Analysis
max time kernel: 173s
max time network: 191s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 03-07-2022 10:14
Static task: static1
Behavioral task: behavioral1
Sample: 3b9bb674c9d2fad913cedd560bc7f3307041086d601c3a20897e51f915cdc610.exe
Resource: win7-20220414-en
General
Target: 3b9bb674c9d2fad913cedd560bc7f3307041086d601c3a20897e51f915cdc610.exe
Size: 254KB
MD5: eee3d28e9ca19d5cb75ae00e497e9c16
SHA1: 35a45bf1cc9d5b4648b46a60ca6dca8b95d8eb63
SHA256: 3b9bb674c9d2fad913cedd560bc7f3307041086d601c3a20897e51f915cdc610
SHA512: b1c052174297dea7614bfe58af3477726f6e36e33f7bbd4746b00938068a51f49e250c9b4e8e6ca7c5e1bb99a6dd11f780abfdec8ab9b8f8f29cbbf3ffd5461a
Malware Config
Extracted
emotet
Epoch2
Signatures

Drops file in System32 directory (4 IoCs)
  description                    ioc                                                                                                      process
  File opened for modification   C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5           binderbrowser.exe
  File opened for modification   C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE                    binderbrowser.exe
  File opened for modification   C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies                     binderbrowser.exe
  File opened for modification   C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5             binderbrowser.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies data under HKEY_USERS (3 IoCs)
  description       ioc                                                                                                                      process
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix                   binderbrowser.exe
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"      binderbrowser.exe
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"     binderbrowser.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid    process
  3520   binderbrowser.exe (same entry repeated 10 times)

Suspicious behavior: RenamesItself (1 IoCs)
  pid    process
  3612   3b9bb674c9d2fad913cedd560bc7f3307041086d601c3a20897e51f915cdc610.exe

Suspicious use of SetWindowsHookEx (8 IoCs)
  pid    process
  716    3b9bb674c9d2fad913cedd560bc7f3307041086d601c3a20897e51f915cdc610.exe
  716    3b9bb674c9d2fad913cedd560bc7f3307041086d601c3a20897e51f915cdc610.exe
  3612   3b9bb674c9d2fad913cedd560bc7f3307041086d601c3a20897e51f915cdc610.exe
  3612   3b9bb674c9d2fad913cedd560bc7f3307041086d601c3a20897e51f915cdc610.exe
  1128   binderbrowser.exe
  1128   binderbrowser.exe
  3520   binderbrowser.exe
  3520   binderbrowser.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid    process                                                                  target process
  PID 716 wrote to memory of 3612    716    3b9bb674c9d2fad913cedd560bc7f3307041086d601c3a20897e51f915cdc610.exe    3b9bb674c9d2fad913cedd560bc7f3307041086d601c3a20897e51f915cdc610.exe (same entry repeated 3 times)
  PID 1128 wrote to memory of 3520   1128   binderbrowser.exe                                                        binderbrowser.exe (same entry repeated 3 times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\3b9bb674c9d2fad913cedd560bc7f3307041086d601c3a20897e51f915cdc610.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3b9bb674c9d2fad913cedd560bc7f3307041086d601c3a20897e51f915cdc610.exe"
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\3b9bb674c9d2fad913cedd560bc7f3307041086d601c3a20897e51f915cdc610.exe
      Command line: --b69e4c8f
      - Suspicious behavior: RenamesItself
      - Suspicious use of SetWindowsHookEx

1. C:\Windows\SysWOW64\binderbrowser.exe
   Command line: "C:\Windows\SysWOW64\binderbrowser.exe"
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\binderbrowser.exe
      Command line: --11ba71d4
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Downloads
- memory/716-130-0x0000000000B10000-0x0000000000B24000-memory.dmp (Filesize 80KB)
- memory/716-141-0x0000000000B00000-0x0000000000B0F000-memory.dmp (Filesize 60KB)
- memory/1128-142-0x0000000000E00000-0x0000000000E14000-memory.dmp (Filesize 80KB)
- memory/3520-147-0x0000000000000000-mapping.dmp
- memory/3520-148-0x0000000000600000-0x0000000000614000-memory.dmp (Filesize 80KB)
- memory/3612-135-0x0000000000000000-mapping.dmp
- memory/3612-136-0x00000000007F0000-0x0000000000804000-memory.dmp (Filesize 80KB)