Analysis
-
max time kernel
113s -
max time network
152s -
resource
win7v191014
Task
task1
Sample
14350967435fb5757dfac35ba53aac870170421bd2a6a9048573328cacfd7a8d.exe
Resource
win7v191014
General
-
Target
14350967435fb5757dfac35ba53aac870170421bd2a6a9048573328cacfd7a8d
-
Sample
191121-8mnzf32ptj
-
SHA256
14350967435fb5757dfac35ba53aac870170421bd2a6a9048573328cacfd7a8d
Malware Config
Extracted
emotet
198.58.120.26:8080
209.97.168.52:8080
37.187.2.199:443
149.202.197.94:8080
190.147.215.53:22
115.78.95.230:443
87.106.136.232:8080
186.4.172.5:8080
190.145.67.134:8090
83.136.245.190:8080
191.92.209.110:7080
190.211.207.11:443
5.196.74.210:8080
85.104.59.244:20
78.24.219.147:8080
190.53.135.159:21
211.63.71.72:8080
212.129.24.79:8080
165.227.156.155:443
182.176.132.213:8090
178.210.51.222:8080
186.75.241.230:80
149.202.153.252:8080
173.212.203.26:8080
176.31.200.130:8080
192.241.255.77:8080
104.131.11.150:8080
183.102.238.69:465
189.209.217.49:80
90.77.228.193:8090
159.65.25.128:8080
200.71.148.138:8080
201.250.92.247:50000
46.105.131.87:80
167.99.105.223:7080
95.128.43.213:8080
80.11.163.139:21
31.172.240.91:8080
59.103.164.174:80
87.106.139.101:8080
186.4.172.5:20
62.75.187.192:8080
144.139.247.220:80
107.170.24.125:8080
104.239.175.211:8080
217.160.182.191:8080
167.71.10.37:8080
31.12.67.62:7080
171.101.153.86:990
65.23.154.17:8080
103.39.131.88:80
178.209.71.63:8080
92.222.216.44:8080
190.226.44.20:21
138.201.140.110:8080
37.157.194.134:443
91.205.215.66:8080
192.241.220.155:8080
104.131.44.150:8080
181.57.193.14:80
169.239.182.217:8080
152.89.236.214:8080
67.225.179.64:8080
94.192.228.255:80
45.33.49.124:443
87.230.19.21:8080
186.4.172.5:443
181.143.194.138:443
192.81.213.192:8080
181.31.213.158:8080
104.236.246.93:8080
Signatures
-
Processes:
14350967435fb5757dfac35ba53aac870170421bd2a6a9048573328cacfd7a8d.exedescription ioc pid process Event created Global\E582FAEE3 1388 14350967435fb5757dfac35ba53aac870170421bd2a6a9048573328cacfd7a8d.exe -
Suspicious behavior: EmotetMutantsSpam 2 IoCs
Processes:
14350967435fb5757dfac35ba53aac870170421bd2a6a9048573328cacfd7a8d.exeanglehant.exepid process 1388 14350967435fb5757dfac35ba53aac870170421bd2a6a9048573328cacfd7a8d.exe 1916 anglehant.exe -
Drops file in system dir 2 IoCs
Processes:
14350967435fb5757dfac35ba53aac870170421bd2a6a9048573328cacfd7a8d.exeanglehant.exedescription ioc pid process File renamed C:\Users\Admin\AppData\Local\Temp\14350967435fb5757dfac35ba53aac870170421bd2a6a9048573328cacfd7a8d.exe => C:\Windows\SysWOW64\anglehant.exe 1388 14350967435fb5757dfac35ba53aac870170421bd2a6a9048573328cacfd7a8d.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat 1916 anglehant.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
14350967435fb5757dfac35ba53aac870170421bd2a6a9048573328cacfd7a8d.exepid process 1388 14350967435fb5757dfac35ba53aac870170421bd2a6a9048573328cacfd7a8d.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
anglehant.exepid process 1916 anglehant.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
14350967435fb5757dfac35ba53aac870170421bd2a6a9048573328cacfd7a8d.exeanglehant.exedescription pid process target process PID 1416 wrote to memory of 1388 1416 14350967435fb5757dfac35ba53aac870170421bd2a6a9048573328cacfd7a8d.exe 14350967435fb5757dfac35ba53aac870170421bd2a6a9048573328cacfd7a8d.exe PID 820 wrote to memory of 1916 820 anglehant.exe anglehant.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\14350967435fb5757dfac35ba53aac870170421bd2a6a9048573328cacfd7a8d.exe"C:\Users\Admin\AppData\Local\Temp\14350967435fb5757dfac35ba53aac870170421bd2a6a9048573328cacfd7a8d.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1416
-
C:\Users\Admin\AppData\Local\Temp\14350967435fb5757dfac35ba53aac870170421bd2a6a9048573328cacfd7a8d.exe--1320dc9d1⤵
- Emotet Sync
- Suspicious behavior: EmotetMutantsSpam
- Drops file in system dir
- Suspicious behavior: RenamesItself
PID:1388
-
C:\Windows\SysWOW64\anglehant.exe"C:\Windows\SysWOW64\anglehant.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:820
-
C:\Windows\SysWOW64\anglehant.exe--e265b3081⤵
- Suspicious behavior: EmotetMutantsSpam
- Drops file in system dir
- Suspicious behavior: EnumeratesProcesses
PID:1916
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1774239815-1814403401-2200974991-1000\0f5007522459c86e95ffcc62f32308f1_18654976-c7db-4a1a-8859-070035d242d5
-
memory/820-4-0x00000000002B0000-0x00000000002C5000-memory.dmpFilesize
84KB
-
memory/1388-2-0x00000000003D0000-0x00000000003E5000-memory.dmpFilesize
84KB
-
memory/1388-3-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/1416-0-0x0000000000320000-0x0000000000335000-memory.dmpFilesize
84KB
-
memory/1916-5-0x00000000005C0000-0x00000000005D5000-memory.dmpFilesize
84KB
-
memory/1916-6-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB