Overview

overview

10

Static

static

3

48ec51ec5d...49.exe

windows7-x64

10

48ec51ec5d...49.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20250207-en
  • resource tags

    arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
  • submitted
    27/02/2025, 21:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    48ec51ec5d4347dff96e2e9212fdd88f1a21d471dc40c0f98517abe784673b49.exe

  • Size

    437KB

  • MD5

    e04ef63295ecda683a949ad6ac84e2d9

  • SHA1

    38738d42664fe9d82c71a7f4df3bcb665b39316e

  • SHA256

    48ec51ec5d4347dff96e2e9212fdd88f1a21d471dc40c0f98517abe784673b49

  • SHA512

    18f6653d66d17278fc73922518f916ae2eb0d985f0289738fba876e94816cdd1c9906803f3fcc9f441ccd2f3769fc31f7b1aa3aa8ae9419ff7df79d1a47b9eb5

  • SSDEEP

    12288:GRX3wK9rybO3AlLBeTWi+eO6e2dAtyK0G+pG/YI:GRX3wK9ruO3Alpi+eO6e2mt2gYI

Score
10/10
emotetramnitepoch2bankerdiscoveryspywarestealertrojanupxworm

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

C2

64.88.202.250:80

212.51.142.238:8080

200.55.243.138:8080

104.236.246.93:8080

61.19.246.238:443

79.45.112.220:80

95.213.236.64:8080

169.239.182.217:8080

103.86.49.11:8080

87.106.139.101:8080

74.208.45.104:8080

113.160.130.116:8443

209.141.54.221:8080

203.153.216.189:7080

73.11.153.178:8080

186.208.123.210:443

37.187.72.193:8080

201.173.217.124:443

121.124.124.40:7080

24.1.189.87:8080
rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Emotet family
    emotet
  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Ramnit family
    ramnit
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 52 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\48ec51ec5d4347dff96e2e9212fdd88f1a21d471dc40c0f98517abe784673b49.exe
    "C:\Users\Admin\AppData\Local\Temp\48ec51ec5d4347dff96e2e9212fdd88f1a21d471dc40c0f98517abe784673b49.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2868
    • C:\Users\Admin\AppData\Local\Temp\48ec51ec5d4347dff96e2e9212fdd88f1a21d471dc40c0f98517abe784673b49mgr.exe
      C:\Users\Admin\AppData\Local\Temp\48ec51ec5d4347dff96e2e9212fdd88f1a21d471dc40c0f98517abe784673b49mgr.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2028
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2532
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2532 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2388
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1256
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1256 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2220

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    71KB

    MD5

    83142242e97b8953c386f988aa694e4a

    SHA1

    833ed12fc15b356136dcdd27c61a50f59c5c7d50

    SHA256

    d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

    SHA512

    bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    2b68fe21ab2148be12b93576194bee7b

    SHA1

    e8c628047a463fc3d87d0b56120e3dab0c45a3d6

    SHA256

    8ff8a9c3e8979fe0bd3585705e5336f3c1f158d8c67b3e61f9f7c8c4e09731c4

    SHA512

    a800cd315ed9940198a94a4822420e662d1dc73073dd7a975836bb138343c91ca532d60f723a0998fe1283436ded84840259a38bc7c387922feca04d4d13141e

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{209D6291-F554-11EF-9446-FE3312B4242D}.dat
    Filesize

    5KB

    MD5

    6ff8a7dbd2ca6a6f5a131bfcbd0e91be

    SHA1

    b5be38148367f9164cae899e8e3cf3b758065c90

    SHA256

    7a511e70dde7a741c4e0b5cbd12faedeb14c41705ea8cc72cf9f8c9589c56844

    SHA512

    0e09ba0e78c14fddf142d847893aa557f4ce9e9df6bb93c3187e4e350a3c6fcc71afd67e8b674692933c5afe37e4f01086856afb70b4c74a382f58d7d3ee2133

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{209FC3F1-F554-11EF-9446-FE3312B4242D}.dat
    Filesize

    5KB

    MD5

    dfb2fa0e34679276f6934bfcbb1cc458

    SHA1

    a0ac77932d9ea216bb3d90157410d5311575d897

    SHA256

    d5f003fe14a1eff9532c4605cbd9963ed226542ccd28ba6cdeeebc2cf527a9da

    SHA512

    325ee3713314c1c3e5400a42a8fa8959794089a80dd23f07d9897c54edb3c51e30ffb7a296d82cb2c167da01fe6025a00bacf518d5cb7269c21211d9f9c027a2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\48ec51ec5d4347dff96e2e9212fdd88f1a21d471dc40c0f98517abe784673b49mgr.exe
    Filesize

    105KB

    MD5

    d5ca6e1f080abc64bbb11e098acbeabb

    SHA1

    1849634bf5a65e1baddddd4452c99dfa003e2647

    SHA256

    30193b5ccf8a1834eac3502ef165350ab74b107451145f3d2937fdf24b9eceae

    SHA512

    aa57ce51de38af6212d7339c4baac543a54b0f527621b0ef9e78eca5e5699e8508a154f54f8ac04135527d8417275eeee72a502a362547575699330cc756b161

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CabAE2D.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TarBB8C.tmp
    Filesize

    183KB

    MD5

    109cab5505f5e065b63d01361467a83b

    SHA1

    4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

    SHA256

    ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

    SHA512

    753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

    Download Submit

  • memory/2028-15-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/2028-14-0x0000000000270000-0x0000000000271000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2028-12-0x0000000000260000-0x0000000000261000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2028-28-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/2028-11-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/2028-13-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/2868-16-0x00000000003F0000-0x00000000003FE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2868-0-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

    Download

  • memory/2868-29-0x00000000004F0000-0x000000000054D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/2868-20-0x0000000000570000-0x000000000057C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2868-23-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

    Download

  • memory/2868-9-0x00000000004F0000-0x000000000054D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/2868-10-0x00000000004F0000-0x000000000054D000-memory.dmp

    Filesize

    372KB

    Download