emotet | e59e7db0c75cef4bb6e057d725bae7ed5e13fd011b54fe39c3fe7cdb123b684f

Analysis

max time kernel
312s
max time network
320s
platform
windows7_x64
resource
win7-20220414-en
submitted
20-06-2022 13:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25d04d6314390db9f02656b70f9d0da208b7d3e4dd47ece7cb907854a2c07dde.exe
Size

284KB
MD5

f81f03280cfa4379453f152008311573
SHA1

97a418aaebc019f4715c911af232d4ca09004536
SHA256

25d04d6314390db9f02656b70f9d0da208b7d3e4dd47ece7cb907854a2c07dde
SHA512

714a662ba23c5f971d92e7db65745c1ce663e59cbf94a767a695dc3527f9645129dd0d584333a3ea6dbe2857c12f9da323cf8b9ce535f04c8617fc7e31e0842f

Score

10^/10

emotet epoch2 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

74.135.120.91:80

108.21.72.56:443

185.201.9.197:8080

64.207.182.168:8080

51.89.36.180:443

110.145.101.66:443

85.105.111.166:80

72.27.212.209:8080

24.69.65.8:8080

109.116.245.80:80

113.61.66.94:80

61.19.246.238:443

62.75.141.82:80

110.142.236.207:80

109.74.5.95:8080

174.106.122.139:80

139.99.158.11:443

190.162.215.233:80

41.185.28.84:8080

172.125.40.123:80

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Emotet Payload 5 IoCs

Detects Emotet payload in memory.

trojan banker

Processes:

resource	yara_rule
behavioral9/memory/904-54-0x00000000003A0000-0x00000000003B2000-memory.dmp	emotet
behavioral9/memory/904-58-0x0000000000380000-0x0000000000390000-memory.dmp	emotet
behavioral9/memory/904-62-0x0000000000370000-0x000000000037F000-memory.dmp	emotet
behavioral9/memory/2012-65-0x00000000002C0000-0x00000000002D2000-memory.dmp	emotet
behavioral9/memory/2012-69-0x00000000002F0000-0x0000000000300000-memory.dmp	emotet

Executes dropped EXE 1 IoCs

Processes:

wevtapi.exe

pid process

2012 wevtapi.exe

pid	process
2012	wevtapi.exe

Drops file in System32 directory 1 IoCs

Processes:

25d04d6314390db9f02656b70f9d0da208b7d3e4dd47ece7cb907854a2c07dde.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\mfcm110\wevtapi.exe	25d04d6314390db9f02656b70f9d0da208b7d3e4dd47ece7cb907854a2c07dde.exe

Drops file in Windows directory 2 IoCs

Processes:

25d04d6314390db9f02656b70f9d0da208b7d3e4dd47ece7cb907854a2c07dde.exewevtapi.exe

description	ioc	process
File opened for modification	C:\Windows\notepad.exe	25d04d6314390db9f02656b70f9d0da208b7d3e4dd47ece7cb907854a2c07dde.exe
File opened for modification	C:\Windows\notepad.exe	wevtapi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

wevtapi.exe

pid process

2012 wevtapi.exe
2012 wevtapi.exe
2012 wevtapi.exe
2012 wevtapi.exe
2012 wevtapi.exe
2012 wevtapi.exe
2012 wevtapi.exe
2012 wevtapi.exe
2012 wevtapi.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

25d04d6314390db9f02656b70f9d0da208b7d3e4dd47ece7cb907854a2c07dde.exe

pid process

904 25d04d6314390db9f02656b70f9d0da208b7d3e4dd47ece7cb907854a2c07dde.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

25d04d6314390db9f02656b70f9d0da208b7d3e4dd47ece7cb907854a2c07dde.exewevtapi.exe

pid process

904 25d04d6314390db9f02656b70f9d0da208b7d3e4dd47ece7cb907854a2c07dde.exe
2012 wevtapi.exe

pid	process
2012	wevtapi.exe
2012	wevtapi.exe
2012	wevtapi.exe
2012	wevtapi.exe
2012	wevtapi.exe
2012	wevtapi.exe
2012	wevtapi.exe
2012	wevtapi.exe
2012	wevtapi.exe

pid	process
904	25d04d6314390db9f02656b70f9d0da208b7d3e4dd47ece7cb907854a2c07dde.exe

pid	process
904	25d04d6314390db9f02656b70f9d0da208b7d3e4dd47ece7cb907854a2c07dde.exe
2012	wevtapi.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

25d04d6314390db9f02656b70f9d0da208b7d3e4dd47ece7cb907854a2c07dde.exe

description	pid	process	target process
PID 904 wrote to memory of 2012	904	25d04d6314390db9f02656b70f9d0da208b7d3e4dd47ece7cb907854a2c07dde.exe	wevtapi.exe
PID 904 wrote to memory of 2012	904	25d04d6314390db9f02656b70f9d0da208b7d3e4dd47ece7cb907854a2c07dde.exe	wevtapi.exe
PID 904 wrote to memory of 2012	904	25d04d6314390db9f02656b70f9d0da208b7d3e4dd47ece7cb907854a2c07dde.exe	wevtapi.exe
PID 904 wrote to memory of 2012	904	25d04d6314390db9f02656b70f9d0da208b7d3e4dd47ece7cb907854a2c07dde.exe	wevtapi.exe

C:\Users\Admin\AppData\Local\Temp\25d04d6314390db9f02656b70f9d0da208b7d3e4dd47ece7cb907854a2c07dde.exe
"C:\Users\Admin\AppData\Local\Temp\25d04d6314390db9f02656b70f9d0da208b7d3e4dd47ece7cb907854a2c07dde.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:904

C:\Windows\SysWOW64\mfcm110\wevtapi.exe
"C:\Windows\SysWOW64\mfcm110\wevtapi.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\mfcm110\wevtapi.exe

Filesize
284KB

MD5
f81f03280cfa4379453f152008311573

SHA1
97a418aaebc019f4715c911af232d4ca09004536

SHA256
25d04d6314390db9f02656b70f9d0da208b7d3e4dd47ece7cb907854a2c07dde

SHA512
714a662ba23c5f971d92e7db65745c1ce663e59cbf94a767a695dc3527f9645129dd0d584333a3ea6dbe2857c12f9da323cf8b9ce535f04c8617fc7e31e0842f

Download Submit
memory/904-54-0x00000000003A0000-0x00000000003B2000-memory.dmp

Filesize
72KB

Download
memory/904-58-0x0000000000380000-0x0000000000390000-memory.dmp

Filesize
64KB

Download
memory/904-61-0x00000000761F1000-0x00000000761F3000-memory.dmp

Filesize
8KB

Download
memory/904-62-0x0000000000370000-0x000000000037F000-memory.dmp

Filesize
60KB

Download
memory/2012-63-0x0000000000000000-mapping.dmp

Download
memory/2012-65-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2012-69-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download