emotet | ac6ff653497ef0da394e6485c2a29b584c602ae1fbed0a5327737e756045cc68

Analysis

max time kernel
148s
max time network
158s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
13/07/2024, 18:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b71794921e0c21d4c4f68746314c37697c191451.exe
Size

236KB
MD5

7fd67a2d591f194720f5b45975b107c7
SHA1

b71794921e0c21d4c4f68746314c37697c191451
SHA256

7241c208a1068273eca2d48b01329dd24c028069ee6ba9a0682f340502fdac1b
SHA512

40c206c9ffd19b68c5c9d339ec4d5753fdbb90b4e658515510cc52c4bbfe31c713d2fb7d7c7d57d13512c65458147fd53ad8831b60f38dfce4742aa442140864
SSDEEP

3072:Tfreo/U8DEcsK6h9n8nDLxJDzxiSI+eoO1A935GAR7jrhYPc:RUIz8hd8nnxtxiS0oOC93dq

Score

10^/10

emotet epoch1 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch1

110.36.234.146:80

191.82.16.60:80

91.83.93.105:8080

216.98.148.181:8080

68.183.190.199:8080

190.230.60.129:80

183.82.97.25:80

114.79.134.129:443

89.188.124.145:443

178.79.163.131:8080

76.69.29.42:80

87.106.77.40:7080

178.249.187.151:8080

62.75.143.100:7080

201.163.74.202:443

62.75.160.178:8080

181.188.149.134:80

186.0.95.172:80

217.199.160.224:8080

203.25.159.3:8080

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	tangentpink.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	tangentpink.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	tangentpink.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	tangentpink.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	tangentpink.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	tangentpink.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	tangentpink.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	tangentpink.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
196	tangentpink.exe
196	tangentpink.exe
196	tangentpink.exe
196	tangentpink.exe
196	tangentpink.exe
196	tangentpink.exe
196	tangentpink.exe
196	tangentpink.exe
196	tangentpink.exe
196	tangentpink.exe
196	tangentpink.exe
196	tangentpink.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2280	b71794921e0c21d4c4f68746314c37697c191451.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 2280	1900	b71794921e0c21d4c4f68746314c37697c191451.exe	74
PID 1900 wrote to memory of 2280	1900	b71794921e0c21d4c4f68746314c37697c191451.exe	74
PID 1900 wrote to memory of 2280	1900	b71794921e0c21d4c4f68746314c37697c191451.exe	74
PID 4868 wrote to memory of 196	4868	tangentpink.exe	76
PID 4868 wrote to memory of 196	4868	tangentpink.exe	76
PID 4868 wrote to memory of 196	4868	tangentpink.exe	76

C:\Users\Admin\AppData\Local\Temp\b71794921e0c21d4c4f68746314c37697c191451.exe
"C:\Users\Admin\AppData\Local\Temp\b71794921e0c21d4c4f68746314c37697c191451.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Users\Admin\AppData\Local\Temp\b71794921e0c21d4c4f68746314c37697c191451.exe
  --6a088512
  2⤵
  - Suspicious behavior: RenamesItself
  PID:2280

C:\Windows\SysWOW64\tangentpink.exe
"C:\Windows\SysWOW64\tangentpink.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Windows\SysWOW64\tangentpink.exe
  --428abbb1
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/196-17-0x0000000000470000-0x0000000000487000-memory.dmp

Filesize
92KB

Download
memory/1900-5-0x00000000001E0000-0x00000000001F0000-memory.dmp

Filesize
64KB

Download
memory/1900-0-0x0000000000590000-0x00000000005A7000-memory.dmp

Filesize
92KB

Download
memory/2280-6-0x0000000001FF0000-0x0000000002007000-memory.dmp

Filesize
92KB

Download
memory/2280-16-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4868-11-0x0000000000CF0000-0x0000000000D07000-memory.dmp

Filesize
92KB

Download