Overview

overview

10

Static

static

9f80b5d6dc...e0.exe

windows7_x64

10

9f80b5d6dc...e0.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    134s
  • max time network
    167s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    01-07-2022 05:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9f80b5d6dc1a155418079737f3f93a38c1333bda1d9fc3044d101ce4f92526e0.exe

  • Size

    113KB

  • MD5

    a4ec5fbd48767dcdd6f5e2fd78af6d94

  • SHA1

    160d5c0bf3bc95282f288df0d465ab8de78efc9a

  • SHA256

    9f80b5d6dc1a155418079737f3f93a38c1333bda1d9fc3044d101ce4f92526e0

  • SHA512

    70392031967be0b1a05995ec64d720e44382c270160a6c863fa9d82358d599ed98e9a1d2fa5e2d972e38e91a819490f82899cc893c2b521cd47f8ab06ec224fc

Score
10/10
emotetepoch2bankertrojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

C2

81.109.227.123:80

82.15.36.209:443

142.4.198.249:7080

162.144.119.216:8080

142.93.88.16:443

31.12.67.62:7080

91.83.93.103:7080

178.152.78.149:20

104.131.208.175:8080

136.243.177.26:8080

206.189.98.125:8080

178.79.161.166:443

195.242.117.231:8080

187.163.222.244:465

186.144.64.31:53

104.236.99.225:8080

71.244.60.230:8080

91.205.215.66:8080

212.71.234.16:8080

190.25.255.98:443
rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 21 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9f80b5d6dc1a155418079737f3f93a38c1333bda1d9fc3044d101ce4f92526e0.exe
    "C:\Users\Admin\AppData\Local\Temp\9f80b5d6dc1a155418079737f3f93a38c1333bda1d9fc3044d101ce4f92526e0.exe"
    1⤵
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:872
    • C:\Users\Admin\AppData\Local\Temp\9f80b5d6dc1a155418079737f3f93a38c1333bda1d9fc3044d101ce4f92526e0.exe
      --eaa5566
      2⤵
      • Suspicious behavior: RenamesItself
      • Suspicious use of UnmapMainImage
      PID:1224
  • C:\Windows\SysWOW64\apodlls.exe
    "C:\Windows\SysWOW64\apodlls.exe"
    1⤵
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1988
    • C:\Windows\SysWOW64\apodlls.exe
      --4b0cba5
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of UnmapMainImage
      PID:2004

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/872-54-0x00000000763E1000-0x00000000763E3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/872-55-0x0000000000220000-0x0000000000230000-memory.dmp
    Filesize

    64KB

    Download
  • memory/872-59-0x0000000000400000-0x0000000000415000-memory.dmp
    Filesize

    84KB

    Download
  • memory/872-57-0x0000000000220000-0x0000000000230000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1224-56-0x0000000000000000-mapping.dmp
    Download
  • memory/1224-60-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1224-64-0x0000000000400000-0x0000000000415000-memory.dmp
    Filesize

    84KB

    Download
  • memory/2004-62-0x0000000000000000-mapping.dmp
    Download
  • memory/2004-65-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download