Malware Analysis Report

2025-01-03 06:13

Sample ID 240523-att4sseg7w
Target 931fcc0dce88b617a2f1d17b92fdc2944e29d2bee9f59e375d8b0a8c3b4f368a
SHA256 931fcc0dce88b617a2f1d17b92fdc2944e29d2bee9f59e375d8b0a8c3b4f368a
Tags
emotet epoch4 banker trojan
score
10/10


Analysis Overview

score
10/10

SHA256

931fcc0dce88b617a2f1d17b92fdc2944e29d2bee9f59e375d8b0a8c3b4f368a

Threat Level: Known bad

The file 931fcc0dce88b617a2f1d17b92fdc2944e29d2bee9f59e375d8b0a8c3b4f368a was found to be: Known bad.

Malicious Activity Summary

emotet epoch4 banker trojan

Emotet

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-23 00:30

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A         | N/A       | N/A     | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-23 00:30

Reported

2024-05-23 00:33

Platform

win7-20240508-en

Max time kernel

149s

Max time network

149s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\931fcc0dce88b617a2f1d17b92fdc2944e29d2bee9f59e375d8b0a8c3b4f368a.dll

Signatures

Emotet

trojan banker emotet

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process                          | Target
N/A         | N/A       | C:\Windows\system32\regsvr32.exe | N/A

Suspicious behavior: RenamesItself

Description | Indicator | Process                          | Target
N/A         | N/A       | C:\Windows\system32\regsvr32.exe | N/A

Suspicious use of WriteProcessMemory

Description                     | Indicator | Process                          | Target
PID 2216 wrote to memory of 556 | N/A       | C:\Windows\system32\regsvr32.exe | C:\Windows\system32\regsvr32.exe
PID 2216 wrote to memory of 556 | N/A       | C:\Windows\system32\regsvr32.exe | C:\Windows\system32\regsvr32.exe
PID 2216 wrote to memory of 556 | N/A       | C:\Windows\system32\regsvr32.exe | C:\Windows\system32\regsvr32.exe
PID 2216 wrote to memory of 556 | N/A       | C:\Windows\system32\regsvr32.exe | C:\Windows\system32\regsvr32.exe
PID 2216 wrote to memory of 556 | N/A       | C:\Windows\system32\regsvr32.exe | C:\Windows\system32\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\931fcc0dce88b617a2f1d17b92fdc2944e29d2bee9f59e375d8b0a8c3b4f368a.dll

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\AWqeqM\bpxnNWJqP.dll"

Network

Country | Destination         | Domain        | Proto
US      | 173.82.82.196:8080  |               | tcp
US      | 173.82.82.196:8080  |               | tcp
SG      | 159.89.202.34:443   | 159.89.202.34 | tcp
US      | 173.239.37.178:8080 |               | tcp
US      | 173.239.37.178:8080 |               | tcp
ES      | 89.29.244.7:443     |               | tcp
ES      | 89.29.244.7:443     |               | tcp
TH      | 150.95.66.124:8080  |               | tcp

Files

memory/2216-0-0x0000000180000000-0x000000018002F000-memory.dmp

memory/2216-3-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/2216-4-0x000007FEF6FE0000-0x000007FEF703F000-memory.dmp

memory/556-8-0x0000000180000000-0x000000018002F000-memory.dmp

memory/556-9-0x000007FEF6F80000-0x000007FEF6FDF000-memory.dmp

memory/556-11-0x000007FEF6F80000-0x000007FEF6FDF000-memory.dmp

memory/556-12-0x000007FEF6F80000-0x000007FEF6FDF000-memory.dmp

memory/556-31-0x000007FEF6F80000-0x000007FEF6FDF000-memory.dmp

memory/556-33-0x000007FEF6F80000-0x000007FEF6FDF000-memory.dmp

memory/556-34-0x000007FEF6F80000-0x000007FEF6FDF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-23 00:30

