emotet | 29a3bae7a75df1164c6d359b1e290b605e1d1b87a22dfd077bbad8b2ef641ccb

Analysis

max time kernel
122s
max time network
147s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
22-12-2023 14:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1d2c4ddb4eefc8d083ac4e93adab431.exe
Size

68KB
MD5

c1d2c4ddb4eefc8d083ac4e93adab431
SHA1

23796e16b56cfe0f021ff8e66a57b305e1fe64f0
SHA256

29a3bae7a75df1164c6d359b1e290b605e1d1b87a22dfd077bbad8b2ef641ccb
SHA512

a0ea49b7ac7569f29262bce5b165a7309bbbd62d739d6c173262e48c61566a29b7cc477bbb0663f55cd50655ca923e00e5d775882a57b110cf838190f2c00730
SSDEEP

768:4C8g5Yu/sP222zSK5Apae39UQ3JZuB7YgWbn/P+zAyTDnYJylxD/dfisve1U4FTl:4pul2+SIGaeGnB7YDnQHWelqsmy8

Score

10^/10

emotet epoch2 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

47.146.32.175:80

212.51.142.238:8080

200.55.243.138:8080

114.146.222.200:80

153.126.210.205:7080

121.124.124.40:7080

222.214.218.37:4143

67.241.24.163:8080

180.92.239.110:8080

203.153.216.189:7080

119.198.40.179:80

70.167.215.250:8080

168.235.67.138:7080

190.55.181.54:443

139.59.60.244:8080

189.212.199.126:443

78.24.219.147:8080

61.19.246.238:443

137.59.187.107:8080

87.106.139.101:8080

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Emotet payload 3 IoCs

Detects Emotet payload in memory.

trojan banker

Processes:

resource	yara_rule
behavioral1/memory/1724-1-0x00000000003C0000-0x00000000003CC000-memory.dmp	emotet
behavioral1/memory/1724-5-0x0000000000490000-0x0000000000590000-memory.dmp	emotet
behavioral1/memory/1724-7-0x0000000000490000-0x0000000000590000-memory.dmp	emotet

Executes dropped EXE 1 IoCs

Processes:

netid.exe

pid process

2660 netid.exe
Drops file in System32 directory 1 IoCs

Processes:

c1d2c4ddb4eefc8d083ac4e93adab431.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\KBDCZ1\netid.exe c1d2c4ddb4eefc8d083ac4e93adab431.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2940 2660 WerFault.exe netid.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

c1d2c4ddb4eefc8d083ac4e93adab431.exe

pid process

1724 c1d2c4ddb4eefc8d083ac4e93adab431.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

c1d2c4ddb4eefc8d083ac4e93adab431.exenetid.exe

pid process

1724 c1d2c4ddb4eefc8d083ac4e93adab431.exe
1724 c1d2c4ddb4eefc8d083ac4e93adab431.exe
2660 netid.exe
2660 netid.exe

pid	process
2660	netid.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\KBDCZ1\netid.exe	c1d2c4ddb4eefc8d083ac4e93adab431.exe

pid	pid_target	process	target process
2940	2660	WerFault.exe	netid.exe

pid	process
1724	c1d2c4ddb4eefc8d083ac4e93adab431.exe

pid	process
1724	c1d2c4ddb4eefc8d083ac4e93adab431.exe
1724	c1d2c4ddb4eefc8d083ac4e93adab431.exe
2660	netid.exe
2660	netid.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

c1d2c4ddb4eefc8d083ac4e93adab431.exenetid.exe

description	pid	process	target process
PID 1724 wrote to memory of 2660	1724	c1d2c4ddb4eefc8d083ac4e93adab431.exe	netid.exe
PID 1724 wrote to memory of 2660	1724	c1d2c4ddb4eefc8d083ac4e93adab431.exe	netid.exe
PID 1724 wrote to memory of 2660	1724	c1d2c4ddb4eefc8d083ac4e93adab431.exe	netid.exe
PID 1724 wrote to memory of 2660	1724	c1d2c4ddb4eefc8d083ac4e93adab431.exe	netid.exe
PID 2660 wrote to memory of 2940	2660	netid.exe	WerFault.exe
PID 2660 wrote to memory of 2940	2660	netid.exe	WerFault.exe
PID 2660 wrote to memory of 2940	2660	netid.exe	WerFault.exe
PID 2660 wrote to memory of 2940	2660	netid.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\c1d2c4ddb4eefc8d083ac4e93adab431.exe
"C:\Users\Admin\AppData\Local\Temp\c1d2c4ddb4eefc8d083ac4e93adab431.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\SysWOW64\KBDCZ1\netid.exe
"C:\Windows\SysWOW64\KBDCZ1\netid.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 216
3⤵
- Program crash
PID:2940

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\KBDCZ1\netid.exe
Filesize
68KB

MD5
c1d2c4ddb4eefc8d083ac4e93adab431

SHA1
23796e16b56cfe0f021ff8e66a57b305e1fe64f0

SHA256
29a3bae7a75df1164c6d359b1e290b605e1d1b87a22dfd077bbad8b2ef641ccb

SHA512
a0ea49b7ac7569f29262bce5b165a7309bbbd62d739d6c173262e48c61566a29b7cc477bbb0663f55cd50655ca923e00e5d775882a57b110cf838190f2c00730

Download Submit
memory/1724-1-0x00000000003C0000-0x00000000003CC000-memory.dmp

Filesize
48KB

Download
memory/1724-5-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download
memory/1724-7-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download