Overview

overview

10

Static

static

dvbpurge.exe

windows7_x64

10

dvbpurge.exe

windows10_x64

10

Analysis

  • max time kernel
    29s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    20-04-2021 18:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dvbpurge.exe

  • Size

    357KB

  • MD5

    2408f6020b4b93a433b3440f9966a906

  • SHA1

    9ab9bd4e926bb3c20c6862d4f91c55c1541fcf90

  • SHA256

    016ebc2084ea3bac72069e97b250bf2ea5cc74afda9179eb289b84f031d4f707

  • SHA512

    c6f46ab8611bc2d2bf5d3e1aad3cd94ed50d7e1371ba8a0fd6e7a051e689efc505a8ced2b147989599fc29bb9568d7372e1360265ff57260ae5420f6b5e8bda3

Score
10/10
emotetleabankertrojan

Malware Config

Extracted

Family

emotet

Botnet

LEA

C2

80.158.53.167:80

80.158.62.194:443

80.158.59.174:8080

80.158.43.136:80

80.158.3.161:443

80.158.51.209:8080

80.158.35.51:80

80.158.63.78:443
rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 21 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dvbpurge.exe
    "C:\Users\Admin\AppData\Local\Temp\dvbpurge.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:484
    • C:\Users\Admin\AppData\Local\Temp\dvbpurge.exe
      --7a7b875f
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: RenamesItself
      PID:1824
  • C:\Windows\SysWOW64\timeoutmexico.exe
    "C:\Windows\SysWOW64\timeoutmexico.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:524
    • C:\Windows\SysWOW64\timeoutmexico.exe
      --b84f37ec
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      PID:560

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/484-59-0x0000000000270000-0x0000000000286000-memory.dmp
    Filesize

    88KB

    Download
  • memory/484-68-0x0000000000260000-0x0000000000270000-memory.dmp
    Filesize

    64KB

    Download
  • memory/524-71-0x00000000001C0000-0x00000000001D6000-memory.dmp
    Filesize

    88KB

    Download
  • memory/560-75-0x0000000000000000-mapping.dmp
    Download
  • memory/560-76-0x00000000003C0000-0x00000000003D6000-memory.dmp
    Filesize

    88KB

    Download
  • memory/1824-63-0x0000000000000000-mapping.dmp
    Download
  • memory/1824-64-0x00000000005F0000-0x0000000000606000-memory.dmp
    Filesize

    88KB

    Download
  • memory/1824-70-0x0000000075AD1000-0x0000000075AD3000-memory.dmp
    Filesize

    8KB

    Download