Analysis
Max time kernel: 150s
Max time network: 133s
Platform: windows7_x64
Resource: win7v20201028
Submitted: 26-01-2021 23:59
Static task: static1
Behavioral task: behavioral1
  Sample: sjbodmaxe.dll.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: sjbodmaxe.dll.exe
  Resource: win10v20201028
General
Target: sjbodmaxe.dll.exe

Malware Config
Extracted: emotet
LEA
C2 endpoints (ip:port):
  80.158.59.174:8080
  80.158.43.136:80
  80.158.3.161:443
  80.158.51.209:8080
  80.158.35.51:80
  80.158.63.78:443
  80.158.53.167:80
  80.158.62.194:443
Signatures

Emotet Payload (5 IoCs)
Detects Emotet payload in memory.
Processes:
  resource                                                                  yara_rule
  behavioral1/memory/1096-3-0x0000000000380000-0x00000000003DB000-memory.dmp  emotet
  behavioral1/memory/1096-4-0x0000000000490000-0x00000000004EA000-memory.dmp  emotet
  behavioral1/memory/1100-9-0x0000000000280000-0x00000000002DB000-memory.dmp  emotet
  behavioral1/memory/1100-10-0x0000000000480000-0x00000000004DA000-memory.dmp emotet
  behavioral1/memory/1096-11-0x0000000000320000-0x0000000000379000-memory.dmp emotet

Executes dropped EXE (1 IoC)
Processes:
  pid   process
  1100  mmcshext.exe

Drops file in System32 directory (1 IoC)
Processes:
  description                   ioc                                          process
  File opened for modification  C:\Windows\SysWOW64\bitsprx4\mmcshext.exe    sjbodmaxe.dll.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  pid   process
  1096  sjbodmaxe.dll.exe
  1100  mmcshext.exe
  1100  mmcshext.exe
  1100  mmcshext.exe

Suspicious behavior: RenamesItself (1 IoC)
Processes:
  pid   process
  1096  sjbodmaxe.dll.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description                         pid   process            target process
  PID 1096 wrote to memory of 1100    1096  sjbodmaxe.dll.exe  mmcshext.exe
  PID 1096 wrote to memory of 1100    1096  sjbodmaxe.dll.exe  mmcshext.exe
  PID 1096 wrote to memory of 1100    1096  sjbodmaxe.dll.exe  mmcshext.exe
  PID 1096 wrote to memory of 1100    1096  sjbodmaxe.dll.exe  mmcshext.exe
Processes

C:\Users\Admin\AppData\Local\Temp\sjbodmaxe.dll.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\sjbodmaxe.dll.exe"
  Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: RenamesItself; Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\bitsprx4\mmcshext.exe
  Command line: "C:\Windows\SysWOW64\bitsprx4\mmcshext.exe"
  Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Discovery: System Information Discovery (1)
No techniques mapped for: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads

C:\Windows\SysWOW64\bitsprx4\mmcshext.exe
  MD5:    13b9d586bb973ac14bfa24e4ae7b24f1
  SHA1:   a5653ebe4fa9f906554e56f4d732489189c3a3f9
  SHA256: 90e4f02ab9157f389d785c3dcddfa432085b237f2a4c3befb4a093d0f2711b5b
  SHA512: 517b1728ac24a587c6a4ccb7c0ea18f2059609958eb06f06107efd5a2e06faf0caa78c49f252e8b2e602a88de194e7edb1f4aaf1efe423298e94257c3df902ae

memory/1096-2-0x0000000075711000-0x0000000075713000-memory.dmp
  Filesize: 8KB

memory/1096-3-0x0000000000380000-0x00000000003DB000-memory.dmp
  Filesize: 364KB

memory/1096-4-0x0000000000490000-0x00000000004EA000-memory.dmp
  Filesize: 360KB

memory/1096-11-0x0000000000320000-0x0000000000379000-memory.dmp
  Filesize: 356KB

memory/1100-5-0x0000000000000000-mapping.dmp

memory/1100-9-0x0000000000280000-0x00000000002DB000-memory.dmp
  Filesize: 364KB

memory/1100-10-0x0000000000480000-0x00000000004DA000-memory.dmp
  Filesize: 360KB

memory/1116-13-0x000007FEF6930000-0x000007FEF6BAA000-memory.dmp
  Filesize: 2MB