Analysis

  • max time kernel
    145s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    21-11-2024 00:03

General

  • Target

    E3-20200827_090928.exe

  • Size

    704KB

  • MD5

    66207dfc1a312b6b4bef4423d0bedf08

  • SHA1

    9b2e50f42d0f414596258ff712e7a9b8a5f556a5

  • SHA256

    c58af7df06b15140d8d4b76bd587e20b2c25d52b45e8099f6487e62fc844901e

  • SHA512

    104a513426822d314f7539429bc3fcfe737a46182370e12c832435edb48d9eae9ce7d401503f2bdfea715a408f51bd2e712db27f3e6e5f4d08a803eb8b5fbf6e

  • SSDEEP

    12288:BIlkcMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM+MMMMMMMMMMMMMMMMMMMMMMMM7:BEkcMMMMMMMMMMMMMMMMMMMMMMMMMMMU

Malware Config

Extracted

Family

emotet

Botnet

Epoch3

C2

88.249.181.198:443

65.156.53.186:8080

68.183.233.80:8080

85.25.207.108:8080

177.32.8.85:80

81.17.93.134:80

197.232.36.108:80

195.201.56.70:8080

107.161.30.122:8080

46.32.229.152:8080

188.251.213.180:443

66.61.94.36:80

50.116.78.109:8080

139.99.157.213:8080

179.62.238.49:80

197.221.158.162:80

192.210.217.94:8080

118.101.24.148:80

220.254.198.228:443

185.142.236.163:443

rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Emotet family
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\E3-20200827_090928.exe
    "C:\Users\Admin\AppData\Local\Temp\E3-20200827_090928.exe"
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:2648
    • C:\Windows\SysWOW64\wudriver\ndiscapCfg.exe
      "C:\Windows\SysWOW64\wudriver\ndiscapCfg.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2744

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\wudriver\ndiscapCfg.exe

    Filesize

    704KB

    MD5

    66207dfc1a312b6b4bef4423d0bedf08

    SHA1

    9b2e50f42d0f414596258ff712e7a9b8a5f556a5

    SHA256

    c58af7df06b15140d8d4b76bd587e20b2c25d52b45e8099f6487e62fc844901e

    SHA512

    104a513426822d314f7539429bc3fcfe737a46182370e12c832435edb48d9eae9ce7d401503f2bdfea715a408f51bd2e712db27f3e6e5f4d08a803eb8b5fbf6e

  • memory/2648-0-0x0000000000240000-0x000000000024C000-memory.dmp

    Filesize

    48KB

  • memory/2648-4-0x0000000000230000-0x0000000000239000-memory.dmp

    Filesize

    36KB

  • memory/2648-6-0x0000000000400000-0x00000000004B4000-memory.dmp

    Filesize

    720KB

  • memory/2744-7-0x00000000001D0000-0x00000000001DC000-memory.dmp

    Filesize

    48KB

  • memory/2744-11-0x00000000001D0000-0x00000000001DC000-memory.dmp

    Filesize

    48KB