emotet | 672d3e3a2dbecb8950cb8bd76c637fad98b59a3d27d1bf18fc327f40fa0948a3

Analysis

max time kernel
131s
max time network
142s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

E2-20200827_061428.exe
Size

412KB
MD5

d877c44e3bb8450f4373c952c8940f09
SHA1

1fc9a7f8e433b3723547d473dd5a85f4dbbb8f9c
SHA256

69eb2fcf19e6b3fd975f41422f3609b3a23d6895ed29637ffc2327ef75a4cd30
SHA512

d1d25fb276b8437c9ec79784cba030eb3dacc4824aa78c82c82ff1cf298147cb2d08e0acb109df3439ec98dbb163d491bd065a544c78e296578727d5a54ba58b
SSDEEP

3072:WzoB+F9ah8tFGNhd5/2dGqHNLiFgpaO8072SBKUgMouNtaNv8ft+UhFZaexOAvvw:W8B+F9Nuhd56paJEZTMup8I+A

Score

10^/10

emotet epoch2 banker discovery trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

173.81.218.65:80

45.55.36.51:443

91.83.93.99:7080

45.55.219.163:443

169.239.182.217:8080

24.43.99.75:80

78.24.219.147:8080

95.179.229.244:8080

107.5.122.110:80

47.144.21.12:443

204.197.146.48:80

139.99.158.11:443

190.160.53.126:80

74.120.55.163:80

74.109.108.202:80

47.146.117.214:80

104.236.246.93:8080

174.137.65.18:80

41.60.200.34:80

209.141.54.221:8080

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Emotet family
emotet
Executes dropped EXE 1 IoCs

Processes:

mfc120rus.exe

pid process

2356 mfc120rus.exe
Drops file in System32 directory 1 IoCs

Processes:

E2-20200827_061428.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\api-ms-win-security-sddl-l1-1-0\mfc120rus.exe E2-20200827_061428.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2356	mfc120rus.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\api-ms-win-security-sddl-l1-1-0\mfc120rus.exe	E2-20200827_061428.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

E2-20200827_061428.exemfc120rus.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E2-20200827_061428.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mfc120rus.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

mfc120rus.exe

pid process

2356 mfc120rus.exe
2356 mfc120rus.exe
2356 mfc120rus.exe
2356 mfc120rus.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

E2-20200827_061428.exe

pid process

1668 E2-20200827_061428.exe

pid	process
2356	mfc120rus.exe
2356	mfc120rus.exe
2356	mfc120rus.exe
2356	mfc120rus.exe

pid	process
1668	E2-20200827_061428.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

E2-20200827_061428.exe

description	pid	process	target process
PID 1668 wrote to memory of 2356	1668	E2-20200827_061428.exe	mfc120rus.exe
PID 1668 wrote to memory of 2356	1668	E2-20200827_061428.exe	mfc120rus.exe
PID 1668 wrote to memory of 2356	1668	E2-20200827_061428.exe	mfc120rus.exe
PID 1668 wrote to memory of 2356	1668	E2-20200827_061428.exe	mfc120rus.exe

C:\Users\Admin\AppData\Local\Temp\E2-20200827_061428.exe
"C:\Users\Admin\AppData\Local\Temp\E2-20200827_061428.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\SysWOW64\api-ms-win-security-sddl-l1-1-0\mfc120rus.exe
  "C:\Windows\SysWOW64\api-ms-win-security-sddl-l1-1-0\mfc120rus.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\api-ms-win-security-sddl-l1-1-0\mfc120rus.exe

Filesize
412KB

MD5
d877c44e3bb8450f4373c952c8940f09

SHA1
1fc9a7f8e433b3723547d473dd5a85f4dbbb8f9c

SHA256
69eb2fcf19e6b3fd975f41422f3609b3a23d6895ed29637ffc2327ef75a4cd30

SHA512
d1d25fb276b8437c9ec79784cba030eb3dacc4824aa78c82c82ff1cf298147cb2d08e0acb109df3439ec98dbb163d491bd065a544c78e296578727d5a54ba58b

Download Submit
memory/1668-1-0x0000000000240000-0x000000000024C000-memory.dmp

Filesize
48KB

Download
memory/1668-4-0x0000000000230000-0x0000000000239000-memory.dmp

Filesize
36KB

Download
memory/1668-5-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2356-11-0x0000000000240000-0x000000000024C000-memory.dmp

Filesize
48KB

Download