Overview

overview

10

Static

static

3

2024-06-29...er.exe

windows7-x64

10

2024-06-29...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    29-06-2024 20:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-06-29_df7483be5406be695b50b1f15d83bbb8_icedid_magniber.exe

  • Size

    671KB

  • MD5

    df7483be5406be695b50b1f15d83bbb8

  • SHA1

    69de8d0c0cead028805e8ac93ac6aa1bc95850aa

  • SHA256

    011280573f3ffbf712b5c146749878c18d8f94d57f325c7f9435fc886331c09a

  • SHA512

    7b73ee755af1365a32ac70b4b8658283089e35b3c967b2328b6ab2a9e36881083a87c03d072acfd47eb9fb7d010ae48c8c55a2ebf00bf30b748f4473aff0eb02

  • SSDEEP

    12288:BhGEsm5TpQrNAosJcRl7Bflkby3SJTGfRCK8lizPpZlySdpvIWjuZ:f5v0rNAMXBflkG3BCKiizxhjuZ

Score
10/10
emotetepoch1bankertrojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch1

C2

152.170.196.157:443

103.31.232.93:443

200.123.183.137:443

201.213.100.141:8080

70.32.115.157:8080

164.77.130.222:80

203.25.159.3:8080

184.57.130.8:80

190.147.137.153:443

91.83.93.124:7080

217.199.160.224:8080

190.57.130.142:443

185.94.252.12:80

77.55.211.77:8080

111.67.12.221:8080

5.45.108.146:8080

73.155.126.84:80

212.71.237.140:8080

5.196.35.138:7080

188.129.197.149:80
rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-29_df7483be5406be695b50b1f15d83bbb8_icedid_magniber.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-29_df7483be5406be695b50b1f15d83bbb8_icedid_magniber.exe"
    1⤵
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2952
    • C:\Windows\SysWOW64\hid\hid.exe
      "C:\Windows\SysWOW64\hid\hid.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2312

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2812790648-3157963462-487717889-1000\0f5007522459c86e95ffcc62f32308f1_e03cd433-c719-47e1-9d16-06aabadbc419
    Filesize

    1KB

    MD5

    6713cdc901a721ce4c8ad6312be29952

    SHA1

    fe5424016fe2a6fca60ac9b9b4264cca2b9dfa81

    SHA256

    6f41d5f8401133205313f266f3b26619eac0dc29b4e4e29a4ca1677d811da7e1

    SHA512

    6ffc9e36ce6d9364c9902ec3e2ebba9abb46aad0ad04f50b8223247c1806b313367807571abafa3362c3e3bbdc0705ccc1a0aba041386c34f994e0fe4aa23a69

    Download Submit
  • memory/2312-13-0x00000000002A0000-0x00000000002AC000-memory.dmp
    Filesize

    48KB

    Download
  • memory/2952-4-0x0000000000300000-0x000000000030C000-memory.dmp
    Filesize

    48KB

    Download
  • memory/2952-7-0x00000000002E0000-0x00000000002EA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/2952-0-0x00000000002F0000-0x00000000002F2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2952-8-0x0000000000400000-0x00000000004AE000-memory.dmp
    Filesize

    696KB

    Download