Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08-03-2024 12:42

General

  • Target

    bb49d3fbd4cb3fdc2bb2256463275826.exe

  • Size

    480KB

  • MD5

    bb49d3fbd4cb3fdc2bb2256463275826

  • SHA1

    ee7ad5be4550845f3cac328d2ece58b7225e900e

  • SHA256

    65c97fcbc4483c7dbd4692342ce8c7089573603677f917e40b45cea43a30abab

  • SHA512

    28d330283830844c13b2680e2569e2d686ff86b5d71b678e6dd24c17e42ec59517c3b032e5e9596340ddceaa7e7a08928a0e124a6bb8796091f0c4557a87fe99

  • SSDEEP

    12288:L7seycbncWlgxDb3qhmic7zziD5ap/LeDeqwyx:cey8lgR31iFapSqqn

Malware Config

Extracted

Family

emotet

Botnet

Epoch3

C2

152.169.31.120:8080

211.20.154.102:80

45.55.179.121:8080

198.211.121.27:8080

82.145.43.153:8080

139.59.12.63:8080

154.73.137.131:80

78.188.33.71:80

50.116.78.109:8080

187.72.47.161:443

195.250.143.182:80

42.51.192.231:8080

178.62.75.204:8080

187.177.155.123:990

189.235.233.119:80

101.141.5.17:80

181.167.35.84:80

183.82.123.60:443

77.74.78.80:443

177.144.130.105:443

rsa_pubkey.plain
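The C2 list above is only useful if it gets turned into something that runs against traffic. The script below is an added example (not part of the sandbox report): it validates the extracted ip:port pairs and matches them against a Zeek conn.log-style excerpt. The log lines are constructed, and the "low" confidence tier for IP-only matches is a design choice of this example, not something the report states.

```python
import ipaddress
from typing import Dict, Iterable, List, Set, Tuple

# C2 endpoints exactly as listed in the report's extracted Emotet (Epoch3) config.
EMOTET_EPOCH3_C2 = [
    "152.169.31.120:8080", "211.20.154.102:80", "45.55.179.121:8080",
    "198.211.121.27:8080", "82.145.43.153:8080", "139.59.12.63:8080",
    "154.73.137.131:80", "78.188.33.71:80", "50.116.78.109:8080",
    "187.72.47.161:443", "195.250.143.182:80", "42.51.192.231:8080",
    "178.62.75.204:8080", "187.177.155.123:990", "189.235.233.119:80",
    "101.141.5.17:80", "181.167.35.84:80", "183.82.123.60:443",
    "77.74.78.80:443", "177.144.130.105:443",
]


def parse_c2(entries: Iterable[str]) -> Set[Tuple[str, int]]:
    """Turn 'ip:port' strings into a validated set of (ip, port) tuples.

    Validating at load time matters: a malformed indicator from a config
    extractor otherwise just never matches, and nobody notices.
    """
    out: Set[Tuple[str, int]] = set()
    for entry in entries:
        host, sep, port_s = entry.rpartition(":")
        if not sep:
            raise ValueError(f"missing port in indicator {entry!r}")
        ip = ipaddress.ip_address(host)  # raises ValueError on garbage
        port = int(port_s)
        if not 0 < port < 65536:
            raise ValueError(f"bad port in indicator {entry!r}")
        out.add((str(ip), port))
    return out


# Constructed sample (not real traffic): a Zeek conn.log-style TSV subset with
# ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p. Lines starting with '#' are headers.
SAMPLE_CONN_LOG = """\
#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p
1709901750.112\t10.0.0.15\t49710\t152.169.31.120\t8080
1709901751.305\t10.0.0.15\t49711\t8.8.8.8\t53
1709901752.917\t10.0.0.15\t49712\t187.72.47.161\t443
1709901760.004\t10.0.0.22\t49800\t45.55.179.121\t443
"""


def match_conn_log(log_text: str, c2: Set[Tuple[str, int]]) -> List[Dict[str, object]]:
    """Flag flows whose destination is a known C2.

    An ip:port match is 'high' confidence. A match on IP alone is kept as
    'low' confidence rather than dropped: the config in a report is a
    snapshot of one sample, and the same host may reappear on another port
    in a later build.
    """
    c2_ips = {ip for ip, _ in c2}
    hits: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        ts, src, sport, dst, dport = raw.split("\t")
        dport_i = int(dport)
        if (dst, dport_i) in c2:
            confidence = "high"
        elif dst in c2_ips:
            confidence = "low"
        else:
            continue
        hits.append({"ts": ts, "src": src, "dst": dst,
                     "dport": dport_i, "confidence": confidence})
    return hits


if __name__ == "__main__":
    for hit in match_conn_log(SAMPLE_CONN_LOG, parse_c2(EMOTET_EPOCH3_C2)):
        print(hit)
```

Feed real conn.log output through `match_conn_log` after stripping Zeek's other columns, and treat "low" hits as pivots for a second look rather than as alerts on their own.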

Signatures

  • Emotet

    Emotet is a modular loader and banking trojan that is primarily spread through malicious spam attachments; the Epoch3 botnet label and the C2 list above come from its extracted configuration.

  • Drops file in System32 directory (4 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS (3 IoCs)
  • Suspicious behavior: EnumeratesProcesses (10 IoCs)
  • Suspicious behavior: RenamesItself (1 IoC)
  • Suspicious use of SetWindowsHookEx (8 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\bb49d3fbd4cb3fdc2bb2256463275826.exe
    "C:\Users\Admin\AppData\Local\Temp\bb49d3fbd4cb3fdc2bb2256463275826.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4964
    • C:\Users\Admin\AppData\Local\Temp\bb49d3fbd4cb3fdc2bb2256463275826.exe
      --a40aa9df
      2⤵
      • Suspicious behavior: RenamesItself
      • Suspicious use of SetWindowsHookEx
      PID:1972
  • C:\Windows\SysWOW64\sidebarwmp.exe
    "C:\Windows\SysWOW64\sidebarwmp.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4992
    • C:\Windows\SysWOW64\sidebarwmp.exe
      --e45a3410
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4556
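The process tree shows the behaviour worth detecting: the sample re-executes its own image with a single `--` argument of eight hex digits (`--a40aa9df`), and the same pattern repeats from a copy under C:\Windows\SysWOW64 with a new name (`--e45a3410`). The detection below is an added example, not part of the report or of any vendor's rule set. It runs over constructed process-creation events in the shape of Sysmon Event ID 1; the PIDs and paths follow the report, but the parent of PID 4992 is not shown in the report and is assumed here, and the browser events are included only as a benign self-spawn that must not match.

```python
import re
from typing import Dict, List

# Relaunch argument as observed in the report: "--" followed by exactly eight
# hex digits, as the last and only argument.
RELAUNCH_ARG = re.compile(r"\s--[0-9a-f]{8}\s*$", re.IGNORECASE)
SYSWOW64 = "c:\\windows\\syswow64\\"

TEMP_EXE = r"C:\Users\Admin\AppData\Local\Temp\bb49d3fbd4cb3fdc2bb2256463275826.exe"
SYS_EXE = r"C:\Windows\SysWOW64\sidebarwmp.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"

# Constructed events (Sysmon Event ID 1 fields: ProcessId, ParentProcessId,
# Image, CommandLine). The ppid of 4992 is an assumption; the report shows
# sidebarwmp.exe as a separate root without its parent.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"pid": 2204, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 4964, "ppid": 2204, "image": TEMP_EXE, "cmd": f'"{TEMP_EXE}"'},
    {"pid": 1972, "ppid": 4964, "image": TEMP_EXE, "cmd": f'"{TEMP_EXE}" --a40aa9df'},
    {"pid": 4992, "ppid": 1972, "image": SYS_EXE, "cmd": f'"{SYS_EXE}"'},  # ppid assumed
    {"pid": 4556, "ppid": 4992, "image": SYS_EXE, "cmd": f'"{SYS_EXE}" --e45a3410'},
    # Benign control: a browser also spawns its own image, but with named
    # arguments, so the eight-hex-digit rule must not fire here.
    {"pid": 6088, "ppid": 2204, "image": CHROME, "cmd": f'"{CHROME}"'},
    {"pid": 6100, "ppid": 6088, "image": CHROME,
     "cmd": f'"{CHROME}" --type=renderer --lang=en-US'},
]


def detect_self_relaunch(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Find processes that re-execute their parent's image with a --<8 hex> argument.

    A hit from under SysWOW64 is rated higher: that is the persisted copy,
    which in the report is the one that drops files in System32 and writes
    HKEY_USERS.
    """
    by_pid = {e["pid"]: e for e in events}
    findings: List[Dict[str, object]] = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue  # parent not in this event window; cannot compare images
        if str(parent["image"]).lower() != str(e["image"]).lower():
            continue
        cmd = str(e["cmd"])
        if not RELAUNCH_ARG.search(cmd):
            continue
        in_syswow64 = str(e["image"]).lower().startswith(SYSWOW64)
        findings.append({
            "parent_pid": parent["pid"],
            "pid": e["pid"],
            "image": e["image"],
            "arg": cmd.rsplit("--", 1)[1].strip(),
            "in_syswow64": in_syswow64,
            "severity": "high" if in_syswow64 else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in detect_self_relaunch(SAMPLE_EVENTS):
        print(f)
```

The image-equality check is what keeps this rule quiet on ordinary software: many programs spawn themselves, but few pass a bare eight-hex-digit token as the sole argument. Tighten further by requiring the parent's image to live under a user-writable path or under SysWOW64 with a name absent from a known-good inventory, if that inventory exists in your environment.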

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/1972-7-0x0000000002420000-0x0000000002444000-memory.dmp

    Filesize

    144KB

  • memory/4556-19-0x00000000016D0000-0x00000000016F4000-memory.dmp

    Filesize

    144KB

  • memory/4964-0-0x0000000002430000-0x0000000002454000-memory.dmp

    Filesize

    144KB

  • memory/4964-3-0x0000000002400000-0x0000000002423000-memory.dmp

    Filesize

    140KB

  • memory/4992-13-0x0000000001690000-0x00000000016B4000-memory.dmp

    Filesize

    144KB