Analysis
max time kernel: 146s
max time network: 153s
platform: windows7_x64
resource: win7-20220414-en
submitted: 03-07-2022 10:14

Static task: static1
Behavioral task: behavioral1
Sample: 3b9bb674c9d2fad913cedd560bc7f3307041086d601c3a20897e51f915cdc610.exe
Resource: win7-20220414-en
General
Target: 3b9bb674c9d2fad913cedd560bc7f3307041086d601c3a20897e51f915cdc610.exe
Size: 254KB
MD5: eee3d28e9ca19d5cb75ae00e497e9c16
SHA1: 35a45bf1cc9d5b4648b46a60ca6dca8b95d8eb63
SHA256: 3b9bb674c9d2fad913cedd560bc7f3307041086d601c3a20897e51f915cdc610
SHA512: b1c052174297dea7614bfe58af3477726f6e36e33f7bbd4746b00938068a51f49e250c9b4e8e6ca7c5e1bb99a6dd11f780abfdec8ab9b8f8f29cbbf3ffd5461a
Malware Config
Extracted
Family: emotet
Botnet: Epoch2
C2 (ip:port):
94.205.247.10:80
86.22.221.170:80
85.25.255.207:8080
185.94.252.13:443
94.177.216.217:8080
62.75.187.192:8080
78.24.219.147:8080
91.205.215.66:8080
24.45.195.162:7080
94.192.225.46:80
200.113.106.18:21
186.4.172.5:8080
104.131.44.150:8080
67.225.229.55:8080
190.226.44.20:21
92.233.128.13:143
5.196.74.210:8080
185.187.198.15:80
87.230.19.21:8080
186.176.138.171:7080
69.164.201.54:8080
186.4.172.5:443
86.98.25.30:53
85.54.169.141:8080
80.11.163.139:443
190.228.72.244:53
189.209.217.49:80
181.143.194.138:443
138.201.140.110:8080
187.144.61.73:443
46.105.131.87:80
206.189.98.125:8080
149.202.153.252:8080
104.131.11.150:8080
87.106.139.101:8080
59.103.164.174:80
198.199.114.69:8080
200.113.106.18:465
190.53.135.159:21
159.65.25.128:8080
169.239.182.217:8080
95.128.43.213:8080
144.139.247.220:80
190.145.67.134:8090
186.75.241.230:80
133.167.80.63:7080
136.243.177.26:8080
217.160.182.191:8080
27.4.80.183:443
37.157.194.134:443
92.222.216.44:8080
182.76.6.2:8080
162.241.208.52:8080
83.136.245.190:8080
31.12.67.62:7080
31.172.240.91:8080
200.71.148.138:8080
173.212.203.26:8080
103.39.131.88:80
200.51.94.251:80
222.214.218.192:8080
192.81.213.192:8080
201.251.43.69:8080
181.143.53.227:21
104.236.246.93:8080
167.71.10.37:8080
182.176.132.213:8090
87.106.136.232:8080
27.147.163.188:8080
212.71.234.16:8080
178.79.161.166:443
124.240.198.66:80
85.104.59.244:20
47.41.213.2:22
152.89.236.214:8080
115.78.95.230:443
45.33.49.124:443
211.63.71.72:8080
80.11.163.139:21
190.211.207.11:443
186.4.172.5:20
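The extracted config is only useful once it is turned into something a firewall or SIEM can match. The following Python is an added example, not part of the Triage report: it parses a subset of the Epoch2 C2 list above into (ip, port) IOCs, pulls out the endpoints on non-web ports (21, 22, 53, 143, 465 and 20 in this config) that a plain web-proxy blocklist would miss, lists hosts that appear with several ports, and matches the IOCs against constructed firewall log lines. The log line format, the WEB_PORTS set and the sample log lines are assumptions; the IP:port values are copied from the config above.

```python
"""Normalise the Emotet Epoch2 C2 list extracted above into (ip, port) IOCs and
run them against a few constructed firewall log lines."""
import ipaddress
import re
from collections import Counter

# A subset of the C2 endpoints from the "Malware Config" section above;
# the full list on the page can be pasted in unchanged.
C2_CONFIG = """
94.205.247.10:80
86.22.221.170:80
85.25.255.207:8080
200.113.106.18:21
200.113.106.18:465
92.233.128.13:143
86.98.25.30:53
47.41.213.2:22
186.4.172.5:8080
186.4.172.5:443
186.4.172.5:20
"""

# Assumed set of ports that a web proxy / HTTP blocklist already covers;
# every other port in an Emotet config needs a separate firewall rule.
WEB_PORTS = {80, 443, 7080, 8080, 8090}


def parse_c2_list(text):
    """Return a set of (ip, port) tuples; malformed lines are skipped."""
    iocs = set()
    for line in text.splitlines():
        m = re.fullmatch(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})", line.strip())
        if not m:
            continue
        ip, port = m.group(1), int(m.group(2))
        try:
            ipaddress.IPv4Address(ip)  # rejects octets > 255
        except ipaddress.AddressValueError:
            continue
        if 0 < port < 65536:
            iocs.add((ip, port))
    return iocs


def non_web_ports(iocs):
    """Endpoints whose port is not one of the usual web ports."""
    return sorted(e for e in iocs if e[1] not in WEB_PORTS)


def hosts_with_multiple_ports(iocs):
    """Hosts listed more than once with different ports (e.g. 186.4.172.5 above)."""
    counts = Counter(ip for ip, _ in iocs)
    return sorted(ip for ip, n in counts.items() if n > 1)


# Assumed key=value firewall log format.
LOG_RE = re.compile(r"dst=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) dport=(?P<port>\d+)")


def match_logs(lines, iocs):
    """Return the log lines whose destination ip:port matches a C2 endpoint exactly."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and (m.group("ip"), int(m.group("port"))) in iocs:
            hits.append(line)
    return hits


# Constructed firewall lines for demonstration, not from the sandbox run.
SAMPLE_LOGS = [
    "2022-07-03T10:15:01 src=10.0.0.15 dst=94.205.247.10 dport=80 action=allow",
    "2022-07-03T10:15:02 src=10.0.0.15 dst=200.113.106.18 dport=465 action=allow",
    "2022-07-03T10:15:03 src=10.0.0.15 dst=200.113.106.18 dport=443 action=allow",
    "2022-07-03T10:15:04 src=10.0.0.15 dst=8.8.8.8 dport=53 action=allow",
]

if __name__ == "__main__":
    c2 = parse_c2_list(C2_CONFIG)
    for hit in match_logs(SAMPLE_LOGS, c2):
        print("C2 hit:", hit)
    print("non-web ports:", non_web_ports(c2))
    print("multi-port hosts:", hosts_with_multiple_ports(c2))
```

Matching on the exact (ip, port) tuple is deliberate: the third sample line goes to a listed host on an unlisted port and is not flagged, which keeps false positives down on shared hosting. If you would rather alert on any contact with a listed host, match on the IP alone and accept the extra noise.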
Signatures

Drops file in System32 directory (1 IoC)
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | binderchapp.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
(The second sentence is the sandbox's generic description of this technique. The extracted config identifies the sample as Emotet, a loader, and no file-encryption signatures appear in this report, so the drive enumeration on its own is not evidence of ransomware activity.)
Modifies data under HKEY_USERS (25 IoCs)
All entries are written by binderchapp.exe under HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings. Keys under the .DEFAULT hive are written by WinINet when a process running as LocalSystem makes a web request, and the counters.dat write under the SysWOW64 system profile above is the matching cache artifact; together they show the installed copy running in the SYSTEM context and using WinINet for its C2 traffic rather than establishing registry persistence.
Processes:
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | binderchapp.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DE0DBFFB-8459-4FD7-877A-F578FC5B79ED}\WpadNetworkName = "Network 3" | binderchapp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DE0DBFFB-8459-4FD7-877A-F578FC5B79ED}\0a-43-2e-98-cc-c4 | binderchapp.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-43-2e-98-cc-c4\WpadDecisionTime = e0ccfc7bcb8ed801 | binderchapp.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | binderchapp.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | binderchapp.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | binderchapp.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-43-2e-98-cc-c4\WpadDecisionReason = "1" | binderchapp.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f008e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | binderchapp.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-43-2e-98-cc-c4\WpadDecisionTime = a07d66bfcb8ed801 | binderchapp.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | binderchapp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | binderchapp.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f008e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | binderchapp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DE0DBFFB-8459-4FD7-877A-F578FC5B79ED} | binderchapp.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DE0DBFFB-8459-4FD7-877A-F578FC5B79ED}\WpadDecisionReason = "1" | binderchapp.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-43-2e-98-cc-c4\WpadDetectedUrl | binderchapp.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DE0DBFFB-8459-4FD7-877A-F578FC5B79ED}\WpadDecisionTime = a07d66bfcb8ed801 | binderchapp.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | binderchapp.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | binderchapp.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | binderchapp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | binderchapp.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DE0DBFFB-8459-4FD7-877A-F578FC5B79ED}\WpadDecisionTime = e0ccfc7bcb8ed801 | binderchapp.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DE0DBFFB-8459-4FD7-877A-F578FC5B79ED}\WpadDecision = "0" | binderchapp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-43-2e-98-cc-c4 | binderchapp.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-43-2e-98-cc-c4\WpadDecision = "0" | binderchapp.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
pid | process
2008 | binderchapp.exe
2008 | binderchapp.exe
2008 | binderchapp.exe
2008 | binderchapp.exe

Suspicious behavior: RenamesItself (1 IoC)
Processes:
pid | process
860 | 3b9bb674c9d2fad913cedd560bc7f3307041086d601c3a20897e51f915cdc610.exe

Suspicious use of SetWindowsHookEx (8 IoCs)
Processes:
pid | process
1564 | 3b9bb674c9d2fad913cedd560bc7f3307041086d601c3a20897e51f915cdc610.exe
1564 | 3b9bb674c9d2fad913cedd560bc7f3307041086d601c3a20897e51f915cdc610.exe
860 | 3b9bb674c9d2fad913cedd560bc7f3307041086d601c3a20897e51f915cdc610.exe
860 | 3b9bb674c9d2fad913cedd560bc7f3307041086d601c3a20897e51f915cdc610.exe
1156 | binderchapp.exe
1156 | binderchapp.exe
2008 | binderchapp.exe
2008 | binderchapp.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
description | pid | process | target process
PID 1564 wrote to memory of 860 | 1564 | 3b9bb674c9d2fad913cedd560bc7f3307041086d601c3a20897e51f915cdc610.exe | 3b9bb674c9d2fad913cedd560bc7f3307041086d601c3a20897e51f915cdc610.exe
PID 1564 wrote to memory of 860 | 1564 | 3b9bb674c9d2fad913cedd560bc7f3307041086d601c3a20897e51f915cdc610.exe | 3b9bb674c9d2fad913cedd560bc7f3307041086d601c3a20897e51f915cdc610.exe
PID 1564 wrote to memory of 860 | 1564 | 3b9bb674c9d2fad913cedd560bc7f3307041086d601c3a20897e51f915cdc610.exe | 3b9bb674c9d2fad913cedd560bc7f3307041086d601c3a20897e51f915cdc610.exe
PID 1564 wrote to memory of 860 | 1564 | 3b9bb674c9d2fad913cedd560bc7f3307041086d601c3a20897e51f915cdc610.exe | 3b9bb674c9d2fad913cedd560bc7f3307041086d601c3a20897e51f915cdc610.exe
PID 1156 wrote to memory of 2008 | 1156 | binderchapp.exe | binderchapp.exe
PID 1156 wrote to memory of 2008 | 1156 | binderchapp.exe | binderchapp.exe
PID 1156 wrote to memory of 2008 | 1156 | binderchapp.exe | binderchapp.exe
PID 1156 wrote to memory of 2008 | 1156 | binderchapp.exe | binderchapp.exe
Processes
(PIDs are taken from the signature tables above. Both trees show the same two-stage pattern: the parent writes into a child that is its own image started with one --xxxxxxxx argument. The second tree is the installed copy under C:\Windows\SysWOW64 with a generated name; the report does not record what started PID 1156.)

C:\Users\Admin\AppData\Local\Temp\3b9bb674c9d2fad913cedd560bc7f3307041086d601c3a20897e51f915cdc610.exe (PID 1564)
  command line: "C:\Users\Admin\AppData\Local\Temp\3b9bb674c9d2fad913cedd560bc7f3307041086d601c3a20897e51f915cdc610.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  child: C:\Users\Admin\AppData\Local\Temp\3b9bb674c9d2fad913cedd560bc7f3307041086d601c3a20897e51f915cdc610.exe (PID 860)
    command line: C:\Users\Admin\AppData\Local\Temp\3b9bb674c9d2fad913cedd560bc7f3307041086d601c3a20897e51f915cdc610.exe --b69e4c8f
    - Suspicious behavior: RenamesItself
    - Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\binderchapp.exe (PID 1156)
  command line: "C:\Windows\SysWOW64\binderchapp.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  child: C:\Windows\SysWOW64\binderchapp.exe (PID 2008)
    command line: C:\Windows\SysWOW64\binderchapp.exe --77e602c8
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
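The process tree gives a behavioural signature that survives the sample being renamed: a process starts its own image with exactly one argument of the form --<8 hex digits>, and the installed copy repeats the pattern from C:\Windows\SysWOW64. The following Python is an added example, not part of the Triage report or the sandbox's own detection logic. It runs that check over process-creation events; the ProcEvent shape is an assumption standing in for Sysmon event ID 1 or an EDR equivalent, and the constructed events mirror the PIDs, paths and arguments recorded on this page, with the parent images of the two top-level processes assumed because the report does not record them.

```python
"""Flag the two-stage self-relaunch pattern recorded in the process tree above:
an executable starting its own image with a single --xxxxxxxx argument, and the
same pattern repeating from a renamed copy under C:\\Windows\\SysWOW64."""
import re
from dataclasses import dataclass

ARG_RE = re.compile(r"^--[0-9a-f]{8}$")
SYSWOW64 = "c:\\windows\\syswow64\\"


@dataclass
class ProcEvent:
    """Assumed minimal shape of a process-creation event (Sysmon ID 1 or similar)."""
    pid: int
    ppid: int
    image: str          # full path of the new process
    command_line: str
    parent_image: str   # full path of the creating process


def _args(cmdline):
    """Split a command line into tokens and drop the (possibly quoted) program token."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    return tokens[1:]


def self_relaunch_hits(events):
    """Return (ppid, pid, image) for children whose image equals the parent's image
    and whose command line carries exactly one --<8 hex> argument."""
    hits = []
    for ev in events:
        if ev.image.lower() != ev.parent_image.lower():
            continue
        args = _args(ev.command_line)
        if len(args) == 1 and ARG_RE.match(args[0]):
            hits.append((ev.ppid, ev.pid, ev.image))
    return hits


def syswow64_hits(events):
    """Subset of self_relaunch_hits running from SysWOW64, i.e. the installed stage."""
    return [h for h in self_relaunch_hits(events) if h[2].lower().startswith(SYSWOW64)]


SAMPLE = "3b9bb674c9d2fad913cedd560bc7f3307041086d601c3a20897e51f915cdc610.exe"
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp"
INSTALLED = "C:\\Windows\\SysWOW64\\binderchapp.exe"

# Constructed events mirroring the process tree on this page. The parent images
# of PIDs 1564 and 1156 are assumptions (the report does not record them); the
# final event is a benign self-spawn (cmd running a subcommand) that must not match.
EVENTS = [
    ProcEvent(1564, 500, TEMP + "\\" + SAMPLE, '"' + TEMP + "\\" + SAMPLE + '"',
              "C:\\Windows\\explorer.exe"),
    ProcEvent(860, 1564, TEMP + "\\" + SAMPLE, TEMP + "\\" + SAMPLE + " --b69e4c8f",
              TEMP + "\\" + SAMPLE),
    ProcEvent(1156, 496, INSTALLED, '"' + INSTALLED + '"',
              "C:\\Windows\\System32\\services.exe"),
    ProcEvent(2008, 1156, INSTALLED, INSTALLED + " --77e602c8", INSTALLED),
    ProcEvent(3000, 2900, "C:\\Windows\\System32\\cmd.exe", "cmd.exe /c dir",
              "C:\\Windows\\System32\\cmd.exe"),
]

if __name__ == "__main__":
    for ppid, pid, image in self_relaunch_hits(EVENTS):
        print(f"self-relaunch: {ppid} -> {pid} {image}")
    for ppid, pid, image in syswow64_hits(EVENTS):
        print(f"installed copy: {ppid} -> {pid} {image}")
```

The argument check is the discriminating part: plenty of legitimate software re-executes its own image (updaters, browsers, shells), but a single bare 8-hex-digit switch is specific enough to this loader's staging that the rule stays quiet on the benign cmd.exe event. Pair the SysWOW64 hit with the WriteProcessMemory signature on the same PID pair for a higher-confidence alert.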
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (memory dumps)
memory/860-60-0x0000000000000000-mapping.dmp
memory/860-63-0x0000000000300000-0x0000000000314000-memory.dmp (80KB)
memory/1564-54-0x0000000075CD1000-0x0000000075CD3000-memory.dmp (8KB)
memory/1564-55-0x00000000003C0000-0x00000000003D4000-memory.dmp (80KB)
memory/1564-61-0x00000000003A0000-0x00000000003AF000-memory.dmp (60KB)
memory/2008-74-0x0000000000000000-mapping.dmp
memory/2008-76-0x0000000000330000-0x0000000000344000-memory.dmp (80KB)

Each of PIDs 1564, 860 and 2008 has an 80KB (0x14000-byte) private region dumped at a low, non-image address; the matching sizes across the dropper, its relaunched child and the installed copy are consistent with the same unpacked payload being staged in every process, and the 80KB dumps are the ones to start from when extracting the config.