Overview

overview

10

Static

static

3

b15bb6f089...fd.exe

windows10-1703-x64

10

b349269e93...16.exe

windows10-1703-x64

3

b349849a59...23.exe

windows10-1703-x64

b3f7df11dc...8c.exe

windows10-1703-x64

10

b3f7f7bbc7...d0.exe

windows10-1703-x64

10

b6f8f78085...05.exe

windows10-1703-x64

10

b71794921e...51.exe

windows10-1703-x64

10

c05c6e2434...8e.exe

windows10-1703-x64

10

c8cc203f99...d2.exe

windows10-1703-x64

10

c96fd5f1dd...40.exe

windows10-1703-x64

10

cf0751df31...7d.exe

windows10-1703-x64

cf3610e817...5f.exe

windows10-1703-x64

5

d191674c65...da.exe

windows10-1703-x64

5

d559a80052...7c.exe

windows10-1703-x64

10

d60229cbc2...b0.exe

windows10-1703-x64

10

d78e74e4a3...22.exe

windows10-1703-x64

10

d901b86714...43.exe

windows10-1703-x64

da760f61e0...56.exe

windows10-1703-x64

10

e0d0a27648...61.exe

windows10-1703-x64

5

e4d38d99f9...fc.exe

windows10-1703-x64

e5ad2b2fe9...be.exe

windows10-1703-x64

10

e9724fe8d0...4b.exe

windows10-1703-x64

10

ea3311758e...ad.exe

windows10-1703-x64

10

eaf6bd6c1d...95.exe

windows10-1703-x64

10

ebb147e6b3...ee.exe

windows10-1703-x64

ebd0168e06...16.exe

windows10-1703-x64

ecc88023ac...cd.exe

windows10-1703-x64

10

f0502f754c...69.exe

windows10-1703-x64

10

f164297bfa...de.exe

windows10-1703-x64

10

f1ad160996...3b.exe

windows10-1703-x64

f4a5067973...6e.exe

windows10-1703-x64

10

f86dd9321d...0e.exe

windows10-1703-x64

10

Analysis

  • max time kernel
    198s
  • max time network
    210s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    13-07-2024 18:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b15bb6f0892dc78e8cec312c97b78d00b59e60fd.exe

  • Size

    205KB

  • MD5

    f36d27c36ce258283a050db08051ddc3

  • SHA1

    b15bb6f0892dc78e8cec312c97b78d00b59e60fd

  • SHA256

    d7e48995f37ac2d3de583b3b9483d8f9a73180b01209a75b61f3b76777144bd5

  • SHA512

    6bbc0675f76e6f58ad27ee74b4c0cafb89cbe355e72742436061934a435218ad649057f83c929e0d293394e21854c7e0b4a4d2d3549c771ecaa000058ced7522

  • SSDEEP

    3072:esOr9fFcTE+jzfNl96ZCZN4EhgpMaXSzXvkgbpf5i/CoML5A:8JWo+/R6Za4EqpQvPbpxYCm

Score
10/10
emotetepoch1bankertrojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch1

C2

110.36.234.146:80

191.82.16.60:80

91.83.93.105:8080

216.98.148.181:8080

68.183.190.199:8080

190.230.60.129:80

183.82.97.25:80

114.79.134.129:443

89.188.124.145:443

178.79.163.131:8080

76.69.29.42:80

87.106.77.40:7080

178.249.187.151:8080

62.75.143.100:7080

201.163.74.202:443

62.75.160.178:8080

181.188.149.134:80

186.0.95.172:80

217.199.160.224:8080

203.25.159.3:8080
rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Drops file in System32 directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 12 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 38 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b15bb6f0892dc78e8cec312c97b78d00b59e60fd.exe
    "C:\Users\Admin\AppData\Local\Temp\b15bb6f0892dc78e8cec312c97b78d00b59e60fd.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1768
    • C:\Users\Admin\AppData\Local\Temp\b15bb6f0892dc78e8cec312c97b78d00b59e60fd.exe
      --3ec38160
      2⤵
      • Suspicious behavior: RenamesItself
      PID:3796
  • C:\Windows\SysWOW64\withoutwubi.exe
    "C:\Windows\SysWOW64\withoutwubi.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4996
    • C:\Windows\SysWOW64\withoutwubi.exe
      --6a183003
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      PID:752
  • C:\Windows\system32\mspaint.exe
    "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\WritePing.jpg" /ForceBootstrapPaint3D
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:4976
  • C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
    "C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe" -ServerName:Microsoft.MSPaint.AppX437q68k2qc2asvaagas2prv9tjej6ja9.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:380

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json
    Filesize

    2B

    MD5

    d751713988987e9331980363e24189ce

    SHA1

    97d170e1550eee4afc0af065b78cda302a97674c

    SHA256

    4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

    SHA512

    b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

    Download Submit
  • C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json
    Filesize

    233B

    MD5

    cc0d9c5314f8aa9b2fa11a32e3705b11

    SHA1

    d70179412e39b0c72a0534e3d4dde5146dcd2517

    SHA256

    1611119e55803479dcbe55deb2d07ad74c5e71de9970acbfd09fb9bd714f46ea

    SHA512

    f67642aec23f0f62e102e931d9eb04b9ac694d3b24ca0d087241e954d0a2c5fb0d7e97ef9034e2cb937a6ee6f0a00ae5a5ebe2a5ea436fc0199aa0b8ddbf5332

    Download Submit
  • C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\cloudCommunitySettings.json
    Filesize

    2KB

    MD5

    404a3ec24e3ebf45be65e77f75990825

    SHA1

    1e05647cf0a74cedfdeabfa3e8ee33b919780a61

    SHA256

    cc45905af3aaa62601a69c748a06a2fa48eca3b28d44d8ec18764a7e8e4c3da2

    SHA512

    a55382b72267375821b0a229d3529ed54cef0f295f550d1e95661bafccec606aa1cd72e059d37d78e7d2927ae72e2919941251d233152f5eeb32ffdfc96023e5

    Download Submit
  • memory/1768-0-0x0000000000550000-0x0000000000567000-memory.dmp
    Filesize

    92KB

    Download
  • memory/1768-5-0x00000000001F0000-0x0000000000200000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3796-6-0x0000000000480000-0x0000000000497000-memory.dmp
    Filesize

    92KB

    Download
  • memory/3796-16-0x0000000000400000-0x0000000000437000-memory.dmp
    Filesize

    220KB

    Download
  • memory/4996-11-0x0000000000440000-0x0000000000457000-memory.dmp
    Filesize

    92KB

    Download