Overview
overview
10Static
static
3E1-2020082...16.exe
windows7-x64
10E1-2020082...16.exe
windows10-2004-x64
10E1-2020082...15.exe
windows7-x64
10E1-2020082...15.exe
windows10-2004-x64
10E1-2020082...10.exe
windows7-x64
10E1-2020082...10.exe
windows10-2004-x64
10E1-2020082...27.exe
windows7-x64
10E1-2020082...27.exe
windows10-2004-x64
10E1-2020082...48.exe
windows7-x64
10E1-2020082...48.exe
windows10-2004-x64
10E1-2020082...10.exe
windows7-x64
10E1-2020082...10.exe
windows10-2004-x64
10E1-2020082...48.exe
windows7-x64
10E1-2020082...48.exe
windows10-2004-x64
10E2-2020082...28.exe
windows7-x64
10E2-2020082...28.exe
windows10-2004-x64
10E2-2020082...15.exe
windows7-x64
10E2-2020082...15.exe
windows10-2004-x64
10E2-2020082...02.exe
windows7-x64
10E2-2020082...02.exe
windows10-2004-x64
10E2-2020082...54.exe
windows7-x64
10E2-2020082...54.exe
windows10-2004-x64
10E2-2020082...48.exe
windows7-x64
10E2-2020082...48.exe
windows10-2004-x64
10E2-2020082...21.exe
windows7-x64
10E2-2020082...21.exe
windows10-2004-x64
10E3-2020082...31.exe
windows7-x64
10E3-2020082...31.exe
windows10-2004-x64
10E3-2020082...28.exe
windows7-x64
10E3-2020082...28.exe
windows10-2004-x64
10E3-2020082...56.exe
windows7-x64
10E3-2020082...56.exe
windows10-2004-x64
10Analysis
-
max time kernel
147s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
21-11-2024 00:03
Static task
static1
Behavioral task
behavioral1
Sample
E1-20200827_061516.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
E1-20200827_061516.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
E1-20200827_090915.exe
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
E1-20200827_090915.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
E1-20200827_095810.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
E1-20200827_095810.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
E1-20200827_145627.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
E1-20200827_145627.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
E1-20200827_162348.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
E1-20200827_162348.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
E1-20200827_163610.exe
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
E1-20200827_163610.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
E1-20200827_170748.exe
Resource
win7-20241010-en
Behavioral task
behavioral14
Sample
E1-20200827_170748.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
E2-20200827_061428.exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
E2-20200827_061428.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
E2-20200827_090615.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
E2-20200827_090615.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
E2-20200827_145402.exe
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
E2-20200827_145402.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
E2-20200827_162454.exe
Resource
win7-20241023-en
Behavioral task
behavioral22
Sample
E2-20200827_162454.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
E2-20200827_163448.exe
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
E2-20200827_163448.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral25
Sample
E2-20200827_170621.exe
Resource
win7-20240729-en
Behavioral task
behavioral26
Sample
E2-20200827_170621.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral27
Sample
E3-20200827_061531.exe
Resource
win7-20241010-en
Behavioral task
behavioral28
Sample
E3-20200827_061531.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral29
Sample
E3-20200827_090928.exe
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
E3-20200827_090928.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral31
Sample
E3-20200827_145656.exe
Resource
win7-20240903-en
General
-
Target
