Overview

overview

10

Static

static

8deb508a95...a1.exe

windows7-x64

10

8deb508a95...a1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    127s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags

    arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
  • submitted
    31-07-2022 06:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8deb508a95178d159b43da93160ff6d64c5ad468f1f91e222021eba9292954a1.exe

  • Size

    400KB

  • MD5

    7332e39a8d45ca37ee9a767fa00ec90f

  • SHA1

    026064006b987ed951ffce4f03c4394f557bf588

  • SHA256

    8deb508a95178d159b43da93160ff6d64c5ad468f1f91e222021eba9292954a1

  • SHA512

    443270e1050bf8beb5898455ebd5ad5605f870315c3a3fa3768629681c0c8891d754ca9a2a83ed4c61eec331aeb0ff69153f081b2d1c36ad7f38d5af515f3478

Score
10/10
emotetepoch1bankertrojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch1

C2

189.129.4.186:80

189.244.245.238:80

79.127.57.42:80

207.180.208.175:8080

71.244.60.230:7080

119.59.124.163:8080

71.244.60.231:7080

104.236.243.129:8080

190.117.206.153:443

80.85.87.122:8080

77.245.101.134:8080

138.68.106.4:7080

187.155.233.46:443

190.230.60.129:80

200.21.90.6:8080

159.203.204.126:8080

181.188.149.134:80

62.75.143.100:7080

23.92.22.225:7080

183.87.87.73:80
rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 21 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8deb508a95178d159b43da93160ff6d64c5ad468f1f91e222021eba9292954a1.exe
    "C:\Users\Admin\AppData\Local\Temp\8deb508a95178d159b43da93160ff6d64c5ad468f1f91e222021eba9292954a1.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1768
    • C:\Users\Admin\AppData\Local\Temp\8deb508a95178d159b43da93160ff6d64c5ad468f1f91e222021eba9292954a1.exe
      "C:\Users\Admin\AppData\Local\Temp\8deb508a95178d159b43da93160ff6d64c5ad468f1f91e222021eba9292954a1.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1688
      • C:\Users\Admin\AppData\Local\Temp\8deb508a95178d159b43da93160ff6d64c5ad468f1f91e222021eba9292954a1.exe
        --1f35d5ed
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2004
        • C:\Users\Admin\AppData\Local\Temp\8deb508a95178d159b43da93160ff6d64c5ad468f1f91e222021eba9292954a1.exe
          --1f35d5ed
          4⤵
          • Suspicious behavior: RenamesItself
          PID:2016
  • C:\Windows\SysWOW64\nexttoner.exe
    "C:\Windows\SysWOW64\nexttoner.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1192
    • C:\Windows\SysWOW64\nexttoner.exe
      "C:\Windows\SysWOW64\nexttoner.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1128
      • C:\Windows\SysWOW64\nexttoner.exe
        --8ef6ac83
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1164
        • C:\Windows\SysWOW64\nexttoner.exe
          --8ef6ac83
          4⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          PID:1064

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_b7281fc7-5d8a-4f8d-86a4-0f15f7d0fba8
    Filesize

    1KB

    MD5

    64059be6b8b4f743c4028e516c65c491

    SHA1

    54b877011745bedcb29495de9e73d945847f15a8

    SHA256

    918e8d559e0bdf0883ae6c8f08c2882183056314cd89a1da79f86ecebff90b93

    SHA512

    8008915ba1e1e6cf60ff01049c3765f73930eb4bd6c6e53561cc281398e1851aeb291e16c6bb5025881ebd3efb2fc5bdd8b852330c12b5347c79224eb6743978

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4084403625-2215941253-1760665084-1000\0f5007522459c86e95ffcc62f32308f1_b7281fc7-5d8a-4f8d-86a4-0f15f7d0fba8
    Filesize

    1KB

    MD5

    1e0cfda0aafc8249137b533ab2585dbd

    SHA1

    4b7a22b0cf9840c0883bfd852d748a8b8bbc55d4

    SHA256

    40a46d31c49c23e061a3d8fa17c094706912f01bd92b23089c92a90a44519142

    SHA512

    877799a48bf1be555419dc2db82aac68e846e18fd13ede55835e748066dc87ae315b05e43d39e0a6f2cb3f0284e8507c3623cfaeb2be4d6c8a9fe0cdad84d1c4

    Download Submit
  • memory/1064-83-0x000000000040D977-mapping.dmp
    Download
  • memory/1064-86-0x0000000000400000-0x0000000000417000-memory.dmp
    Filesize

    92KB

    Download
  • memory/1064-84-0x0000000000400000-0x0000000000417000-memory.dmp
    Filesize

    92KB

    Download
  • memory/1128-75-0x000000000040D977-mapping.dmp
    Download
  • memory/1164-76-0x0000000000000000-mapping.dmp
    Download
  • memory/1192-72-0x0000000000630000-0x0000000000644000-memory.dmp
    Filesize

    80KB

    Download
  • memory/1688-61-0x0000000000400000-0x0000000000417000-memory.dmp
    Filesize

    92KB

    Download
  • memory/1688-58-0x000000000040D977-mapping.dmp
    Download
  • memory/1768-59-0x0000000000230000-0x0000000000243000-memory.dmp
    Filesize

    76KB

    Download
  • memory/1768-54-0x0000000075871000-0x0000000075873000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1768-55-0x00000000003D0000-0x00000000003E4000-memory.dmp
    Filesize

    80KB

    Download
  • memory/2004-60-0x0000000000000000-mapping.dmp
    Download
  • memory/2004-64-0x0000000000340000-0x0000000000354000-memory.dmp
    Filesize

    80KB

    Download
  • memory/2016-77-0x0000000000400000-0x0000000000417000-memory.dmp
    Filesize

    92KB

    Download
  • memory/2016-70-0x0000000000400000-0x0000000000417000-memory.dmp
    Filesize

    92KB

    Download
  • memory/2016-68-0x0000000000400000-0x0000000000417000-memory.dmp
    Filesize

    92KB

    Download
  • memory/2016-67-0x000000000040D977-mapping.dmp
    Download