Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

KBDYAK.exe

windows7-x64

10

KBDYAK.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    139s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    11/10/2022, 20:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    KBDYAK.exe

  • Size

    848KB

  • MD5

    a4513379dad5233afa402cc56a8b9222

  • SHA1

    805727279208de9cf49e6374b1f3a6dc0052620e

  • SHA256

    ccd380ea868ffad4f960d7455fecf88c2ac3550001bbb6c21c31ae70b3bbf4f6

  • SHA512

    10b23a9721bc9692f225a864f541d722761e622ff94e92f08c367a14fb7398199d4f4d3895ca456064889871246c6cbfc15fb2e593be21f384fb49e084cf3f9f

  • SSDEEP

    6144:/TaQZdJnaB1kNOlFSm9tc6c6c6c6c6c6c6c6c6csImOksMWNIDK:/GQfJyFrz7

Score
10/10
emotetepoch2bankertrojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

C2

67.68.210.95:80

162.241.242.173:8080

45.55.36.51:443

45.55.219.163:443

68.188.112.97:80

46.105.131.79:8080

78.24.219.147:8080

37.70.8.161:80

153.232.188.106:80

209.141.54.221:8080

203.117.253.142:80

152.168.248.128:443

93.147.212.206:80

24.137.76.62:80

189.212.199.126:443

204.197.146.48:80

137.119.36.33:80

185.94.252.104:443

139.130.242.43:80

203.153.216.189:7080
rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies system certificate store 2 TTPs 6 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\KBDYAK.exe
    "C:\Users\Admin\AppData\Local\Temp\KBDYAK.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1424
    • C:\Windows\SysWOW64\api-ms-win-crt-multibyte-l1-1-0\imgutil.exe
      "C:\Windows\SysWOW64\api-ms-win-crt-multibyte-l1-1-0\imgutil.exe"
      2⤵
      • Executes dropped EXE
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1528

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\api-ms-win-crt-multibyte-l1-1-0\imgutil.exe
    Filesize

    848KB

    MD5

    a4513379dad5233afa402cc56a8b9222

    SHA1

    805727279208de9cf49e6374b1f3a6dc0052620e

    SHA256

    ccd380ea868ffad4f960d7455fecf88c2ac3550001bbb6c21c31ae70b3bbf4f6

    SHA512

    10b23a9721bc9692f225a864f541d722761e622ff94e92f08c367a14fb7398199d4f4d3895ca456064889871246c6cbfc15fb2e593be21f384fb49e084cf3f9f

    Download Submit

  • memory/1424-54-0x0000000000250000-0x000000000025C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1424-58-0x0000000076151000-0x0000000076153000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1424-59-0x0000000000240000-0x0000000000249000-memory.dmp

    Filesize

    36KB

    Download

  • memory/1528-62-0x00000000002C0000-0x00000000002CC000-memory.dmp

    Filesize

    48KB

    Download