Overview

overview

10

Static

static

10

2020-07-20.zip

windows10-2004-x64

10

Resubmissions

24-07-2023 06:32

230724-haylwaag65 10

16-07-2023 18:15

230716-wwbacshb7z 10

Analysis

  • max time kernel
    121s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-07-2023 18:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2020-07-20.zip

  • Size

    347.3MB

  • MD5

    712b5aa5e08566a0f01a0a39418d6132

  • SHA1

    91349082a104f862b531278769f3d0c587244fc0

  • SHA256

    18fcb8604dc88c010d786be917f618a461876f5db6f80f1f8a64bc3b8fe48a98

  • SHA512

    12642ecf4ebc7be19bd78b5b18d4a283ce5d7008eaa616dcc962e9fd21a083bb59821f72995843a8884fd1e6722a74da1461dea6bb49e789b4bf7b4fcb019016

  • SSDEEP

    6291456:7EC9ko9Z5jyHn8ly4KT5uOXAKcXPAANTaqWXmhN0pxn+UeXiGf9dHh2hWFr40VCn:7E09Z5mc4FcfAAvhWpxnoLf9dHZxVQrz

Score
10/10
emotetepoch1epoch3bankertrojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch1

C2

177.144.135.2:80

104.247.221.104:443

201.213.32.59:80

190.147.137.153:443

178.79.163.131:8080

190.17.195.202:80

212.71.237.140:8080

68.183.190.199:8080

12.162.84.2:8080

186.250.52.226:8080

181.129.96.162:8080

185.94.252.12:80

77.55.211.77:8080

177.72.13.80:80

70.32.115.157:8080

114.109.179.60:80

68.183.170.114:8080

5.196.35.138:7080

87.106.46.107:8080

190.163.1.31:8080
rsa_pubkey.plain

Extracted

Family

emotet

Botnet

Epoch3

C2

201.212.78.182:80

74.207.230.187:8080

81.214.253.80:443

181.167.35.84:80

195.201.56.70:8080

37.46.129.215:8080

190.251.235.239:80

192.163.221.191:8080

177.0.241.28:80

41.185.29.128:8080

46.105.131.68:8080

78.188.170.128:80

45.118.136.92:8080

163.172.107.70:8080

37.70.131.107:80

177.144.130.105:443

181.230.65.232:80

192.210.217.94:8080

181.164.110.7:80

50.116.78.109:8080
rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Emotet payload 8 IoCs

    Detects Emotet payload in memory.

    trojanbanker
  • Executes dropped EXE 3 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 56 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 62 IoCs
  • Suspicious use of SendNotifyMessage 60 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\2020-07-20.zip
    1⤵
      PID:3392
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:4688
      • C:\Program Files\7-Zip\7zG.exe
        "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\2020-07-20\" -spe -an -ai#7zMap1887:78:7zEvent25787
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:2716
      • C:\Users\Admin\Desktop\2020-07-20\1ad90b5aaf62cfcc58862d240e7434cbba005b722bbb7ae0abcf79345f7a5ec3.exe
        "C:\Users\Admin\Desktop\2020-07-20\1ad90b5aaf62cfcc58862d240e7434cbba005b722bbb7ae0abcf79345f7a5ec3.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:392
      • C:\Windows\system32\taskmgr.exe
        "C:\Windows\system32\taskmgr.exe" /4
        1⤵
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1536
      • C:\Users\Admin\Desktop\2020-07-20\1b8d17710f49eb41e4f408340811e44c738eeadb9f4629b18bcff37ac175c976.exe
        "C:\Users\Admin\Desktop\2020-07-20\1b8d17710f49eb41e4f408340811e44c738eeadb9f4629b18bcff37ac175c976.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:4832
      • C:\Users\Admin\Desktop\2020-07-20\1b06541ad523a8ab5fa42a7260a51e1b61b18b5c33528db6aa30b7a777231004.exe
        "C:\Users\Admin\Desktop\2020-07-20\1b06541ad523a8ab5fa42a7260a51e1b61b18b5c33528db6aa30b7a777231004.exe"
        1⤵
        • Executes dropped EXE
        PID:2716

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\Desktop\2020-07-20\1ad90b5aaf62cfcc58862d240e7434cbba005b722bbb7ae0abcf79345f7a5ec3.exe
        Filesize

