Overview
overview
10Static
static
3E1-2020082...16.exe
windows7-x64
10E1-2020082...16.exe
windows10-2004-x64
10E1-2020082...15.exe
windows7-x64
10E1-2020082...15.exe
windows10-2004-x64
10E1-2020082...10.exe
windows7-x64
10E1-2020082...10.exe
windows10-2004-x64
10E1-2020082...27.exe
windows7-x64
10E1-2020082...27.exe
windows10-2004-x64
10E1-2020082...48.exe
windows7-x64
10E1-2020082...48.exe
windows10-2004-x64
10E1-2020082...10.exe
windows7-x64
10E1-2020082...10.exe
windows10-2004-x64
10E1-2020082...48.exe
windows7-x64
10E1-2020082...48.exe
windows10-2004-x64
10E2-2020082...28.exe
windows7-x64
10E2-2020082...28.exe
windows10-2004-x64
10E2-2020082...15.exe
windows7-x64
10E2-2020082...15.exe
windows10-2004-x64
10E2-2020082...02.exe
windows7-x64
10E2-2020082...02.exe
windows10-2004-x64
10E2-2020082...54.exe
windows7-x64
10E2-2020082...54.exe
windows10-2004-x64
10E2-2020082...48.exe
windows7-x64
10E2-2020082...48.exe
windows10-2004-x64
10E2-2020082...21.exe
windows7-x64
10E2-2020082...21.exe
windows10-2004-x64
10E3-2020082...31.exe
windows7-x64
10E3-2020082...31.exe
windows10-2004-x64
10E3-2020082...28.exe
windows7-x64
10E3-2020082...28.exe
windows10-2004-x64
10E3-2020082...56.exe
windows7-x64
10E3-2020082...56.exe
windows10-2004-x64
10Analysis
-
max time kernel
139s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
21-11-2024 00:03
Static task
static1
Behavioral task
behavioral1
Sample
E1-20200827_061516.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
E1-20200827_061516.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
E1-20200827_090915.exe
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
E1-20200827_090915.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
E1-20200827_095810.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
E1-20200827_095810.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
E1-20200827_145627.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
E1-20200827_145627.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
E1-20200827_162348.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
E1-20200827_162348.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
E1-20200827_163610.exe
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
E1-20200827_163610.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
E1-20200827_170748.exe
Resource
win7-20241010-en
Behavioral task
behavioral14
Sample
E1-20200827_170748.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
E2-20200827_061428.exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
E2-20200827_061428.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
E2-20200827_090615.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
E2-20200827_090615.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
E2-20200827_145402.exe
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
E2-20200827_145402.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
E2-20200827_162454.exe
Resource
win7-20241023-en
Behavioral task
behavioral22
Sample
E2-20200827_162454.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
E2-20200827_163448.exe
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
E2-20200827_163448.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral25
Sample
E2-20200827_170621.exe
Resource
win7-20240729-en
Behavioral task
behavioral26
Sample
E2-20200827_170621.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral27
Sample
E3-20200827_061531.exe
Resource
win7-20241010-en
Behavioral task
behavioral28
Sample
E3-20200827_061531.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral29
Sample
E3-20200827_090928.exe
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
E3-20200827_090928.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral31
Sample
E3-20200827_145656.exe
Resource
win7-20240903-en
General
-
Target
E3-20200827_061531.exe
-
Size
412KB
-
MD5
