Overview

overview

10

Static

static

3

E1-2020082...16.exe

windows7-x64

10

E1-2020082...16.exe

windows10-2004-x64

10

E1-2020082...15.exe

windows7-x64

10

E1-2020082...15.exe

windows10-2004-x64

10

E1-2020082...10.exe

windows7-x64

10

E1-2020082...10.exe

windows10-2004-x64

10

E1-2020082...27.exe

windows7-x64

10

E1-2020082...27.exe

windows10-2004-x64

10

E1-2020082...48.exe

windows7-x64

10

E1-2020082...48.exe

windows10-2004-x64

10

E1-2020082...10.exe

windows7-x64

10

E1-2020082...10.exe

windows10-2004-x64

10

E1-2020082...48.exe

windows7-x64

10

E1-2020082...48.exe

windows10-2004-x64

10

E2-2020082...28.exe

windows7-x64

10

E2-2020082...28.exe

windows10-2004-x64

10

E2-2020082...15.exe

windows7-x64

10

E2-2020082...15.exe

windows10-2004-x64

10

E2-2020082...02.exe

windows7-x64

10

E2-2020082...02.exe

windows10-2004-x64

10

E2-2020082...54.exe

windows7-x64

10

E2-2020082...54.exe

windows10-2004-x64

10

E2-2020082...48.exe

windows7-x64

10

E2-2020082...48.exe

windows10-2004-x64

10

E2-2020082...21.exe

windows7-x64

10

E2-2020082...21.exe

windows10-2004-x64

10

E3-2020082...31.exe

windows7-x64

10

E3-2020082...31.exe

windows10-2004-x64

10

E3-2020082...28.exe

windows7-x64

10

E3-2020082...28.exe

windows10-2004-x64

10

E3-2020082...56.exe

windows7-x64

10

E3-2020082...56.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-11-2024 00:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    E1-20200827_090915.exe

  • Size

    704KB

  • MD5

    1e92c1d84c8132e9fbf1887d3903144a

  • SHA1

    0803d84972aaee54e629a7f09c7804aa6ea3b916

  • SHA256

    3c84b2d43034c6eea5bb00b9b84271eca6cb0dffe6d1c5faac32bea7095ef8da

  • SHA512

    07524b8a17c7c91779e0b7a2a07a84ab32a934d533415ccb96596b90ebd7113542a2f2b1ba080f6e3ed1b075241261604cdff816b5d99a7945fe378c546cc538

  • SSDEEP

    12288:SIlkcMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM+MMMMMMMMMMMMMMMMMMMMMMMMQ:SEkcMMMMMMMMMMMMMMMMMMMMMMMMMMMl

Score
10/10
emotetepoch1bankerdiscoverytrojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch1

C2

71.197.211.156:80

91.121.54.71:8080

209.236.123.42:8080

89.32.150.160:8080

68.183.190.199:8080

45.161.242.102:80

217.199.160.224:7080

73.116.193.136:80

190.163.31.26:80

68.183.170.114:8080

207.144.103.227:80

114.109.179.60:80

178.148.55.236:8080

188.135.15.49:80

72.47.248.48:7080

83.169.21.32:7080

24.135.198.218:80

212.174.55.22:443

174.100.27.229:80

192.241.143.52:8080
rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Emotet family
    emotet
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\E1-20200827_090915.exe
    "C:\Users\Admin\AppData\Local\Temp\E1-20200827_090915.exe"
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:4244
    • C:\Windows\SysWOW64\ConsoleLogon\azroleui.exe
      "C:\Windows\SysWOW64\ConsoleLogon\azroleui.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1536

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\ConsoleLogon\azroleui.exe
    Filesize

    704KB

    MD5

    1e92c1d84c8132e9fbf1887d3903144a

    SHA1

    0803d84972aaee54e629a7f09c7804aa6ea3b916

    SHA256

    3c84b2d43034c6eea5bb00b9b84271eca6cb0dffe6d1c5faac32bea7095ef8da

    SHA512

    07524b8a17c7c91779e0b7a2a07a84ab32a934d533415ccb96596b90ebd7113542a2f2b1ba080f6e3ed1b075241261604cdff816b5d99a7945fe378c546cc538

    Download Submit

  • memory/1536-7-0x0000000002210000-0x000000000221C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1536-11-0x0000000002210000-0x000000000221C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/4244-0-0x0000000002350000-0x000000000235C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/4244-4-0x0000000000730000-0x0000000000739000-memory.dmp

    Filesize

    36KB

    Download

  • memory/4244-6-0x0000000000400000-0x00000000004B4000-memory.dmp

    Filesize

    720KB

    Download