Malware Analysis Report

2024-09-22 22:04

Sample ID: 240615-y26pkaxarm
Target:    b2a1f3c18c864d52b8f7b81a333d51f14687ab0ecc4bc3eddc75b878ff4c9861
SHA256:    b2a1f3c18c864d52b8f7b81a333d51f14687ab0ecc4bc3eddc75b878ff4c9861
Tags:      emotet epoch4 banker trojan
Score:     10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: b2a1f3c18c864d52b8f7b81a333d51f14687ab0ecc4bc3eddc75b878ff4c9861

Threat Level: Known bad

The file b2a1f3c18c864d52b8f7b81a333d51f14687ab0ecc4bc3eddc75b878ff4c9861 was found to be: Known bad.

Malicious Activity Summary

emotet epoch4 banker trojan

Emotet

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-15 20:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-15 20:17
Reported: 2024-06-15 20:20
Platform: win7-20240508-en
Max time kernel: 134s
Max time network: 141s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b2a1f3c18c864d52b8f7b81a333d51f14687ab0ecc4bc3eddc75b878ff4c9861.dll

Signatures

Emotet

trojan banker emotet

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2084 wrote to memory of 2772 (7 identical events) N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes (PIDs from the WriteProcessMemory rows above)

C:\Windows\system32\regsvr32.exe (PID 2084)
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b2a1f3c18c864d52b8f7b81a333d51f14687ab0ecc4bc3eddc75b878ff4c9861.dll

    C:\Windows\SysWOW64\regsvr32.exe (PID 2772, child of 2084)
        /s C:\Users\Admin\AppData\Local\Temp\b2a1f3c18c864d52b8f7b81a333d51f14687ab0ecc4bc3eddc75b878ff4c9861.dll

Network

Country  Destination            Domain  Proto
PK       175.107.196.192:80     -       tcp
PK       175.107.196.192:80     -       tcp
SG       156.67.219.84:7080     -       tcp
SG       156.67.219.84:7080     -       tcp
US       159.8.59.82:8080       -       tcp
US       159.8.59.82:8080       -       tcp
ID       119.235.255.201:8080   -       tcp

Files

memory/2772-0-0x00000000003F0000-0x0000000000416000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-15 20:17
Reported: 2024-06-15 20:20
Platform: win10v2004-20240611-en
Max time kernel: 143s
Max time network: 148s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b2a1f3c18c864d52b8f7b81a333d51f14687ab0ecc4bc3eddc75b878ff4c9861.dll

Signatures

Emotet

trojan banker emotet

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Dsfiawrbfxjt\watf.ukh C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2256 wrote to memory of 1544 (3 identical events) N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1544 wrote to memory of 4556 (3 identical events) N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes (PIDs from the WriteProcessMemory rows above)

C:\Windows\system32\regsvr32.exe (PID 2256)
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b2a1f3c18c864d52b8f7b81a333d51f14687ab0ecc4bc3eddc75b878ff4c9861.dll

    C:\Windows\SysWOW64\regsvr32.exe (PID 1544, child of 2256)
        /s C:\Users\Admin\AppData\Local\Temp\b2a1f3c18c864d52b8f7b81a333d51f14687ab0ecc4bc3eddc75b878ff4c9861.dll

        C:\Windows\SysWOW64\regsvr32.exe (PID 4556, child of 1544)
            C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Dsfiawrbfxjt\watf.ukh"
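Both runs show the same chain: the 64-bit regsvr32 in system32 is given a 32-bit DLL from the user's Temp directory and hands it to its SysWOW64 counterpart (the system32 to SysWOW64 pair in the WriteProcessMemory rows, which on its own is ordinary WoW64 behaviour for any 32-bit COM server), and on Windows 10 the 32-bit regsvr32 then registers a second copy from a SysWOW64 subdirectory under a non-DLL extension. The Python below is an added detection example, not part of the sandbox report or its tooling: it replays the chain as constructed process-creation events (PIDs, images and command lines from the behavioral2 run, parent links from its WriteProcessMemory rows; the field names, the explorer parent and the two "Vendor" control events are assumptions) and flags the three properties that separate it from a legitimate registration, while letting the plain 64-to-32-bit handoff through.

```python
"""Flag the regsvr32 chain from the sandbox process lists as detection logic."""
import re
from collections import defaultdict

SAMPLE = "b2a1f3c18c864d52b8f7b81a333d51f14687ab0ecc4bc3eddc75b878ff4c9861"
TEMP_DLL = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE + ".dll"
COPY = r"C:\Windows\SysWOW64\Dsfiawrbfxjt\watf.ukh"

# Constructed process-creation events. PIDs, images and command lines are those of
# the behavioral2 run in the report; parent links follow its WriteProcessMemory
# rows (2256 -> 1544 -> 4556). The explorer parent and the two "Vendor" events are
# invented benign controls; the field names are an assumption, not a Sysmon schema.
EVENTS = [
    {"pid": 1000, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 2256, "ppid": 1000, "image": r"C:\Windows\system32\regsvr32.exe",
     "cmdline": "regsvr32 /s " + TEMP_DLL},
    {"pid": 1544, "ppid": 2256, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": "/s " + TEMP_DLL},
    {"pid": 4556, "ppid": 1544, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r'C:\Windows\SysWOW64\regsvr32.exe /s "' + COPY + '"'},
    # Benign control: an installer registering a 32-bit COM server. The 64-bit
    # regsvr32 hands the same module to its SysWOW64 counterpart, the same
    # system32 -> SysWOW64 pair the report shows, so that pair alone is not a signal.
    {"pid": 910, "ppid": 1000, "image": r"C:\Windows\system32\regsvr32.exe",
     "cmdline": r'regsvr32 /s "C:\Program Files (x86)\Vendor\vendor.dll"'},
    {"pid": 911, "ppid": 910, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r'/s "C:\Program Files (x86)\Vendor\vendor.dll"'},
]

R_TEMP = "regsvr32 module in user Temp directory"
R_SYSDIR = "regsvr32 module with non-library extension under a System32/SysWOW64 subdirectory"
R_RELOCATE = "regsvr32 spawned by regsvr32 on a different module (self-copy re-registered)"

# Module argument after /s, quoted or bare. Assumes /s precedes the path, as in the report.
MODULE_RE = re.compile(r'(?i)(?:^|\s)/s\s+"?(?P<path>[^"]+?)"?\s*$')
SYSDIR_RE = re.compile(r"^c:\\windows\\(?:system32|syswow64)\\[^\\]+\\[^\\]+$")
LIBRARY_EXT = (".dll", ".ocx", ".ax")


def module_path(cmdline):
    """Return the module regsvr32 was asked to register, or None if there is no /s <path>."""
    m = MODULE_RE.search(cmdline)
    return m.group("path") if m else None


def is_regsvr32(event):
    return event["image"].lower().endswith("\\regsvr32.exe")


def detect(events):
    """Map PID -> list of matched rule names; only regsvr32 events with a module are scored."""
    by_pid = {e["pid"]: e for e in events}
    hits = defaultdict(list)
    for e in events:
        if not is_regsvr32(e):
            continue
        mod = module_path(e["cmdline"])
        if mod is None:
            continue
        low = mod.lower()
        if "\\appdata\\local\\temp\\" in low:
            hits[e["pid"]].append(R_TEMP)
        if SYSDIR_RE.match(low) and not low.endswith(LIBRARY_EXT):
            hits[e["pid"]].append(R_SYSDIR)
        parent = by_pid.get(e["ppid"])
        if parent is not None and is_regsvr32(parent):
            pmod = module_path(parent["cmdline"])
            # Same module in parent and child is the normal 64-bit -> 32-bit handoff.
            if pmod is not None and pmod.lower() != low:
                hits[e["pid"]].append(R_RELOCATE)
    return dict(hits)


if __name__ == "__main__":
    for pid, rules in sorted(detect(EVENTS).items()):
        print(pid, "->", "; ".join(rules))
```

Run against the constructed events, PIDs 2256 and 1544 match only the Temp rule, PID 4556 matches the System32-subdirectory and self-relocation rules, and the Vendor pair matches nothing. The Windows 7 run stops after the Temp-directory stage, so only the first rule fires there.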

Network

Country  Destination            Domain                          Proto
US       8.8.8.8:53             g.bing.com                      udp
US       13.107.21.237:443      g.bing.com                      tcp
US       2.18.27.76:443         www.bing.com                    tcp
US       8.8.8.8:53             237.21.107.13.in-addr.arpa      udp
US       8.8.8.8:53             172.214.232.199.in-addr.arpa    udp
US       8.8.8.8:53             134.32.126.40.in-addr.arpa      udp
US       8.8.8.8:53             26.35.223.20.in-addr.arpa       udp
US       8.8.8.8:53             76.27.18.2.in-addr.arpa         udp
PK       175.107.196.192:80     -                               tcp
SG       156.67.219.84:7080     -                               tcp
US       8.8.8.8:53             103.169.127.40.in-addr.arpa     udp
US       8.8.8.8:53             206.23.85.13.in-addr.arpa       udp
US       8.8.8.8:53             105.83.221.88.in-addr.arpa      udp
US       159.8.59.82:8080       -                               tcp
US       8.8.8.8:53             207.131.50.23.in-addr.arpa      udp
ID       119.235.255.201:8080   -                               tcp
ES       31.24.158.56:8080      -                               tcp
US       8.8.8.8:53             145.83.221.88.in-addr.arpa      udp
US       8.8.8.8:53             23.236.111.52.in-addr.arpa      udp
IT       212.237.17.99:8080     -                               tcp
SG       45.118.135.203:7080    -                               tcp
CO       45.176.232.124:443     -                               tcp
ZA       129.232.188.93:443     -                               tcp
KR       58.227.42.236:80       -                               tcp

Files

memory/1544-0-0x0000000002F50000-0x0000000002F76000-memory.dmp

memory/1544-3-0x0000000010000000-0x0000000010119000-memory.dmp

C:\Windows\SysWOW64\Dsfiawrbfxjt\watf.ukh

MD5 442cfb9a511e845c428c7bda24cdde4c
SHA1 b8e669af6c42be23706076305aafdd68878419f0
SHA256 b2a1f3c18c864d52b8f7b81a333d51f14687ab0ecc4bc3eddc75b878ff4c9861
SHA512 62f6dbfbba475f991dddd209b38c0765b2e501a06fb9836f473221aedcf626f77ed4867d709053ac1df96f3b6b2f3c013602d53f6e3b55b4fd20863b0d64047e

The SHA256 of watf.ukh is identical to that of the submitted sample: the DLL copies itself unchanged into a SysWOW64 subdirectory with a random-looking name, under a non-DLL extension, and re-registers that copy with regsvr32 /s (the third process above), so the sample hash also identifies the persisted copy.

memory/4556-5-0x0000000002730000-0x0000000002756000-memory.dmp