Overview

overview

10

Static

static

3b9bb674c9...10.exe

windows7_x64

10

3b9bb674c9...10.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    03-07-2022 10:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3b9bb674c9d2fad913cedd560bc7f3307041086d601c3a20897e51f915cdc610.exe

  • Size

    254KB

  • MD5

    eee3d28e9ca19d5cb75ae00e497e9c16

  • SHA1

    35a45bf1cc9d5b4648b46a60ca6dca8b95d8eb63

  • SHA256

    3b9bb674c9d2fad913cedd560bc7f3307041086d601c3a20897e51f915cdc610

  • SHA512

    b1c052174297dea7614bfe58af3477726f6e36e33f7bbd4746b00938068a51f49e250c9b4e8e6ca7c5e1bb99a6dd11f780abfdec8ab9b8f8f29cbbf3ffd5461a

Score
10/10
emotetepoch2bankertrojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

C2

94.205.247.10:80

86.22.221.170:80

85.25.255.207:8080

185.94.252.13:443

94.177.216.217:8080

62.75.187.192:8080

78.24.219.147:8080

91.205.215.66:8080

24.45.195.162:7080

94.192.225.46:80

200.113.106.18:21

186.4.172.5:8080

104.131.44.150:8080

67.225.229.55:8080

190.226.44.20:21

92.233.128.13:143

5.196.74.210:8080

185.187.198.15:80

87.230.19.21:8080

186.176.138.171:7080
rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 25 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3b9bb674c9d2fad913cedd560bc7f3307041086d601c3a20897e51f915cdc610.exe
    "C:\Users\Admin\AppData\Local\Temp\3b9bb674c9d2fad913cedd560bc7f3307041086d601c3a20897e51f915cdc610.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1564
    • C:\Users\Admin\AppData\Local\Temp\3b9bb674c9d2fad913cedd560bc7f3307041086d601c3a20897e51f915cdc610.exe
      --b69e4c8f
      2⤵
      • Suspicious behavior: RenamesItself
      • Suspicious use of SetWindowsHookEx
      PID:860
  • C:\Windows\SysWOW64\binderchapp.exe
    "C:\Windows\SysWOW64\binderchapp.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1156
    • C:\Windows\SysWOW64\binderchapp.exe
      --77e602c8
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2008

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/860-60-0x0000000000000000-mapping.dmp
    Download
  • memory/860-63-0x0000000000300000-0x0000000000314000-memory.dmp
    Filesize

    80KB

    Download
  • memory/1564-54-0x0000000075CD1000-0x0000000075CD3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1564-55-0x00000000003C0000-0x00000000003D4000-memory.dmp
    Filesize

    80KB

    Download
  • memory/1564-61-0x00000000003A0000-0x00000000003AF000-memory.dmp
    Filesize

    60KB

    Download
  • memory/2008-74-0x0000000000000000-mapping.dmp
    Download
  • memory/2008-76-0x0000000000330000-0x0000000000344000-memory.dmp
    Filesize

    80KB

    Download