Overview

overview

10

Static

static

3

2024-02-04...id.exe

windows7-x64

10

2024-02-04...id.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-02-2024 14:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-02-04_5a1d7a32649b3a2119ee4e5c053cd9a0_icedid.exe

  • Size

    452KB

  • MD5

    5a1d7a32649b3a2119ee4e5c053cd9a0

  • SHA1

    01d41589d386ac6a91c24b17322125528ac3a55f

  • SHA256

    7561fbd9bea06c1f703fe87da59d818c096b92d133edbce4f8c5523e6a117224

  • SHA512

    5eb1c9687bddcea32b8afb25f8360ecabd6364df059675a55d2181e4770ee1b917dec80648156f0d4b33013b1588f026360b9099e0fe4009974a8159163fa79b

  • SSDEEP

    6144:TvrPZDeMVjTPBlbG2Rmzd0OGKi74RWkM8ZVx4QcSahHF:35l2zdAKiuWkrxa

Score
10/10
emotetepoch3bankertrojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch3

C2

77.245.12.212:80

189.134.4.209:443

1.32.54.12:8080

172.105.213.30:80

69.30.205.162:7080

50.63.13.135:8080

192.161.190.171:8080

190.5.162.204:80

50.116.78.109:8080

210.224.65.117:80

186.215.101.106:80

5.189.148.98:8080

81.82.247.216:80

139.162.185.116:443

172.104.70.207:8080

143.95.101.72:8080

190.189.79.73:80

83.110.107.243:443

82.79.244.92:80

195.201.56.68:7080
rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-02-04_5a1d7a32649b3a2119ee4e5c053cd9a0_icedid.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-02-04_5a1d7a32649b3a2119ee4e5c053cd9a0_icedid.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3672
    • C:\Users\Admin\AppData\Local\Temp\2024-02-04_5a1d7a32649b3a2119ee4e5c053cd9a0_icedid.exe
      --25d98d1e
      2⤵
      • Suspicious behavior: RenamesItself
      • Suspicious use of SetWindowsHookEx
      PID:864
  • C:\Windows\SysWOW64\boostspeed.exe
    "C:\Windows\SysWOW64\boostspeed.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1544
    • C:\Windows\SysWOW64\boostspeed.exe
      --5bdc7416
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1408

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/864-6-0x0000000002160000-0x0000000002177000-memory.dmp
    Filesize

    92KB

    Download
  • memory/1408-16-0x0000000000620000-0x0000000000637000-memory.dmp
    Filesize

    92KB

    Download
  • memory/1544-11-0x0000000000A10000-0x0000000000A27000-memory.dmp
    Filesize

    92KB

    Download
  • memory/3672-0-0x0000000000780000-0x0000000000797000-memory.dmp
    Filesize

    92KB

    Download
  • memory/3672-5-0x0000000000760000-0x0000000000771000-memory.dmp
    Filesize

    68KB

    Download