Analysis

  • max time kernel
    148s
  • max time network
    148s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    19-11-2021 19:49

General

  • Target

    bad71.bin.exe

  • Size

    752KB

  • MD5

    b356ddc2348a102711ccd47a65b6cbcf

  • SHA1

    9d72d0985e61dc81758e0afcb58375e6182e7d66

  • SHA256

    5a89c0b4d52a8feb9b4bf7ebd49eb7a84b54b9cd94ced300b16202177926287f

  • SHA512

    3eb612bdd8f01c3b182a980fe79d47980d16fd9d934e13bd5f2db06163b60e63e8054add2dcffedb0cb8a8e2d66d67838ab7cbf58c6125d35ea3f32edec73fc2

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

C2

217.160.19.232:8080

192.241.220.155:8080

167.99.105.223:7080

176.31.200.130:8080

91.205.215.66:8080

181.143.194.138:443

167.71.10.37:8080

133.167.80.63:7080

183.102.238.69:465

190.145.67.134:8090

169.239.182.217:8080

78.24.219.147:8080

92.222.216.44:8080

47.41.213.2:22

124.240.198.66:80

189.209.217.49:80

80.11.163.139:21

190.53.135.159:21

217.160.182.191:8080

87.230.19.21:8080

rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Drops file in System32 directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bad71.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\bad71.bin.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2716
    • C:\Users\Admin\AppData\Local\Temp\bad71.bin.exe
      --97c5adc
      2⤵
      • Suspicious behavior: RenamesItself
      • Suspicious use of SetWindowsHookEx
      PID:3312
  • C:\Windows\SysWOW64\mmcfwk.exe
    "C:\Windows\SysWOW64\mmcfwk.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2900
    • C:\Windows\SysWOW64\mmcfwk.exe
      --93bb249
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3864

Network

MITRE ATT&CK Matrix ATT&CK v6

Discovery

System Information Discovery

1
T1082

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\82a49bd7c4665dd0096a98a028c03321_2c818d6f-6b05-478c-8ce1-9d49a3874096
    MD5

    78c781de007b076c097dc6ff6441157b

    SHA1

    2c87de22cebe6827bba9f37154a8812c3e56fe59

    SHA256

    5ed6c6c600f903e8f3a0ff075a4b8a455c399c4b75b77ac12079f04091fc9335

    SHA512

    e189729935eb664eb96893960e970acaadf20d40741404ab0f7bca0753051ea7b9795cc1a9974d7442c36f4bd336ab13c2360d2c43b061ecf793a46aa4dc12f5

  • memory/2716-115-0x0000000002220000-0x0000000002237000-memory.dmp
    Filesize

    92KB

  • memory/2716-119-0x0000000000570000-0x000000000061E000-memory.dmp
    Filesize

    696KB

  • memory/2900-126-0x0000000000E10000-0x0000000000E27000-memory.dmp
    Filesize

    92KB

  • memory/3312-120-0x0000000000000000-mapping.dmp
  • memory/3312-121-0x0000000002230000-0x0000000002247000-memory.dmp
    Filesize

    92KB

  • memory/3312-125-0x0000000002130000-0x0000000002141000-memory.dmp
    Filesize

    68KB

  • memory/3864-130-0x0000000000000000-mapping.dmp
  • memory/3864-132-0x0000000000610000-0x0000000000627000-memory.dmp
    Filesize

    92KB

  • memory/3864-136-0x00000000004C0000-0x000000000060A000-memory.dmp
    Filesize

    1.3MB