Analysis

  • max time kernel
    135s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    08-03-2024 12:42

General

  • Target

    bb49d3fbd4cb3fdc2bb2256463275826.exe

  • Size

    480KB

  • MD5

    bb49d3fbd4cb3fdc2bb2256463275826

  • SHA1

    ee7ad5be4550845f3cac328d2ece58b7225e900e

  • SHA256

    65c97fcbc4483c7dbd4692342ce8c7089573603677f917e40b45cea43a30abab

  • SHA512

    28d330283830844c13b2680e2569e2d686ff86b5d71b678e6dd24c17e42ec59517c3b032e5e9596340ddceaa7e7a08928a0e124a6bb8796091f0c4557a87fe99

  • SSDEEP

    12288:L7seycbncWlgxDb3qhmic7zziD5ap/LeDeqwyx:cey8lgR31iFapSqqn

Malware Config

Extracted

Family

emotet

Botnet

Epoch3

C2

152.169.31.120:8080

211.20.154.102:80

45.55.179.121:8080

198.211.121.27:8080

82.145.43.153:8080

139.59.12.63:8080

154.73.137.131:80

78.188.33.71:80

50.116.78.109:8080

187.72.47.161:443

195.250.143.182:80

42.51.192.231:8080

178.62.75.204:8080

187.177.155.123:990

189.235.233.119:80

101.141.5.17:80

181.167.35.84:80

183.82.123.60:443

77.74.78.80:443

177.144.130.105:443

rsa_pubkey.plain
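
The extracted C2 list is the most directly actionable part of this report. The script below is an added example and is not part of the sandbox output: it parses the twenty ip:port entries above, summarises the ports involved (a single endpoint on 990 sits alongside the usual 80, 443 and 8080, so an egress rule limited to web ports would miss it), and checks a constructed firewall-style connection log against the list, reporting exact ip:port hits as well as connections to a listed IP on some other port. The log format, the internal addresses and the timestamps are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Emotet Epoch3 C2 endpoints exactly as extracted in the report above.
EMOTET_C2 = """
152.169.31.120:8080
211.20.154.102:80
45.55.179.121:8080
198.211.121.27:8080
82.145.43.153:8080
139.59.12.63:8080
154.73.137.131:80
78.188.33.71:80
50.116.78.109:8080
187.72.47.161:443
195.250.143.182:80
42.51.192.231:8080
178.62.75.204:8080
187.177.155.123:990
189.235.233.119:80
101.141.5.17:80
181.167.35.84:80
183.82.123.60:443
77.74.78.80:443
177.144.130.105:443
"""


def parse_c2(block):
    """Turn 'ip:port' lines into a set of (ip, port) tuples, validating each IP."""
    endpoints = set()
    for line in block.splitlines():
        line = line.strip()
        if not line:
            continue
        host, _, port = line.rpartition(":")
        ipaddress.ip_address(host)  # raises ValueError on a malformed entry
        endpoints.add((host, int(port)))
    return endpoints


def ports_in_use(endpoints):
    """Port histogram: shows which egress rules (80/443/8080, plus 990) a hunt must cover."""
    return Counter(port for _, port in endpoints)


# Constructed firewall-style connection log (generic key=value format, not from the report).
SAMPLE_LOG = """
2024-03-08T12:43:01Z src=10.0.0.23:49211 dst=152.169.31.120:8080 proto=tcp action=allow
2024-03-08T12:43:02Z src=10.0.0.23:49212 dst=93.184.216.34:443 proto=tcp action=allow
2024-03-08T12:43:05Z src=10.0.0.23:49213 dst=187.177.155.123:990 proto=tcp action=allow
2024-03-08T12:43:07Z src=10.0.0.41:51002 dst=152.169.31.120:443 proto=tcp action=allow
2024-03-08T12:43:09Z src=10.0.0.41:51003 dst=8.8.8.8:53 proto=udp action=allow
"""

LOG_RE = re.compile(r"src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):(?P<port>\d+)")


def match_c2(log_text, endpoints):
    """Flag connections to the C2 list. An exact ip:port hit is 'c2_exact'; the same IP on
    another port is still reported as 'c2_ip', because the host is what is compromised."""
    c2_ips = {ip for ip, _ in endpoints}
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        dst, port = m["dst"], int(m["port"])
        if (dst, port) in endpoints:
            hits.append((m["src"], dst, port, "c2_exact"))
        elif dst in c2_ips:
            hits.append((m["src"], dst, port, "c2_ip"))
    return hits


if __name__ == "__main__":
    c2 = parse_c2(EMOTET_C2)
    print(len(c2), "C2 endpoints; ports:", dict(ports_in_use(c2)))
    for hit in match_c2(SAMPLE_LOG, c2):
        print("ALERT", *hit)
```

Matching on the bare IP as a second tier is deliberate: Emotet C2 lists rotate ports between configuration builds, and a host that appeared in one extracted list is worth a look whatever port it is contacted on.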

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails. The configuration extracted from this sample places it in the Epoch3 botnet (see Malware Config above).

  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 21 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bb49d3fbd4cb3fdc2bb2256463275826.exe
    "C:\Users\Admin\AppData\Local\Temp\bb49d3fbd4cb3fdc2bb2256463275826.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2648
    • C:\Users\Admin\AppData\Local\Temp\bb49d3fbd4cb3fdc2bb2256463275826.exe
      --a40aa9df
      2⤵
      • Suspicious behavior: RenamesItself
      • Suspicious use of SetWindowsHookEx
      PID:3008
  • C:\Windows\SysWOW64\sestargets.exe
    "C:\Windows\SysWOW64\sestargets.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2568
    • C:\Windows\SysWOW64\sestargets.exe
      --235e9d13
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2368
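
The process tree shows the same pattern twice: a parent launches a copy of its own image with a single argument of the form --<8 hex digits> (--a40aa9df for the sample under %TEMP%, --235e9d13 for the copy dropped as sestargets.exe in SysWOW64). The detection sketch below is added here and is not part of the report. It runs that rule over constructed process-creation events shaped like Sysmon Event ID 1 fields, then correlates the two chains into one alert. The PIDs, images and arguments mirror the tree above; the parent of each root process and the two decoy events are assumptions made for the example.

```python
import re

HEX_ARG = re.compile(r"^--[0-9a-fA-F]{8}$")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TEMP_DIR = "\\appdata\\local\\temp\\"

# Constructed process-creation events (Sysmon Event ID 1 style fields). PIDs, images and
# arguments mirror the report's process tree; the parents of the two roots and the two
# decoy events at the end are invented for the example.
EVENTS = [
    {"pid": 2648, "image": r"C:\Users\Admin\AppData\Local\Temp\bb49d3fbd4cb3fdc2bb2256463275826.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\bb49d3fbd4cb3fdc2bb2256463275826.exe"',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 3008, "image": r"C:\Users\Admin\AppData\Local\Temp\bb49d3fbd4cb3fdc2bb2256463275826.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\bb49d3fbd4cb3fdc2bb2256463275826.exe" --a40aa9df',
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\bb49d3fbd4cb3fdc2bb2256463275826.exe"},
    {"pid": 2568, "image": r"C:\Windows\SysWOW64\sestargets.exe",
     "cmdline": r'"C:\Windows\SysWOW64\sestargets.exe"',
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"pid": 2368, "image": r"C:\Windows\SysWOW64\sestargets.exe",
     "cmdline": r'"C:\Windows\SysWOW64\sestargets.exe" --235e9d13',
     "parent_image": r"C:\Windows\SysWOW64\sestargets.exe"},
    # Decoys: a normal service host, and an updater with an 8-hex argument but a different parent.
    {"pid": 4100, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r"C:\Windows\SysWOW64\svchost.exe -k netsvcs",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"pid": 4212, "image": r"C:\Program Files\Example\updater.exe",
     "cmdline": r'"C:\Program Files\Example\updater.exe" --deadbeef',
     "parent_image": r"C:\Windows\explorer.exe"},
]


def arguments(cmdline):
    """Tokenise a Windows command line and drop the leading image token, whether quoted or a
    bare path ending in .exe, so the sandbox's bare '--a40aa9df' rendering also parses."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    if tokens and (tokens[0].startswith('"') or tokens[0].lower().endswith(".exe")):
        tokens = tokens[1:]
    return tokens


def classify(event):
    """Rule: a process relaunching its own image with exactly one '--<8 hex>' argument.
    Severity rises when the image lives in System32/SysWOW64, as the dropped copy does."""
    args = arguments(event["cmdline"])
    hex_only = len(args) == 1 and HEX_ARG.match(args[0]) is not None
    same_image = event["image"].lower() == event["parent_image"].lower()
    if not (hex_only and same_image):
        return []
    in_system_dir = event["image"].lower().startswith(SYSTEM_DIRS)
    return [("self_relaunch_with_8hex_arg", "high" if in_system_dir else "medium")]


def hunt(events):
    """Apply classify() to every event, then correlate: the same relaunch pattern seen for a
    %TEMP% image and for a System32/SysWOW64 image is the drop-and-persist chain in one alert."""
    findings = []
    flagged_images = set()
    for e in events:
        for rule, severity in classify(e):
            findings.append((e["pid"], rule, severity))
            flagged_images.add(e["image"].lower())
    if any(i.startswith(SYSTEM_DIRS) for i in flagged_images) and any(TEMP_DIR in i for i in flagged_images):
        findings.append((None, "relaunch_pattern_in_temp_and_system_dir", "critical"))
    return findings


if __name__ == "__main__":
    for pid, rule, severity in hunt(EVENTS):
        print(f"{severity:8} pid={pid} {rule}")
```

The same-image condition is what keeps the rule quiet on the updater decoy: plenty of legitimate software takes an opaque hex token, but very little relaunches its own binary to do so, and nothing legitimate does it from a freshly written executable in SysWOW64.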

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2368-19-0x0000000000540000-0x0000000000564000-memory.dmp

    Filesize

    144KB

  • memory/2568-13-0x0000000000A00000-0x0000000000A24000-memory.dmp

    Filesize

    144KB

  • memory/2648-0-0x0000000001E50000-0x0000000001E74000-memory.dmp

    Filesize

    144KB

  • memory/2648-3-0x0000000001E20000-0x0000000001E43000-memory.dmp

    Filesize

    140KB

  • memory/3008-7-0x0000000001EB0000-0x0000000001ED4000-memory.dmp

    Filesize

    144KB
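
Each dump name encodes the PID and the address range of the captured region, so the listed sizes can be cross-checked and regions compared across processes before anything is opened in a disassembler. The helper below is an added example, not part of the report; the naming scheme memory/<pid>-<index>-<start>-<end>-memory.dmp is inferred from the five entries above. Four of the five regions are the same 0x24000 bytes (144KB) in four different processes, which makes them the natural first candidates to hash or diff against each other.

```python
import re
from collections import defaultdict

# Dump entries exactly as listed above: (file name, size the report shows for it).
DUMPS = [
    ("memory/2368-19-0x0000000000540000-0x0000000000564000-memory.dmp", "144KB"),
    ("memory/2568-13-0x0000000000A00000-0x0000000000A24000-memory.dmp", "144KB"),
    ("memory/2648-0-0x0000000001E50000-0x0000000001E74000-memory.dmp", "144KB"),
    ("memory/2648-3-0x0000000001E20000-0x0000000001E43000-memory.dmp", "140KB"),
    ("memory/3008-7-0x0000000001EB0000-0x0000000001ED4000-memory.dmp", "144KB"),
]

# Assumed naming scheme, inferred from the entries: memory/<pid>-<index>-<start>-<end>-memory.dmp
NAME_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)


def parse_dump(name):
    """Decode pid, index and address range; reject empty or non-page-aligned regions."""
    m = NAME_RE.fullmatch(name)
    if m is None:
        raise ValueError(f"unexpected dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start or start % 0x1000 or end % 0x1000:
        raise ValueError(f"region empty or not page-aligned: {name}")
    return {"pid": int(m["pid"]), "idx": int(m["idx"]), "start": start, "end": end, "size": end - start}


def size_mismatches(dumps):
    """Entries whose listed size disagrees with the address range encoded in the name."""
    bad = []
    for name, reported in dumps:
        kb = parse_dump(name)["size"] // 1024
        if f"{kb}KB" != reported:
            bad.append((name, f"{kb}KB", reported))
    return bad


def pids_by_region_size(dumps):
    """Group PIDs by region size. The same code unpacked into several processes tends to
    land in regions of identical size even though the base addresses differ, so equal-size
    groups are where to start hashing and diffing."""
    groups = defaultdict(set)
    for name, _ in dumps:
        d = parse_dump(name)
        groups[d["size"]].add(d["pid"])
    return dict(groups)


if __name__ == "__main__":
    print("size mismatches:", size_mismatches(DUMPS))
    for size, pids in sorted(pids_by_region_size(DUMPS).items()):
        print(f"0x{size:x} ({size // 1024}KB): pids {sorted(pids)}")
```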