Analysis

  • max time kernel: 114s
  • resource: win7v191014
  • submitted: 09-12-2019 21:06

General

  • Target: 5ab974ead53fe2ec317e5f9b30dee0c195014cab15ff7a0fb9024da735d1917b.exe
  • Sample: 191209-m96h8k52dx
  • SHA256: 5ab974ead53fe2ec317e5f9b30dee0c195014cab15ff7a0fb9024da735d1917b

Score
10/10

Malware Config

Extracted

Family

emotet

C2


rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails

  • Drops file in System32 directory (2 IoCs)
  • Suspicious use of SetWindowsHookEx (4 IoCs)
  • Suspicious use of WriteProcessMemory (2 IoCs)
  • Suspicious behavior: EmotetMutantsSpam (2 IoCs)
  • Suspicious behavior: RenamesItself (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\5ab974ead53fe2ec317e5f9b30dee0c195014cab15ff7a0fb9024da735d1917b.exe
    "C:\Users\Admin\AppData\Local\Temp\5ab974ead53fe2ec317e5f9b30dee0c195014cab15ff7a0fb9024da735d1917b.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1536
    • C:\Users\Admin\AppData\Local\Temp\5ab974ead53fe2ec317e5f9b30dee0c195014cab15ff7a0fb9024da735d1917b.exe
      --137bb2ce
      2⤵
      • Drops file in System32 directory
      • Suspicious use of SetWindowsHookEx
      • Suspicious behavior: EmotetMutantsSpam
      • Suspicious behavior: RenamesItself
      PID:1104
  • C:\Windows\SysWOW64\publishstuck.exe
    "C:\Windows\SysWOW64\publishstuck.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:544
    • C:\Windows\SysWOW64\publishstuck.exe
      --86c9fabf
      2⤵
      • Drops file in System32 directory
      • Suspicious use of SetWindowsHookEx
      • Suspicious behavior: EmotetMutantsSpam
      • Suspicious behavior: EnumeratesProcesses
      PID:1128

Downloads

  • memory/544-3-0x0000000000520000-0x0000000000537000-memory.dmp (Filesize: 92KB)
  • memory/1104-1-0x0000000000260000-0x0000000000277000-memory.dmp (Filesize: 92KB)
  • memory/1104-2-0x0000000000400000-0x0000000000455000-memory.dmp (Filesize: 340KB)
  • memory/1128-5-0x0000000000400000-0x0000000000455000-memory.dmp (Filesize: 340KB)
  • memory/1536-0-0x00000000003A0000-0x00000000003B7000-memory.dmp (Filesize: 92KB)