Analysis
-
max time kernel
132s -
max time network
149s -
resource
win10v191014
Task
task1
Sample
1296d8774c5c1fdfd849570b8ed42dca035348e1d3f59a846c80f2c49a80db49.exe
Resource
win7v191014
General
-
Target
1296d8774c5c1fdfd849570b8ed42dca035348e1d3f59a846c80f2c49a80db49
-
Sample
191114-7ywlhp733s
-
SHA256
1296d8774c5c1fdfd849570b8ed42dca035348e1d3f59a846c80f2c49a80db49
Malware Config
Extracted
emotet
105.226.188.128:8090
91.205.173.54:8080
163.172.97.112:8080
72.47.202.235:8080
46.17.6.116:8080
46.105.131.68:8080
37.59.24.25:8080
152.169.32.143:8080
178.249.187.150:7080
23.253.207.142:8080
201.196.15.79:990
187.177.155.123:990
189.154.130.167:443
176.58.93.123:80
191.100.24.201:50000
192.163.221.191:8080
190.128.222.14:80
51.38.134.203:8080
157.7.164.178:8081
95.216.212.157:8080
50.116.78.109:8080
95.216.207.86:7080
124.150.175.133:80
138.197.140.163:8080
189.218.243.150:443
192.241.220.183:8080
181.36.42.205:443
124.150.175.129:8080
181.47.235.26:993
143.95.101.72:8080
162.144.46.90:8080
216.75.37.196:8080
211.229.116.130:80
5.189.148.98:8080
181.198.203.45:443
200.55.168.82:20
193.34.144.138:8080
139.162.185.116:443
212.112.113.235:80
104.238.80.237:8080
91.109.5.28:8080
142.93.87.198:8080
113.52.135.33:7080
172.104.70.207:8080
78.46.87.133:8080
83.169.33.157:8080
154.120.227.206:8080
195.201.56.68:7080
119.159.150.176:443
70.45.30.28:80
216.70.88.55:8080
181.197.108.171:443
198.57.217.170:8080
190.217.1.149:80
172.245.13.50:8080
103.205.177.229:80
177.226.25.78:80
Signatures
-
Processes:
1296d8774c5c1fdfd849570b8ed42dca035348e1d3f59a846c80f2c49a80db49.exedescription ioc pid process Event created Global\EEE599D15 4832 1296d8774c5c1fdfd849570b8ed42dca035348e1d3f59a846c80f2c49a80db49.exe -
Suspicious behavior: EmotetMutantsSpam 2 IoCs
Processes:
1296d8774c5c1fdfd849570b8ed42dca035348e1d3f59a846c80f2c49a80db49.exerawattrib.exepid process 4832 1296d8774c5c1fdfd849570b8ed42dca035348e1d3f59a846c80f2c49a80db49.exe 328 rawattrib.exe -
Drops file in system dir 11 IoCs
Processes:
1296d8774c5c1fdfd849570b8ed42dca035348e1d3f59a846c80f2c49a80db49.exerawattrib.exesvchost.exedescription ioc pid process File renamed C:\Users\Admin\AppData\Local\Temp\1296d8774c5c1fdfd849570b8ed42dca035348e1d3f59a846c80f2c49a80db49.exe => C:\Windows\SysWOW64\rawattrib.exe 4832 1296d8774c5c1fdfd849570b8ed42dca035348e1d3f59a846c80f2c49a80db49.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat 328 rawattrib.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 328 rawattrib.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE 328 rawattrib.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies 328 rawattrib.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 328 rawattrib.exe File opened for modification C:\Windows\Debug\ESE.TXT 3164 svchost.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp 3164 svchost.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp 3164 svchost.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp 3164 svchost.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp 3164 svchost.exe -
Processes:
svchost.exedescription ioc pid process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0" 4156 svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1" 4156 svchost.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
1296d8774c5c1fdfd849570b8ed42dca035348e1d3f59a846c80f2c49a80db49.exeSppExtComObj.exerawattrib.exedescription pid process target process PID 4808 wrote to memory of 4832 4808 1296d8774c5c1fdfd849570b8ed42dca035348e1d3f59a846c80f2c49a80db49.exe 1296d8774c5c1fdfd849570b8ed42dca035348e1d3f59a846c80f2c49a80db49.exe PID 4920 wrote to memory of 4948 4920 SppExtComObj.exe SLUI.exe PID 5104 wrote to memory of 328 5104 rawattrib.exe rawattrib.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
1296d8774c5c1fdfd849570b8ed42dca035348e1d3f59a846c80f2c49a80db49.exepid process 4832 1296d8774c5c1fdfd849570b8ed42dca035348e1d3f59a846c80f2c49a80db49.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
rawattrib.exepid process 328 rawattrib.exe -
Checks system information in the registry (likely anti-VM) 2 TTPs 2 IoCs
Processes:
svchost.exedescription ioc pid process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer 4132 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName 4132 svchost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1296d8774c5c1fdfd849570b8ed42dca035348e1d3f59a846c80f2c49a80db49.exe"C:\Users\Admin\AppData\Local\Temp\1296d8774c5c1fdfd849570b8ed42dca035348e1d3f59a846c80f2c49a80db49.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4808
-
C:\Users\Admin\AppData\Local\Temp\1296d8774c5c1fdfd849570b8ed42dca035348e1d3f59a846c80f2c49a80db49.exe--7549115c1⤵
- Emotet Sync
- Suspicious behavior: EmotetMutantsSpam
- Drops file in system dir
- Suspicious behavior: RenamesItself
PID:4832
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
- Suspicious use of WriteProcessMemory
PID:4920
-
C:\Windows\System32\SLUI.exe"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent1⤵PID:4948
-
C:\Windows\SysWOW64\rawattrib.exe"C:\Windows\SysWOW64\rawattrib.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5104
-
C:\Windows\SysWOW64\rawattrib.exe--9e8f65081⤵
- Suspicious behavior: EmotetMutantsSpam
- Drops file in system dir
- Suspicious behavior: EnumeratesProcesses
PID:328
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s BITS1⤵
- Drops file in system dir
PID:3164
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV1⤵PID:3620
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s DoSvc1⤵
- Checks system information in the registry (likely anti-VM)
PID:4132
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc1⤵
- Windows security modification
PID:4156
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup1⤵PID:2568
Network
MITRE ATT&CK Enterprise v15
MITRE ATT&CK Additional techniques
- T1089