Overview
overview
10Static
static
3E1-2020082...16.exe
windows7-x64
10E1-2020082...16.exe
windows10-2004-x64
10E1-2020082...15.exe
windows7-x64
10E1-2020082...15.exe
windows10-2004-x64
10E1-2020082...10.exe
windows7-x64
10E1-2020082...10.exe
windows10-2004-x64
10E1-2020082...27.exe
windows7-x64
10E1-2020082...27.exe
windows10-2004-x64
10E1-2020082...48.exe
windows7-x64
10E1-2020082...48.exe
windows10-2004-x64
10E1-2020082...10.exe
windows7-x64
10E1-2020082...10.exe
windows10-2004-x64
10E1-2020082...48.exe
windows7-x64
10E1-2020082...48.exe
windows10-2004-x64
10E2-2020082...28.exe
windows7-x64
10E2-2020082...28.exe
windows10-2004-x64
10E2-2020082...15.exe
windows7-x64
10E2-2020082...15.exe
windows10-2004-x64
10E2-2020082...02.exe
windows7-x64
10E2-2020082...02.exe
windows10-2004-x64
10E2-2020082...54.exe
windows7-x64
10E2-2020082...54.exe
windows10-2004-x64
10E2-2020082...48.exe
windows7-x64
10E2-2020082...48.exe
windows10-2004-x64
10E2-2020082...21.exe
windows7-x64
10E2-2020082...21.exe
windows10-2004-x64
10E3-2020082...31.exe
windows7-x64
10E3-2020082...31.exe
windows10-2004-x64
10E3-2020082...28.exe
windows7-x64
10E3-2020082...28.exe
windows10-2004-x64
10E3-2020082...56.exe
windows7-x64
10E3-2020082...56.exe
windows10-2004-x64
10Analysis
-
max time kernel
145s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
21-11-2024 00:03
Static task
static1
Behavioral task
behavioral1
Sample
E1-20200827_061516.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
E1-20200827_061516.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
E1-20200827_090915.exe
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
E1-20200827_090915.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
E1-20200827_095810.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
E1-20200827_095810.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
E1-20200827_145627.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
E1-20200827_145627.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
E1-20200827_162348.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
E1-20200827_162348.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
E1-20200827_163610.exe
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
E1-20200827_163610.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
E1-20200827_170748.exe
Resource
win7-20241010-en
Behavioral task
behavioral14
Sample
E1-20200827_170748.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
E2-20200827_061428.exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
E2-20200827_061428.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
E2-20200827_090615.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
E2-20200827_090615.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
E2-20200827_145402.exe
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
E2-20200827_145402.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
E2-20200827_162454.exe
Resource
win7-20241023-en
Behavioral task
behavioral22
Sample
E2-20200827_162454.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
E2-20200827_163448.exe
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
E2-20200827_163448.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral25
Sample
E2-20200827_170621.exe
Resource
win7-20240729-en
Behavioral task
behavioral26
Sample
E2-20200827_170621.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral27
Sample
E3-20200827_061531.exe
Resource
win7-20241010-en
Behavioral task
behavioral28
Sample
E3-20200827_061531.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral29
Sample
E3-20200827_090928.exe
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
E3-20200827_090928.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral31
Sample
E3-20200827_145656.exe
Resource
win7-20240903-en
General
-
Target
E1-20200827_061516.exe
-
Size
412KB
-
MD5
054cfae95ec070930410ae76a38479a3
-
