Analysis

  • max time kernel
    144s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    09-10-2024 01:37

General

  • Target

    591d32aeae0554f744df8843727e794d33495ff0a4b90a9f7861ab526988ded7.exe

  • Size

    57KB

  • MD5

    d09a466039ffe16e231a202bd6259db8

  • SHA1

    a625728ec40bd353b79913bed4dee0c297467d3d

  • SHA256

    591d32aeae0554f744df8843727e794d33495ff0a4b90a9f7861ab526988ded7

  • SHA512

    fdd7e00f1e08f51610c90df3d75c7228f6567acc6dc3c7c0e04af5ece90a7042dae445c3f80facdbd9150e579dcbc773a23b0e423c68670daae1d7dce220f80a

  • SSDEEP

    1536:pKlUb+Dm4s9hN1YkPDckM8HsquOBcrqqRTVrdnsqiMSKMkS:EI4sZ1YkPH1BcGqFVrBo3

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

C2

201.184.105.242:443

24.45.195.162:7080

24.45.195.162:8443

94.192.225.46:80

80.11.163.139:443

133.167.80.63:7080

198.199.114.69:8080

80.79.23.144:443

192.254.173.31:8080

67.225.229.55:8080

190.108.228.48:990

62.75.187.192:8080

185.94.252.13:443

94.205.247.10:80

211.63.71.72:8080

59.103.164.174:80

192.81.213.192:8080

27.4.80.183:443

190.145.67.134:8090

115.78.95.230:443

rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 21 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\591d32aeae0554f744df8843727e794d33495ff0a4b90a9f7861ab526988ded7.exe
    "C:\Users\Admin\AppData\Local\Temp\591d32aeae0554f744df8843727e794d33495ff0a4b90a9f7861ab526988ded7.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3028
    • C:\Users\Admin\AppData\Local\Temp\591d32aeae0554f744df8843727e794d33495ff0a4b90a9f7861ab526988ded7.exe
      --37f11e0c
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      PID:2772
  • C:\Windows\SysWOW64\withoutchore.exe
    "C:\Windows\SysWOW64\withoutchore.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2776
    • C:\Windows\SysWOW64\withoutchore.exe
      --bd54e867
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      PID:2912

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2772-0-0x0000000000100000-0x0000000000114000-memory.dmp

    Filesize

    80KB