Analysis

  • max time kernel: 144s
  • max time network: 150s
  • platform: windows7_x64
  • resource: win7v20210410
  • submitted: 09-05-2021 21:24

General

  • Target: be3be1dba4703a8d3d54a2db7d79a20ebe2b8956bd660a035fdeee87b1156ae3.exe
  • Size: 368KB
  • MD5: a1db88dad2e41285cfc785919b6ac861
  • SHA1: f72154d5a87dcf9e9fbb6481ed60bc853b3e47eb
  • SHA256: be3be1dba4703a8d3d54a2db7d79a20ebe2b8956bd660a035fdeee87b1156ae3
  • SHA512: 13f87a57d7cd6205e52b5ed4472b217b1d92d3588aada9aa7183134929a85ec76f688eb079687e1c8a68f1aeccc88f7695fa6d2a05a6a341bd349605e18015eb

Malware Config

Extracted

  • Family: emotet
  • Botnet: Epoch2
  • C2 (ip:port):
    149.135.10.19:80
    91.231.166.124:8080
    104.236.28.47:8080
    46.105.131.87:80
    100.6.23.40:80
    200.41.121.90:80
    66.34.201.20:7080
    78.186.5.109:443
    107.184.91.187:80
    182.71.222.187:80
    41.169.20.147:80
    200.7.243.109:443
    84.9.167.76:80
    189.168.169.129:80
    80.102.134.174:8080
    60.250.78.22:443
    24.196.13.216:80
    75.133.26.185:80
    37.139.21.175:8080
    37.187.72.193:8080
  • rsa_pubkey.plain
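Turning the extracted C2 list into detection, as an added example that is not part of the sandbox report: the Python below parses the ip:port list above (copied verbatim from the config), checks a few constructed firewall log lines against it, and emits one Suricata rule per endpoint. The log lines, the $HOME_NET variable and the sid range starting at 9000001 are assumptions for illustration.

```python
"""Detection from the C2 list extracted in this report.

Added example, not part of the sandbox report. C2_RAW is copied from the
report's Malware Config section; SAMPLE_LOGS are constructed, and the
Suricata rule template ($HOME_NET, sid range) is an assumption.
"""
import ipaddress
import re
from typing import List, NamedTuple

C2_RAW = """
149.135.10.19:80
91.231.166.124:8080
104.236.28.47:8080
46.105.131.87:80
100.6.23.40:80
200.41.121.90:80
66.34.201.20:7080
78.186.5.109:443
107.184.91.187:80
182.71.222.187:80
41.169.20.147:80
200.7.243.109:443
84.9.167.76:80
189.168.169.129:80
80.102.134.174:8080
60.250.78.22:443
24.196.13.216:80
75.133.26.185:80
37.139.21.175:8080
37.187.72.193:8080
"""


class Endpoint(NamedTuple):
    ip: str
    port: int


def parse_c2(raw: str) -> List[Endpoint]:
    """Parse ip:port lines. Each IP is validated so a transcription error in
    the report fails loudly instead of becoming a rule that never fires."""
    endpoints = []
    for token in raw.split():
        ip, _, port = token.rpartition(":")
        ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
        endpoints.append(Endpoint(ip, int(port)))
    return endpoints


# Constructed firewall log lines (not from the report): one internal host
# talking to two listed C2 endpoints, one unrelated HTTPS server, and a
# listed C2 IP on a port the config does not use.
SAMPLE_LOGS = [
    "2021-05-09T21:25:01Z ALLOW TCP 10.0.0.23:49188 -> 91.231.166.124:8080",
    "2021-05-09T21:25:02Z ALLOW TCP 10.0.0.23:49189 -> 93.184.216.34:443",
    "2021-05-09T21:25:05Z ALLOW TCP 10.0.0.23:49190 -> 78.186.5.109:443",
    "2021-05-09T21:25:06Z ALLOW TCP 10.0.0.23:49191 -> 78.186.5.109:80",
]

DEST_RE = re.compile(r"-> (\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")


def match_logs(lines: List[str], c2: List[Endpoint], ip_only: bool = False) -> List[str]:
    """Return log lines whose destination hits the C2 list.

    Default: exact (ip, port) match, high confidence. ip_only=True widens to
    the address alone for hunting; expect more noise on ports 80/443."""
    wanted_pairs = set(c2)
    wanted_ips = {ep.ip for ep in c2}
    hits = []
    for line in lines:
        m = DEST_RE.search(line)
        if not m:
            continue
        ep = Endpoint(m.group(1), int(m.group(2)))
        if (ip_only and ep.ip in wanted_ips) or (not ip_only and ep in wanted_pairs):
            hits.append(line)
    return hits


def suricata_rules(c2: List[Endpoint], base_sid: int = 9000001) -> List[str]:
    """One alert rule per endpoint, outbound from $HOME_NET to the C2 ip:port."""
    return [
        f'alert tcp $HOME_NET any -> {ep.ip} {ep.port} '
        f'(msg:"Emotet Epoch2 C2 {ep.ip}:{ep.port}"; flow:to_server; '
        f'classtype:trojan-activity; sid:{base_sid + i}; rev:1;)'
        for i, ep in enumerate(c2)
    ]


if __name__ == "__main__":
    c2 = parse_c2(C2_RAW)
    for hit in match_logs(SAMPLE_LOGS, c2):
        print("C2 HIT:", hit)
    print("\n".join(suricata_rules(c2)))
```

Matching on the (ip, port) pair keeps the alert high-confidence; the ip_only mode is for retrospective hunting, where the extra matches on ports 80 and 443 need analyst triage because shared hosts also serve those ports.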

Signatures

  • Emotet

    Emotet is a modular loader and banking trojan, spread mainly through spam e-mail carrying malicious attachments or links; once installed it steals mail and credentials and fetches follow-on payloads. Epoch2 is one of the botnet's partitions (epochs), each running its own C2 list and RSA key, which is why the extracted config carries both.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic text for this signature is "likely ransomware behaviour"; for this sample the extracted config identifies Emotet, which itself does not encrypt files (though it has delivered ransomware as a follow-on payload), so read the hit as drive enumeration for reconnaissance rather than as encryption activity.

  • Suspicious behavior: EnumeratesProcesses (7 IoCs)
  • Suspicious behavior: RenamesItself (1 IoC)
  • Suspicious use of SetWindowsHookEx (4 IoCs)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\be3be1dba4703a8d3d54a2db7d79a20ebe2b8956bd660a035fdeee87b1156ae3.exe (PID 1208)
    Command line: "C:\Users\Admin\AppData\Local\Temp\be3be1dba4703a8d3d54a2db7d79a20ebe2b8956bd660a035fdeee87b1156ae3.exe"
    Flags: RenamesItself, SetWindowsHookEx, WriteProcessMemory
    • C:\Windows\SysWOW64\mtstocom\mtstocom.exe (PID 1596, child of 1208)
      Command line: "C:\Windows\SysWOW64\mtstocom\mtstocom.exe"
      Flags: EnumeratesProcesses, SetWindowsHookEx

  The tree is consistent with Emotet's installation routine: the submitted sample, run from the user's Temp directory, re-creates itself as mtstocom.exe in a subdirectory of the same name (the RenamesItself flag) and launches that copy, which is the process that goes on to enumerate others. The copy lands in SysWOW64 because the sample is a 32-bit binary on this x64 VM, and writing there needs the administrative rights the sandbox's Admin account has.
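The parent/child relationship above is the detection-worthy part of the report: a binary in a user-writable Temp directory spawning a same-named binary from its own new subdirectory under SysWOW64. As an added example that is not from the report or the sample, the Python below applies that heuristic to constructed process-creation records with Sysmon-style pid/ppid/image fields. Only the two image paths and PIDs 1208 and 1596 come from the report; the other events, the ppid values and the USER_WRITABLE and SYSTEM_DIRS lists are assumptions.

```python
"""Process-tree heuristic for this report's Emotet installation pattern.

Added example, not from the sandbox report or the sample. The two image
paths and PIDs 1208/1596 come from the report's Processes section; the other
events, the ppid values and the path lists are constructed assumptions.
Records mirror Sysmon event 1 fields (ProcessId, ParentProcessId, Image).
"""
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple

EVENTS: List[Dict] = [
    {"pid": 1208, "ppid": 900,
     "image": r"C:\Users\Admin\AppData\Local\Temp\be3be1dba4703a8d3d54a2db7d79a20ebe2b8956bd660a035fdeee87b1156ae3.exe"},
    {"pid": 1596, "ppid": 1208,
     "image": r"C:\Windows\SysWOW64\mtstocom\mtstocom.exe"},
    # Constructed benign noise: system binaries directly in their system dir.
    {"pid": 2004, "ppid": 900,
     "image": r"C:\Windows\SysWOW64\notepad.exe"},
    {"pid": 2100, "ppid": 2004,
     "image": r"C:\Windows\System32\svchost.exe"},
]

# Assumed lists; extend for your environment.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")
SYSTEM_DIRS = ("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")


def is_self_named_system_subdir(image: str) -> bool:
    """True for C:\\Windows\\{System32,SysWOW64}\\<name>\\<name>.exe: the binary
    lives in its own subdirectory whose name equals its stem.

    Most legitimate system binaries sit directly in System32/SysWOW64, but a
    few do match this shape (e.g. Sysprep\\sysprep.exe), which is why
    find_suspicious_spawns also requires the parent-location condition."""
    p = PureWindowsPath(image)
    if not str(p).lower().startswith(SYSTEM_DIRS):
        return False
    # parts: ('C:\\', 'Windows', 'SysWOW64', '<dir>', '<file>')
    return len(p.parts) == 5 and p.parts[3].lower() == p.stem.lower()


def from_user_writable(image: str) -> bool:
    """True when the image path is under a user-writable staging directory."""
    return any(seg in image.lower() for seg in USER_WRITABLE)


def find_suspicious_spawns(events: List[Dict]) -> List[Tuple[int, int, str]]:
    """(parent_pid, child_pid, child_image) for every child that matches the
    self-named system-subdir pattern and whose parent ran from a user-writable
    location, i.e. the relationship the report shows (1208 -> 1596)."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        if from_user_writable(parent["image"]) and is_self_named_system_subdir(e["image"]):
            hits.append((parent["pid"], e["pid"], e["image"]))
    return hits


if __name__ == "__main__":
    for ppid, pid, image in find_suspicious_spawns(EVENTS):
        print(f"suspicious spawn: {ppid} -> {pid} {image}")
```

Requiring both conditions keeps the rule quiet on a normal host: a self-named subdirectory under System32 alone has legitimate instances, and a Temp-resident parent alone covers every installer a user runs; it is the combination, a user-staged binary producing a same-named system-directory copy and running it, that is specific to this tree.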

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery: System Information Discovery (T1082), 1 matching signature

Downloads

Memory dumps, named <pid>-<sequence>-<start>-<end>-memory.dmp (the size in parentheses is the address range):

  • memory/1208-59-0x0000000075561000-0x0000000075563000-memory.dmp (8KB)
  • memory/1208-60-0x0000000000380000-0x000000000038C000-memory.dmp (48KB)
  • memory/1208-62-0x0000000000370000-0x000000000037E000-memory.dmp (56KB)
  • memory/1596-63-0x0000000000000000-mapping.dmp
  • memory/1596-65-0x0000000000390000-0x000000000039C000-memory.dmp (48KB)