Overview

overview

10

Static

static

rimidkjf.exe

windows7-x64

10

rimidkjf.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220722-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220722-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-07-2022 05:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    rimidkjf.exe

  • Size

    840KB

  • MD5

    406ac12181bdbb42a750ef38545afe02

  • SHA1

    7f51b30226520b2e6865ed808bc1d01dd64d78cc

  • SHA256

    fdc0245a18ce0dabe29c6ae596c7ca4144778923f71712f27c0f53b4114c2b1a

  • SHA512

    b80274c1cc8a2db6a70317b9cf557d083d39d45725af93dda855c00bb8ac45d4c37aa711c3e10b706826727646ce1fce4516ad80df035bebf736bf77b8e022bd

Score
10/10
emotetepoch1bankertrojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch1

C2

197.245.25.228:80

98.103.204.12:443

59.148.253.194:8080

173.212.197.71:8080

87.106.46.107:8080

50.28.51.143:8080

177.73.0.98:443

213.197.182.158:8080

185.94.252.12:80

189.223.16.99:80

5.189.178.202:8080

186.103.141.250:443

181.129.96.162:8080

190.101.156.139:80

46.105.114.137:8080

51.15.7.145:80

98.13.75.196:80

202.134.4.210:7080

104.131.41.185:8080

181.123.6.86:80
rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Emotet payload 5 IoCs

    Detects Emotet payload in memory.

    trojanbanker
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\rimidkjf.exe
    "C:\Users\Admin\AppData\Local\Temp\rimidkjf.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3336
    • C:\Windows\SysWOW64\wiashext\ExecModelClient.exe
      "C:\Windows\SysWOW64\wiashext\ExecModelClient.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4732

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\wiashext\ExecModelClient.exe
    Filesize

    840KB

    MD5

    406ac12181bdbb42a750ef38545afe02

    SHA1

    7f51b30226520b2e6865ed808bc1d01dd64d78cc

    SHA256

    fdc0245a18ce0dabe29c6ae596c7ca4144778923f71712f27c0f53b4114c2b1a

    SHA512

    b80274c1cc8a2db6a70317b9cf557d083d39d45725af93dda855c00bb8ac45d4c37aa711c3e10b706826727646ce1fce4516ad80df035bebf736bf77b8e022bd

    Download Submit
  • memory/3336-132-0x0000000002290000-0x00000000022A8000-memory.dmp
    Filesize

    96KB

    Download
  • memory/3336-136-0x0000000002340000-0x0000000002357000-memory.dmp
    Filesize

    92KB

    Download
  • memory/3336-140-0x0000000002270000-0x0000000002286000-memory.dmp
    Filesize

    88KB

    Download
  • memory/4732-141-0x0000000000000000-mapping.dmp
    Download
  • memory/4732-143-0x00000000007B0000-0x00000000007C8000-memory.dmp
    Filesize

    96KB

    Download
  • memory/4732-147-0x0000000002100000-0x0000000002117000-memory.dmp
    Filesize

    92KB

    Download