Overview

overview

10

Static

static

4d8acd99b8...29.exe

windows7_x64

10

4d8acd99b8...29.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    170s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    01-07-2022 07:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29.exe

  • Size

    516KB

  • MD5

    f7a31719c91770d2f7f945c5acba4116

  • SHA1

    ac2162d2ae066bf9067ad7f8bf3697a78154ea68

  • SHA256

    4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29

  • SHA512

    1375dced5b7a646461d632d7069d40d69aaca2e008f16f6bbcb22ea8304ebaaa6f8d26d05da45dbe3c79b89fea9e3c048da5bd3c8823eafe7bb7376182b6a38d

Score
10/10
emotetepoch2bankertrojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

C2

190.18.146.70:80

187.147.50.167:8080

80.11.163.139:21

178.254.6.27:7080

92.222.125.16:7080

142.44.162.209:8080

31.12.67.62:7080

45.123.3.54:443

201.250.11.236:50000

41.220.119.246:80

86.98.25.30:53

37.157.194.134:443

187.144.189.58:50000

189.209.217.49:80

31.172.240.91:8080

104.131.11.150:8080

59.152.93.46:443

190.53.135.159:21

222.214.218.192:8080

162.243.125.212:8080
rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 21 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29.exe
    "C:\Users\Admin\AppData\Local\Temp\4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1776
    • C:\Users\Admin\AppData\Local\Temp\4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29.exe
      "C:\Users\Admin\AppData\Local\Temp\4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:828
      • C:\Users\Admin\AppData\Local\Temp\4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29.exe
        --2a94fb31
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1716
        • C:\Users\Admin\AppData\Local\Temp\4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29.exe
          --2a94fb31
          4⤵
          • Suspicious behavior: RenamesItself
          PID:1688
  • C:\Windows\SysWOW64\xinputmail.exe
    "C:\Windows\SysWOW64\xinputmail.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:880
    • C:\Windows\SysWOW64\xinputmail.exe
      "C:\Windows\SysWOW64\xinputmail.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:652
      • C:\Windows\SysWOW64\xinputmail.exe
        --e16d003b
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1364
        • C:\Windows\SysWOW64\xinputmail.exe
          --e16d003b
          4⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          PID:1568

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_4cab856c-2ae4-4cbd-8a04-329969ee64da
    Filesize

    1KB

    MD5

    72ccd02fb3698e1160d7254bdd1ab540

    SHA1

    2cf4030ab2b227248fc4cbfbdb6a6b1058afe18b

    SHA256

    02e18e27033ca28e0974b35c6204167bd54837cb5aef56047b9f10f07476ed50

    SHA512

    92827aa9790cd73315101f0911767a76348c1b5f88e7a09e01d506a7bda8f8885d58776ebfbcc44befb6afdbde1afe043d1a6cb33ec45dfcbcb972b0fa2fb6d1

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2277218442-1199762539-2004043321-1000\0f5007522459c86e95ffcc62f32308f1_4cab856c-2ae4-4cbd-8a04-329969ee64da
    Filesize

    1KB

    MD5

    cb0c48e49486766cc5e3d2e5bc8dfa9c

    SHA1

    f1f04725015775f75fa7223a0508e1eb1a2d99e9

    SHA256

    8d24c1f57b7168a7ea5398ddcbf5ac22a4fc5c8ed9b7e54350337eefc6796d8f

    SHA512

    5bfc0e06ea8774c485e4484fbe8f7d90ddc8b8662d9bf56d7703bcd13f418c18f61adfcee4bfaeb21c4a32e5cf71a10e96e15475dcd8b7509284859901f71ab8

    Download Submit
  • memory/652-75-0x000000000040F072-mapping.dmp
    Download
  • memory/828-59-0x000000000040F072-mapping.dmp
    Download
  • memory/828-61-0x0000000000400000-0x0000000000419000-memory.dmp
    Filesize

    100KB

    Download
  • memory/880-72-0x00000000003D0000-0x00000000003E6000-memory.dmp
    Filesize

    88KB

    Download
  • memory/1364-80-0x0000000000A50000-0x0000000000A66000-memory.dmp
    Filesize

    88KB

    Download
  • memory/1364-76-0x0000000000000000-mapping.dmp
    Download
  • memory/1568-86-0x0000000000400000-0x0000000000419000-memory.dmp
    Filesize

    100KB

    Download
  • memory/1568-84-0x0000000000400000-0x0000000000419000-memory.dmp
    Filesize

    100KB

    Download
  • memory/1568-83-0x000000000040F072-mapping.dmp
    Download
  • memory/1688-70-0x0000000000400000-0x0000000000419000-memory.dmp
    Filesize

    100KB

    Download
  • memory/1688-68-0x0000000000400000-0x0000000000419000-memory.dmp
    Filesize

    100KB

    Download
  • memory/1688-77-0x0000000000400000-0x0000000000419000-memory.dmp
    Filesize

    100KB

    Download
  • memory/1688-67-0x000000000040F072-mapping.dmp
    Download
  • memory/1716-64-0x00000000003B0000-0x00000000003C6000-memory.dmp
    Filesize

    88KB

    Download
  • memory/1716-60-0x0000000000000000-mapping.dmp
    Download
  • memory/1776-54-0x00000000754A1000-0x00000000754A3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1776-58-0x0000000000240000-0x0000000000255000-memory.dmp
    Filesize

    84KB

    Download
  • memory/1776-55-0x00000000002A0000-0x00000000002B6000-memory.dmp
    Filesize

    88KB

    Download