1d51d8e9ae1d67cb804fb28024b04969fd5888c3befece09547e5506ee946027

General

Target

1d51d8e9ae1d67cb804fb28024b04969fd5888c3befece09547e5506ee946027
Sample

191004-q63j1g78d6
SHA256

1d51d8e9ae1d67cb804fb28024b04969fd5888c3befece09547e5506ee946027

Score

N/A

Malware Config

Extracted

Family

emotet

C2

http://172.105.11.15:8080/

http://91.121.116.137:443/

http://80.79.23.144:443/

http://144.139.247.220/

http://188.166.253.46:8080/

http://95.128.43.213:8080/

http://138.201.140.110:8080/

http://27.4.80.183:443/

http://80.11.163.139:443/

http://115.78.95.230:443/

http://189.209.217.49/

http://149.202.153.252:8080/

http://186.4.172.5:8080/

http://24.51.106.145:21/

http://46.105.131.87/

http://63.142.253.122:8080/

http://185.14.187.201:8080/

http://149.167.86.174:990/

http://124.240.198.66/

http://80.11.163.139:443/

Signatures

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

1d51d8e9ae1d67cb804fb28024b04969fd5888c3befece09547e5506ee946027.exeloadarouter.exe

at	description	process	target process
780	PID 1452 wrote to memory of 1368	1d51d8e9ae1d67cb804fb28024b04969fd5888c3befece09547e5506ee946027.exe	1d51d8e9ae1d67cb804fb28024b04969fd5888c3befece09547e5506ee946027.exe
8877	PID 1332 wrote to memory of 1116	loadarouter.exe	loadarouter.exe

Emotet Sync 1 IoCs
trojan banker

Processes:

1d51d8e9ae1d67cb804fb28024b04969fd5888c3befece09547e5506ee946027.exe

description ioc process

Event created Global\E64C019BB 1d51d8e9ae1d67cb804fb28024b04969fd5888c3befece09547e5506ee946027.exe
Suspicious behavior: EmotetMutantsSpam

description	ioc	process
Event created	Global\E64C019BB	1d51d8e9ae1d67cb804fb28024b04969fd5888c3befece09547e5506ee946027.exe

Drops file in system dir 2 IoCs

Processes:

1d51d8e9ae1d67cb804fb28024b04969fd5888c3befece09547e5506ee946027.exeloadarouter.exe

at	description	ioc	process
8456	File renamed	C:\Users\Admin\AppData\Local\Temp\1d51d8e9ae1d67cb804fb28024b04969fd5888c3befece09547e5506ee946027.exe => C:\Windows\SysWOW64\loadarouter.exe	1d51d8e9ae1d67cb804fb28024b04969fd5888c3befece09547e5506ee946027.exe
28065	File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	loadarouter.exe

Suspicious behavior: EnumeratesProcesses
emotet family
family

C:\Users\Admin\AppData\Local\Temp\1d51d8e9ae1d67cb804fb28024b04969fd5888c3befece09547e5506ee946027.exe
"C:\Users\Admin\AppData\Local\Temp\1d51d8e9ae1d67cb804fb28024b04969fd5888c3befece09547e5506ee946027.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1452

C:\Users\Admin\AppData\Local\Temp\1d51d8e9ae1d67cb804fb28024b04969fd5888c3befece09547e5506ee946027.exe
--881b2f27
1⤵
- Emotet Sync
- Drops file in system dir
PID:1368

C:\Windows\SysWOW64\loadarouter.exe
"C:\Windows\SysWOW64\loadarouter.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1332

C:\Windows\SysWOW64\loadarouter.exe
--f7a216da
1⤵
- Drops file in system dir
PID:1116

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1116-5-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1332-3-0x00000000003E0000-0x00000000003F4000-memory.dmp

Filesize
80KB

Download
memory/1368-2-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing