emotet | 672d3e3a2dbecb8950cb8bd76c637fad98b59a3d27d1bf18fc327f40fa0948a3

Analysis

max time kernel
139s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

E3-20200827_061531.exe
Size

412KB
MD5

a2df421b99f9854f75e68e8c3d8476a3
SHA1

bbfc4bba21022043d50e47f56635f8122704aee7
SHA256

529cac7f42d829cfba9ff7ff39e053717247bae222879ef4f54af2165d020119
SHA512

bd517ca96eb4f9c420dc4079ff03f4cb1bb2778c928bd455fe52c757ebbbcf2f9712383d55316a472931d43c5f926a892ec3eddc62e58370be59ba5906f7d7c4
SSDEEP

3072:nzoB+F9ah8tFGNhd5/2dGqHNLiFgpaO8072SBKUgTtuNtiDrUYNA0YFH8w:n8B+F9Nuhd56paJEZTcu3QA0Y

Score

10^/10

emotet epoch3 banker discovery trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch3

88.249.181.198:443

65.156.53.186:8080

68.183.233.80:8080

185.81.158.15:8080

37.187.100.220:7080

60.125.114.64:443

201.235.10.215:80

81.214.253.80:443

118.101.24.148:80

181.126.54.234:80

197.232.36.108:80

178.87.171.199:80

139.99.157.213:8080

115.79.195.246:80

177.94.227.143:80

113.161.148.81:80

192.210.217.94:8080

173.94.215.84:80

112.78.142.170:80

217.199.160.224:8080

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Emotet family
emotet
Executes dropped EXE 1 IoCs

Processes:

NaturalLanguage6.exe

pid process

4540 NaturalLanguage6.exe
Drops file in System32 directory 1 IoCs

Processes:

E3-20200827_061531.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\wlanext\NaturalLanguage6.exe E3-20200827_061531.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\wlanext\NaturalLanguage6.exe	E3-20200827_061531.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

E3-20200827_061531.exeNaturalLanguage6.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E3-20200827_061531.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NaturalLanguage6.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

NaturalLanguage6.exe

pid	process
4540	NaturalLanguage6.exe
4540	NaturalLanguage6.exe
4540	NaturalLanguage6.exe
4540	NaturalLanguage6.exe
4540	NaturalLanguage6.exe
4540	NaturalLanguage6.exe
4540	NaturalLanguage6.exe
4540	NaturalLanguage6.exe
4540	NaturalLanguage6.exe
4540	NaturalLanguage6.exe
4540	NaturalLanguage6.exe
4540	NaturalLanguage6.exe
4540	NaturalLanguage6.exe
4540	NaturalLanguage6.exe
4540	NaturalLanguage6.exe
4540	NaturalLanguage6.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

E3-20200827_061531.exe

pid process

1668 E3-20200827_061531.exe

pid	process
1668	E3-20200827_061531.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

E3-20200827_061531.exe

description	pid	process	target process
PID 1668 wrote to memory of 4540	1668	E3-20200827_061531.exe	NaturalLanguage6.exe
PID 1668 wrote to memory of 4540	1668	E3-20200827_061531.exe	NaturalLanguage6.exe
PID 1668 wrote to memory of 4540	1668	E3-20200827_061531.exe	NaturalLanguage6.exe

C:\Users\Admin\AppData\Local\Temp\E3-20200827_061531.exe
"C:\Users\Admin\AppData\Local\Temp\E3-20200827_061531.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\SysWOW64\wlanext\NaturalLanguage6.exe
  "C:\Windows\SysWOW64\wlanext\NaturalLanguage6.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wlanext\NaturalLanguage6.exe

Filesize
412KB

MD5
a2df421b99f9854f75e68e8c3d8476a3

SHA1
bbfc4bba21022043d50e47f56635f8122704aee7

SHA256
529cac7f42d829cfba9ff7ff39e053717247bae222879ef4f54af2165d020119

SHA512
bd517ca96eb4f9c420dc4079ff03f4cb1bb2778c928bd455fe52c757ebbbcf2f9712383d55316a472931d43c5f926a892ec3eddc62e58370be59ba5906f7d7c4

Download Submit
memory/1668-0-0x0000000002090000-0x000000000209C000-memory.dmp

Filesize
48KB

Download
memory/1668-4-0x00000000004D0000-0x00000000004D9000-memory.dmp

Filesize
36KB

Download
memory/1668-10-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4540-6-0x00000000005B0000-0x00000000005BC000-memory.dmp

Filesize
48KB

Download
memory/4540-11-0x00000000005B0000-0x00000000005BC000-memory.dmp

Filesize
48KB

Download