emotet | 31e3618ed96c5d5b45d1d6a34a7da1369e9303b005ac2383851a09b3be395d3b

Analysis

max time kernel
134s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
26-03-2023 01:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ccd380ea868ffad4f960d7455fecf88c2ac3550001bbb6c21c31ae70b3bbf4f6.exe
Size

848KB
MD5

a4513379dad5233afa402cc56a8b9222
SHA1

805727279208de9cf49e6374b1f3a6dc0052620e
SHA256

ccd380ea868ffad4f960d7455fecf88c2ac3550001bbb6c21c31ae70b3bbf4f6
SHA512

10b23a9721bc9692f225a864f541d722761e622ff94e92f08c367a14fb7398199d4f4d3895ca456064889871246c6cbfc15fb2e593be21f384fb49e084cf3f9f
SSDEEP

6144:/TaQZdJnaB1kNOlFSm9tc6c6c6c6c6c6c6c6c6csImOksMWNIDK:/GQfJyFrz7

Score

10^/10

emotet epoch2 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

67.68.210.95:80

162.241.242.173:8080

45.55.36.51:443

45.55.219.163:443

68.188.112.97:80

46.105.131.79:8080

78.24.219.147:8080

37.70.8.161:80

153.232.188.106:80

209.141.54.221:8080

203.117.253.142:80

152.168.248.128:443

93.147.212.206:80

24.137.76.62:80

189.212.199.126:443

204.197.146.48:80

137.119.36.33:80

185.94.252.104:443

139.130.242.43:80

203.153.216.189:7080

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Executes dropped EXE 1 IoCs

Processes:

wscinterop.exe

pid process

2496 wscinterop.exe

Drops file in System32 directory 1 IoCs

Processes:

ccd380ea868ffad4f960d7455fecf88c2ac3550001bbb6c21c31ae70b3bbf4f6.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\winrssrv\wscinterop.exe	ccd380ea868ffad4f960d7455fecf88c2ac3550001bbb6c21c31ae70b3bbf4f6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

wscinterop.exe

pid	process
2496	wscinterop.exe
2496	wscinterop.exe
2496	wscinterop.exe
2496	wscinterop.exe
2496	wscinterop.exe
2496	wscinterop.exe
2496	wscinterop.exe
2496	wscinterop.exe
2496	wscinterop.exe
2496	wscinterop.exe
2496	wscinterop.exe
2496	wscinterop.exe
2496	wscinterop.exe
2496	wscinterop.exe
2496	wscinterop.exe
2496	wscinterop.exe
2496	wscinterop.exe
2496	wscinterop.exe
2496	wscinterop.exe
2496	wscinterop.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

ccd380ea868ffad4f960d7455fecf88c2ac3550001bbb6c21c31ae70b3bbf4f6.exe

pid process

2704 ccd380ea868ffad4f960d7455fecf88c2ac3550001bbb6c21c31ae70b3bbf4f6.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

ccd380ea868ffad4f960d7455fecf88c2ac3550001bbb6c21c31ae70b3bbf4f6.exewscinterop.exe

pid	process
2704	ccd380ea868ffad4f960d7455fecf88c2ac3550001bbb6c21c31ae70b3bbf4f6.exe
2704	ccd380ea868ffad4f960d7455fecf88c2ac3550001bbb6c21c31ae70b3bbf4f6.exe
2496	wscinterop.exe
2496	wscinterop.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

ccd380ea868ffad4f960d7455fecf88c2ac3550001bbb6c21c31ae70b3bbf4f6.exe

description	pid	process	target process
PID 2704 wrote to memory of 2496	2704	ccd380ea868ffad4f960d7455fecf88c2ac3550001bbb6c21c31ae70b3bbf4f6.exe	wscinterop.exe
PID 2704 wrote to memory of 2496	2704	ccd380ea868ffad4f960d7455fecf88c2ac3550001bbb6c21c31ae70b3bbf4f6.exe	wscinterop.exe
PID 2704 wrote to memory of 2496	2704	ccd380ea868ffad4f960d7455fecf88c2ac3550001bbb6c21c31ae70b3bbf4f6.exe	wscinterop.exe

C:\Users\Admin\AppData\Local\Temp\ccd380ea868ffad4f960d7455fecf88c2ac3550001bbb6c21c31ae70b3bbf4f6.exe
"C:\Users\Admin\AppData\Local\Temp\ccd380ea868ffad4f960d7455fecf88c2ac3550001bbb6c21c31ae70b3bbf4f6.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2704

C:\Windows\SysWOW64\winrssrv\wscinterop.exe
"C:\Windows\SysWOW64\winrssrv\wscinterop.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2496

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\winrssrv\wscinterop.exe
Filesize
848KB

MD5
a4513379dad5233afa402cc56a8b9222

SHA1
805727279208de9cf49e6374b1f3a6dc0052620e

SHA256
ccd380ea868ffad4f960d7455fecf88c2ac3550001bbb6c21c31ae70b3bbf4f6

SHA512
10b23a9721bc9692f225a864f541d722761e622ff94e92f08c367a14fb7398199d4f4d3895ca456064889871246c6cbfc15fb2e593be21f384fb49e084cf3f9f

Download Submit
memory/2496-140-0x00000000020D0000-0x00000000020DC000-memory.dmp

Filesize
48KB

Download
memory/2496-144-0x00000000020D0000-0x00000000020DC000-memory.dmp

Filesize
48KB

Download
memory/2704-133-0x0000000002430000-0x000000000243C000-memory.dmp

Filesize
48KB

Download
memory/2704-137-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/2704-138-0x0000000002320000-0x0000000002329000-memory.dmp

Filesize
36KB

Download