Analysis

  • max time kernel
    130s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    15/03/2024, 00:57

General

  • Target

    ca13e5376702f5b2d761ffb816b1cd27.exe

  • Size

    556KB

  • MD5

    ca13e5376702f5b2d761ffb816b1cd27

  • SHA1

    4f11b9b8e8ffb34908aa3ab18af13a43e1b1dc86

  • SHA256

    e787dba061d08479637fc625bb901d4c8730bf5af3d079776f0c12a37ca8562f

  • SHA512

    4f1828dda7336e40bd2f539f30ebe22a2bb0da409798f0d440137f919da38a0454ee785a62abaed21c37a969ff4bd6214f22cb195bd7fb079f6b41584a184634

  • SSDEEP

    12288:ubFmNHloUQYbEZpakjYDJA1zpYDwUeiRjPjMZ:rHNQYbuDj6SfKjPG

Malware Config

Extracted

Family

emotet

Botnet

Epoch1

C2

109.166.89.91:80

200.71.193.220:443

118.200.218.193:443

104.236.137.72:8080

172.104.233.225:8080

213.189.36.51:8080

85.234.143.94:8080

68.183.190.199:8080

5.196.35.138:7080

96.20.84.254:7080

69.163.33.84:8080

207.154.204.40:8080

2.38.99.79:80

50.28.51.143:8080

189.173.113.67:443

181.135.153.203:443

134.209.214.126:8080

62.75.143.100:7080

182.48.194.6:8090

86.42.166.147:80

rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Drops file in System32 directory (1 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS (21 IoCs)
  • Suspicious behavior: EnumeratesProcesses (3 IoCs)
  • Suspicious behavior: RenamesItself (1 IoCs)
  • Suspicious use of SetWindowsHookEx (4 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\ca13e5376702f5b2d761ffb816b1cd27.exe
    "C:\Users\Admin\AppData\Local\Temp\ca13e5376702f5b2d761ffb816b1cd27.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1244
    • C:\Users\Admin\AppData\Local\Temp\ca13e5376702f5b2d761ffb816b1cd27.exe
      --c27f1cb8
      2⤵
      • Suspicious behavior: RenamesItself
      • Suspicious use of SetWindowsHookEx
      PID:2188
  • C:\Windows\SysWOW64\printschunker.exe
    "C:\Windows\SysWOW64\printschunker.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2552
    • C:\Windows\SysWOW64\printschunker.exe
      --4e948aaa
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2640

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/1244-0-0x0000000000250000-0x0000000000267000-memory.dmp

    Filesize

    92KB

  • memory/1244-2-0x00000000001B0000-0x00000000001C1000-memory.dmp

    Filesize

    68KB

  • memory/2188-6-0x0000000000300000-0x0000000000317000-memory.dmp

    Filesize

    92KB

  • memory/2552-11-0x0000000000310000-0x0000000000327000-memory.dmp

    Filesize

    92KB

  • memory/2640-16-0x0000000000260000-0x0000000000277000-memory.dmp

    Filesize

    92KB