Resubmissions

16-09-2021 11:50

210916-nzpyxsdcc5 10

16-09-2021 11:45

210916-nw243sdcb9 10

Analysis

  • max time kernel
    1800s
  • max time network
    1801s
  • platform
    windows7_x64
  • resource
    win7-en
  • submitted
    16-09-2021 11:50

General

  • Target

    d08df2a4dd3c1f2b8f99a541acf61f088f5659caf27da9472205ac2ea2d47790.exe

  • Size

    474KB

  • MD5

    591d2b97f834d2c95667850564e8fbe2

  • SHA1

    cf28700496e977e7a4e01c02f20b954a01d89878

  • SHA256

    d08df2a4dd3c1f2b8f99a541acf61f088f5659caf27da9472205ac2ea2d47790

  • SHA512

    1a112bde7e667a85706d67c89663d2ec4e2dfe9bfc2a861f42d0761e633d45c93041363cffa49ed45de249e9c19373c497f8d2900288c80d36a74d14eb80e89c

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

C2

  • 124.240.198.66:80
  • 186.75.241.230:80
  • 181.143.194.138:443
  • 45.79.188.67:8080
  • 77.237.248.136:8080
  • 185.142.236.163:443
  • 63.142.253.122:8080
  • 178.254.6.27:7080
  • 190.211.207.11:443
  • 78.188.105.159:21
  • 182.176.106.43:995
  • 178.79.161.166:443
  • 206.189.98.125:8080
  • 87.230.19.21:8080
  • 80.11.163.139:443
  • 101.187.237.217:20
  • 190.18.146.70:80
  • 86.98.25.30:53
  • 92.222.125.16:7080
  • 186.4.172.5:443

rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 46 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d08df2a4dd3c1f2b8f99a541acf61f088f5659caf27da9472205ac2ea2d47790.exe
    "C:\Users\Admin\AppData\Local\Temp\d08df2a4dd3c1f2b8f99a541acf61f088f5659caf27da9472205ac2ea2d47790.exe"
    1⤵
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:2024
    • C:\Users\Admin\AppData\Local\Temp\d08df2a4dd3c1f2b8f99a541acf61f088f5659caf27da9472205ac2ea2d47790.exe
      --35f827d5
      2⤵
      • Suspicious behavior: RenamesItself
      • Suspicious use of UnmapMainImage
      PID:1504
  • C:\Windows\SysWOW64\violetcounter.exe
    "C:\Windows\SysWOW64\violetcounter.exe"
    1⤵
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1016
    • C:\Windows\SysWOW64\violetcounter.exe
      --a0cab773
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of UnmapMainImage
      PID:1692

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery
    System Information Discovery (T1082) 1

Downloads

  • memory/1504-55-0x0000000000000000-mapping.dmp
  • memory/1692-59-0x0000000000000000-mapping.dmp
  • memory/2024-53-0x00000000764D1000-0x00000000764D3000-memory.dmp
    Filesize

    8KB

  • memory/2024-54-0x0000000000270000-0x0000000000285000-memory.dmp
    Filesize

    84KB

  • memory/2024-57-0x0000000000400000-0x0000000000478000-memory.dmp
    Filesize

    480KB