Overview

overview

10

Static

static

9

3bebc167ad...f1.exe

windows7_x64

10

3bebc167ad...f1.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    156s
  • max time network
    174s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    24-05-2022 01:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3bebc167adc5cfc6df3e052fcc56cca0c5d91d30fe2791b2a5a6485878c3b2f1.exe

  • Size

    329KB

  • MD5

    cc269eb719302c38ae0df44ca4833024

  • SHA1

    d1d22fd4ea2a90099fdc76c0b2d150d61c2aef6b

  • SHA256

    3bebc167adc5cfc6df3e052fcc56cca0c5d91d30fe2791b2a5a6485878c3b2f1

  • SHA512

    a0ee73595b15f9e9b686b1206c71739992ca0c39792e086d3ce1b1cd4499beb01a15708c19f689dd38471759c49244b52e865ccb2473da9d8213cd4b6069200b

Score
10/10
emotetepoch2bankertrojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

C2

186.4.172.5:443

117.197.124.36:443

37.208.39.59:7080

186.4.172.5:8080

182.176.106.43:995

178.62.37.188:443

92.51.129.249:4143

92.222.125.16:7080

142.44.162.209:8080

31.12.67.62:7080

46.105.131.87:80

92.222.216.44:8080

87.106.136.232:8080

103.97.95.218:143

190.145.67.134:8090

104.236.246.93:8080

88.156.97.210:80

175.100.138.82:22

78.24.219.147:8080

91.205.215.66:8080
rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 21 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3bebc167adc5cfc6df3e052fcc56cca0c5d91d30fe2791b2a5a6485878c3b2f1.exe
    "C:\Users\Admin\AppData\Local\Temp\3bebc167adc5cfc6df3e052fcc56cca0c5d91d30fe2791b2a5a6485878c3b2f1.exe"
    1⤵
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1064
    • C:\Users\Admin\AppData\Local\Temp\3bebc167adc5cfc6df3e052fcc56cca0c5d91d30fe2791b2a5a6485878c3b2f1.exe
      --cc5ff026
      2⤵
      • Suspicious behavior: RenamesItself
      • Suspicious use of UnmapMainImage
      PID:1724
  • C:\Windows\SysWOW64\nextdrawa.exe
    "C:\Windows\SysWOW64\nextdrawa.exe"
    1⤵
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1784
    • C:\Windows\SysWOW64\nextdrawa.exe
      --72ce4c80
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of UnmapMainImage
      PID:1668

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1064-54-0x00000000769D1000-0x00000000769D3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1064-56-0x00000000001B0000-0x00000000001C3000-memory.dmp
    Filesize

    76KB

    Download
  • memory/1064-58-0x0000000000400000-0x0000000000419000-memory.dmp
    Filesize

    100KB

    Download
  • memory/1668-61-0x0000000000000000-mapping.dmp
    Download
  • memory/1668-63-0x00000000001B0000-0x00000000001C3000-memory.dmp
    Filesize

    76KB

    Download
  • memory/1724-55-0x0000000000000000-mapping.dmp
    Download
  • memory/1724-59-0x0000000000400000-0x0000000000456000-memory.dmp
    Filesize

    344KB

    Download