Analysis
max time kernel: 115s
max time network: 132s
platform: windows10_x64
resource: win10v20201028
submitted: 26-01-2021 23:59
Static task: static1
Behavioral task: behavioral1
  Sample: sjbodmaxe.dll.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: sjbodmaxe.dll.exe
  Resource: win10v20201028
General
Target: sjbodmaxe.dll.exe
Malware Config
Extracted: emotet
LEA
C2 (ip:port):
80.158.59.174:8080
80.158.43.136:80
80.158.3.161:443
80.158.51.209:8080
80.158.35.51:80
80.158.63.78:443
80.158.53.167:80
80.158.62.194:443
Signatures
Emotet Payload (4 IoCs)
Detects Emotet payload in memory.
resource | yara_rule
behavioral2/memory/1456-2-0x0000000003160000-0x00000000031BB000-memory.dmp | emotet
behavioral2/memory/1456-3-0x0000000000400000-0x000000000045A000-memory.dmp | emotet
behavioral2/memory/1456-4-0x0000000003100000-0x0000000003159000-memory.dmp | emotet
behavioral2/memory/3836-7-0x0000000002F80000-0x0000000002FDB000-memory.dmp | emotet
Executes dropped EXE (1 IoC)
pid | process
3836 | MSVideoDSP.exe
Drops file in System32 directory (1 IoC)
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\Windows.Payments\MSVideoDSP.exe | sjbodmaxe.dll.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (This is the signature's generic description: the report attributes no IoC to it, and the family detected in memory on this page is Emotet, so treat the ransomware note as a heuristic rather than a finding.)
Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid | process
1456 | sjbodmaxe.dll.exe (2 hits)
3836 | MSVideoDSP.exe (6 hits)
Suspicious behavior: RenamesItself (1 IoC)
pid | process
1456 | sjbodmaxe.dll.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | process | target process
PID 1456 wrote to memory of 3836 | 1456 | sjbodmaxe.dll.exe | MSVideoDSP.exe (3 hits)
Processes
C:\Users\Admin\AppData\Local\Temp\sjbodmaxe.dll.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\sjbodmaxe.dll.exe"
  signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: RenamesItself; Suspicious use of WriteProcessMemory
  child: C:\Windows\SysWOW64\Windows.Payments\MSVideoDSP.exe
    command line: "C:\Windows\SysWOW64\Windows.Payments\MSVideoDSP.exe"
    signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
  System Information Discovery (1)
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Downloads
C:\Windows\SysWOW64\Windows.Payments\MSVideoDSP.exe
  MD5: 13b9d586bb973ac14bfa24e4ae7b24f1
  SHA1: a5653ebe4fa9f906554e56f4d732489189c3a3f9
  SHA256: 90e4f02ab9157f389d785c3dcddfa432085b237f2a4c3befb4a093d0f2711b5b
  SHA512: 517b1728ac24a587c6a4ccb7c0ea18f2059609958eb06f06107efd5a2e06faf0caa78c49f252e8b2e602a88de194e7edb1f4aaf1efe423298e94257c3df902ae
memory/1456-2-0x0000000003160000-0x00000000031BB000-memory.dmp
  Filesize: 364KB
memory/1456-3-0x0000000000400000-0x000000000045A000-memory.dmp
  Filesize: 360KB
memory/1456-4-0x0000000003100000-0x0000000003159000-memory.dmp
  Filesize: 356KB
memory/3836-5-0x0000000000000000-mapping.dmp
memory/3836-7-0x0000000002F80000-0x0000000002FDB000-memory.dmp
  Filesize: 364KB
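The IoCs a detection engineer would take from this report are the extracted C2 list, the dropped-file path and its SHA-256, and the parent/child pair sjbodmaxe.dll.exe -> MSVideoDSP.exe. The Python below is an added example, not part of the sandbox report or its tooling: it encodes those IoCs as three rules and runs them over constructed Sysmon-style events. The event records, the KNOWN_SYSTEM_SUBDIRS allowlist, the benign noise entries and the explorer.exe/setup.exe parents are assumptions made for the example; the report's own Network section is empty, so the C2 connection event is illustrative rather than observed.

```python
"""Added example: turn the sandbox report's IoCs into detection rules and run
them over constructed Sysmon-style events. Not part of the original report."""
import hashlib
from typing import Dict, Iterable, List, Optional

# --- IoCs copied from the report --------------------------------------------
EMOTET_C2 = {  # extracted Emotet config, (ip, port)
    ("80.158.59.174", 8080), ("80.158.43.136", 80), ("80.158.3.161", 443),
    ("80.158.51.209", 8080), ("80.158.35.51", 80), ("80.158.63.78", 443),
    ("80.158.53.167", 80), ("80.158.62.194", 443),
}
SAMPLE_IMAGE = r"C:\Users\Admin\AppData\Local\Temp\sjbodmaxe.dll.exe"
DROPPED_PATH = r"C:\Windows\SysWOW64\Windows.Payments\MSVideoDSP.exe"
DROPPED_SHA256 = "90e4f02ab9157f389d785c3dcddfa432085b237f2a4c3befb4a093d0f2711b5b"

# --- assumptions made for this example --------------------------------------
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")
# Subfolders of System32/SysWOW64 that legitimately hold executables. An
# illustrative allowlist only; extend it for your own estate.
KNOWN_SYSTEM_SUBDIRS = {"wbem", "windowspowershell"}

Event = Dict[str, object]


def _under(path: str, prefixes) -> bool:
    p = path.lower()
    return any(p.startswith(pre) for pre in prefixes)


def _in_nonstandard_system_subdir(path: str) -> bool:
    # True for SysWOW64\Windows.Payments\MSVideoDSP.exe; False for
    # System32\cmd.exe (no subfolder) and System32\wbem\WMIC.exe (allowlisted).
    p = path.lower()
    for pre in SYSTEM_DIRS:
        if p.startswith(pre):
            parts = p[len(pre):].split("\\")
            return len(parts) > 1 and parts[0] not in KNOWN_SYSTEM_SUBDIRS
    return False


def rule_c2_connect(ev: Event) -> Optional[str]:
    """Outbound connection to an endpoint from the extracted Emotet config."""
    if ev.get("event") == "NetworkConnect" and (ev.get("dst_ip"), ev.get("dst_port")) in EMOTET_C2:
        return f"emotet_c2: {ev['image']} -> {ev['dst_ip']}:{ev['dst_port']}"
    return None


def rule_drop_into_system_dir(ev: Event) -> Optional[str]:
    """A process running from a user-writable path writes an .exe into a
    non-standard subfolder of System32/SysWOW64 (the report's 'Drops file in
    System32 directory' behaviour)."""
    target = str(ev.get("target", ""))
    if (ev.get("event") == "FileCreate" and _under(str(ev.get("image", "")), USER_WRITABLE)
            and target.lower().endswith(".exe") and _in_nonstandard_system_subdir(target)):
        return f"drop_in_system_dir: {ev['image']} wrote {target}"
    return None


def rule_suspicious_lineage(ev: Event) -> Optional[str]:
    """A parent from a user-writable path spawns a child living in a non-standard
    System32/SysWOW64 subfolder (sjbodmaxe.dll.exe -> MSVideoDSP.exe)."""
    if (ev.get("event") == "ProcessCreate" and _under(str(ev.get("parent_image", "")), USER_WRITABLE)
            and _in_nonstandard_system_subdir(str(ev.get("image", "")))):
        return (f"suspicious_lineage: {ev['parent_image']} (pid {ev['parent_pid']}) "
                f"-> {ev['image']} (pid {ev['pid']})")
    return None


RULES = (rule_c2_connect, rule_drop_into_system_dir, rule_suspicious_lineage)


def scan(events: Iterable[Event]) -> List[str]:
    """Apply every rule to every event; return the alert strings in event order."""
    alerts: List[str] = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_dropped_sample(data: bytes) -> bool:
    """Compare a file's bytes against the SHA-256 of the dropped MSVideoDSP.exe."""
    return sha256_hex(data) == DROPPED_SHA256


# Constructed events modelled on the report's process tree, plus benign noise.
EVENTS: List[Event] = [
    {"event": "ProcessCreate", "pid": 1456, "image": SAMPLE_IMAGE,
     "parent_pid": 2048, "parent_image": r"C:\Windows\explorer.exe"},
    {"event": "FileCreate", "pid": 1456, "image": SAMPLE_IMAGE, "target": DROPPED_PATH},
    {"event": "ProcessCreate", "pid": 3836, "image": DROPPED_PATH,
     "parent_pid": 1456, "parent_image": SAMPLE_IMAGE},
    {"event": "NetworkConnect", "pid": 3836, "image": DROPPED_PATH,
     "dst_ip": "80.158.59.174", "dst_port": 8080},  # illustrative, not in the report's capture
    {"event": "ProcessCreate", "pid": 5000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_pid": 4999, "parent_image": r"C:\Users\Admin\Desktop\setup.exe"},
    {"event": "NetworkConnect", "pid": 5000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dst_ip": "203.0.113.10", "dst_port": 443},
]

if __name__ == "__main__":
    for alert in scan(EVENTS):
        print(alert)
```

Running the block prints three alerts, one each for the file drop, the process lineage and the C2 connection, and nothing for the PowerShell and HTTPS noise. The lineage and drop rules key on the random-named subfolder under SysWOW64 rather than on the literal name Windows.Payments, since the folder and file names change per infection while the hashes in the Downloads section only identify this build.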