Analysis

  • max time kernel
    145s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    08-07-2022 20:26

General

  • Target

    403ffc45012019acdb891d071e1ad5a23beac91ea6335048cb0484b38662858c.exe

  • Size

    474KB

  • MD5

    3f8241a5bc324829e73d61b60acac585

  • SHA1

    64c29545cb2a567133540b1c2e88ebd5deeaf827

  • SHA256

    403ffc45012019acdb891d071e1ad5a23beac91ea6335048cb0484b38662858c

  • SHA512

    bd67ab3c8d937398c3cfd91ca11821a2b48d667949c5e799b69fd618d1cb0abe01e97f3fee1321611d60c8071bae462a65316de6f515d646a5712ca42d5504f8

Malware Config

Extracted

  • Family
    emotet
  • Botnet
    Epoch2
  • C2 (ip:port)
    124.240.198.66:80
    186.75.241.230:80
    181.143.194.138:443
    45.79.188.67:8080
    77.237.248.136:8080
    185.142.236.163:443
    63.142.253.122:8080
    178.254.6.27:7080
    190.211.207.11:443
    78.188.105.159:21
    182.176.106.43:995
    178.79.161.166:443
    206.189.98.125:8080
    87.230.19.21:8080
    80.11.163.139:443
    101.187.237.217:20
    190.18.146.70:80
    86.98.25.30:53
    92.222.125.16:7080
    186.4.172.5:443
  • rsa_pubkey.plain
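The C2 list above is the actionable part of the extracted config. The following is an added example (not part of the sandbox report or of any Emotet tooling) that parses that list into validated (ip, port) pairs and matches it against flow-log lines; the log lines and the `ts src -> dst proto` format are constructed for the demo, and the exact-match versus IP-only split is a design choice, not something the report describes.

```python
"""Match the Emotet Epoch2 C2 list from this report against flow logs.

Added example, not part of the sandbox report. The C2 list is copied
from the extracted config above; the flow log lines are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Copied from the extracted config above (ip:port, one per line).
EMOTET_EPOCH2_C2 = """
124.240.198.66:80
186.75.241.230:80
181.143.194.138:443
45.79.188.67:8080
77.237.248.136:8080
185.142.236.163:443
63.142.253.122:8080
178.254.6.27:7080
190.211.207.11:443
78.188.105.159:21
182.176.106.43:995
178.79.161.166:443
206.189.98.125:8080
87.230.19.21:8080
80.11.163.139:443
101.187.237.217:20
190.18.146.70:80
86.98.25.30:53
92.222.125.16:7080
186.4.172.5:443
"""


def parse_c2_list(text):
    """Return a set of (ip, port) tuples. Anything that is not a valid
    IPv4:port pair raises, so a typo in a pasted list fails loudly."""
    entries = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        host, _, port = line.rpartition(":")
        ip = ipaddress.ip_address(host)  # raises ValueError on garbage
        port = int(port)
        if not 0 < port < 65536:
            raise ValueError(f"bad port in {line!r}")
        entries.add((str(ip), port))
    return entries


# Constructed flow log lines (not from the report). Format assumed here:
# <ts> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>
SAMPLE_FLOWS = """
2022-07-08T20:27:01Z 10.0.0.23:49712 -> 124.240.198.66:80 TCP
2022-07-08T20:27:02Z 10.0.0.23:49713 -> 8.8.8.8:53 UDP
2022-07-08T20:27:05Z 10.0.0.23:49714 -> 181.143.194.138:443 TCP
2022-07-08T20:27:09Z 10.0.0.23:49715 -> 86.98.25.30:53 TCP
2022-07-08T20:27:11Z 10.0.0.41:51000 -> 86.98.25.30:443 TCP
"""
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)


def match_flows(flow_text, c2):
    """Return (exact, ip_only): flows whose destination ip:port is in the
    C2 set, and flows to a C2 IP on a port the config does not list
    (weaker signal, but worth surfacing as possible infrastructure reuse)."""
    exact, ip_only = [], []
    c2_ips = {ip for ip, _ in c2}
    for line in flow_text.strip().splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        dst, dport = m["dst"], int(m["dport"])
        if (dst, dport) in c2:
            exact.append((m["ts"], m["src"], dst, dport))
        elif dst in c2_ips:
            ip_only.append((m["ts"], m["src"], dst, dport))
    return exact, ip_only


def ports_by_frequency(c2):
    """Port histogram of the C2 set, most common first."""
    counts = defaultdict(int)
    for _, port in c2:
        counts[port] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    c2 = parse_c2_list(EMOTET_EPOCH2_C2)
    exact, ip_only = match_flows(SAMPLE_FLOWS, c2)
    for hit in exact:
        print("C2 HIT", *hit)
    for hit in ip_only:
        print("C2 IP on unlisted port", *hit)
    print("ports:", ports_by_frequency(c2))
```

Note the port histogram: besides 80/443/8080/7080 the list uses 20, 21, 53 and 995, so a detection that only inspects web ports or assumes port 53 is DNS will miss some of these endpoints; match on the full ip:port pair and do not filter by protocol first.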

Signatures

  • Emotet

    Emotet is a modular trojan/loader that is primarily spread through spam emails; the extracted config above ties this sample to the Epoch2 botnet.

  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; since the family here is Emotet, a loader, the drive enumeration alone does not indicate ransomware for this sample.

  • Modifies data under HKEY_USERS 21 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of UnmapMainImage 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\403ffc45012019acdb891d071e1ad5a23beac91ea6335048cb0484b38662858c.exe
    "C:\Users\Admin\AppData\Local\Temp\403ffc45012019acdb891d071e1ad5a23beac91ea6335048cb0484b38662858c.exe"
    1⤵
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1860
    • C:\Users\Admin\AppData\Local\Temp\403ffc45012019acdb891d071e1ad5a23beac91ea6335048cb0484b38662858c.exe
      --687c3b74
      2⤵
      • Suspicious behavior: RenamesItself
      • Suspicious use of UnmapMainImage
      PID:888
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x548
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1244
    (AUDIODG.EXE is the Windows Audio Device Graph Isolation process; it is not spawned by the sample in this tree, and the AdjustPrivilegeToken hit should be treated as system noise unless other evidence links it.)
  • C:\Windows\SysWOW64\tenanttenant.exe
    "C:\Windows\SysWOW64\tenanttenant.exe"
    1⤵
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:896
    • C:\Windows\SysWOW64\tenanttenant.exe
      --7b4783e6
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of UnmapMainImage
      PID:744
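The tree above shows the installation sequence: the dropped sample re-launches itself with an 8-hex-digit `--` argument (PID 1860 to 888), then a copy named tenanttenant.exe runs from C:\Windows\SysWOW64 and repeats the same self-relaunch (PID 896 to 744). The following is an added example (not part of the report or of any vendor's rules) that scores process-creation events on those three observable features. The events are hand-constructed to mirror this tree with Sysmon-like field names, the SysWOW64 allow-list is a placeholder assumption, and the threshold of two features is a tuning choice.

```python
"""Score process-creation events for the installation pattern in the tree above.

Added example, not from the sandbox. Events are constructed to mirror the
report's process tree; field names imitate Sysmon Event ID 1 but the records
are hand-written, not exported from Sysmon.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = "403ffc45012019acdb891d071e1ad5a23beac91ea6335048cb0484b38662858c.exe"
TEMP_EXE = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE
WOW_EXE = r"C:\Windows\SysWOW64\tenanttenant.exe"

# Constructed from the Processes section. Parent PIDs for the top-level
# entries (1000, 800, 600) are invented; the report does not show them.
# AUDIODG.EXE is kept as benign noise to show it does not score.
EVENTS = [
    ProcEvent(1860, 1000, TEMP_EXE, f'"{TEMP_EXE}"'),
    ProcEvent(888, 1860, TEMP_EXE, f'"{TEMP_EXE}" --687c3b74'),
    ProcEvent(1244, 800, r"C:\Windows\system32\AUDIODG.EXE",
              r"C:\Windows\system32\AUDIODG.EXE 0x548"),
    ProcEvent(896, 600, WOW_EXE, f'"{WOW_EXE}"'),
    ProcEvent(744, 896, WOW_EXE, f'"{WOW_EXE}" --7b4783e6'),
]

# Assumption: a short allow-list of binaries expected under SysWOW64.
# A real deployment builds this from a golden image, not a literal.
KNOWN_SYSWOW64 = {"cmd.exe", "rundll32.exe", "svchost.exe", "explorer.exe",
                  "wuauclt.exe", "regsvr32.exe", "msiexec.exe"}
SYSWOW64_PREFIX = "c:\\windows\\syswow64\\"
# The argument form seen in this report (--687c3b74, --7b4783e6).
HEX_ARG = re.compile(r"(?:^|\s)--[0-9a-f]{8}(?:\s|$)")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def score(event, by_pid):
    """Return (score, reasons); one point per feature seen in the tree:
    self-relaunch, the 8-hex-digit argument, an unexpected SysWOW64 image."""
    reasons = []
    parent = by_pid.get(event.ppid)
    if parent and basename(parent.image) == basename(event.image):
        reasons.append("child has same image as parent (self-relaunch)")
    if HEX_ARG.search(event.cmdline):
        reasons.append("8-hex-digit -- argument on command line")
    if (event.image.lower().startswith(SYSWOW64_PREFIX)
            and basename(event.image) not in KNOWN_SYSWOW64):
        reasons.append("non-allow-listed image in SysWOW64")
    return len(reasons), reasons


def detect(events, threshold=2):
    """Return [(pid, score, reasons)] for events at or above the threshold."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        s, why = score(e, by_pid)
        if s >= threshold:
            hits.append((e.pid, s, why))
    return hits


if __name__ == "__main__":
    for pid, s, why in detect(EVENTS):
        print(f"PID {pid} score={s}: " + "; ".join(why))
```

With the threshold at two, the first relaunch (PID 888) and the relaunch of the SysWOW64 copy (PID 744) fire, while the original drop, the first run of the copy and AUDIODG.EXE do not; lowering the threshold to one would also catch PID 896 on the unexpected SysWOW64 image alone, at the cost of noise from any non-allow-listed 32-bit binary.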

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery
    System Information Discovery (T1082), 1 hit


Downloads

  • memory/744-63-0x0000000000000000-mapping.dmp
  • memory/888-55-0x0000000000000000-mapping.dmp
  • memory/888-59-0x0000000000500000-0x0000000000515000-memory.dmp (84KB)
  • memory/888-61-0x0000000000400000-0x0000000000478000-memory.dmp (480KB)
  • memory/888-64-0x0000000000400000-0x0000000000419000-memory.dmp (100KB)
  • memory/1860-54-0x0000000075E41000-0x0000000075E43000-memory.dmp (8KB)
  • memory/1860-57-0x0000000000350000-0x0000000000365000-memory.dmp (84KB)
  • memory/1860-58-0x0000000000400000-0x0000000000478000-memory.dmp (480KB)
  • memory/1860-60-0x0000000000400000-0x0000000000419000-memory.dmp (100KB)

In both PIDs 1860 and 888 the image base 0x400000 is dumped first as a 480KB region (the loaded sample; the file is 474KB on disk) and later as a 100KB region at the same base. That is consistent with the UnmapMainImage signature above: the original image is unmapped and a smaller unpacked payload is mapped in its place, so the 100KB dumps are the ones to examine for the decoded Emotet core.
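The dump names encode the PID, a sequence number and the address range, which is enough to reconstruct what happened at each base over time. The following is an added example (not part of the report) that parses that naming pattern and flags any base that was dumped more than once with different sizes; the list is copied from the Downloads section, and the naming pattern is inferred from those entries rather than taken from the sandbox's documentation.

```python
"""Parse the memory-dump names listed above into per-PID region timelines.

Added example, not part of the report. Names are assumed to follow
memory/<pid>-<seq>-<start>-<end>-memory.dmp, or
memory/<pid>-<seq>-<start>-mapping.dmp for entries with no range.
"""
import re
from collections import defaultdict

# Copied from the Downloads section above.
DUMP_NAMES = """
memory/744-63-0x0000000000000000-mapping.dmp
memory/888-55-0x0000000000000000-mapping.dmp
memory/888-59-0x0000000000500000-0x0000000000515000-memory.dmp
memory/888-61-0x0000000000400000-0x0000000000478000-memory.dmp
memory/888-64-0x0000000000400000-0x0000000000419000-memory.dmp
memory/1860-54-0x0000000075E41000-0x0000000075E43000-memory.dmp
memory/1860-57-0x0000000000350000-0x0000000000365000-memory.dmp
memory/1860-58-0x0000000000400000-0x0000000000478000-memory.dmp
memory/1860-60-0x0000000000400000-0x0000000000419000-memory.dmp
"""

NAME_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-(?P<start>0x[0-9A-Fa-f]+)"
    r"(?:-(?P<end>0x[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)


def parse_dumps(text):
    """Return one dict per name in input order; 'size' is None for mapping entries."""
    out = []
    for name in text.split():
        m = NAME_RE.match(name)
        if not m:
            raise ValueError(f"unrecognised dump name: {name}")
        start = int(m["start"], 16)
        end = int(m["end"], 16) if m["end"] else None
        out.append({"pid": int(m["pid"]), "seq": int(m["seq"]),
                    "start": start, "end": end,
                    "size": (end - start) if end is not None else None,
                    "kind": m["kind"]})
    return out


def size_kb(size):
    return size // 1024


def remapped_bases(dumps):
    """Return {pid: [(base, [(seq, size), ...]), ...]} for every base that was
    dumped more than once with differing sizes. A region at the image base
    that shrinks between dumps is the in-place replacement that the
    UnmapMainImage signature points at; the check itself is generic."""
    by_pid_base = defaultdict(list)
    for d in dumps:
        if d["kind"] == "memory":
            by_pid_base[(d["pid"], d["start"])].append((d["seq"], d["size"]))
    flagged = {}
    for (pid, base), regions in by_pid_base.items():
        regions.sort()  # by sequence number, i.e. dump order
        if len(regions) > 1 and len({s for _, s in regions}) > 1:
            flagged.setdefault(pid, []).append((base, regions))
    return flagged


if __name__ == "__main__":
    dumps = parse_dumps(DUMP_NAMES)
    for d in dumps:
        kb = f"{size_kb(d['size'])}KB" if d["size"] is not None else "-"
        print(f"pid={d['pid']} seq={d['seq']} {d['start']:#x} {kb} {d['kind']}")
    for pid, regions in remapped_bases(dumps).items():
        for base, hist in regions:
            print(f"PID {pid}: base {base:#x} dumped as", hist)
```

Run against the list above this reports base 0x400000 in both PIDs as 0x78000 bytes at the earlier sequence number and 0x19000 bytes at the later one, which is the same observation made in prose after the list; on a larger report the same check picks out every process where a mapped image was replaced, without reading each name by hand.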