Overview

overview

10

Static

static

dvbpurge.exe

windows7_x64

10

dvbpurge.exe

windows10_x64

10

Analysis

  • max time kernel
    119s
  • max time network
    137s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    20-04-2021 18:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dvbpurge.exe

  • Size

    357KB

  • MD5

    2408f6020b4b93a433b3440f9966a906

  • SHA1

    9ab9bd4e926bb3c20c6862d4f91c55c1541fcf90

  • SHA256

    016ebc2084ea3bac72069e97b250bf2ea5cc74afda9179eb289b84f031d4f707

  • SHA512

    c6f46ab8611bc2d2bf5d3e1aad3cd94ed50d7e1371ba8a0fd6e7a051e689efc505a8ced2b147989599fc29bb9568d7372e1360265ff57260ae5420f6b5e8bda3

Score
10/10
emotetleabankertrojan

Malware Config

Extracted

Family

emotet

Botnet

LEA

C2

80.158.53.167:80

80.158.62.194:443

80.158.59.174:8080

80.158.43.136:80

80.158.3.161:443

80.158.51.209:8080

80.158.35.51:80

80.158.63.78:443
rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Drops file in System32 directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dvbpurge.exe
    "C:\Users\Admin\AppData\Local\Temp\dvbpurge.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2116
    • C:\Users\Admin\AppData\Local\Temp\dvbpurge.exe
      --7a7b875f
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: RenamesItself
      PID:2168
  • C:\Windows\SysWOW64\shlpduck.exe
    "C:\Windows\SysWOW64\shlpduck.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2728
    • C:\Windows\SysWOW64\shlpduck.exe
      --aec40da4
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      PID:3548

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2116-114-0x00000000008F0000-0x0000000000906000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2116-116-0x00000000001D0000-0x00000000001E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2168-120-0x00000000005B0000-0x00000000005C6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2728-126-0x0000000000510000-0x0000000000526000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2728-134-0x00000000004B0000-0x000000000055E000-memory.dmp

    Filesize

    696KB

    Download

  • memory/3548-130-0x0000000000900000-0x0000000000916000-memory.dmp

    Filesize

    88KB

    Download