Analysis
-
max time kernel
112s -
max time network
120s -
resource
win7v191014
Task
task1
Sample
292700c0de8798ffcba200b03baa40ae6a505de2056f59227f1c98e8ab225f97.exe
Resource
win7v191014
General
-
Target
292700c0de8798ffcba200b03baa40ae6a505de2056f59227f1c98e8ab225f97
-
Sample
191115-94bwgrcmf6
-
SHA256
292700c0de8798ffcba200b03baa40ae6a505de2056f59227f1c98e8ab225f97
Malware Config
Extracted
emotet
144.76.56.36:8080
78.47.106.72:8080
165.227.156.155:443
192.241.255.77:8080
83.136.245.190:8080
91.205.215.66:8080
190.226.44.20:21
186.75.241.230:80
217.160.182.191:8080
190.145.67.134:8090
86.22.221.170:80
149.202.153.252:8080
80.11.163.139:21
181.31.213.158:8080
183.102.238.69:465
186.4.172.5:8080
104.131.44.150:8080
211.63.71.72:8080
31.172.240.91:8080
115.78.95.230:443
138.201.140.110:8080
192.81.213.192:8080
87.230.19.21:8080
186.4.172.5:443
159.65.25.128:8080
104.131.11.150:8080
86.98.64.189:443
92.222.216.44:8080
67.225.179.64:8080
103.39.131.88:80
37.187.2.199:443
31.12.67.62:7080
191.92.209.110:7080
186.4.172.5:20
104.239.175.211:8080
176.31.200.130:8080
37.157.194.134:443
85.104.59.244:20
5.196.74.210:8080
169.239.182.217:8080
178.210.51.222:8080
212.129.24.79:8080
94.205.247.10:80
182.176.132.213:8090
181.57.193.14:80
78.24.219.147:8080
167.99.105.223:7080
87.106.139.101:8080
62.75.187.192:8080
173.249.47.77:8080
200.71.148.138:8080
178.79.161.166:443
87.106.136.232:8080
152.89.236.214:8080
189.209.217.49:80
190.53.135.159:21
45.33.49.124:443
190.211.207.11:443
144.139.247.220:80
181.143.194.138:443
95.128.43.213:8080
46.105.131.87:80
104.236.246.93:8080
173.212.203.26:8080
192.241.220.155:8080
59.103.164.174:80
167.71.10.37:8080
Signatures
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
anglehant.exepid process 1516 anglehant.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
292700c0de8798ffcba200b03baa40ae6a505de2056f59227f1c98e8ab225f97.exeanglehant.exedescription pid process target process PID 608 wrote to memory of 1832 608 292700c0de8798ffcba200b03baa40ae6a505de2056f59227f1c98e8ab225f97.exe 292700c0de8798ffcba200b03baa40ae6a505de2056f59227f1c98e8ab225f97.exe PID 1028 wrote to memory of 1516 1028 anglehant.exe anglehant.exe -
Processes:
292700c0de8798ffcba200b03baa40ae6a505de2056f59227f1c98e8ab225f97.exedescription ioc pid process Event created Global\E582FAEE3 1832 292700c0de8798ffcba200b03baa40ae6a505de2056f59227f1c98e8ab225f97.exe -
Suspicious behavior: EmotetMutantsSpam 2 IoCs
Processes:
292700c0de8798ffcba200b03baa40ae6a505de2056f59227f1c98e8ab225f97.exeanglehant.exepid process 1832 292700c0de8798ffcba200b03baa40ae6a505de2056f59227f1c98e8ab225f97.exe 1516 anglehant.exe -
Drops file in system dir 2 IoCs
Processes:
292700c0de8798ffcba200b03baa40ae6a505de2056f59227f1c98e8ab225f97.exeanglehant.exedescription ioc pid process File renamed C:\Users\Admin\AppData\Local\Temp\292700c0de8798ffcba200b03baa40ae6a505de2056f59227f1c98e8ab225f97.exe => C:\Windows\SysWOW64\anglehant.exe 1832 292700c0de8798ffcba200b03baa40ae6a505de2056f59227f1c98e8ab225f97.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat 1516 anglehant.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
292700c0de8798ffcba200b03baa40ae6a505de2056f59227f1c98e8ab225f97.exepid process 1832 292700c0de8798ffcba200b03baa40ae6a505de2056f59227f1c98e8ab225f97.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\292700c0de8798ffcba200b03baa40ae6a505de2056f59227f1c98e8ab225f97.exe"C:\Users\Admin\AppData\Local\Temp\292700c0de8798ffcba200b03baa40ae6a505de2056f59227f1c98e8ab225f97.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:608
-
C:\Users\Admin\AppData\Local\Temp\292700c0de8798ffcba200b03baa40ae6a505de2056f59227f1c98e8ab225f97.exe--4265a3271⤵
- Emotet Sync
- Suspicious behavior: EmotetMutantsSpam
- Drops file in system dir
- Suspicious behavior: RenamesItself
PID:1832
-
C:\Windows\SysWOW64\anglehant.exe"C:\Windows\SysWOW64\anglehant.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1028
-
C:\Windows\SysWOW64\anglehant.exe--e265b3081⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: EmotetMutantsSpam
- Drops file in system dir
PID:1516
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1774239815-1814403401-2200974991-1000\0f5007522459c86e95ffcc62f32308f1_18654976-c7db-4a1a-8859-070035d242d5
-
memory/608-0-0x00000000002A0000-0x00000000002B5000-memory.dmpFilesize
84KB
-
memory/1516-5-0x00000000003E0000-0x00000000003F5000-memory.dmpFilesize
84KB
-
memory/1516-6-0x0000000000400000-0x0000000000462000-memory.dmpFilesize
392KB
-
memory/1832-2-0x00000000002D0000-0x00000000002E5000-memory.dmpFilesize
84KB
-
memory/1832-3-0x0000000000400000-0x0000000000462000-memory.dmpFilesize
392KB