Analysis

  • max time kernel
    165s
  • max time network
    184s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/10/2022, 20:20 UTC

General

  • Target

    KBDYAK.exe

  • Size

    848KB

  • MD5

    a4513379dad5233afa402cc56a8b9222

  • SHA1

    805727279208de9cf49e6374b1f3a6dc0052620e

  • SHA256

    ccd380ea868ffad4f960d7455fecf88c2ac3550001bbb6c21c31ae70b3bbf4f6

  • SHA512

    10b23a9721bc9692f225a864f541d722761e622ff94e92f08c367a14fb7398199d4f4d3895ca456064889871246c6cbfc15fb2e593be21f384fb49e084cf3f9f

  • SSDEEP

    6144:/TaQZdJnaB1kNOlFSm9tc6c6c6c6c6c6c6c6c6csImOksMWNIDK:/GQfJyFrz7

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

C2

rsa_pubkey.plain

-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS
Q0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS
fkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB
-----END PUBLIC KEY-----

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\KBDYAK.exe
    "C:\Users\Admin\AppData\Local\Temp\KBDYAK.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4548
    • C:\Windows\SysWOW64\dfshim\MsCtfMonitor.exe
      "C:\Windows\SysWOW64\dfshim\MsCtfMonitor.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4384

Network

  • flag-us
    DNS
    97.97.242.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.97.242.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    226.101.242.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    226.101.242.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    a.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.5.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa
    Remote address:
    8.8.8.8:53
    Request
    a.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.5.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa
    IN PTR
    Response
  • flag-us
    POST
    http://45.55.36.51:443/RPPbKsZFs5WA2sXnBm/
    MsCtfMonitor.exe
    Remote address:
    45.55.36.51:443
    Request
    POST /RPPbKsZFs5WA2sXnBm/ HTTP/1.1
    Content-Type: multipart/form-data; boundary=-------------------------91904fbf5d807505ed08d4ceeaa03aed
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 45.55.36.51:443
    Content-Length: 4532
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.0 301 Moved Permanently
    Location: https://45.55.36.51:443/RPPbKsZFs5WA2sXnBm/
    Cache-Control: private, no-cache, max-age=0
    Pragma: no-cache
    Server:LiteSpeed
    Content-Length: 0
    Connection: Close
  • 20.224.254.73:443
    40 B
    1
  • 87.248.202.1:80
    46 B
    40 B
    1
    1
  • 87.248.202.1:80
    46 B
    40 B
    1
    1
  • 8.238.20.126:80
    322 B
    7
  • 8.238.20.126:80
    322 B
    7
  • 8.253.208.120:80
    322 B
    7
  • 67.68.210.95:80
    MsCtfMonitor.exe
    260 B
    5
  • 162.241.242.173:8080
    MsCtfMonitor.exe
    260 B
    200 B
    5
    5
  • 45.55.36.51:443
    http://45.55.36.51:443/RPPbKsZFs5WA2sXnBm/
    http
    MsCtfMonitor.exe
    6.7kB
    484 B
    10
    6

    HTTP Request

    POST http://45.55.36.51:443/RPPbKsZFs5WA2sXnBm/

    HTTP Response

    301
  • 45.55.36.51:443
    tls
    MsCtfMonitor.exe
    572 B
    4.7kB
    9
    7
  • 45.55.219.163:443
    MsCtfMonitor.exe
    260 B
    5
  • 68.188.112.97:80
    MsCtfMonitor.exe
    260 B
    5
  • 46.105.131.79:8080
    MsCtfMonitor.exe
    260 B
    200 B
    5
    5
  • 78.24.219.147:8080
    MsCtfMonitor.exe
    260 B
    5
  • 8.8.8.8:53
    97.97.242.52.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    97.97.242.52.in-addr.arpa

  • 8.8.8.8:53
    226.101.242.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    226.101.242.52.in-addr.arpa

  • 8.8.8.8:53
    a.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.5.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa
    dns
    118 B
    204 B
    1
    1

    DNS Request

    a.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.5.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Windows\SysWOW64\dfshim\MsCtfMonitor.exe

    Filesize

    848KB

    MD5

    a4513379dad5233afa402cc56a8b9222

    SHA1

    805727279208de9cf49e6374b1f3a6dc0052620e

    SHA256

    ccd380ea868ffad4f960d7455fecf88c2ac3550001bbb6c21c31ae70b3bbf4f6

    SHA512

    10b23a9721bc9692f225a864f541d722761e622ff94e92f08c367a14fb7398199d4f4d3895ca456064889871246c6cbfc15fb2e593be21f384fb49e084cf3f9f

  • memory/4384-139-0x0000000000640000-0x000000000064C000-memory.dmp

    Filesize

    48KB

  • memory/4548-132-0x0000000002300000-0x000000000230C000-memory.dmp

    Filesize

    48KB

  • memory/4548-136-0x00000000007D0000-0x00000000007D9000-memory.dmp

    Filesize

    36KB