        92KB

        MD5

        f00867953970a6fb94161d3ec951e264

        SHA1

        b4cf3b4f11b246223817d0433c946a5750708664

        SHA256

        1ad90b5aaf62cfcc58862d240e7434cbba005b722bbb7ae0abcf79345f7a5ec3

        SHA512

        54cd9905aa6a7df11e4bc3b697ac199cc2e340e519724a961e903b0b158f3895c3ecca6b44660733f872c53fbb6c536f60d3da1c734b7846a4b0c966d9af29a9

        Download Submit

      • C:\Users\Admin\Desktop\2020-07-20\1ad90b5aaf62cfcc58862d240e7434cbba005b722bbb7ae0abcf79345f7a5ec3.exe
        Filesize

        92KB

        MD5

        f00867953970a6fb94161d3ec951e264

        SHA1

        b4cf3b4f11b246223817d0433c946a5750708664

        SHA256

        1ad90b5aaf62cfcc58862d240e7434cbba005b722bbb7ae0abcf79345f7a5ec3

        SHA512

        54cd9905aa6a7df11e4bc3b697ac199cc2e340e519724a961e903b0b158f3895c3ecca6b44660733f872c53fbb6c536f60d3da1c734b7846a4b0c966d9af29a9

        Download Submit

      • C:\Users\Admin\Desktop\2020-07-20\1b06541ad523a8ab5fa42a7260a51e1b61b18b5c33528db6aa30b7a777231004.exe
        Filesize

        776KB

        MD5

        c917e89878c7f2c91ebc7caaa426bf39

        SHA1

        5fd9e9262c067e94598d4a4e429e3eab07aefee7

        SHA256

        1b06541ad523a8ab5fa42a7260a51e1b61b18b5c33528db6aa30b7a777231004

        SHA512

        b504ee5a66a787a541f68a6520966d8ff4db51dd70af8f7f6ea8e78ed338dee6c644f2e56bc0a3e2438c8692996dbc84403acb6bef5ba9dc29152911b37ca954

        Download Submit

      • C:\Users\Admin\Desktop\2020-07-20\1b06541ad523a8ab5fa42a7260a51e1b61b18b5c33528db6aa30b7a777231004.exe
        Filesize

        776KB

        MD5

        c917e89878c7f2c91ebc7caaa426bf39

        SHA1

        5fd9e9262c067e94598d4a4e429e3eab07aefee7

        SHA256

        1b06541ad523a8ab5fa42a7260a51e1b61b18b5c33528db6aa30b7a777231004

        SHA512

        b504ee5a66a787a541f68a6520966d8ff4db51dd70af8f7f6ea8e78ed338dee6c644f2e56bc0a3e2438c8692996dbc84403acb6bef5ba9dc29152911b37ca954

        Download Submit

      • C:\Users\Admin\Desktop\2020-07-20\1b8d17710f49eb41e4f408340811e44c738eeadb9f4629b18bcff37ac175c976.exe
        Filesize

        304KB

        MD5

        d4ab05622c0a2789a81c68dfb267925a

        SHA1

        039588a8b2cbb1d311c26580dbae1b70051f8343

        SHA256

        1b8d17710f49eb41e4f408340811e44c738eeadb9f4629b18bcff37ac175c976

        SHA512

        13b927cbbdfa95d7797ddecff8ae0b8a0bd22e1e9c7ed167773b546e394f3d9f64cfde2dcfe1a932f55137bc33be4d168fa514e5e1ea97e6804d97e6d60100ef

        Download Submit

      • C:\Users\Admin\Desktop\2020-07-20\1b8d17710f49eb41e4f408340811e44c738eeadb9f4629b18bcff37ac175c976.exe
        Filesize

        304KB

        MD5

        d4ab05622c0a2789a81c68dfb267925a

        SHA1

        039588a8b2cbb1d311c26580dbae1b70051f8343

        SHA256

        1b8d17710f49eb41e4f408340811e44c738eeadb9f4629b18bcff37ac175c976

        SHA512

        13b927cbbdfa95d7797ddecff8ae0b8a0bd22e1e9c7ed167773b546e394f3d9f64cfde2dcfe1a932f55137bc33be4d168fa514e5e1ea97e6804d97e6d60100ef

        Download Submit

      • C:\Users\Admin\Desktop\2020-07-20\3b4234689b756c2238146c5ed6de6e566d2559c1cb8685095a95578cd41ae4d6.doc
        Filesize