SHA1
da35bde84c40122582fd57d793b55f4062984822
-
SHA256
43c5bfbdf4f6627e2fd6de75977daa2dbf48e5cf0b42c7d0ad2cd921549b84f6
-
SHA512
8ff6467935aef47509622f9a169b6eaa71830fb7cf49613951376eff10353276f7196c163aad3c3ad75eeb3194bb4e94cb216002f8a2cc651998a3fb85949bc0
-
SSDEEP
3072:GzoB+F9ah8tFGNhd5/2dGqHNLiFgpaO8072SBKUgMFuNtaNm/xwa0+uw:G8B+F9Nuhd56paJEZTVu/Y+
Malware Config
Extracted
emotet
Epoch1
71.197.211.156:80
87.118.70.45:8080
91.121.54.71:8080
116.125.120.88:443
213.60.96.117:80
188.2.217.94:80
174.100.27.229:80
46.28.111.142:7080
186.103.141.250:443
207.144.103.227:80
110.142.219.51:80
70.32.84.74:8080
70.32.115.157:8080
111.67.12.221:8080
219.92.13.25:80
149.62.173.247:8080
177.72.13.80:80
77.238.212.227:80
5.196.35.138:7080
114.109.179.60:80
181.129.96.162:8080
212.174.55.22:443
104.131.103.37:8080
85.105.140.135:443
103.106.236.83:8080
190.2.31.172:80
72.135.200.124:80
178.148.55.236:8080
37.52.87.0:80
77.90.136.129:8080
219.92.8.17:8080
152.169.22.67:80
51.255.165.160:8080
50.28.51.143:8080
91.219.169.180:80
199.203.62.165:80
178.79.163.131:8080
212.93.117.170:80
177.73.0.98:443
190.24.243.186:80
73.213.208.163:80
178.250.54.208:8080
212.71.237.140:8080
186.70.127.199:8090
204.225.249.100:7080
72.47.248.48:7080
190.115.18.139:8080
77.55.211.77:8080
217.13.106.14:8080
190.147.137.153:443
82.196.15.205:8080
81.129.198.57:80
189.2.177.210:443
190.163.31.26:80
185.94.252.12:80
45.33.77.42:8080
190.6.193.152:8080
191.182.6.118:80
181.30.61.163:443
89.32.150.160:8080
85.109.159.61:443
190.128.173.10:80
189.131.57.131:80
170.81.48.2:80
65.36.62.20:80
24.135.1.177:80
58.171.153.81:80
24.148.98.177:80
68.183.190.199:8080
177.74.228.34:80
138.97.60.141:7080
191.99.160.58:80
192.241.143.52:8080
185.94.252.27:443
2.47.112.152:80
187.162.248.237:80
82.76.111.249:443
137.74.106.111:7080
45.161.242.102:80
217.199.160.224:7080
68.183.170.114:8080
61.92.159.208:8080
67.247.242.247:80
104.131.41.185:8080
95.9.180.128:80
192.241.146.84:8080
209.236.123.42:8080
73.116.193.136:80
94.176.234.118:443
12.162.84.2:8080
188.135.15.49:80
190.195.129.227:8090
24.135.198.218:80
82.163.245.38:80
87.106.46.107:8080
83.169.21.32:7080
51.159.23.217:443
172.104.169.32:8080
190.190.148.27:8080
45.173.88.33:80
Signatures
-
Emotet family
-
Executes dropped EXE 1 IoCs
pid Process 3404 esent.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\dpapimig\esent.exe E1-20200827_061516.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language esent.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language E1-20200827_061516.exe -
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid Process 3404 esent.exe 3404 esent.exe 3404 esent.exe 3404 esent.exe 3404 esent.exe 3404 esent.exe 3404 esent.exe 3404 esent.exe 3404 esent.exe 3404 esent.exe 3404 esent.exe 3404 esent.exe 3404 esent.exe 3404 esent.exe 3404 esent.exe 3404 esent.exe 3404 esent.exe 3404 esent.exe 3404 esent.exe 3404 esent.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 2424 E1-20200827_061516.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2424 wrote to memory of 3404 2424 E1-20200827_061516.exe 82 PID 2424 wrote to memory of 3404 2424 E1-20200827_061516.exe 82 PID 2424 wrote to memory of 3404 2424 E1-20200827_061516.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\E1-20200827_061516.exe"C:\Users\Admin\AppData\Local\Temp\E1-20200827_061516.exe"1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\dpapimig\esent.exe"C:\Windows\SysWOW64\dpapimig\esent.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3404
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
412KB
MD5054cfae95ec070930410ae76a38479a3
SHA1da35bde84c40122582fd57d793b55f4062984822
SHA25643c5bfbdf4f6627e2fd6de75977daa2dbf48e5cf0b42c7d0ad2cd921549b84f6
SHA5128ff6467935aef47509622f9a169b6eaa71830fb7cf49613951376eff10353276f7196c163aad3c3ad75eeb3194bb4e94cb216002f8a2cc651998a3fb85949bc0