Overview
Analysis

max time kernel: 130s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-11-2024 00:03
Static task: static1

Behavioral tasks (task, sample, resource):

behavioral1    E1-20200827_061516.exe    win7-20241023-en
behavioral2    E1-20200827_061516.exe    win10v2004-20241007-en
behavioral3    E1-20200827_090915.exe    win7-20241010-en
behavioral4    E1-20200827_090915.exe    win10v2004-20241007-en
behavioral5    E1-20200827_095810.exe    win7-20240903-en
behavioral6    E1-20200827_095810.exe    win10v2004-20241007-en
behavioral7    E1-20200827_145627.exe    win7-20240903-en
behavioral8    E1-20200827_145627.exe    win10v2004-20241007-en
behavioral9    E1-20200827_162348.exe    win7-20240903-en
behavioral10   E1-20200827_162348.exe    win10v2004-20241007-en
behavioral11   E1-20200827_163610.exe    win7-20240903-en
behavioral12   E1-20200827_163610.exe    win10v2004-20241007-en
behavioral13   E1-20200827_170748.exe    win7-20241010-en
behavioral14   E1-20200827_170748.exe    win10v2004-20241007-en
behavioral15   E2-20200827_061428.exe    win7-20240903-en
behavioral16   E2-20200827_061428.exe    win10v2004-20241007-en
behavioral17   E2-20200827_090615.exe    win7-20240903-en
behavioral18   E2-20200827_090615.exe    win10v2004-20241007-en
behavioral19   E2-20200827_145402.exe    win7-20240903-en
behavioral20   E2-20200827_145402.exe    win10v2004-20241007-en
behavioral21   E2-20200827_162454.exe    win7-20241023-en
behavioral22   E2-20200827_162454.exe    win10v2004-20241007-en
behavioral23   E2-20200827_163448.exe    win7-20240903-en
behavioral24   E2-20200827_163448.exe    win10v2004-20241007-en
behavioral25   E2-20200827_170621.exe    win7-20240729-en
behavioral26   E2-20200827_170621.exe    win10v2004-20241007-en
behavioral27   E3-20200827_061531.exe    win7-20241010-en
behavioral28   E3-20200827_061531.exe    win10v2004-20241007-en
behavioral29   E3-20200827_090928.exe    win7-20240903-en
behavioral30   E3-20200827_090928.exe    win10v2004-20241007-en
behavioral31   E3-20200827_145656.exe    win7-20240903-en
General

Target: E2-20200827_090615.exe
Size: 704KB
MD5: 358d17af2bc59fc7bc8776bb90563d55
SHA1: d0581d6bce890cfc28f289b227b9e5f9c615b380
SHA256: 78e235ad1c7fa29da9ebe722d77ec3b67a5068af654957e88d90c502265c16dd
SHA512: cfb35a8aa45c04722e9c29785c058b2f8e60ff76516e4b362a6a7ef79757c9a009e43ddddf00354b777fe20a62efcdd94cb019abb41a5b127dc359a700e9b0fa
SSDEEP
12288:YIlkcMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM+MMMMMMMMMMMMMMMMMMMMMMMMV:YEkcMMMMMMMMMMMMMMMMMMMMMMMMMMMc
Malware Config

Extracted config: emotet (Epoch2)
C2 address list (IP:port):
Signatures

Emotet family

Executes dropped EXE (1 IoC)
  PID 3212  rastlsext.exe

Drops file in System32 directory (1 IoC)
  File opened for modification: C:\Windows\SysWOW64\esevss\rastlsext.exe  (process: E2-20200827_090615.exe)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: E2-20200827_090615.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: rastlsext.exe)

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  PID 3212  rastlsext.exe  (14 identical entries)

Suspicious behavior: RenamesItself (1 IoC)
  PID 5076  E2-20200827_090615.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  PID 5076 (E2-20200827_090615.exe) wrote to memory of PID 3212, procid_target 83  (3 identical entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\E2-20200827_090615.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\E2-20200827_090615.exe"
   PID: 5076
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: RenamesItself
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\esevss\rastlsext.exe
      Command line: "C:\Windows\SysWOW64\esevss\rastlsext.exe"
      PID: 3212
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 704KB
MD5: 358d17af2bc59fc7bc8776bb90563d55
SHA1: d0581d6bce890cfc28f289b227b9e5f9c615b380
SHA256: 78e235ad1c7fa29da9ebe722d77ec3b67a5068af654957e88d90c502265c16dd
SHA512: cfb35a8aa45c04722e9c29785c058b2f8e60ff76516e4b362a6a7ef79757c9a009e43ddddf00354b777fe20a62efcdd94cb019abb41a5b127dc359a700e9b0fa