bad71.bin

max time kernel142s
max time network145s
platformwindows7_x64
resourcewin7-en-20211014
submitted19-11-2021 19:49

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

bad71.bin.exe

Filesize

752KB

Completed

19-11-2021 19:51

Score

10^/10

MD5

b356ddc2348a102711ccd47a65b6cbcf

SHA1

9d72d0985e61dc81758e0afcb58375e6182e7d66

SHA256

5a89c0b4d52a8feb9b4bf7ebd49eb7a84b54b9cd94ced300b16202177926287f

Extracted

Family	emotet
Botnet	Epoch2
C2	217.160.19.232:8080 192.241.220.155:8080 167.99.105.223:7080 176.31.200.130:8080 91.205.215.66:8080 181.143.194.138:443 167.71.10.37:8080 133.167.80.63:7080 183.102.238.69:465 190.145.67.134:8090 169.239.182.217:8080 78.24.219.147:8080 92.222.216.44:8080 47.41.213.2:22 124.240.198.66:80 189.209.217.49:80 80.11.163.139:21 190.53.135.159:21 217.160.182.191:8080 87.230.19.21:8080 136.243.177.26:8080 178.79.161.166:443 144.139.247.220:80 103.39.131.88:80 192.81.213.192:8080 152.89.236.214:8080 62.75.187.192:8080 46.105.131.87:80 190.226.44.20:21 173.212.203.26:8080 181.31.213.158:8080 190.228.72.244:53 104.131.44.150:8080 95.128.43.213:8080 104.131.11.150:8080 186.4.172.5:20 94.205.247.10:80 200.71.148.138:8080 5.196.74.210:8080 37.157.194.134:443 200.51.94.251:80 171.101.153.86:990 45.33.49.124:443 181.143.53.227:21 86.22.221.170:80 87.106.139.101:8080 83.136.245.190:8080 94.177.216.217:8080 31.12.67.62:7080 138.201.140.110:8080 37.187.2.199:443 178.210.51.222:8080 186.4.172.5:443 190.211.207.11:443 186.75.241.230:80 87.106.136.232:8080 209.141.41.136:8080 173.249.47.77:8080 186.4.172.5:8080 159.65.25.128:8080 85.104.59.244:20 149.202.153.252:8080 31.172.240.91:8080 206.189.98.125:8080 212.71.234.16:8080 182.176.132.213:8090 104.236.246.93:8080 212.129.24.79:8080 211.63.71.72:8080 115.78.95.230:443 59.103.164.174:80 217.160.19.232:8080 192.241.220.155:8080 167.99.105.223:7080 176.31.200.130:8080 91.205.215.66:8080 181.143.194.138:443 167.71.10.37:8080 133.167.80.63:7080 183.102.238.69:465 190.145.67.134:8090 169.239.182.217:8080 78.24.219.147:8080 92.222.216.44:8080 47.41.213.2:22 124.240.198.66:80 189.209.217.49:80 80.11.163.139:21 190.53.135.159:21 217.160.182.191:8080 87.230.19.21:8080 136.243.177.26:8080 178.79.161.166:443 144.139.247.220:80 103.39.131.88:80 192.81.213.192:8080 152.89.236.214:8080 62.75.187.192:8080 46.105.131.87:80 190.226.44.20:21 173.212.203.26:8080 181.31.213.158:8080 190.228.72.244:53 104.131.44.150:8080 95.128.43.213:8080 104.131.11.150:8080 186.4.172.5:20 94.205.247.10:80 200.71.148.138:8080 5.196.74.210:8080 37.157.194.134:443 200.51.94.251:80 171.101.153.86:990 45.33.49.124:443 181.143.53.227:21 86.22.221.170:80 87.106.139.101:8080 83.136.245.190:8080 94.177.216.217:8080 31.12.67.62:7080 138.201.140.110:8080 37.187.2.199:443 178.210.51.222:8080 186.4.172.5:443 190.211.207.11:443 186.75.241.230:80 87.106.136.232:8080 209.141.41.136:8080 173.249.47.77:8080 186.4.172.5:8080 159.65.25.128:8080 85.104.59.244:20 149.202.153.252:8080 31.172.240.91:8080 206.189.98.125:8080 212.71.234.16:8080 182.176.132.213:8090 104.236.246.93:8080 212.129.24.79:8080 211.63.71.72:8080 115.78.95.230:443 59.103.164.174:80
rsa_pubkey.plain

Discovery

Emotet

Description

Emotet is a trojan that is primarily spread through spam emails.

