emotet | df86773d02fbb0ecdb10d2fdcc5da0ed49a54718da1aa9f608024e783b7fc8d2

Analysis

max time kernel
191s
max time network
209s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
12-03-2023 14:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

task1.exe
Size

188KB
MD5

2ba73d2d47cf2d388446b781613b7eff
SHA1

c75c7eb4814835388881d1b4c2db67e64a023e1e
SHA256

06c6442d5bb110140ac1cdbcf1be52388441b9a0750d59b743acc6b52d19582b
SHA512

667ddc16765d8c3c3596bb734174862db1f2ac24037c361a2e37ec9824c35a8926728400025d62c62c361b1b1e1a9d1e3b4c38c2c5989eee832e083481e50caa
SSDEEP

3072:0O7Mn+0UNzRqN7GZDA62KrcNaQV/7T9kSjkltZJmHcPz6HEJE:kUGJeD8HVOSqBmHbk

Score

10^/10

emotet epoch2 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

74.219.172.26:80

134.209.36.254:8080

104.156.59.7:8080

120.138.30.150:8080

194.187.133.160:443

104.236.246.93:8080

74.208.45.104:8080

78.187.156.31:80

187.161.206.24:80

94.23.216.33:80

172.91.208.86:80

91.211.88.52:7080

50.91.114.38:80

200.123.150.89:443

121.124.124.40:7080

62.75.141.82:80

5.196.74.210:8080

24.137.76.62:80

85.105.205.77:8080

139.130.242.43:80

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Emotet payload 5 IoCs

Detects Emotet payload in memory.

trojan banker

Processes:

resource	yara_rule
behavioral2/memory/1220-133-0x0000000000A90000-0x0000000000AA2000-memory.dmp	emotet
behavioral2/memory/1220-137-0x0000000000AB0000-0x0000000000AC0000-memory.dmp	emotet
behavioral2/memory/1220-140-0x0000000000A80000-0x0000000000A8F000-memory.dmp	emotet
behavioral2/memory/320-142-0x00000000008D0000-0x00000000008E2000-memory.dmp	emotet
behavioral2/memory/320-146-0x00000000008F0000-0x0000000000900000-memory.dmp	emotet

Executes dropped EXE 1 IoCs

Processes:

sdiagnhost.exe

pid process

320 sdiagnhost.exe
Drops file in System32 directory 1 IoCs

Processes:

task1.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\wscript\sdiagnhost.exe task1.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\wscript\sdiagnhost.exe	task1.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

sdiagnhost.exe

pid	process
320	sdiagnhost.exe
320	sdiagnhost.exe
320	sdiagnhost.exe
320	sdiagnhost.exe
320	sdiagnhost.exe
320	sdiagnhost.exe
320	sdiagnhost.exe
320	sdiagnhost.exe
320	sdiagnhost.exe
320	sdiagnhost.exe
320	sdiagnhost.exe
320	sdiagnhost.exe
320	sdiagnhost.exe
320	sdiagnhost.exe
320	sdiagnhost.exe
320	sdiagnhost.exe
320	sdiagnhost.exe
320	sdiagnhost.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

task1.exe

pid process

1220 task1.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

task1.exesdiagnhost.exe

pid process

1220 task1.exe
1220 task1.exe
320 sdiagnhost.exe
320 sdiagnhost.exe

pid	process
1220	task1.exe

pid	process
1220	task1.exe
1220	task1.exe
320	sdiagnhost.exe
320	sdiagnhost.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

task1.exe

description	pid	process	target process
PID 1220 wrote to memory of 320	1220	task1.exe	sdiagnhost.exe
PID 1220 wrote to memory of 320	1220	task1.exe	sdiagnhost.exe
PID 1220 wrote to memory of 320	1220	task1.exe	sdiagnhost.exe

C:\Users\Admin\AppData\Local\Temp\task1.exe
"C:\Users\Admin\AppData\Local\Temp\task1.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1220

C:\Windows\SysWOW64\wscript\sdiagnhost.exe
"C:\Windows\SysWOW64\wscript\sdiagnhost.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:320

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wscript\sdiagnhost.exe
Filesize
188KB

MD5
2ba73d2d47cf2d388446b781613b7eff

SHA1
c75c7eb4814835388881d1b4c2db67e64a023e1e

SHA256
06c6442d5bb110140ac1cdbcf1be52388441b9a0750d59b743acc6b52d19582b

SHA512
667ddc16765d8c3c3596bb734174862db1f2ac24037c361a2e37ec9824c35a8926728400025d62c62c361b1b1e1a9d1e3b4c38c2c5989eee832e083481e50caa

Download Submit
memory/320-142-0x00000000008D0000-0x00000000008E2000-memory.dmp

Filesize
72KB

Download
memory/320-146-0x00000000008F0000-0x0000000000900000-memory.dmp

Filesize
64KB

Download
memory/1220-133-0x0000000000A90000-0x0000000000AA2000-memory.dmp

Filesize
72KB

Download
memory/1220-137-0x0000000000AB0000-0x0000000000AC0000-memory.dmp

Filesize
64KB

Download
memory/1220-140-0x0000000000A80000-0x0000000000A8F000-memory.dmp

Filesize
60KB

Download