Analysis

  • max time kernel
    145s
  • resource
    win10v191014
  • submitted
    29-01-2020 22:01

General

  • Target

    30de8c7dc8c76a42f2cb7e215586f975a0c660aad71d214c6d6cec7666a5d456

  • Sample

    200129-94qxyrqzca

  • SHA256

    30de8c7dc8c76a42f2cb7e215586f975a0c660aad71d214c6d6cec7666a5d456

Score
10/10

Malware Config

Extracted

Family

emotet

C2

186.10.98.177:80

154.70.158.97:80

95.66.182.136:80

68.183.18.169:8080

178.62.75.204:8080

178.33.167.120:8080

144.76.56.36:8080

61.204.119.188:443

163.172.107.70:8080

156.155.163.232:80

91.117.31.181:80

153.183.25.24:80

110.2.118.164:80

195.250.143.182:80

162.154.175.215:80

50.116.78.109:8080

72.176.87.136:80

184.162.115.11:443

37.70.131.107:80

181.39.96.86:443

rsa_pubkey.plain
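The C2 list above is the most directly actionable part of the extracted config. The following script is an added example for this report (not part of the sandbox output): it parses the entries copied from the "Malware Config" section into validated (ip, port) pairs, summarises the ports in use, and emits one Suricata rule per endpoint. The Suricata message text and the SID range are assumptions chosen here.

```python
"""Turn the C2 list from the extracted Emotet config into usable IOCs.

Added example for this report; it is not part of the sandbox output. The
C2 entries are copied from the "Malware Config" section above. The
Suricata message text and the SID range are assumptions chosen here.
"""
import ipaddress
from collections import Counter

# Copied from the extracted config above: one "ip:port" per line.
C2_RAW = """
186.10.98.177:80
154.70.158.97:80
95.66.182.136:80
68.183.18.169:8080
178.62.75.204:8080
178.33.167.120:8080
144.76.56.36:8080
61.204.119.188:443
163.172.107.70:8080
156.155.163.232:80
91.117.31.181:80
153.183.25.24:80
110.2.118.164:80
195.250.143.182:80
162.154.175.215:80
50.116.78.109:8080
72.176.87.136:80
184.162.115.11:443
37.70.131.107:80
181.39.96.86:443
"""


def parse_c2(text):
    """Parse "ip:port" lines into (ip, port) tuples.

    Malformed lines raise instead of being skipped, so a bad config
    extraction cannot silently shrink the blocklist.
    """
    iocs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        host, sep, port_text = line.rpartition(":")
        if not sep:
            raise ValueError(f"no port in C2 entry: {line!r}")
        ip = ipaddress.ip_address(host)  # rejects anything that is not an IP address
        port = int(port_text)
        if not 0 < port < 65536:
            raise ValueError(f"bad port in C2 entry: {line!r}")
        iocs.append((str(ip), port))
    return iocs


def port_histogram(iocs):
    """How many C2s listen on each port; useful when deciding on egress rules."""
    return Counter(port for _, port in iocs)


def suricata_rules(iocs, sid_base=9000000):
    """One alert per C2 on outbound TCP to ip:port.

    sid_base is an assumed local SID range; pick one that does not collide
    with rule sets already deployed.
    """
    return [
        f'alert tcp $HOME_NET any -> {ip} {port} '
        f'(msg:"Emotet C2 contact {ip}:{port} (from sandbox config)"; '
        f'flow:to_server; sid:{sid_base + i}; rev:1;)'
        for i, (ip, port) in enumerate(iocs)
    ]


def is_known_c2(ip, port, iocs):
    """Exact ip:port match against the extracted list."""
    return (ip, port) in set(iocs)


if __name__ == "__main__":
    c2 = parse_c2(C2_RAW)
    print(f"{len(c2)} C2 endpoints, by port: {dict(port_histogram(c2))}")
    print("\n".join(suricata_rules(c2)))
```

Two caveats when using the output: Emotet C2 lists rotate quickly, so these IPs date from the submission time and should be treated as a point-in-time list rather than a permanent blocklist; and `rsa_pubkey.plain` in the config is the embedded RSA public key the bot uses to protect its C2 session key, which identifies a particular botnet build but does not help with network blocking.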

Signatures

  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Suspicious behavior: EmotetMutantsSpam 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Emotet

    Emotet is a modular trojan and malware loader, primarily spread through spam emails carrying malicious attachments or links.

  • Drops file in System32 directory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\30de8c7dc8c76a42f2cb7e215586f975a0c660aad71d214c6d6cec7666a5d456.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\30de8c7dc8c76a42f2cb7e215586f975a0c660aad71d214c6d6cec7666a5d456.exe"
    Tree level 1, PID 4852
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\30de8c7dc8c76a42f2cb7e215586f975a0c660aad71d214c6d6cec7666a5d456.exe
      Command line: --d4672c00
      Tree level 2 (child of PID 4852), PID 4884
      • Suspicious use of SetWindowsHookEx
      • Suspicious behavior: EmotetMutantsSpam
      • Suspicious behavior: RenamesItself
      • Drops file in System32 directory
  • C:\Windows\SysWOW64\multedge.exe
    Command line: "C:\Windows\SysWOW64\multedge.exe"
    Tree level 1, PID 4188
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\multedge.exe
      Command line: --da72adf
      Tree level 2 (child of PID 4188), PID 1940
      • Suspicious use of SetWindowsHookEx
      • Suspicious behavior: EmotetMutantsSpam
      • Suspicious behavior: EnumeratesProcesses
      • Drops file in System32 directory
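The process tree shows the same pattern twice: an image launches a copy of itself whose whole command line is a single short hex switch (`--d4672c00`, `--da72adf`), first from the original sample and then from the copy dropped as `C:\Windows\SysWOW64\multedge.exe`. The following detection is an added example (not part of the sandbox report) run over process-creation events constructed from the Processes section: image paths, command lines and PIDs are the report's, while the parent PID of the two top-level processes (not shown in the report) and the event layout are assumptions.

```python
"""Detect the self-relaunch pattern shown in the process tree above.

Added example; not part of the sandbox report. The events are constructed
from the report's Processes section: image paths, command lines and PIDs
are the report's, while the parent PID of the two top-level processes
(not shown in the report) and the event layout are assumptions.
"""
import re
from dataclasses import dataclass

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\30de8c7dc8c76a42f2cb7e215586f975a0c660aad71d214c6d6cec7666a5d456.exe")
DROPPED = r"C:\Windows\SysWOW64\multedge.exe"


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int      # 0 = parent not shown in the report (assumption for the two roots)
    image: str
    cmdline: str


# Constructed from the report's process tree.
EVENTS = [
    ProcEvent(4852, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(4884, 4852, SAMPLE, "--d4672c00"),
    ProcEvent(4188, 0, DROPPED, f'"{DROPPED}"'),
    ProcEvent(1940, 4188, DROPPED, "--da72adf"),
]

# A single "--<hex>" switch, as in the report; rare in legitimate software.
RELAUNCH_SWITCH = re.compile(r"^--[0-9a-f]{6,8}$", re.IGNORECASE)
SYSTEM_DIRS = ("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")


@dataclass(frozen=True)
class Hit:
    pid: int
    ppid: int
    image: str
    switch: str
    from_system_dir: bool


def argv_without_image(event):
    """Split a Windows command line and drop argv[0] when it is the image path.

    The report shows the child command lines as just the switch (argv[0]
    absent), so both shapes are handled.
    """
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', event.cmdline)]
    if tokens and tokens[0].lower() == event.image.lower():
        tokens = tokens[1:]
    return tokens


def detect_self_relaunch(events):
    """Flag a process whose parent runs the same image and whose only
    argument is a short hex switch."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or parent.image.lower() != e.image.lower():
            continue
        args = argv_without_image(e)
        if len(args) == 1 and RELAUNCH_SWITCH.match(args[0]):
            hits.append(Hit(
                pid=e.pid, ppid=e.ppid, image=e.image, switch=args[0],
                from_system_dir=e.image.lower().startswith(SYSTEM_DIRS),
            ))
    return hits


if __name__ == "__main__":
    for h in detect_self_relaunch(EVENTS):
        where = "dropped copy in a system directory" if h.from_system_dir else "original sample"
        print(f"PID {h.pid} relaunched by PID {h.ppid} with {h.switch}: {where}")
```

Both children (PIDs 4884 and 1940) are flagged, and the second hit is additionally marked as running from `SysWOW64`, which ties the relaunch to the "RenamesItself" and "Drops file in System32 directory" signatures above. The switch regex is deliberately narrow; widen it only with a corpus of benign command lines to measure the false-positive rate.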

Network

MITRE ATT&CK Matrix

Downloads

  • memory/1940-4-0x0000000000550000-0x0000000000567000-memory.dmp

    Filesize

    92KB

  • memory/1940-5-0x0000000000400000-0x000000000048F000-memory.dmp

    Filesize

    572KB

  • memory/4188-3-0x00000000009D0000-0x00000000009E7000-memory.dmp

    Filesize

    92KB

  • memory/4852-0-0x0000000000660000-0x0000000000677000-memory.dmp

    Filesize

    92KB

  • memory/4884-1-0x0000000002150000-0x0000000002167000-memory.dmp

    Filesize

    92KB

  • memory/4884-2-0x0000000000400000-0x000000000048F000-memory.dmp

    Filesize

    572KB
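The artefact names encode the dumped process, a sequence number and the virtual address range, so the "Filesize" values can be checked against the ranges and the dumps sorted by what they are likely to contain. The script below is an added example (not part of the sandbox report): the dump names and listed sizes are copied from the Downloads section, and the naming scheme `memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp` is read off those names.

```python
"""Make sense of the memory-dump artefact names listed above.

Added example; not part of the sandbox report. The dump names and the
"Filesize" values are copied from the Downloads section; the naming scheme
(memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp) is read off those names.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Copied from the report: (artefact name, listed size).
DUMPS = [
    ("memory/1940-4-0x0000000000550000-0x0000000000567000-memory.dmp", "92KB"),
    ("memory/1940-5-0x0000000000400000-0x000000000048F000-memory.dmp", "572KB"),
    ("memory/4188-3-0x00000000009D0000-0x00000000009E7000-memory.dmp", "92KB"),
    ("memory/4852-0-0x0000000000660000-0x0000000000677000-memory.dmp", "92KB"),
    ("memory/4884-1-0x0000000002150000-0x0000000002167000-memory.dmp", "92KB"),
    ("memory/4884-2-0x0000000000400000-0x000000000048F000-memory.dmp", "572KB"),
]

NAME_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9a-fA-F]+)"
    r"-0x(?P<end>[0-9a-fA-F]+)-memory\.dmp$"
)
PAGE = 0x1000
DEFAULT_IMAGE_BASE = 0x400000   # linker default ImageBase for 32-bit EXEs


@dataclass(frozen=True)
class Region:
    pid: int
    index: int
    start: int
    end: int

    @property
    def size(self):
        return self.end - self.start

    def size_label(self):
        """Whole-KiB label in the report's style ("92KB")."""
        return f"{self.size // 1024}KB"

    @property
    def page_aligned(self):
        return self.start % PAGE == 0 and self.size % PAGE == 0

    @property
    def at_default_image_base(self):
        return self.start == DEFAULT_IMAGE_BASE


def parse_dump_name(name):
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name!r}")
    return Region(int(m["pid"]), int(m["idx"]), int(m["start"], 16), int(m["end"], 16))


def check_listing(dumps):
    """Parse every entry and confirm the listed size matches the address range."""
    regions = []
    for name, listed in dumps:
        r = parse_dump_name(name)
        if r.size_label() != listed:
            raise ValueError(f"{name}: range gives {r.size_label()}, listing says {listed}")
        if not r.page_aligned:
            raise ValueError(f"{name}: region is not page aligned")
        regions.append(r)
    return regions


def regions_by_pid(regions):
    out = defaultdict(list)
    for r in regions:
        out[r.pid].append(r)
    return dict(out)


def pids_with_image_dump(regions):
    """PIDs that have a dump starting at the default image base: the first
    candidates to carve a PE from."""
    return sorted({r.pid for r in regions if r.at_default_image_base})


if __name__ == "__main__":
    regs = check_listing(DUMPS)
    for pid, rs in regions_by_pid(regs).items():
        print(pid, [(hex(r.start), r.size_label()) for r in rs])
    print("image-base dumps in PIDs:", pids_with_image_dump(regs))
```

The ranges agree with the listing (0x17000 bytes is exactly 92 KiB, 0x8F000 is exactly 572 KiB). All four processes carry a 92 KiB region at a heap-like address, but only the two relaunched children (PIDs 4884 and 1940, the ones tagged EmotetMutantsSpam above) carry the 572 KiB region at 0x400000, so those two dumps are the ones to inspect first when looking for the unpacked payload.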