Overview

overview

10

Static

static

34222f81e9...a0.exe

windows7_x64

10

34222f81e9...a0.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    144s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    19-06-2022 22:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    34222f81e9d8bd85c6b6e66b94da2d1e118f29d206b12b323abc81ad94bd55a0.exe

  • Size

    275KB

  • MD5

    0edc1d0416e429be7b5622bbd8332737

  • SHA1

    80f03cf8b4cd9a30259593ee906cf61701032c79

  • SHA256

    34222f81e9d8bd85c6b6e66b94da2d1e118f29d206b12b323abc81ad94bd55a0

  • SHA512

    73256722267499dbc8cffc43f8fbca6fd3f10a4b02f967455f215e830a944c70c78832a9d5f25b1cc31c1286c3adaf529b7923faccbe65f95001413b354a9948

Score
10/10
emotetepoch1bankertrojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch1

C2

181.123.0.125:80

119.159.150.176:443

184.69.214.94:20

80.240.141.141:7080

185.187.198.10:8080

46.41.134.46:8080

178.249.187.151:8080

217.199.160.224:8080

186.83.133.253:8080

23.92.22.225:7080

212.71.237.140:8080

190.221.50.210:8080

187.199.158.226:443

185.86.148.222:8080

200.58.171.51:80

77.245.101.134:8080

201.163.74.202:443

203.25.159.3:8080

183.82.97.25:80

51.15.8.192:8080
rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 21 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\34222f81e9d8bd85c6b6e66b94da2d1e118f29d206b12b323abc81ad94bd55a0.exe
    "C:\Users\Admin\AppData\Local\Temp\34222f81e9d8bd85c6b6e66b94da2d1e118f29d206b12b323abc81ad94bd55a0.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2040
    • C:\Users\Admin\AppData\Local\Temp\34222f81e9d8bd85c6b6e66b94da2d1e118f29d206b12b323abc81ad94bd55a0.exe
      "C:\Users\Admin\AppData\Local\Temp\34222f81e9d8bd85c6b6e66b94da2d1e118f29d206b12b323abc81ad94bd55a0.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:864
      • C:\Users\Admin\AppData\Local\Temp\34222f81e9d8bd85c6b6e66b94da2d1e118f29d206b12b323abc81ad94bd55a0.exe
        --2c4a6959
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1252
        • C:\Users\Admin\AppData\Local\Temp\34222f81e9d8bd85c6b6e66b94da2d1e118f29d206b12b323abc81ad94bd55a0.exe
          --2c4a6959
          4⤵
          • Suspicious behavior: RenamesItself
          PID:1336
  • C:\Windows\SysWOW64\twoshell.exe
    "C:\Windows\SysWOW64\twoshell.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:280
    • C:\Windows\SysWOW64\twoshell.exe
      "C:\Windows\SysWOW64\twoshell.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1600
      • C:\Windows\SysWOW64\twoshell.exe
        --8138d4d6
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1684
        • C:\Windows\SysWOW64\twoshell.exe
          --8138d4d6
          4⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          PID:908

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/280-70-0x00000000003D0000-0x00000000003E4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/864-60-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

    Download

  • memory/908-83-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

    Download

  • memory/908-81-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

    Download

  • memory/1252-63-0x0000000000450000-0x0000000000464000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1336-67-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

    Download

  • memory/1336-75-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

    Download

  • memory/1684-77-0x00000000004F0000-0x0000000000504000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2040-54-0x0000000075B71000-0x0000000075B73000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2040-61-0x0000000000370000-0x0000000000383000-memory.dmp

    Filesize

    76KB

    Download

  • memory/2040-55-0x0000000000390000-0x00000000003A4000-memory.dmp

    Filesize

    80KB

    Download