Analysis

  • max time kernel
    85s
  • max time network
    88s
  • platform
    windows10_x64
  • resource
    win10-en
  • submitted
    16-09-2021 17:30

General

  • Target

    381fe5b3c4d640baf1495ad7f3e111af78c88df250895d87979834f952953580.exe

  • Size

    474KB

  • MD5

    604a044f20590d8486489d2b736e47fa

  • SHA1

    8152a4a20292751f381b4a6d0bbce1c2f04739af

  • SHA256

    381fe5b3c4d640baf1495ad7f3e111af78c88df250895d87979834f952953580

  • SHA512

    89ba0d68c69ceef5956e692c2b6a8c07ff62ff0f1931b339d60252481864960c0109cd19731fca10acd659c3f7f52f7b94d8b060d4cf6483c653967dc1eedf39

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

C2

rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Drops file in System32 directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\381fe5b3c4d640baf1495ad7f3e111af78c88df250895d87979834f952953580.exe
    "C:\Users\Admin\AppData\Local\Temp\381fe5b3c4d640baf1495ad7f3e111af78c88df250895d87979834f952953580.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3156
    • C:\Users\Admin\AppData\Local\Temp\381fe5b3c4d640baf1495ad7f3e111af78c88df250895d87979834f952953580.exe
      --f8e7cfe6
      2⤵
      • Suspicious behavior: RenamesItself
      PID:752
  • C:\Windows\SysWOW64\windowshell.exe
    "C:\Windows\SysWOW64\windowshell.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:316
    • C:\Windows\SysWOW64\windowshell.exe
      --b2d594b6
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      PID:3972

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Discovery
    System Information Discovery (T1082): 1

Downloads

  • memory/752-116-0x0000000000000000-mapping.dmp
  • memory/3156-115-0x0000000002320000-0x0000000002335000-memory.dmp
    Filesize

    84KB

  • memory/3156-117-0x0000000000400000-0x0000000000478000-memory.dmp
    Filesize

    480KB

  • memory/3972-118-0x0000000000000000-mapping.dmp