a2df421b99f9854f75e68e8c3d8476a3
-
SHA1
bbfc4bba21022043d50e47f56635f8122704aee7
-
SHA256
529cac7f42d829cfba9ff7ff39e053717247bae222879ef4f54af2165d020119
-
SHA512
bd517ca96eb4f9c420dc4079ff03f4cb1bb2778c928bd455fe52c757ebbbcf2f9712383d55316a472931d43c5f926a892ec3eddc62e58370be59ba5906f7d7c4
-
SSDEEP
3072:nzoB+F9ah8tFGNhd5/2dGqHNLiFgpaO8072SBKUgTtuNtiDrUYNA0YFH8w:n8B+F9Nuhd56paJEZTcu3QA0Y
Malware Config
Extracted
emotet
Epoch3
88.249.181.198:443
65.156.53.186:8080
68.183.233.80:8080
185.81.158.15:8080
37.187.100.220:7080
60.125.114.64:443
201.235.10.215:80
81.214.253.80:443
118.101.24.148:80
181.126.54.234:80
197.232.36.108:80
178.87.171.199:80
139.99.157.213:8080
115.79.195.246:80
177.94.227.143:80
113.161.148.81:80
192.210.217.94:8080
173.94.215.84:80
112.78.142.170:80
217.199.160.224:8080
181.137.229.1:80
190.53.144.120:80
85.25.207.108:8080
168.0.97.6:80
185.86.148.68:443
91.83.93.103:443
75.127.14.170:8080
37.46.129.215:8080
81.17.93.134:80
71.57.180.213:80
115.78.11.155:80
95.216.205.155:8080
179.5.118.12:80
113.203.250.121:443
185.208.226.142:8080
1.54.67.22:80
51.38.201.19:7080
77.74.78.80:443
202.5.47.71:80
157.245.138.101:7080
175.29.183.2:80
74.208.173.91:8080
78.189.60.109:443
178.33.167.120:8080
220.254.198.228:443
192.163.221.191:8080
203.153.216.178:7080
162.249.220.190:80
82.239.200.118:80
105.209.235.113:8080
190.55.186.229:80
190.164.75.175:80
197.221.158.162:80
86.57.216.23:80
177.32.8.85:80
190.212.140.6:80
46.32.229.152:8080
172.105.78.244:8080
45.182.161.17:80
87.106.231.60:8080
51.255.15.193:7080
172.96.190.154:8080
185.142.236.163:443
103.80.51.61:8080
157.7.164.178:8081
188.0.135.237:80
46.105.131.68:8080
50.116.78.109:8080
5.79.70.250:8080
179.62.238.49:80
177.144.130.105:443
192.241.220.183:8080
190.190.15.20:80
41.185.29.128:8080
201.213.177.139:80
189.39.32.161:80
195.201.56.70:8080
2.144.244.204:443
66.61.94.36:80
198.57.203.63:8080
86.98.143.163:80
188.251.213.180:443
181.113.229.139:443
143.95.101.72:8080
139.59.12.63:8080
107.161.30.122:8080
31.146.61.34:80
Signatures
-
Emotet family
-
Executes dropped EXE 1 IoCs
pid Process 4540 NaturalLanguage6.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\wlanext\NaturalLanguage6.exe E3-20200827_061531.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language E3-20200827_061531.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NaturalLanguage6.exe -
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid Process 4540 NaturalLanguage6.exe 4540 NaturalLanguage6.exe 4540 NaturalLanguage6.exe 4540 NaturalLanguage6.exe 4540 NaturalLanguage6.exe 4540 NaturalLanguage6.exe 4540 NaturalLanguage6.exe 4540 NaturalLanguage6.exe 4540 NaturalLanguage6.exe 4540 NaturalLanguage6.exe 4540 NaturalLanguage6.exe 4540 NaturalLanguage6.exe 4540 NaturalLanguage6.exe 4540 NaturalLanguage6.exe 4540 NaturalLanguage6.exe 4540 NaturalLanguage6.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 1668 E3-20200827_061531.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1668 wrote to memory of 4540 1668 E3-20200827_061531.exe 83 PID 1668 wrote to memory of 4540 1668 E3-20200827_061531.exe 83 PID 1668 wrote to memory of 4540 1668 E3-20200827_061531.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\E3-20200827_061531.exe"C:\Users\Admin\AppData\Local\Temp\E3-20200827_061531.exe"1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Windows\SysWOW64\wlanext\NaturalLanguage6.exe"C:\Windows\SysWOW64\wlanext\NaturalLanguage6.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4540
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
412KB
MD5a2df421b99f9854f75e68e8c3d8476a3
SHA1bbfc4bba21022043d50e47f56635f8122704aee7
SHA256529cac7f42d829cfba9ff7ff39e053717247bae222879ef4f54af2165d020119
SHA512bd517ca96eb4f9c420dc4079ff03f4cb1bb2778c928bd455fe52c757ebbbcf2f9712383d55316a472931d43c5f926a892ec3eddc62e58370be59ba5906f7d7c4