Overview

overview

10

Static

static

1

7bdd1409b0...0b.exe

windows7-x64

10

7bdd1409b0...0b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    08-03-2023 12:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7bdd1409b080eb8510163cea3761d694be0eaec7e22bc44736cbfbc3025a310b.exe

  • Size

    540KB

  • MD5

    28cfd8a6b63836e39fc10c87ee7ec59d

  • SHA1

    7ace13d7b698ca6fa87ef337237893424503bde7

  • SHA256

    7bdd1409b080eb8510163cea3761d694be0eaec7e22bc44736cbfbc3025a310b

  • SHA512

    0de6451ccbc936e3eebead59447ea803a012b8774d7622a9822d59cfab1400ce0345da8cfb729c76a3b4fc1cd5775183e0a43289a5f428a31bb86ddf91718862

  • SSDEEP

    12288:ry5iow33myVaf/mhy4h0gTLL/niHDpWuOthr+RMp:6i/Hm6xhyLgHrni0H

Score
10/10
emotetepoch2bankertrojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

C2

186.75.241.230:80

181.143.194.138:443

181.143.53.227:21

85.104.59.244:20

80.11.163.139:443

167.71.10.37:8080

104.131.44.150:8080

185.187.198.15:80

133.167.80.63:7080

198.199.114.69:8080

144.139.247.220:80

152.89.236.214:8080

78.24.219.147:8080

92.222.216.44:8080

46.105.131.87:80

190.226.44.20:21

182.176.132.213:8090

85.54.169.141:8080

192.81.213.192:8080

101.187.237.217:20
rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 21 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7bdd1409b080eb8510163cea3761d694be0eaec7e22bc44736cbfbc3025a310b.exe
    "C:\Users\Admin\AppData\Local\Temp\7bdd1409b080eb8510163cea3761d694be0eaec7e22bc44736cbfbc3025a310b.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1712
    • C:\Users\Admin\AppData\Local\Temp\7bdd1409b080eb8510163cea3761d694be0eaec7e22bc44736cbfbc3025a310b.exe
      --98a75cc4
      2⤵
      • Suspicious behavior: RenamesItself
      • Suspicious use of SetWindowsHookEx
      PID:1688
  • C:\Windows\SysWOW64\editionrouter.exe
    "C:\Windows\SysWOW64\editionrouter.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:380
    • C:\Windows\SysWOW64\editionrouter.exe
      --3945615d
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1924

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/380-65-0x00000000004A0000-0x00000000004B4000-memory.dmp
    Filesize

    80KB

    Download
  • memory/1688-60-0x0000000000240000-0x0000000000254000-memory.dmp
    Filesize

    80KB

    Download
  • memory/1712-54-0x0000000000250000-0x0000000000264000-memory.dmp
    Filesize

    80KB

    Download
  • memory/1712-59-0x0000000000240000-0x000000000024F000-memory.dmp
    Filesize

    60KB

    Download
  • memory/1924-70-0x00000000002D0000-0x00000000002E4000-memory.dmp
    Filesize

    80KB

    Download