Reported

2024-05-23 00:33

Platform

win10v2004-20240508-en

Max time kernel

136s

Max time network

146s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\931fcc0dce88b617a2f1d17b92fdc2944e29d2bee9f59e375d8b0a8c3b4f368a.dll

Signatures

Emotet

trojan banker emotet

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process                          | Target
N/A         | N/A       | C:\Windows\system32\regsvr32.exe | N/A
N/A         | N/A       | C:\Windows\system32\regsvr32.exe | N/A

Suspicious behavior: RenamesItself

Description | Indicator | Process                          | Target
N/A         | N/A       | C:\Windows\system32\regsvr32.exe | N/A

Suspicious use of WriteProcessMemory

Description                      | Indicator | Process                          | Target
PID 4336 wrote to memory of 4700 | N/A       | C:\Windows\system32\regsvr32.exe | C:\Windows\system32\regsvr32.exe
PID 4336 wrote to memory of 4700 | N/A       | C:\Windows\system32\regsvr32.exe | C:\Windows\system32\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\931fcc0dce88b617a2f1d17b92fdc2944e29d2bee9f59e375d8b0a8c3b4f368a.dll

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\KXCbVLOzS\VQTpdzOy.dll"

Network

Country | Destination         | Domain                      | Proto
US      | 8.8.8.8:53          | 241.150.49.20.in-addr.arpa  | udp
US      | 8.8.8.8:53          | 249.197.17.2.in-addr.arpa   | udp
US      | 8.8.8.8:53          | g.bing.com                  | udp
US      | 204.79.197.237:443  | g.bing.com                  | tcp
US      | 8.8.8.8:53          | 67.31.126.40.in-addr.arpa   | udp
US      | 8.8.8.8:53          | 237.197.79.204.in-addr.arpa | udp
NL      | 23.62.61.194:443    | www.bing.com                | tcp
NL      | 23.62.61.194:443    | www.bing.com                | tcp
US      | 8.8.8.8:53          | 194.61.62.23.in-addr.arpa   | udp
US      | 8.8.8.8:53          | 26.35.223.20.in-addr.arpa   | udp
US      | 173.82.82.196:8080  |                             | tcp
US      | 8.8.8.8:53          | 183.59.114.20.in-addr.arpa  | udp
US      | 8.8.8.8:53          | 171.39.242.20.in-addr.arpa  | udp
SG      | 159.89.202.34:443   | 159.89.202.34               | tcp
US      | 8.8.8.8:53          | 11.97.55.23.in-addr.arpa    | udp
US      | 8.8.8.8:53          | 34.202.89.159.in-addr.arpa  | udp
US      | 8.8.8.8:53          | 171.101.63.23.in-addr.arpa  | udp
US      | 173.239.37.178:8080 |                             | tcp
US      | 8.8.8.8:53          | 43.58.199.20.in-addr.arpa   | udp
ES      | 89.29.244.7:443     |                             | tcp
TH      | 150.95.66.124:8080  |                             | tcp
US      | 8.8.8.8:53          | 48.229.111.52.in-addr.arpa  | udp
SG      | 159.65.140.115:443  |                             | tcp
US      | 8.8.8.8:53          | tse1.mm.bing.net            | udp
US      | 204.79.197.200:443  | tse1.mm.bing.net            | tcp
US      | 204.79.197.200:443  | tse1.mm.bing.net            | tcp
US      | 204.79.197.200:443  | tse1.mm.bing.net            | tcp
US      | 204.79.197.200:443  | tse1.mm.bing.net            | tcp
EG      | 196.218.30.83:443   |                             | tcp
KR      | 119.193.124.41:7080 |                             | tcp
NL      | 77.81.247.144:8080  |                             | tcp

Files

memory/4336-0-0x0000000180000000-0x000000018002F000-memory.dmp

memory/4336-3-0x0000000000850000-0x0000000000851000-memory.dmp

memory/4336-4-0x00007FFCDBC30000-0x00007FFCDBC8F000-memory.dmp

memory/4700-8-0x0000000180000000-0x000000018002F000-memory.dmp