emotet | e59e7db0c75cef4bb6e057d725bae7ed5e13fd011b54fe39c3fe7cdb123b684f

Analysis

max time kernel
297s
max time network
306s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
20-06-2022 13:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25d04d6314390db9f02656b70f9d0da208b7d3e4dd47ece7cb907854a2c07dde.exe
Size

284KB
MD5

f81f03280cfa4379453f152008311573
SHA1

97a418aaebc019f4715c911af232d4ca09004536
SHA256

25d04d6314390db9f02656b70f9d0da208b7d3e4dd47ece7cb907854a2c07dde
SHA512

714a662ba23c5f971d92e7db65745c1ce663e59cbf94a767a695dc3527f9645129dd0d584333a3ea6dbe2857c12f9da323cf8b9ce535f04c8617fc7e31e0842f

Score

10^/10

emotet epoch2 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

74.135.120.91:80

108.21.72.56:443

185.201.9.197:8080

64.207.182.168:8080

51.89.36.180:443

110.145.101.66:443

85.105.111.166:80

72.27.212.209:8080

24.69.65.8:8080

109.116.245.80:80

113.61.66.94:80

61.19.246.238:443

62.75.141.82:80

110.142.236.207:80

109.74.5.95:8080

174.106.122.139:80

139.99.158.11:443

190.162.215.233:80

41.185.28.84:8080

172.125.40.123:80

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Emotet Payload 5 IoCs

Detects Emotet payload in memory.

trojan banker

resource	yara_rule
behavioral10/memory/4088-130-0x00000000021B0000-0x00000000021C2000-memory.dmp	emotet
behavioral10/memory/4088-134-0x00000000004F0000-0x0000000000500000-memory.dmp	emotet
behavioral10/memory/4088-137-0x00000000004E0000-0x00000000004EF000-memory.dmp	emotet
behavioral10/memory/2176-140-0x0000000000680000-0x0000000000692000-memory.dmp	emotet
behavioral10/memory/2176-144-0x00000000006A0000-0x00000000006B0000-memory.dmp	emotet

Executes dropped EXE 1 IoCs

pid	Process
2176	Geolocation.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\WinSync\Geolocation.exe	25d04d6314390db9f02656b70f9d0da208b7d3e4dd47ece7cb907854a2c07dde.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\notepad.exe	25d04d6314390db9f02656b70f9d0da208b7d3e4dd47ece7cb907854a2c07dde.exe
File opened for modification	C:\Windows\notepad.exe	Geolocation.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2176	Geolocation.exe
2176	Geolocation.exe
2176	Geolocation.exe
2176	Geolocation.exe
2176	Geolocation.exe
2176	Geolocation.exe
2176	Geolocation.exe
2176	Geolocation.exe
2176	Geolocation.exe
2176	Geolocation.exe
2176	Geolocation.exe
2176	Geolocation.exe
2176	Geolocation.exe
2176	Geolocation.exe
2176	Geolocation.exe
2176	Geolocation.exe
2176	Geolocation.exe
2176	Geolocation.exe
2176	Geolocation.exe
2176	Geolocation.exe
2176	Geolocation.exe
2176	Geolocation.exe
2176	Geolocation.exe
2176	Geolocation.exe
2176	Geolocation.exe
2176	Geolocation.exe
2176	Geolocation.exe
2176	Geolocation.exe
2176	Geolocation.exe
2176	Geolocation.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4088	25d04d6314390db9f02656b70f9d0da208b7d3e4dd47ece7cb907854a2c07dde.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4088	25d04d6314390db9f02656b70f9d0da208b7d3e4dd47ece7cb907854a2c07dde.exe
2176	Geolocation.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4088 wrote to memory of 2176	4088	25d04d6314390db9f02656b70f9d0da208b7d3e4dd47ece7cb907854a2c07dde.exe	79
PID 4088 wrote to memory of 2176	4088	25d04d6314390db9f02656b70f9d0da208b7d3e4dd47ece7cb907854a2c07dde.exe	79
PID 4088 wrote to memory of 2176	4088	25d04d6314390db9f02656b70f9d0da208b7d3e4dd47ece7cb907854a2c07dde.exe	79

C:\Users\Admin\AppData\Local\Temp\25d04d6314390db9f02656b70f9d0da208b7d3e4dd47ece7cb907854a2c07dde.exe
"C:\Users\Admin\AppData\Local\Temp\25d04d6314390db9f02656b70f9d0da208b7d3e4dd47ece7cb907854a2c07dde.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4088
- C:\Windows\SysWOW64\WinSync\Geolocation.exe
  "C:\Windows\SysWOW64\WinSync\Geolocation.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2176

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\WinSync\Geolocation.exe

Filesize
284KB

MD5
f81f03280cfa4379453f152008311573

SHA1
97a418aaebc019f4715c911af232d4ca09004536

SHA256
25d04d6314390db9f02656b70f9d0da208b7d3e4dd47ece7cb907854a2c07dde

SHA512
714a662ba23c5f971d92e7db65745c1ce663e59cbf94a767a695dc3527f9645129dd0d584333a3ea6dbe2857c12f9da323cf8b9ce535f04c8617fc7e31e0842f

Download Submit
memory/2176-140-0x0000000000680000-0x0000000000692000-memory.dmp

Filesize
72KB

Download
memory/2176-144-0x00000000006A0000-0x00000000006B0000-memory.dmp

Filesize
64KB

Download
memory/4088-130-0x00000000021B0000-0x00000000021C2000-memory.dmp

Filesize
72KB

Download
memory/4088-134-0x00000000004F0000-0x0000000000500000-memory.dmp

Filesize
64KB

Download
memory/4088-137-0x00000000004E0000-0x00000000004EF000-memory.dmp

Filesize
60KB

Download