Analysis
-
max time kernel
50s -
max time network
11651379494s -
resource
win7
Task
task1
Sample
50f70f738865bdbaa7e3ea7707a4fb142fe853f28ee215b0e83e6d265090e2c7.exe
Resource
win7
Task
task2
Sample
50f70f738865bdbaa7e3ea7707a4fb142fe853f28ee215b0e83e6d265090e2c7.exe
Resource
win10
General
-
Target
50f70f738865bdbaa7e3ea7707a4fb142fe853f28ee215b0e83e6d265090e2c7
-
Sample
191004-mhbvdst4bn
-
SHA256
50f70f738865bdbaa7e3ea7707a4fb142fe853f28ee215b0e83e6d265090e2c7
Malware Config
Extracted
emotet
http://74.208.74.92:8080/
http://89.32.150.160:8080/
http://80.240.141.141:7080/
http://151.80.142.33/
http://5.196.35.138:7080/
http://200.58.171.51/
http://81.213.215.216:50000/
http://187.150.150.127:7080/
http://149.62.173.247:8080/
http://62.75.160.178:8080/
http://170.84.133.72:8443/
http://79.129.0.173:8080/
http://181.29.101.13:8080/
http://183.82.97.25/
http://109.104.79.48:8080/
http://201.199.93.30:443/
http://159.203.204.126:8080/
http://181.36.42.205:443/
http://46.28.111.142:7080/
http://178.249.187.151:8080/
http://123.168.4.66:22/
http://212.71.237.140:8080/
http://86.42.166.147/
http://190.104.253.234:990/
http://50.28.51.143:8080/
http://114.79.134.129:443/
http://190.230.60.129/
http://185.86.148.222:8080/
http://139.5.237.27:443/
http://190.230.60.129/
http://190.230.60.129:8080/
http://71.244.60.230:7080/
http://113.170.129.113:443/
http://23.92.22.225:7080/
http://170.84.133.72:7080/
http://217.199.175.216:8080/
http://189.166.68.89:443/
http://178.79.163.131:8080/
http://77.245.101.134:8080/
http://200.51.94.251:143/
http://186.1.41.111:443/
http://51.15.8.192:8080/
http://190.158.19.141/
http://46.29.183.211:8080/
http://87.106.77.40:7080/
http://186.0.95.172/
http://80.85.87.122:8080/
http://46.21.105.59:8080/
http://201.183.247.58:443/
http://184.69.214.94:20/
http://190.1.37.125:443/
http://138.68.106.4:7080/
http://79.129.0.173:7080/
http://91.205.215.57:7080/
http://81.169.140.14:443/
http://190.221.50.210:8080/
http://119.92.51.40:8080/
http://46.41.151.103:8080/
http://76.69.29.42/
http://201.184.65.229/
http://186.83.133.253:8080/
http://190.85.152.186:8080/
http://201.163.74.202:443/
http://5.77.13.70/
http://217.199.160.224:8080/
http://71.244.60.231:7080/
http://203.25.159.3:8080/
http://185.187.198.10:8080/
http://46.163.144.228/
http://88.250.223.190:8080/
http://142.93.82.57:8080/
http://77.55.211.77:8080/
http://190.38.14.52/
http://89.188.124.145:443/
http://62.75.143.100:7080/
http://79.143.182.254:8080/
http://187.188.166.192/
http://109.169.86.13:8080/
http://190.10.194.42:8080/
http://91.83.93.124:7080/
http://119.159.150.176:443/
http://181.188.149.134/
http://200.57.102.71:8443/
http://78.189.76.2:50000/
http://119.59.124.163:8080/
Signatures
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
50f70f738865bdbaa7e3ea7707a4fb142fe853f28ee215b0e83e6d265090e2c7.exeloadarouter.exeat description process target process 920 PID 1260 wrote to memory of 1996 50f70f738865bdbaa7e3ea7707a4fb142fe853f28ee215b0e83e6d265090e2c7.exe 50f70f738865bdbaa7e3ea7707a4fb142fe853f28ee215b0e83e6d265090e2c7.exe 9641 PID 2004 wrote to memory of 1472 loadarouter.exe loadarouter.exe -
Processes:
50f70f738865bdbaa7e3ea7707a4fb142fe853f28ee215b0e83e6d265090e2c7.exedescription ioc process Event created Global\E64C019BB 50f70f738865bdbaa7e3ea7707a4fb142fe853f28ee215b0e83e6d265090e2c7.exe -
Suspicious behavior: EmotetMutantsSpam
-
Drops file in system dir 2 IoCs
Processes:
50f70f738865bdbaa7e3ea7707a4fb142fe853f28ee215b0e83e6d265090e2c7.exeloadarouter.exeat description ioc process 9251 File renamed C:\Users\Admin\AppData\Local\Temp\50f70f738865bdbaa7e3ea7707a4fb142fe853f28ee215b0e83e6d265090e2c7.exe => C:\Windows\SysWOW64\loadarouter.exe 50f70f738865bdbaa7e3ea7707a4fb142fe853f28ee215b0e83e6d265090e2c7.exe 26832 File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat loadarouter.exe -
Suspicious behavior: EnumeratesProcesses
-
emotet family
Processes
-
C:\Users\Admin\AppData\Local\Temp\50f70f738865bdbaa7e3ea7707a4fb142fe853f28ee215b0e83e6d265090e2c7.exe"C:\Users\Admin\AppData\Local\Temp\50f70f738865bdbaa7e3ea7707a4fb142fe853f28ee215b0e83e6d265090e2c7.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1260
-
C:\Users\Admin\AppData\Local\Temp\50f70f738865bdbaa7e3ea7707a4fb142fe853f28ee215b0e83e6d265090e2c7.exe--2cbe3ca21⤵
- Emotet Sync
- Drops file in system dir
PID:1996
-
C:\Windows\SysWOW64\loadarouter.exe"C:\Windows\SysWOW64\loadarouter.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2004
-
C:\Windows\SysWOW64\loadarouter.exe--f7a216da1⤵
- Drops file in system dir
PID:1472