Overview

overview

10

Static

static

0374bb627e...71.dll

windows7_x64

10

0374bb627e...71.dll

windows10-2004_x64

10

0ba117fd39...35.exe

windows7_x64

10

0ba117fd39...35.exe

windows10-2004_x64

10

196c17a866...fe.exe

windows7_x64

10

196c17a866...fe.exe

windows10-2004_x64

10

1e0215f67f...53.exe

windows7_x64

10

1e0215f67f...53.exe

windows10-2004_x64

10

25d04d6314...de.exe

windows7_x64

10

25d04d6314...de.exe

windows10-2004_x64

10

428ff553b6...50.exe

windows7_x64

10

428ff553b6...50.exe

windows10-2004_x64

10

455d08a5e2...ce.exe

windows7_x64

10

455d08a5e2...ce.exe

windows10-2004_x64

10

4dbd0cd1e0...59.dll

windows7_x64

10

4dbd0cd1e0...59.dll

windows10-2004_x64

10

4febaf5c3e...92.exe

windows7_x64

10

4febaf5c3e...92.exe

windows10-2004_x64

10

5282f373b4...ff.exe

windows7_x64

9

5282f373b4...ff.exe

windows10-2004_x64

9

6c2e494f16...47.exe

windows7_x64

10

6c2e494f16...47.exe

windows10-2004_x64

10

6c95be6a53...65.exe

windows7_x64

10

6c95be6a53...65.exe

windows10-2004_x64

10

75a5b0e0e9...1a.exe

windows7_x64

10

75a5b0e0e9...1a.exe

windows10-2004_x64

10

7dd89cf8a1...d2.exe

windows7_x64

10

7dd89cf8a1...d2.exe

windows10-2004_x64

10

81fa8a3bdc...77.exe

windows7_x64

10

81fa8a3bdc...77.exe

windows10-2004_x64

10

9268e1f0af...b0.dll

windows7_x64

10

9268e1f0af...b0.dll

windows10-2004_x64

10

Analysis

  • max time kernel
    297s
  • max time network
    306s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    20-06-2022 13:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    25d04d6314390db9f02656b70f9d0da208b7d3e4dd47ece7cb907854a2c07dde.exe

  • Size

    284KB

  • MD5

    f81f03280cfa4379453f152008311573

  • SHA1

    97a418aaebc019f4715c911af232d4ca09004536

  • SHA256

    25d04d6314390db9f02656b70f9d0da208b7d3e4dd47ece7cb907854a2c07dde

  • SHA512

    714a662ba23c5f971d92e7db65745c1ce663e59cbf94a767a695dc3527f9645129dd0d584333a3ea6dbe2857c12f9da323cf8b9ce535f04c8617fc7e31e0842f

Score
10/10
emotetepoch2bankertrojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

C2

74.135.120.91:80

108.21.72.56:443

185.201.9.197:8080

64.207.182.168:8080

51.89.36.180:443

110.145.101.66:443

85.105.111.166:80

72.27.212.209:8080

24.69.65.8:8080

109.116.245.80:80

113.61.66.94:80

61.19.246.238:443

62.75.141.82:80

110.142.236.207:80

109.74.5.95:8080

174.106.122.139:80

139.99.158.11:443

190.162.215.233:80

41.185.28.84:8080

172.125.40.123:80
rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Emotet Payload 5 IoCs

    Detects Emotet payload in memory.

    trojanbanker
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\25d04d6314390db9f02656b70f9d0da208b7d3e4dd47ece7cb907854a2c07dde.exe
    "C:\Users\Admin\AppData\Local\Temp\25d04d6314390db9f02656b70f9d0da208b7d3e4dd47ece7cb907854a2c07dde.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4088
    • C:\Windows\SysWOW64\WinSync\Geolocation.exe
      "C:\Windows\SysWOW64\WinSync\Geolocation.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2176

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\WinSync\Geolocation.exe
    Filesize

    284KB

    MD5

    f81f03280cfa4379453f152008311573

    SHA1

    97a418aaebc019f4715c911af232d4ca09004536

    SHA256

    25d04d6314390db9f02656b70f9d0da208b7d3e4dd47ece7cb907854a2c07dde

    SHA512

    714a662ba23c5f971d92e7db65745c1ce663e59cbf94a767a695dc3527f9645129dd0d584333a3ea6dbe2857c12f9da323cf8b9ce535f04c8617fc7e31e0842f

    Download Submit
  • memory/2176-138-0x0000000000000000-mapping.dmp
    Download
  • memory/2176-140-0x0000000000680000-0x0000000000692000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2176-144-0x00000000006A0000-0x00000000006B0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4088-130-0x00000000021B0000-0x00000000021C2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4088-134-0x00000000004F0000-0x0000000000500000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4088-137-0x00000000004E0000-0x00000000004EF000-memory.dmp
    Filesize

    60KB

    Download