Overview

overview

10

Static

static

3

ee7b8d7ea2...JC.exe

windows7-x64

10

ee7b8d7ea2...JC.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    139s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230824-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230824-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-08-2023 19:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ee7b8d7ea2079b2caccf61227fe17b57_icedid_JC.exe

  • Size

    272KB

  • MD5

    ee7b8d7ea2079b2caccf61227fe17b57

  • SHA1

    fe9055fe172abb22ac3cec65df7aeb1454210f78

  • SHA256

    9b6c77630d8501359b4231ce03fbf34b123abba06f4bec2c8e3d6662a2cf0bda

  • SHA512

    d10b1f22d2afe99ec42519a51b569495b0fd541d0bc398054b88d407d19ee482ffb3f00071a36bef55a0ad529ab440c50c8b2f81495da897b7941b44a0048654

  • SSDEEP

    6144:sWIr7BmCNyXHhGVDfF6TREmvZbHzFxYClHg5U:VE7BmSkHEV56vvZbHzjlA5

Score
10/10
emotetepoch2bankertrojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

C2

192.158.216.73:80

85.214.28.226:8080

142.44.137.67:443

162.241.242.173:8080

85.152.162.105:80

62.30.7.67:443

78.24.219.147:8080

74.120.55.163:80

169.239.182.217:8080

216.208.76.186:80

95.213.236.64:8080

200.114.213.233:8080

104.131.44.150:8080

70.121.172.89:80

75.139.38.211:80

185.94.252.104:443

97.82.79.83:80

103.86.49.11:8080

79.98.24.39:8080

83.169.36.251:8080
rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ee7b8d7ea2079b2caccf61227fe17b57_icedid_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\ee7b8d7ea2079b2caccf61227fe17b57_icedid_JC.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4272
    • C:\Windows\SysWOW64\NtlmShared\fvecerts.exe
      "C:\Windows\SysWOW64\NtlmShared\fvecerts.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4156

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\NtlmShared\fvecerts.exe
    Filesize

    272KB

    MD5

    ee7b8d7ea2079b2caccf61227fe17b57

    SHA1

    fe9055fe172abb22ac3cec65df7aeb1454210f78

    SHA256

    9b6c77630d8501359b4231ce03fbf34b123abba06f4bec2c8e3d6662a2cf0bda

    SHA512

    d10b1f22d2afe99ec42519a51b569495b0fd541d0bc398054b88d407d19ee482ffb3f00071a36bef55a0ad529ab440c50c8b2f81495da897b7941b44a0048654

    Download Submit
  • memory/4156-9-0x0000000002160000-0x000000000216E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/4156-13-0x0000000002170000-0x000000000217C000-memory.dmp
    Filesize

    48KB

    Download
  • memory/4272-1-0x0000000002260000-0x000000000226E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/4272-0-0x0000000002250000-0x000000000225B000-memory.dmp
    Filesize

    44KB

    Download
  • memory/4272-5-0x0000000002270000-0x000000000227C000-memory.dmp
    Filesize

    48KB

    Download