Resubmissions

29-07-2023 04:16

230729-ev7hqsah27 10

29-07-2023 04:16

230729-ev281sbe7t 10

28-07-2023 18:29

230728-w5en5sgf37 10

Analysis

  • max time kernel
    151s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28-07-2023 18:29

General

  • Target

    c5e06a4b5bb840ex_JC.exe

  • Size

    262KB

  • MD5

    c5e06a4b5bb8405acda4dabb99536291

  • SHA1

    d91b9e8c2645746a735c909fb298f23797157ac8

  • SHA256

    d270723b72eb71b721d1b7ec77667f3f799e5069b65971ef360292cd43c67b7c

  • SHA512

    4548c1d8042f47cc5c1240c1ebb68234a25684cb5a82f7578b5f49c963b2fde9e8fefd3a3567ba9a122b1dc129560235b1c3db95c99fde500a89cf13a30af0ec

  • SSDEEP

    6144:YzxQjP1gLp2i2NBYW2e42sqW9dl4e4tU5:Yzgi2NBY9XpYU5

Malware Config

Extracted

Family

emotet

Botnet

Epoch1

C2

rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses (16 IoCs)
  • Suspicious behavior: RenamesItself (1 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\c5e06a4b5bb840ex_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\c5e06a4b5bb840ex_JC.exe"
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4904
    • C:\Windows\SysWOW64\joinproviderol\joinproviderol.exe
      "C:\Windows\SysWOW64\joinproviderol\joinproviderol.exe"
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2132

Downloads

  • memory/2132-138-0x0000000000530000-0x000000000053C000-memory.dmp
    Filesize: 48KB

  • memory/2132-141-0x0000000002140000-0x00000000021BA000-memory.dmp
    Filesize: 488KB

  • memory/4904-134-0x0000000002280000-0x000000000228C000-memory.dmp
    Filesize: 48KB

  • memory/4904-133-0x0000000000620000-0x000000000062A000-memory.dmp
    Filesize: 40KB

  • memory/4904-137-0x0000000002300000-0x000000000237A000-memory.dmp
    Filesize: 488KB