Analysis

  • max time kernel
    4294196s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20220223-en
  • submitted
    25-02-2022 05:52

General

  • Target
    0c1ed39d9cccbc78f14972a83d4cb601ad08618ba19bec834a2061eec2abaab3.exe
  • Size
    772KB
  • MD5
    d614e5f85e2189407d452e6ed42453c9
  • SHA1
    4c4a886e910ce80e012d93903838352a9f83ed69
  • SHA256
    0c1ed39d9cccbc78f14972a83d4cb601ad08618ba19bec834a2061eec2abaab3
  • SHA512
    9f40b5fd742fc29be5f72cce5aee792e4f991960ba297ed0540deae8ef436b0f691908b7411b6f4edf183f3003379705e0038024306cf74cc9dac701e7b59f1b

Malware Config

Extracted

  • Family
    emotet
  • Botnet
    Epoch2
  • C2
    47.36.140.164:80
    169.50.76.149:8080
    162.241.140.129:8080
    104.131.123.136:443
    95.213.236.64:8080
    130.0.132.242:80
    123.176.25.234:80
    46.105.131.79:8080
    157.245.99.39:8080
    79.98.24.39:8080
    49.50.209.131:80
    72.143.73.234:443
    50.91.114.38:80
    89.216.122.92:80
    5.39.91.110:7080
    121.124.124.40:7080
    71.72.196.159:80
    5.196.74.210:8080
    139.162.108.71:8080
    61.19.246.238:443
  • rsa_pubkey.plain
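The extracted config above is only useful once it is turned into something that runs against your own telemetry. The following is an added example, not part of the sandbox report: it embeds the report's C2 list, the sample's SHA256 and the dropped-file path, and checks constructed firewall-style log lines and image paths against them. The log format (`src=ip:port dst=ip:port`), the severity levels and the helper names are assumptions made for this demo; Emotet pins ip:port pairs in its config, so an exact pair match is the strong signal and an IP-only match is kept as a weaker one.

```python
"""Checks built from the extracted Emotet Epoch2 config above.

Added example, not part of the sandbox report. The C2 endpoints, the SHA256
value and the dropped-file path are taken from the report; the log lines,
the log format and the helper names are constructed for the demo.
"""
import re
from typing import Optional

# C2 endpoints exactly as listed under "Malware Config" in the report.
C2_ENDPOINTS = {
    ("47.36.140.164", 80), ("169.50.76.149", 8080), ("162.241.140.129", 8080),
    ("104.131.123.136", 443), ("95.213.236.64", 8080), ("130.0.132.242", 80),
    ("123.176.25.234", 80), ("46.105.131.79", 8080), ("157.245.99.39", 8080),
    ("79.98.24.39", 8080), ("49.50.209.131", 80), ("72.143.73.234", 443),
    ("50.91.114.38", 80), ("89.216.122.92", 80), ("5.39.91.110", 7080),
    ("121.124.124.40", 7080), ("71.72.196.159", 80), ("5.196.74.210", 8080),
    ("139.162.108.71", 8080), ("61.19.246.238", 443),
}
C2_IPS = {ip for ip, _ in C2_ENDPOINTS}

# From the report: the dropped copy carries the same hashes as the sample.
SAMPLE_SHA256 = "0c1ed39d9cccbc78f14972a83d4cb601ad08618ba19bec834a2061eec2abaab3"
DROPPED_PATH = r"C:\Windows\SysWOW64\msiexec\odexl32.exe"

# The sample relocated itself into a made-up *subdirectory* of SysWOW64.
# Legitimate executables live directly in SysWOW64, so an image path one
# level below it is worth flagging on its own (assumption: the EDR records
# the full image path).
SYSWOW64_SUBDIR_EXE = re.compile(
    r"^c:\\windows\\syswow64\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE)

# Constructed log format: "<ts> src=<ip>:<port> dst=<ip>:<port> proto=<p>"
CONN_RE = re.compile(r"dst=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})")


def parse_dst(line: str) -> Optional[tuple]:
    """Return (dst_ip, dst_port) from a constructed log line, or None."""
    m = CONN_RE.search(line)
    if not m:
        return None
    return m.group("ip"), int(m.group("port"))


def classify_connection(line: str) -> Optional[str]:
    """'high' for an exact ip:port hit, 'medium' for the IP on another port.

    The config pins ip:port pairs, so an exact match is the strong signal;
    an IP-only match still deserves a look because the proxy may log only
    the IP, or the host may serve more than one port.
    """
    dst = parse_dst(line)
    if dst is None:
        return None
    if dst in C2_ENDPOINTS:
        return "high"
    if dst[0] in C2_IPS:
        return "medium"
    return None


def scan_log(lines) -> list:
    """Return (line_number, severity, (ip, port)) for every matching line."""
    hits = []
    for n, line in enumerate(lines, 1):
        sev = classify_connection(line)
        if sev:
            hits.append((n, sev, parse_dst(line)))
    return hits


def is_syswow64_subdir_image(path: str) -> bool:
    """True for an image in a subdirectory of SysWOW64, as odexl32.exe is."""
    return SYSWOW64_SUBDIR_EXE.match(path) is not None


def is_self_copy(parent_sha256: str, dropped_sha256: str) -> bool:
    """True when the dropped executable is a byte-for-byte copy of its parent."""
    return parent_sha256.lower() == dropped_sha256.lower()


# Constructed log lines for the demo (the report's own Network section is empty).
SAMPLE_LOG = [
    "2022-02-25T05:53:01Z src=10.0.0.7:49213 dst=169.50.76.149:8080 proto=tcp",
    "2022-02-25T05:53:02Z src=10.0.0.7:49214 dst=93.184.216.34:443 proto=tcp",
    "2022-02-25T05:53:09Z src=10.0.0.7:49220 dst=5.39.91.110:443 proto=tcp",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print(is_syswow64_subdir_image(DROPPED_PATH))
    print(is_syswow64_subdir_image(r"C:\Windows\SysWOW64\msiexec.exe"))
```

The C2 addresses are from a February 2022 report and include residential-looking ranges; validate them against current intelligence before adding them to a block list, and treat the path pattern and the hash as independent hunting pivots, since Emotet was repacked far more often than it changed its install location scheme.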

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Emotet Payload 5 IoCs

    Detects Emotet payload in memory.

  • Dave packer 1 IoCs

    Detects executable using a packer named 'Dave' by the community, based on a string at the end.

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description of this signature calls it "likely ransomware behaviour"; Emotet is a loader, not an encryptor, so for this sample the hit is better read as host enumeration (the T1082 mapping below) than as encryption activity.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0c1ed39d9cccbc78f14972a83d4cb601ad08618ba19bec834a2061eec2abaab3.exe
    "C:\Users\Admin\AppData\Local\Temp\0c1ed39d9cccbc78f14972a83d4cb601ad08618ba19bec834a2061eec2abaab3.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1992
    • C:\Windows\SysWOW64\msiexec\odexl32.exe
      "C:\Windows\SysWOW64\msiexec\odexl32.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:912

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery
    System Information Discovery, T1082 (1 signature)

Downloads

  • C:\Windows\SysWOW64\msiexec\odexl32.exe
    MD5     d614e5f85e2189407d452e6ed42453c9
    SHA1    4c4a886e910ce80e012d93903838352a9f83ed69
    SHA256  0c1ed39d9cccbc78f14972a83d4cb601ad08618ba19bec834a2061eec2abaab3
    SHA512  9f40b5fd742fc29be5f72cce5aee792e4f991960ba297ed0540deae8ef436b0f691908b7411b6f4edf183f3003379705e0038024306cf74cc9dac701e7b59f1b

    All four hashes are identical to the submitted sample: the dropped file is a byte-for-byte copy of the original, which is what the "RenamesItself" and "Drops file in System32 directory" signatures on PID 1992 record. The install location (a made-up subdirectory under SysWOW64 holding a single executable) is a more durable pivot than the hash, since the packed sample changes with every rebuild.

  • memory/912-64-0x00000000002A0000-0x00000000002BF000-memory.dmp
    Filesize 124KB
  • memory/912-67-0x00000000002C0000-0x00000000002DE000-memory.dmp
    Filesize 120KB
  • memory/1992-54-0x0000000076271000-0x0000000076273000-memory.dmp
    Filesize 8KB
  • memory/1992-55-0x0000000000690000-0x00000000006AF000-memory.dmp
    Filesize 124KB
  • memory/1992-58-0x00000000007C0000-0x00000000007DE000-memory.dmp
    Filesize 120KB
  • memory/1992-62-0x0000000000670000-0x000000000068D000-memory.dmp
    Filesize 116KB

    Dump names encode the PID, a sequence number and the region's start and end address; the listed Filesize is end minus start. The 124KB and 120KB regions occur in both the parent (PID 1992) and the dropped copy (PID 912), consistent with the same unpacked payload being present in both processes, which is where the "Emotet Payload" memory signature fires.
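The memory dump entries above carry more structure than the listing shows. The following is an added example, not part of the sandbox report: it parses the dump names as printed (the `memory/<pid>-<seq>-<start>-<end>-memory.dmp` layout is an assumption read off the entries), checks that each listed Filesize equals end minus start, and pairs regions of identical size across the two PIDs. It also separates the one region in the 0x76xxxxxx range, where a 32-bit process on Windows 7 typically has system DLLs mapped, from the low-address private allocations that are the usual home of an unpacked payload.

```python
"""Sanity-check and correlate the memory dumps listed in the report above.

Added example, not part of the sandbox report. The dump names and Filesize
values are the ones printed in the report; the parsing, the size check and
the cross-PID pairing are mine, and the name layout is an assumption.
"""
import re
from collections import defaultdict

# Entries copied from the report: (dump name, listed Filesize).
DUMPS = [
    ("memory/912-64-0x00000000002A0000-0x00000000002BF000-memory.dmp", "124KB"),
    ("memory/912-67-0x00000000002C0000-0x00000000002DE000-memory.dmp", "120KB"),
    ("memory/1992-54-0x0000000076271000-0x0000000076273000-memory.dmp", "8KB"),
    ("memory/1992-55-0x0000000000690000-0x00000000006AF000-memory.dmp", "124KB"),
    ("memory/1992-58-0x00000000007C0000-0x00000000007DE000-memory.dmp", "120KB"),
    ("memory/1992-62-0x0000000000670000-0x000000000068D000-memory.dmp", "116KB"),
]

# Assumed layout: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
NAME_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump(name: str) -> dict:
    """Split a dump name into pid, sequence number, start, end and size."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"unexpected dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"region end precedes start: {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def kb_to_bytes(size_str: str) -> int:
    """'124KB' -> 126976; the report lists sizes in whole KB."""
    if not size_str.endswith("KB"):
        raise ValueError(f"unexpected size unit: {size_str}")
    return int(size_str[:-2]) * 1024


def size_mismatches(dumps) -> list:
    """Names whose listed Filesize disagrees with end minus start."""
    return [name for name, listed in dumps
            if parse_dump(name)["size"] != kb_to_bytes(listed)]


def shared_sizes(dumps) -> dict:
    """Map region size -> sorted PIDs that each hold a region of that size.

    A size seen in both the parent and its dropped copy is the cheap way to
    spot the same unpacked payload in both processes before diffing bytes.
    """
    by_size = defaultdict(set)
    for name, _ in dumps:
        d = parse_dump(name)
        by_size[d["size"]].add(d["pid"])
    return {size: sorted(pids) for size, pids in by_size.items() if len(pids) > 1}


def high_address_regions(dumps, threshold: int = 0x70000000) -> list:
    """Dumps whose start lies at or above threshold.

    In a 32-bit process on Windows 7 the 0x76xxxxxx-0x77xxxxxx range is
    typically where system DLLs such as ntdll and kernel32 are mapped, so a
    dump there is more likely a patched DLL page than the unpacked payload.
    """
    return [name for name, _ in dumps if parse_dump(name)["start"] >= threshold]


def regions_by_pid(dumps) -> dict:
    """pid -> list of (start, end, size) in sequence order, for a quick overview."""
    out = defaultdict(list)
    for name, _ in dumps:
        d = parse_dump(name)
        out[d["pid"]].append((d["seq"], d["start"], d["end"], d["size"]))
    return {pid: [r[1:] for r in sorted(rs)] for pid, rs in out.items()}


if __name__ == "__main__":
    print("size mismatches:", size_mismatches(DUMPS))
    for size, pids in sorted(shared_sizes(DUMPS).items()):
        print(f"{size:#x} ({size // 1024}KB) present in PIDs {pids}")
    print("high-address regions:", high_address_regions(DUMPS))
```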