Overview

overview

10

Static

static

1

emotet_v6

windows10-1703-x64

8

emotet_doc

windows10-1703-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    23-03-2023 00:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    11b3d1564b12934489281250c9a683f076fe10254bfdd7da72307e538838ec56.wsf

  • Size

    53KB

  • MD5

    ae25f2104967b2708ac9dba80aac52fd

  • SHA1

    7ac0150b43cbb5eeba9a0f956e1291df6790f3bf

  • SHA256

    11b3d1564b12934489281250c9a683f076fe10254bfdd7da72307e538838ec56

  • SHA512

    d4a7f95631e7eb88fdadbe66d31bf9c7459d0f80ca2c9174952aad42bff6262241b25916e6a089f778990be981a2cf220baa69ad261314247c286397553decca

  • SSDEEP

    768:n9Te2jdcdTeNtu1t/nl8BFWVyeaNhvsbsS:9TVdaeNtuXndH

Score
10/10
emotetepoch4bankertrojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

164.68.99.3:8080

164.90.222.65:443

186.194.240.217:443

1.234.2.232:8080

103.75.201.2:443

187.63.160.88:80

147.139.166.154:8080

91.207.28.33:8080

5.135.159.50:443

153.92.5.27:8080

213.239.212.5:443

103.43.75.120:443

159.65.88.10:8080

167.172.253.162:8080

153.126.146.25:7080

119.59.103.152:8080

107.170.39.149:8080

183.111.227.137:8080

159.89.202.34:443

110.232.117.186:8080
eck1.plain
ecs1.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Blocklisted process makes network request 4 IoCs
  • Downloads MZ/PE file
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Script User-Agent 3 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11b3d1564b12934489281250c9a683f076fe10254bfdd7da72307e538838ec56.wsf"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:2128
    • C:\Windows\System32\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" "C:\Users\Admin\AppData\Local\Temp\rad8725D.tmp.dll"
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2660
      • C:\Windows\system32\regsvr32.exe
        C:\Windows\system32\regsvr32.exe "C:\Windows\system32\MeBUbztZBfNBRW\NsNOjtOgcY.dll"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4900

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\rad8725D.tmp.dll
    Filesize

    309KB

    MD5

    bfc060937dc90b273eccb6825145f298

    SHA1

    c156c00c7e918f0cb7363614fb1f177c90d8108a

    SHA256

    2f39c2879989ddd7f9ecf52b6232598e5595f8bf367846ff188c9dfbf1251253

    SHA512

    cc1fee19314b0a0f9e292fa84f6e98f087033d77db937848dda1da0c88f49997866cba5465df04bf929b810b42fdb81481341064c4565c9b6272fa7f3b473ac5

    Download Submit

  • \Users\Admin\AppData\Local\Temp\rad8725D.tmp.dll
    Filesize

    309KB

    MD5

    bfc060937dc90b273eccb6825145f298

    SHA1

    c156c00c7e918f0cb7363614fb1f177c90d8108a

    SHA256

    2f39c2879989ddd7f9ecf52b6232598e5595f8bf367846ff188c9dfbf1251253

    SHA512

    cc1fee19314b0a0f9e292fa84f6e98f087033d77db937848dda1da0c88f49997866cba5465df04bf929b810b42fdb81481341064c4565c9b6272fa7f3b473ac5

    Download Submit

  • memory/2660-125-0x0000000000780000-0x00000000007AD000-memory.dmp

    Filesize

    180KB

    Download

  • memory/2660-130-0x00000000003C0000-0x00000000003C1000-memory.dmp

    Filesize

    4KB

    Download