Tags

trojan banker emotet

Drops file in System32 directory

teapotcaching.exe

Reported IOCs

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	teapotcaching.exe

Enumerates physical storage devices

Description

Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

TTPs

System Information Discovery

Modifies data under HKEY_USERS

teapotcaching.exe

Reported IOCs

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	teapotcaching.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0271AF7A-4677-4C25-BD6A-784087224B50}\WpadDecisionReason = "1"	teapotcaching.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0271AF7A-4677-4C25-BD6A-784087224B50}\WpadDecisionTime = a090358086ddd701	teapotcaching.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-99-3c-5b-5b-f8	teapotcaching.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	teapotcaching.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	teapotcaching.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	teapotcaching.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	teapotcaching.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0271AF7A-4677-4C25-BD6A-784087224B50}\e2-99-3c-5b-5b-f8	teapotcaching.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-99-3c-5b-5b-f8\WpadDecisionTime = a090358086ddd701	teapotcaching.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-99-3c-5b-5b-f8\WpadDetectedUrl	teapotcaching.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0271AF7A-4677-4C25-BD6A-784087224B50}\WpadDecisionTime = 20fdefba86ddd701	teapotcaching.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	teapotcaching.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	teapotcaching.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0271AF7A-4677-4C25-BD6A-784087224B50}	teapotcaching.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0271AF7A-4677-4C25-BD6A-784087224B50}\WpadDecision = "0"	teapotcaching.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-99-3c-5b-5b-f8\WpadDecisionReason = "1"	teapotcaching.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-99-3c-5b-5b-f8\WpadDecision = "0"	teapotcaching.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0043000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	teapotcaching.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-99-3c-5b-5b-f8\WpadDecisionTime = 20fdefba86ddd701	teapotcaching.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	teapotcaching.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0043000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	teapotcaching.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0271AF7A-4677-4C25-BD6A-784087224B50}\WpadNetworkName = "Network 3"	teapotcaching.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	teapotcaching.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	teapotcaching.exe

Suspicious behavior: EnumeratesProcesses
teapotcaching.exe

Reported IOCs

pid process

1920 teapotcaching.exe
1920 teapotcaching.exe
1920 teapotcaching.exe
1920 teapotcaching.exe
1920 teapotcaching.exe
Suspicious behavior: RenamesItself
bad71.bin.exe

Reported IOCs

pid process

1292 bad71.bin.exe

pid	process
1920	teapotcaching.exe
1920	teapotcaching.exe
1920	teapotcaching.exe
1920	teapotcaching.exe
1920	teapotcaching.exe

pid	process
1292	bad71.bin.exe

Suspicious use of SetWindowsHookEx

bad71.bin.exebad71.bin.exeteapotcaching.exeteapotcaching.exe

Reported IOCs

pid	process
524	bad71.bin.exe
524	bad71.bin.exe
1292	bad71.bin.exe
1292	bad71.bin.exe
1984	teapotcaching.exe
1984	teapotcaching.exe
1920	teapotcaching.exe
1920	teapotcaching.exe

Suspicious use of WriteProcessMemory

bad71.bin.exeteapotcaching.exe

Reported IOCs

description	pid	process	target process
PID 524 wrote to memory of 1292	524	bad71.bin.exe	bad71.bin.exe
PID 524 wrote to memory of 1292	524	bad71.bin.exe	bad71.bin.exe
PID 524 wrote to memory of 1292	524	bad71.bin.exe	bad71.bin.exe
PID 524 wrote to memory of 1292	524	bad71.bin.exe	bad71.bin.exe
PID 1984 wrote to memory of 1920	1984	teapotcaching.exe	teapotcaching.exe
PID 1984 wrote to memory of 1920	1984	teapotcaching.exe	teapotcaching.exe
PID 1984 wrote to memory of 1920	1984	teapotcaching.exe	teapotcaching.exe
PID 1984 wrote to memory of 1920	1984	teapotcaching.exe	teapotcaching.exe

C:\Users\Admin\AppData\Local\Temp\bad71.bin.exe

"C:\Users\Admin\AppData\Local\Temp\bad71.bin.exe"

Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory

PID:524

C:\Users\Admin\AppData\Local\Temp\bad71.bin.exe

--97c5adc

Suspicious behavior: RenamesItself
Suspicious use of SetWindowsHookEx

PID:1292

C:\Windows\SysWOW64\teapotcaching.exe

"C:\Windows\SysWOW64\teapotcaching.exe"

Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory

PID:1984

C:\Windows\SysWOW64\teapotcaching.exe

--73c72110

Drops file in System32 directory
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx

PID:1920

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

System Information Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

00:00 00:00

memory/524-55-0x0000000075B71000-0x0000000075B73000-memory.dmp

Download
memory/524-56-0x00000000003E0000-0x00000000003F7000-memory.dmp

Download
memory/524-66-0x00000000003C0000-0x00000000003D1000-memory.dmp

Download
memory/1292-60-0x0000000000000000-mapping.dmp

Download
memory/1292-62-0x0000000000260000-0x0000000000277000-memory.dmp

Download
memory/1920-72-0x0000000000000000-mapping.dmp

Download
memory/1920-74-0x0000000000A90000-0x0000000000AA7000-memory.dmp

Download
memory/1984-68-0x0000000000540000-0x0000000000557000-memory.dmp

Download

bad71.bin

Extracted

Filter: none

Description

Tags

Reported IOCs

Description

TTPs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Title