        173KB

        MD5

        d1dea24b77dc58196db461a0cd0943e2

        SHA1

        de5448914c8f14d6cec57137f4197ed7b372c70e

        SHA256

        3b4234689b756c2238146c5ed6de6e566d2559c1cb8685095a95578cd41ae4d6

        SHA512

        aba170e3989bc173444291c6e6b8dba4dff1330dc94d50aa7a16497b944191b2cf63069c2aec50d284c9a236ce040cbcbea83f15c044fc5e90a67ec6798498fe

        Download Submit

      • C:\Users\Admin\Desktop\2020-07-20\a2ae7ea281aa76681c05696af76da51230b599a60382ebefd27721799b46f382.iso
        Filesize

        894KB

        MD5

        a2976d0bf34475304d637ad74b51c423

        SHA1

        bdb3f83790eab2e6849dc459795947b71e51ea19

        SHA256

        a2ae7ea281aa76681c05696af76da51230b599a60382ebefd27721799b46f382

        SHA512

        d9ce620f1744ad7c1c47487daeebbc28428f3bf8e0aa702f19b67f814c72bbcfd7decf1081a6df728d65eefd64d001f2869e0fe3f0001d9d557848cfc6bf4d17

        Download Submit

      • C:\Users\Admin\Desktop\2020-07-20\b06d6de547e2f172c5922e47786750e64d0038668c2cca7581f38c4ff02af7a4.dll
        Filesize

        278KB

        MD5

        4d422c12d1ef0e4b27742a51e7fec8a3

        SHA1

        225b6495e25c3ca0a6f338afd713e4629c5c6a22

        SHA256

        b06d6de547e2f172c5922e47786750e64d0038668c2cca7581f38c4ff02af7a4

        SHA512

        0381b526b16807d5a02c57953b3dd3289b4710f4b2991228329bb7dc6d33c2f9ed5cb05c0db3c381226f539628a1c14f245d844f12e0c988d51e4f6ad6bbeed7

        Download Submit

      • C:\Users\Admin\Desktop\2020-07-20\cfaec538eaf892fd7fe8df8a79aa732ede58e8a302a159993d9f29d04f7ea404.exe
        Filesize

        339KB

        MD5

        9c262b973b0964ce7017b896d8a89b75

        SHA1

        924c65c9869cbc6625a5742924f841625300bb45

        SHA256

        cfaec538eaf892fd7fe8df8a79aa732ede58e8a302a159993d9f29d04f7ea404

        SHA512

        5efa51e60f078639e7e13495465519b5dbce24f067fbd47fbe4c853c295614c6d58ce4195b78da1e3bfd6499220f9e1f13945c602b47fce5c6ae6c30ace17135

        Download Submit

      • memory/392-1391-0x0000000000AD0000-0x0000000000AD9000-memory.dmp

        Filesize

        36KB

        Download

      • memory/392-1412-0x0000000000AE0000-0x0000000000AEC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/392-1392-0x0000000000AE0000-0x0000000000AEC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/392-1396-0x0000000000AE0000-0x0000000000AEC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/392-1397-0x0000000002450000-0x0000000002541000-memory.dmp

        Filesize

        964KB

        Download

      • memory/1536-1410-0x0000026C38970000-0x0000026C38971000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1536-1405-0x0000026C38970000-0x0000026C38971000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1536-1408-0x0000026C38970000-0x0000026C38971000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1536-1409-0x0000026C38970000-0x0000026C38971000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1536-1399-0x0000026C38970000-0x0000026C38971000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1536-1406-0x0000026C38970000-0x0000026C38971000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1536-1398-0x0000026C38970000-0x0000026C38971000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1536-1407-0x0000026C38970000-0x0000026C38971000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1536-1400-0x0000026C38970000-0x0000026C38971000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1536-1404-0x0000026C38970000-0x0000026C38971000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4832-1421-0x00000000022A0000-0x00000000022AC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/4832-1422-0x00000000022A0000-0x00000000022AC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/4832-1423-0x0000000002920000-0x0000000002A11000-memory.dmp

        Filesize

        964KB

        Download

      • memory/4832-1416-0x00000000022A0000-0x00000000022AC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/4832-1417-0x0000000002280000-0x0000000002289000-memory.dmp

        Filesize

        36KB

        Download