bad71.bin

max time kernel148s
max time network148s
platformwindows10_x64
resourcewin10-en-20211014
submitted19-11-2021 19:49

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

bad71.bin.exe

Filesize

752KB

Completed

19-11-2021 19:51

Score

10^/10

MD5

b356ddc2348a102711ccd47a65b6cbcf

SHA1

9d72d0985e61dc81758e0afcb58375e6182e7d66

SHA256

5a89c0b4d52a8feb9b4bf7ebd49eb7a84b54b9cd94ced300b16202177926287f

Extracted

Family	emotet
Botnet	Epoch2
C2	217.160.19.232:8080 192.241.220.155:8080 167.99.105.223:7080 176.31.200.130:8080 91.205.215.66:8080 181.143.194.138:443 167.71.10.37:8080 133.167.80.63:7080 183.102.238.69:465 190.145.67.134:8090 169.239.182.217:8080 78.24.219.147:8080 92.222.216.44:8080 47.41.213.2:22 124.240.198.66:80 189.209.217.49:80 80.11.163.139:21 190.53.135.159:21 217.160.182.191:8080 87.230.19.21:8080 136.243.177.26:8080 178.79.161.166:443 144.139.247.220:80 103.39.131.88:80 192.81.213.192:8080 152.89.236.214:8080 62.75.187.192:8080 46.105.131.87:80 190.226.44.20:21 173.212.203.26:8080 181.31.213.158:8080 190.228.72.244:53 104.131.44.150:8080 95.128.43.213:8080 104.131.11.150:8080 186.4.172.5:20 94.205.247.10:80 200.71.148.138:8080 5.196.74.210:8080 37.157.194.134:443 200.51.94.251:80 171.101.153.86:990 45.33.49.124:443 181.143.53.227:21 86.22.221.170:80 87.106.139.101:8080 83.136.245.190:8080 94.177.216.217:8080 31.12.67.62:7080 138.201.140.110:8080 37.187.2.199:443 178.210.51.222:8080 186.4.172.5:443 190.211.207.11:443 186.75.241.230:80 87.106.136.232:8080 209.141.41.136:8080 173.249.47.77:8080 186.4.172.5:8080 159.65.25.128:8080 85.104.59.244:20 149.202.153.252:8080 31.172.240.91:8080 206.189.98.125:8080 212.71.234.16:8080 182.176.132.213:8090 104.236.246.93:8080 212.129.24.79:8080 211.63.71.72:8080 115.78.95.230:443 59.103.164.174:80 217.160.19.232:8080 192.241.220.155:8080 167.99.105.223:7080 176.31.200.130:8080 91.205.215.66:8080 181.143.194.138:443 167.71.10.37:8080 133.167.80.63:7080 183.102.238.69:465 190.145.67.134:8090 169.239.182.217:8080 78.24.219.147:8080 92.222.216.44:8080 47.41.213.2:22 124.240.198.66:80 189.209.217.49:80 80.11.163.139:21 190.53.135.159:21 217.160.182.191:8080 87.230.19.21:8080 136.243.177.26:8080 178.79.161.166:443 144.139.247.220:80 103.39.131.88:80 192.81.213.192:8080 152.89.236.214:8080 62.75.187.192:8080 46.105.131.87:80 190.226.44.20:21 173.212.203.26:8080 181.31.213.158:8080 190.228.72.244:53 104.131.44.150:8080 95.128.43.213:8080 104.131.11.150:8080 186.4.172.5:20 94.205.247.10:80 200.71.148.138:8080 5.196.74.210:8080 37.157.194.134:443 200.51.94.251:80 171.101.153.86:990 45.33.49.124:443 181.143.53.227:21 86.22.221.170:80 87.106.139.101:8080 83.136.245.190:8080 94.177.216.217:8080 31.12.67.62:7080 138.201.140.110:8080 37.187.2.199:443 178.210.51.222:8080 186.4.172.5:443 190.211.207.11:443 186.75.241.230:80 87.106.136.232:8080 209.141.41.136:8080 173.249.47.77:8080 186.4.172.5:8080 159.65.25.128:8080 85.104.59.244:20 149.202.153.252:8080 31.172.240.91:8080 206.189.98.125:8080 212.71.234.16:8080 182.176.132.213:8090 104.236.246.93:8080 212.129.24.79:8080 211.63.71.72:8080 115.78.95.230:443 59.103.164.174:80
rsa_pubkey.plain

Discovery

Emotet

Description

Emotet is a trojan that is primarily spread through spam emails.