E3-20200827_145656.exe
-
Size
660KB
-
MD5
a8b8675b57545f8f3bab0b000d4b65ef
-
SHA1
98af039a6a1d3faaeb4cb1ffed43d720c62b1aa9
-
SHA256
66ad54e3a1a266fd12cda27eeb9830b1e084548a90693ff11ad4e5498352e9ef
-
SHA512
bd9e899fe74168e1890e2b7554b2241b0c7a191908f58a9e004f36acc62979d93aae051abab27a4944ee5cd86ed491f57b6ffed9aed4559e1d6d9ac34028a0e6
-
SSDEEP
6144:EZd3Z+AlMjixnmMsQSyzKdYkTGdvWh3+IiEwkyEQGEGsG:EZBZZKimMsQSGH/dv0DwFydV
Malware Config
Extracted
emotet
Epoch3
24.26.151.3:80
162.144.42.60:8080
134.209.193.138:443
68.183.233.80:8080
105.209.235.113:8080
198.57.203.63:8080
175.29.183.2:80
178.87.171.199:80
177.32.8.85:80
71.57.180.213:80
190.190.15.20:80
31.146.61.34:80
157.7.164.178:8081
82.239.200.118:80
220.254.198.228:443
41.185.29.128:8080
113.161.148.81:80
51.38.201.19:7080
179.5.118.12:80
66.61.94.36:80
87.106.231.60:8080
188.0.135.237:80
189.39.32.161:80
173.94.215.84:80
81.17.93.134:80
185.86.148.68:443
190.96.15.50:80
177.144.130.105:443
168.0.97.6:80
60.125.114.64:443
50.116.78.109:8080
190.53.144.120:80
37.205.9.252:7080
115.79.195.246:80
201.235.10.215:80
75.127.14.170:8080
181.126.54.234:80
172.96.190.154:8080
192.241.220.183:8080
190.164.75.175:80
81.214.253.80:443
139.99.157.213:8080
91.75.75.46:80
46.32.229.152:8080
37.187.100.220:7080
107.161.30.122:8080
157.245.138.101:7080
5.79.70.250:8080
185.142.236.163:443
118.101.24.148:80
103.80.51.61:8080
74.208.173.91:8080
178.33.167.120:8080
185.208.226.142:8080
143.95.101.72:8080
195.201.56.70:8080
46.105.131.68:8080
192.210.217.94:8080
37.46.129.215:8080
190.212.140.6:80
91.83.93.103:443
45.182.161.17:80
95.216.205.155:8080
202.5.47.71:80
88.249.181.198:443
197.232.36.108:80
1.54.67.22:80
86.98.143.163:80
77.74.78.80:443
172.105.78.244:8080
181.137.229.1:80
179.62.238.49:80
192.163.221.191:8080
177.94.227.143:80
203.153.216.178:7080
139.59.12.63:8080
115.78.11.155:80
2.144.244.204:443
197.221.158.162:80
162.249.220.190:80
85.25.207.108:8080
201.213.177.139:80
54.38.143.245:8080
181.113.229.139:443
188.251.213.180:443
190.55.186.229:80
113.203.250.121:443
Signatures
-
Emotet family
-
Executes dropped EXE 1 IoCs
pid Process 4356 KBDUS.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\nslookup\KBDUS.exe E3-20200827_145656.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language KBDUS.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language E3-20200827_145656.exe -
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid Process 4356 KBDUS.exe 4356 KBDUS.exe 4356 KBDUS.exe 4356 KBDUS.exe 4356 KBDUS.exe 4356 KBDUS.exe 4356 KBDUS.exe 4356 KBDUS.exe 4356 KBDUS.exe 4356 KBDUS.exe 4356 KBDUS.exe 4356 KBDUS.exe 4356 KBDUS.exe 4356 KBDUS.exe 4356 KBDUS.exe 4356 KBDUS.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 2256 E3-20200827_145656.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 2256 E3-20200827_145656.exe 2256 E3-20200827_145656.exe 4356 KBDUS.exe 4356 KBDUS.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2256 wrote to memory of 4356 2256 E3-20200827_145656.exe 82 PID 2256 wrote to memory of 4356 2256 E3-20200827_145656.exe 82 PID 2256 wrote to memory of 4356 2256 E3-20200827_145656.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\E3-20200827_145656.exe"C:\Users\Admin\AppData\Local\Temp\E3-20200827_145656.exe"1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\SysWOW64\nslookup\KBDUS.exe"C:\Windows\SysWOW64\nslookup\KBDUS.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4356
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
660KB
MD5a8b8675b57545f8f3bab0b000d4b65ef
SHA198af039a6a1d3faaeb4cb1ffed43d720c62b1aa9
SHA25666ad54e3a1a266fd12cda27eeb9830b1e084548a90693ff11ad4e5498352e9ef
SHA512bd9e899fe74168e1890e2b7554b2241b0c7a191908f58a9e004f36acc62979d93aae051abab27a4944ee5cd86ed491f57b6ffed9aed4559e1d6d9ac34028a0e6