filesize
48KB

Download
memory/4480-118-0x00000000005D0000-0x000000000071A000-memory.dmp

Filesize
1.3MB

Download