Overview

overview

10

task1

 

10

task2

 

10

Analysis

  • max time kernel
    123s
  • max time network
    151s
  • resource
    win7v191014

Sharing

Copy URL
Twitter E-mail

General

  • Target

    9272b10a338140158ea856a53c658dc704be76579ec8f13ff27b4349ad7d03d2

  • Sample

    191120-9ane93lles

  • SHA256

    9272b10a338140158ea856a53c658dc704be76579ec8f13ff27b4349ad7d03d2

Score
N/A

Malware Config

Extracted

Family

emotet

C2

198.58.120.26:8080

209.97.168.52:8080

37.187.2.199:443

149.202.197.94:8080

190.147.215.53:22

115.78.95.230:443

87.106.136.232:8080

186.4.172.5:8080

190.145.67.134:8090

83.136.245.190:8080

191.92.209.110:7080

190.211.207.11:443

5.196.74.210:8080

85.104.59.244:20

78.24.219.147:8080

190.53.135.159:21

211.63.71.72:8080

212.129.24.79:8080

165.227.156.155:443

182.176.132.213:8090
rsa_pubkey.plain

Signatures

  • Suspicious use of WriteProcessMemory 2 IoCs
  • Emotet Sync 1 IoCs
    trojanbanker
  • Suspicious behavior: EmotetMutantsSpam 2 IoCs
  • Drops file in system dir 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • emotet family
    familyemotet

Processes

  • C:\Users\Admin\AppData\Local\Temp\9272b10a338140158ea856a53c658dc704be76579ec8f13ff27b4349ad7d03d2.exe
    "C:\Users\Admin\AppData\Local\Temp\9272b10a338140158ea856a53c658dc704be76579ec8f13ff27b4349ad7d03d2.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:856
  • C:\Users\Admin\AppData\Local\Temp\9272b10a338140158ea856a53c658dc704be76579ec8f13ff27b4349ad7d03d2.exe
    --40556ffc
    1⤵
    • Emotet Sync
    • Suspicious behavior: EmotetMutantsSpam
    • Drops file in system dir
    • Suspicious behavior: RenamesItself
    PID:1036
  • C:\Windows\SysWOW64\anglehant.exe
    "C:\Windows\SysWOW64\anglehant.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:928
  • C:\Windows\SysWOW64\anglehant.exe
    --e265b308
    1⤵
    • Suspicious behavior: EmotetMutantsSpam
    • Drops file in system dir
    • Suspicious behavior: EnumeratesProcesses
    PID:332

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1774239815-1814403401-2200974991-1000\0f5007522459c86e95ffcc62f32308f1_18654976-c7db-4a1a-8859-070035d242d5
    Download Submit

  • memory/332-5-0x0000000000570000-0x0000000000585000-memory.dmp

    Filesize

    84KB

    Download

  • memory/332-6-0x0000000000400000-0x000000000046C000-memory.dmp

    Filesize

    432KB

    Download

  • memory/856-0-0x0000000000370000-0x0000000000385000-memory.dmp

    Filesize

    84KB

    Download

  • memory/928-4-0x00000000004B0000-0x00000000004C5000-memory.dmp

    Filesize

    84KB

    Download

  • memory/1036-2-0x00000000002C0000-0x00000000002D5000-memory.dmp

    Filesize

    84KB

    Download

  • memory/1036-3-0x0000000000400000-0x000000000046C000-memory.dmp

    Filesize

    432KB

    Download