Overview

overview

10

Static

static

3

df7483be54...b8.exe

windows7-x64

10

df7483be54...b8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-07-2024 03:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    df7483be5406be695b50b1f15d83bbb8.exe

  • Size

    671KB

  • MD5

    df7483be5406be695b50b1f15d83bbb8

  • SHA1

    69de8d0c0cead028805e8ac93ac6aa1bc95850aa

  • SHA256

    011280573f3ffbf712b5c146749878c18d8f94d57f325c7f9435fc886331c09a

  • SHA512

    7b73ee755af1365a32ac70b4b8658283089e35b3c967b2328b6ab2a9e36881083a87c03d072acfd47eb9fb7d010ae48c8c55a2ebf00bf30b748f4473aff0eb02

  • SSDEEP

    12288:BhGEsm5TpQrNAosJcRl7Bflkby3SJTGfRCK8lizPpZlySdpvIWjuZ:f5v0rNAMXBflkG3BCKiizxhjuZ

Score
10/10
emotetepoch1bankertrojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch1

C2

152.170.196.157:443

103.31.232.93:443

200.123.183.137:443

201.213.100.141:8080

70.32.115.157:8080

164.77.130.222:80

203.25.159.3:8080

184.57.130.8:80

190.147.137.153:443

91.83.93.124:7080

217.199.160.224:8080

190.57.130.142:443

185.94.252.12:80

77.55.211.77:8080

111.67.12.221:8080

5.45.108.146:8080

73.155.126.84:80

212.71.237.140:8080

5.196.35.138:7080

188.129.197.149:80
rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\df7483be5406be695b50b1f15d83bbb8.exe
    "C:\Users\Admin\AppData\Local\Temp\df7483be5406be695b50b1f15d83bbb8.exe"
    1⤵
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2600
    • C:\Windows\SysWOW64\Windows.Internal.Devices.Sensors\Windows.Internal.Devices.Sensors.exe
      "C:\Windows\SysWOW64\Windows.Internal.Devices.Sensors\Windows.Internal.Devices.Sensors.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:996

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4124900551-4068476067-3491212533-1000\0f5007522459c86e95ffcc62f32308f1_310807ab-751f-4d81-ae09-b202eaf21e19
    Filesize

    1KB

    MD5

    3ff6de5e7a3e04e54cc10fe54fc5f4eb

    SHA1

    c4cb262eeb16b73e6d448688dda194caeb7a5a98

    SHA256

    2b91fb36eb86422e1866d4630145f66c919120cc8215ae49ecf5a498cac633dd

    SHA512

    fd03a9b377d9332ee5140e78847710d4bdf420a75e53ccbb665b75adf16b90fcdc97e672f1548050cfbcc07559bc4f42714bba2f1a6483b5f393651b8792fd52

    Download Submit
  • memory/996-13-0x00000000006A0000-0x00000000006AC000-memory.dmp
    Filesize

    48KB

    Download
  • memory/2600-0-0x00000000023E0000-0x00000000023E2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2600-7-0x00000000023D0000-0x00000000023DA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/2600-4-0x0000000002440000-0x000000000244C000-memory.dmp
    Filesize

    48KB

    Download
  • memory/2600-8-0x0000000000400000-0x00000000004AE000-memory.dmp
    Filesize

    696KB

    Download