Overview

overview

10

Static

static

emotet_pe_1min

windows10_x64

10

Analysis

  • max time kernel
    47s
  • max time network
    59s
  • platform
    windows10_x64
  • resource
    win10-de-20211104
  • submitted
    25-11-2021 16:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    94c793c741698a75da4246ef790ce366534ddf5d620533c68f004b1f142de218.dll

  • Size

    653KB

  • MD5

    4a2de25016b471b380c4eb430f61ef0d

  • SHA1

    ed79dc00e10ff969bb35322e023f1f9c1750b602

  • SHA256

    94c793c741698a75da4246ef790ce366534ddf5d620533c68f004b1f142de218

  • SHA512

    7256ddbce7d2ad0d996e6d6c3579c7ac52b0d0f6d1f7b9c27ba1c48cdc92c5442b9054e62b810d004c5342deaf2ef3e4a83f342718a77e0ff8fa3b3e76f0f4ff

Score
10/10
emotetepoch5bankersuricatatrojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch5

C2

51.178.61.60:443

168.197.250.14:80

45.79.33.48:8080

196.44.98.190:8080

177.72.80.14:7080

51.210.242.234:8080

185.148.169.10:8080

142.4.219.173:8080

78.47.204.80:443

78.46.73.125:443

37.44.244.177:8080

37.59.209.141:8080

191.252.103.16:80

54.38.242.185:443

85.214.67.203:8080

54.37.228.122:443

207.148.81.119:8080

195.77.239.39:8080

66.42.57.149:443

195.154.146.35:443
eck1.plain
ecs1.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • suricata: ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)

    suricata: ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)

    suricata
  • suricata: ET MALWARE W32/Emotet CnC Beacon 3

    suricata: ET MALWARE W32/Emotet CnC Beacon 3

    suricata
  • Blocklisted process makes network request 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\94c793c741698a75da4246ef790ce366534ddf5d620533c68f004b1f142de218.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1636
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\94c793c741698a75da4246ef790ce366534ddf5d620533c68f004b1f142de218.dll,#1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4576
      • C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\94c793c741698a75da4246ef790ce366534ddf5d620533c68f004b1f142de218.dll",Control_RunDLL
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: RenamesItself
        • Suspicious use of WriteProcessMemory
        PID:4664
        • C:\Windows\SysWOW64\rundll32.exe
          C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Lyaxhhsbw\vlbkzgcuftjpa.sfm",nUIbtGnRx
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2224
          • C:\Windows\SysWOW64\rundll32.exe
            C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Lyaxhhsbw\vlbkzgcuftjpa.sfm",Control_RunDLL
            5⤵
            • Blocklisted process makes network request
            • Suspicious behavior: EnumeratesProcesses
            PID:2776

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2224-138-0x0000000000000000-mapping.dmp
    Download
  • memory/2224-140-0x0000000004A60000-0x0000000004A88000-memory.dmp
    Filesize

    160KB

    Download
  • memory/2776-146-0x0000000004E40000-0x0000000004E68000-memory.dmp
    Filesize

    160KB

    Download
  • memory/2776-145-0x0000000000000000-mapping.dmp
    Download
  • memory/2776-161-0x0000000005960000-0x0000000005988000-memory.dmp
    Filesize

    160KB

    Download
  • memory/2776-158-0x0000000005880000-0x00000000058A8000-memory.dmp
    Filesize

    160KB

    Download
  • memory/2776-155-0x00000000057A0000-0x00000000057C8000-memory.dmp
    Filesize

    160KB

    Download
  • memory/2776-152-0x00000000056C0000-0x00000000056E8000-memory.dmp
    Filesize

    160KB

    Download
  • memory/2776-149-0x00000000053C0000-0x00000000053E8000-memory.dmp
    Filesize

    160KB

    Download
  • memory/4576-118-0x0000000000000000-mapping.dmp
    Download
  • memory/4576-119-0x0000000002D40000-0x0000000002D68000-memory.dmp
    Filesize

    160KB

    Download
  • memory/4664-139-0x0000000004B80000-0x0000000004BA8000-memory.dmp
    Filesize

    160KB

    Download
  • memory/4664-123-0x0000000004110000-0x0000000004138000-memory.dmp
    Filesize

    160KB

    Download
  • memory/4664-122-0x0000000000000000-mapping.dmp
    Download
  • memory/4664-135-0x0000000004A20000-0x0000000004A48000-memory.dmp
    Filesize

    160KB

    Download
  • memory/4664-132-0x00000000049C0000-0x00000000049E8000-memory.dmp
    Filesize

    160KB

    Download
  • memory/4664-129-0x0000000004820000-0x0000000004848000-memory.dmp
    Filesize

    160KB

    Download
  • memory/4664-126-0x0000000004640000-0x0000000004668000-memory.dmp
    Filesize

    160KB

    Download