emotet | ce8679260773363b9b36e64d7624af8ad5af6f631a3813f789245ac9a06db390

Analysis

max time kernel
143s
max time network
152s
platform
windows7_x64
resource
win7
submitted
10-07-2020 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

iscsied.bin.exe
Size

692KB
MD5

cdedba9345f7443d417373a581f0eb96
SHA1

e376629c1a6fcc48a9478e90c59153a634f1cc12
SHA256

ce8679260773363b9b36e64d7624af8ad5af6f631a3813f789245ac9a06db390
SHA512

f8a99ad2c77339b2b0930b6c24823cb793c3ac5dcd0b2336c9ed7265296c28586a335903bec195665e05ae3b1370abb1be05df38135269fae43bc577f84679d1

Score

10^/10

trojan banker emotet

Malware Config

Extracted

Family

emotet

181.230.65.232:80

77.74.78.80:443

192.241.220.183:8080

195.201.56.70:8080

125.63.106.22:80

203.153.216.178:7080

139.59.12.63:8080

190.251.235.239:80

14.99.112.138:80

192.163.221.191:8080

46.49.124.53:80

81.214.253.80:443

46.32.229.152:8080

74.208.173.91:8080

163.172.107.70:8080

37.46.129.215:8080

212.112.113.235:80

50.116.78.109:8080

113.161.148.81:80

78.188.170.128:80

rsa_pubkey.plain

Signatures

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 1520	1152	iscsied.bin.exe	24
PID 1152 wrote to memory of 1520	1152	iscsied.bin.exe	24
PID 1152 wrote to memory of 1520	1152	iscsied.bin.exe	24
PID 1152 wrote to memory of 1520	1152	iscsied.bin.exe	24

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1520	Register-CimProvider.exe
1520	Register-CimProvider.exe
1520	Register-CimProvider.exe

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1152	iscsied.bin.exe
1152	iscsied.bin.exe
1520	Register-CimProvider.exe
1520	Register-CimProvider.exe

Suspicious behavior: EmotetMutantsSpam 2 IoCs

pid	Process
1152	iscsied.bin.exe
1520	Register-CimProvider.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1152	iscsied.bin.exe

C:\Users\Admin\AppData\Local\Temp\iscsied.bin.exe
"C:\Users\Admin\AppData\Local\Temp\iscsied.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EmotetMutantsSpam
- Suspicious behavior: RenamesItself
PID:1152
- C:\Windows\SysWOW64\Register-CimProvider\Register-CimProvider.exe
  "C:\Windows\SysWOW64\Register-CimProvider\Register-CimProvider.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious behavior: EmotetMutantsSpam
  PID:1520

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1152-0-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/1152-1-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1520-3-0x0000000000260000-0x000000000026C000-memory.dmp

Filesize
48KB

Download
memory/1520-4-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download