bad71.bin

General

Target:    bad71.bin.exe
Filesize:  752KB
Completed: 19-11-2021 19:51
Score:     10/10
MD5:       b356ddc2348a102711ccd47a65b6cbcf
SHA1:      9d72d0985e61dc81758e0afcb58375e6182e7d66
SHA256:    5a89c0b4d52a8feb9b4bf7ebd49eb7a84b54b9cd94ced300b16202177926287f
Malware Config

Extracted

Family: emotet
Botnet: Epoch2
C2 (ip:port):
  217.160.19.232:8080
  192.241.220.155:8080
  167.99.105.223:7080
  176.31.200.130:8080
  91.205.215.66:8080
  181.143.194.138:443
  167.71.10.37:8080
  133.167.80.63:7080
  183.102.238.69:465
  190.145.67.134:8090
  169.239.182.217:8080
  78.24.219.147:8080
  92.222.216.44:8080
  47.41.213.2:22
  124.240.198.66:80
  189.209.217.49:80
  80.11.163.139:21
  190.53.135.159:21
  217.160.182.191:8080
  87.230.19.21:8080
  136.243.177.26:8080
  178.79.161.166:443
  144.139.247.220:80
  103.39.131.88:80
  192.81.213.192:8080
  152.89.236.214:8080
  62.75.187.192:8080
  46.105.131.87:80
  190.226.44.20:21
  173.212.203.26:8080
  181.31.213.158:8080
  190.228.72.244:53
  104.131.44.150:8080
  95.128.43.213:8080
  104.131.11.150:8080
  186.4.172.5:20
  94.205.247.10:80
  200.71.148.138:8080
  5.196.74.210:8080
  37.157.194.134:443
  200.51.94.251:80
  171.101.153.86:990
  45.33.49.124:443
  181.143.53.227:21
  86.22.221.170:80
  87.106.139.101:8080
  83.136.245.190:8080
  94.177.216.217:8080
  31.12.67.62:7080
  138.201.140.110:8080
rsa_pubkey.plain
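The ports in this list are not a signal on their own: next to 8080 and 7080 it contains 20, 21, 22, 53, 80, 443, 465 and 990, so a blocklist or IDS rule has to key on the full ip:port pair, and because Emotet rotates its C2 set the list is only useful for the period around the report date (19-11-2021). The following is an added example, not part of the sandbox report: it parses the list above into pairs, checks a few constructed Zeek conn.log lines against them, and emits one Suricata rule per pair. The conn.log column order is the real one but only the first seven columns are used; the sid range starting at 9000000 is an arbitrary choice for the example.

```python
import ipaddress

# C2 list copied from this report's extracted Emotet/Epoch2 config, whitespace-separated ip:port.
EMOTET_EPOCH2_C2 = """
217.160.19.232:8080 192.241.220.155:8080 167.99.105.223:7080 176.31.200.130:8080
91.205.215.66:8080 181.143.194.138:443 167.71.10.37:8080 133.167.80.63:7080
183.102.238.69:465 190.145.67.134:8090 169.239.182.217:8080 78.24.219.147:8080
92.222.216.44:8080 47.41.213.2:22 124.240.198.66:80 189.209.217.49:80
80.11.163.139:21 190.53.135.159:21 217.160.182.191:8080 87.230.19.21:8080
136.243.177.26:8080 178.79.161.166:443 144.139.247.220:80 103.39.131.88:80
192.81.213.192:8080 152.89.236.214:8080 62.75.187.192:8080 46.105.131.87:80
190.226.44.20:21 173.212.203.26:8080 181.31.213.158:8080 190.228.72.244:53
104.131.44.150:8080 95.128.43.213:8080 104.131.11.150:8080 186.4.172.5:20
94.205.247.10:80 200.71.148.138:8080 5.196.74.210:8080 37.157.194.134:443
200.51.94.251:80 171.101.153.86:990 45.33.49.124:443 181.143.53.227:21
86.22.221.170:80 87.106.139.101:8080 83.136.245.190:8080 94.177.216.217:8080
31.12.67.62:7080 138.201.140.110:8080
"""


def parse_c2_list(text):
    """Return a set of (ip, port) pairs. Malformed tokens (bad IP, bad port) are skipped
    rather than raising, so a hand-edited list cannot take the whole pipeline down."""
    pairs = set()
    for token in text.split():
        host, sep, port = token.rpartition(":")
        if not sep:
            continue
        try:
            ip = ipaddress.ip_address(host)   # validates and normalises the address
            port = int(port)
        except ValueError:
            continue
        if 0 < port < 65536:
            pairs.add((str(ip), port))
    return pairs


# Constructed Zeek conn.log excerpt (tab-separated). Real conn.log has more columns; only the
# first seven (ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto) are used here. The
# 8.8.8.8:53 line is a decoy on a port that appears in the C2 list, and 217.160.19.232:80 is a
# listed C2 address on the wrong port; neither must match.
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1637351460.1\tCabc1\t10.0.0.15\t49211\t181.143.194.138\t443\ttcp
1637351461.2\tCabc2\t10.0.0.15\t49212\t8.8.8.8\t53\tudp
1637351462.3\tCabc3\t10.0.0.15\t49213\t190.228.72.244\t53\ttcp
1637351463.4\tCabc4\t10.0.0.15\t49214\t217.160.19.232\t80\ttcp
1637351465.5\tCabc5\t10.0.0.22\t49215\t186.4.172.5\t20\ttcp
"""


def match_conn_log(log_text, c2_pairs):
    """Return one dict per connection whose (id.resp_h, id.resp_p) is a known C2 pair."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):      # Zeek header/comment lines
            continue
        fields = line.split("\t")
        if len(fields) < 7:
            continue
        ts, uid, src, _sport, dst, dport, proto = fields[:7]
        try:
            key = (dst, int(dport))
        except ValueError:
            continue
        if key in c2_pairs:                        # match on the pair, never on port alone
            hits.append({"ts": ts, "uid": uid, "src": src, "dst": dst,
                         "dport": key[1], "proto": proto})
    return hits


def suricata_rules(c2_pairs, base_sid=9000000):
    """One alert rule per pair, ordered by IP so sids are stable across runs (base_sid is an
    assumption for the example; pick a range that does not collide with your rule sets)."""
    ordered = sorted(c2_pairs, key=lambda p: (ipaddress.ip_address(p[0]), p[1]))
    return [
        f'alert tcp $HOME_NET any -> {ip} {port} (msg:"Emotet Epoch2 C2 {ip}:{port}"; '
        f'flow:to_server; classtype:trojan-activity; sid:{base_sid + i}; rev:1;)'
        for i, (ip, port) in enumerate(ordered)
    ]


if __name__ == "__main__":
    c2 = parse_c2_list(EMOTET_EPOCH2_C2)
    for hit in match_conn_log(SAMPLE_CONN_LOG, c2):
        print("C2 contact:", hit)
    print(len(suricata_rules(c2)), "rules generated")
```

Matching on the pair is what keeps the 8.8.8.8:53 and 217.160.19.232:80 decoys out of the hits; if you also want to catch a C2 host that has moved to a new port, generate a second, lower-severity rule set keyed on the IP only and review those hits manually.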
Signatures (8)

Filter: none

Discovery
  • Emotet

    Description

    Emotet is a trojan that is primarily spread through spam emails.

  • Drops file in System32 directory
    mmcfwk.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | mmcfwk.exe
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | mmcfwk.exe
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | mmcfwk.exe
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | mmcfwk.exe
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | mmcfwk.exe

    These are the WinINet cache directories of the LocalSystem profile (config\systemprofile), so mmcfwk.exe is running as SYSTEM at this point; the HKEY_USERS\.DEFAULT values in the next signature and the S-1-5-18 key container under Downloads show the same account from two other angles.

  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    The second sentence is the sandbox's generic text for this signature. For this sample, which the config extractor classifies as Emotet, the TTP below (System Information Discovery) is the better reading: nothing else in this report shows file encryption.

    TTPs

    System Information Discovery
  • Modifies data under HKEY_USERS
    mmcfwk.exe

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mmcfwk.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mmcfwk.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mmcfwk.exe

    The CachePrefix values are the defaults WinINet writes when it initialises a cache for a profile that has none; they indicate WinINet use under the SYSTEM account rather than a persistence change, so do not treat them as a persistence IOC.

  • Suspicious behavior: EnumeratesProcesses
    mmcfwk.exe

    Reported IOCs

    pid | process
    3864 | mmcfwk.exe (reported 14 times)
  • Suspicious behavior: RenamesItself
    bad71.bin.exe

    Reported IOCs

    pid | process
    3312 | bad71.bin.exe
  • Suspicious use of SetWindowsHookEx
    bad71.bin.exe, mmcfwk.exe

    Reported IOCs

    pid | process
    2716 | bad71.bin.exe (reported 2 times)
    3312 | bad71.bin.exe (reported 2 times)
    2900 | mmcfwk.exe (reported 2 times)
    3864 | mmcfwk.exe (reported 2 times)
  • Suspicious use of WriteProcessMemory
    bad71.bin.exe, mmcfwk.exe

    Reported IOCs

    description | pid | process | target process
    PID 2716 wrote to memory of 3312 | 2716 | bad71.bin.exe | bad71.bin.exe (reported 3 times)
    PID 2900 wrote to memory of 3864 | 2900 | mmcfwk.exe | mmcfwk.exe (reported 3 times)
Processes (4)
  • C:\Users\Admin\AppData\Local\Temp\bad71.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\bad71.bin.exe"
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID: 2716
    • C:\Users\Admin\AppData\Local\Temp\bad71.bin.exe
      --97c5adc
      Suspicious behavior: RenamesItself
      Suspicious use of SetWindowsHookEx
      PID: 3312
  • C:\Windows\SysWOW64\mmcfwk.exe
    "C:\Windows\SysWOW64\mmcfwk.exe"
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID: 2900
    • C:\Windows\SysWOW64\mmcfwk.exe
      --93bb249
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID: 3864

Read top-down: the sample in Temp (2716) starts a second instance of its own image with the argument --97c5adc (3312) and writes into that child's memory; the same two-step pattern then repeats for the second-stage executable C:\Windows\SysWOW64\mmcfwk.exe (2900 starts 3864 with --93bb249 and writes into it). The report does not record which process wrote mmcfwk.exe to SysWOW64 or what started PID 2900.
Network
MITRE ATT&CK Matrix
Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation. The only technique this report maps is System Information Discovery (Discovery), under "Enumerates physical storage devices" in Signatures.
Downloads
  • C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\82a49bd7c4665dd0096a98a028c03321_2c818d6f-6b05-478c-8ce1-9d49a3874096
    MD5:    78c781de007b076c097dc6ff6441157b
    SHA1:   2c87de22cebe6827bba9f37154a8812c3e56fe59
    SHA256: 5ed6c6c600f903e8f3a0ff075a4b8a455c399c4b75b77ac12079f04091fc9335
    SHA512: e189729935eb664eb96893960e970acaadf20d40741404ab0f7bca0753051ea7b9795cc1a9974d7442c36f4bd336ab13c2360d2c43b061ecf793a46aa4dc12f5
    This path is the CryptoAPI RSA key container store for the SYSTEM account (S-1-5-18), so the file is a key container created under SYSTEM during the run, not a downloaded payload.
  • memory/2716-115-0x0000000002220000-0x0000000002237000-memory.dmp
  • memory/2716-119-0x0000000000570000-0x000000000061E000-memory.dmp
  • memory/2900-126-0x0000000000E10000-0x0000000000E27000-memory.dmp
  • memory/3312-120-0x0000000000000000-mapping.dmp
  • memory/3312-121-0x0000000002230000-0x0000000002247000-memory.dmp
  • memory/3312-125-0x0000000002130000-0x0000000002141000-memory.dmp
  • memory/3864-130-0x0000000000000000-mapping.dmp
  • memory/3864-132-0x0000000000610000-0x0000000000627000-memory.dmp
  • memory/3864-136-0x00000000004C0000-0x000000000060A000-memory.dmp