Tags

trojan banker emotet

Drops file in System32 directory

mmcfwk.exe

Reported IOCs

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	mmcfwk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	mmcfwk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	mmcfwk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	mmcfwk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	mmcfwk.exe

Enumerates physical storage devices

Description

Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

TTPs

System Information Discovery

Modifies data under HKEY_USERS

mmcfwk.exe

Reported IOCs

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mmcfwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mmcfwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mmcfwk.exe

Suspicious behavior: EnumeratesProcesses

mmcfwk.exe

Reported IOCs

pid	process
3864	mmcfwk.exe
3864	mmcfwk.exe
3864	mmcfwk.exe
3864	mmcfwk.exe
3864	mmcfwk.exe
3864	mmcfwk.exe
3864	mmcfwk.exe
3864	mmcfwk.exe
3864	mmcfwk.exe
3864	mmcfwk.exe
3864	mmcfwk.exe
3864	mmcfwk.exe
3864	mmcfwk.exe
3864	mmcfwk.exe

Suspicious behavior: RenamesItself
bad71.bin.exe

Reported IOCs

pid process

3312 bad71.bin.exe
Suspicious use of SetWindowsHookEx
bad71.bin.exebad71.bin.exemmcfwk.exemmcfwk.exe

Reported IOCs

pid process

2716 bad71.bin.exe
2716 bad71.bin.exe
3312 bad71.bin.exe
3312 bad71.bin.exe
2900 mmcfwk.exe
2900 mmcfwk.exe
3864 mmcfwk.exe
3864 mmcfwk.exe

pid	process
3312	bad71.bin.exe

pid	process
2716	bad71.bin.exe
2716	bad71.bin.exe
3312	bad71.bin.exe
3312	bad71.bin.exe
2900	mmcfwk.exe
2900	mmcfwk.exe
3864	mmcfwk.exe
3864	mmcfwk.exe

Suspicious use of WriteProcessMemory

bad71.bin.exemmcfwk.exe

Reported IOCs

description	pid	process	target process
PID 2716 wrote to memory of 3312	2716	bad71.bin.exe	bad71.bin.exe
PID 2716 wrote to memory of 3312	2716	bad71.bin.exe	bad71.bin.exe
PID 2716 wrote to memory of 3312	2716	bad71.bin.exe	bad71.bin.exe
PID 2900 wrote to memory of 3864	2900	mmcfwk.exe	mmcfwk.exe
PID 2900 wrote to memory of 3864	2900	mmcfwk.exe	mmcfwk.exe
PID 2900 wrote to memory of 3864	2900	mmcfwk.exe	mmcfwk.exe

C:\Users\Admin\AppData\Local\Temp\bad71.bin.exe

"C:\Users\Admin\AppData\Local\Temp\bad71.bin.exe"

Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory

PID:2716

C:\Users\Admin\AppData\Local\Temp\bad71.bin.exe

--97c5adc

Suspicious behavior: RenamesItself
Suspicious use of SetWindowsHookEx

PID:3312

C:\Windows\SysWOW64\mmcfwk.exe

"C:\Windows\SysWOW64\mmcfwk.exe"

Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory

PID:2900

C:\Windows\SysWOW64\mmcfwk.exe

--93bb249

Drops file in System32 directory
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx

PID:3864

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

System Information Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

00:00 00:00

C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\82a49bd7c4665dd0096a98a028c03321_2c818d6f-6b05-478c-8ce1-9d49a3874096
MD5
78c781de007b076c097dc6ff6441157b

SHA1
2c87de22cebe6827bba9f37154a8812c3e56fe59

SHA256
5ed6c6c600f903e8f3a0ff075a4b8a455c399c4b75b77ac12079f04091fc9335

SHA512
e189729935eb664eb96893960e970acaadf20d40741404ab0f7bca0753051ea7b9795cc1a9974d7442c36f4bd336ab13c2360d2c43b061ecf793a46aa4dc12f5

Download Submit
memory/2716-115-0x0000000002220000-0x0000000002237000-memory.dmp

Download
memory/2716-119-0x0000000000570000-0x000000000061E000-memory.dmp

Download
memory/2900-126-0x0000000000E10000-0x0000000000E27000-memory.dmp

Download
memory/3312-120-0x0000000000000000-mapping.dmp

Download
memory/3312-121-0x0000000002230000-0x0000000002247000-memory.dmp

Download
memory/3312-125-0x0000000002130000-0x0000000002141000-memory.dmp

Download
memory/3864-130-0x0000000000000000-mapping.dmp

Download
memory/3864-132-0x0000000000610000-0x0000000000627000-memory.dmp

Download
memory/3864-136-0x00000000004C0000-0x000000000060A000-memory.dmp

Download

bad71.bin

Extracted

Filter: none

Description

Tags

Reported IOCs

Description

TTPs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Title