Overview

overview

10

Static

static

3b9bb674c9...10.exe

windows7_x64

10

3b9bb674c9...10.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    173s
  • max time network
    191s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    03-07-2022 10:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3b9bb674c9d2fad913cedd560bc7f3307041086d601c3a20897e51f915cdc610.exe

  • Size

    254KB

  • MD5

    eee3d28e9ca19d5cb75ae00e497e9c16

  • SHA1

    35a45bf1cc9d5b4648b46a60ca6dca8b95d8eb63

  • SHA256

    3b9bb674c9d2fad913cedd560bc7f3307041086d601c3a20897e51f915cdc610

  • SHA512

    b1c052174297dea7614bfe58af3477726f6e36e33f7bbd4746b00938068a51f49e250c9b4e8e6ca7c5e1bb99a6dd11f780abfdec8ab9b8f8f29cbbf3ffd5461a

Score
10/10
emotetepoch2bankertrojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

C2

94.205.247.10:80

86.22.221.170:80

85.25.255.207:8080

185.94.252.13:443

94.177.216.217:8080

62.75.187.192:8080

78.24.219.147:8080

91.205.215.66:8080

24.45.195.162:7080

94.192.225.46:80

200.113.106.18:21

186.4.172.5:8080

104.131.44.150:8080

67.225.229.55:8080

190.226.44.20:21

92.233.128.13:143

5.196.74.210:8080

185.187.198.15:80

87.230.19.21:8080

186.176.138.171:7080
rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3b9bb674c9d2fad913cedd560bc7f3307041086d601c3a20897e51f915cdc610.exe
    "C:\Users\Admin\AppData\Local\Temp\3b9bb674c9d2fad913cedd560bc7f3307041086d601c3a20897e51f915cdc610.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:716
    • C:\Users\Admin\AppData\Local\Temp\3b9bb674c9d2fad913cedd560bc7f3307041086d601c3a20897e51f915cdc610.exe
      --b69e4c8f
      2⤵
      • Suspicious behavior: RenamesItself
      • Suspicious use of SetWindowsHookEx
      PID:3612
  • C:\Windows\SysWOW64\binderbrowser.exe
    "C:\Windows\SysWOW64\binderbrowser.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1128
    • C:\Windows\SysWOW64\binderbrowser.exe
      --11ba71d4
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3520

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/716-130-0x0000000000B10000-0x0000000000B24000-memory.dmp
    Filesize

    80KB

    Download
  • memory/716-141-0x0000000000B00000-0x0000000000B0F000-memory.dmp
    Filesize

    60KB

    Download
  • memory/1128-142-0x0000000000E00000-0x0000000000E14000-memory.dmp
    Filesize

    80KB

    Download
  • memory/3520-147-0x0000000000000000-mapping.dmp
    Download
  • memory/3520-148-0x0000000000600000-0x0000000000614000-memory.dmp
    Filesize

    80KB

    Download
  • memory/3612-135-0x0000000000000000-mapping.dmp
    Download
  • memory/3612-136-0x00000000007F0000-0x0000000000804000-memory.dmp
    Filesize

    80KB

    Download