Analysis
-
max time kernel
131s -
max time network
149s -
resource
win10v191014
Task
task1
Sample
0f0a815fb89f99cf690ae43ec7761b2b3e8a07980d758158742217149bdc6089.exe
Resource
win7v191014
General
-
Target
0f0a815fb89f99cf690ae43ec7761b2b3e8a07980d758158742217149bdc6089
-
Sample
191129-66c3pr3epj
-
SHA256
0f0a815fb89f99cf690ae43ec7761b2b3e8a07980d758158742217149bdc6089
Malware Config
Extracted
emotet
211.218.105.101:80
197.90.159.42:80
201.183.251.100:80
50.63.13.135:8080
80.211.32.88:8080
222.239.249.166:443
192.161.190.171:8080
161.18.233.114:80
41.218.118.66:80
189.236.4.214:443
181.197.108.171:443
80.93.48.49:7080
212.129.14.27:8080
78.46.87.133:8080
200.71.112.158:53
216.75.37.196:8080
157.7.164.178:8081
195.201.56.68:7080
189.180.105.125:443
124.150.175.129:8080
201.196.15.79:990
81.213.145.45:443
187.250.92.82:80
190.189.79.73:80
172.90.70.168:443
172.104.70.207:8080
176.58.93.123:80
152.169.32.143:8080
46.17.6.116:8080
50.116.78.109:8080
143.95.101.72:8080
163.172.97.112:8080
60.53.3.153:8080
37.59.24.25:8080
139.162.185.116:443
142.93.87.198:8080
182.176.116.139:995
122.11.164.183:80
46.105.131.68:8080
85.105.183.228:443
186.66.224.182:990
195.226.144.249:80
23.253.207.142:8080
181.47.235.26:993
162.144.46.90:8080
119.159.150.176:443
181.44.166.242:80
51.38.134.203:8080
172.245.13.50:8080
198.57.217.170:8080
192.241.220.183:8080
95.216.212.157:8080
187.177.155.123:990
177.226.25.78:80
177.103.201.23:80
190.101.87.170:80
191.100.24.201:50000
187.233.220.93:443
5.189.148.98:8080
95.216.207.86:7080
124.150.175.133:80
113.52.135.33:7080
212.112.113.235:80
217.26.163.82:7080
186.215.101.106:80
138.197.140.163:8080
72.27.212.209:8080
83.110.107.243:443
195.191.107.67:80
192.163.221.191:8080
Signatures
-
Checks system information in the registry (likely anti-VM) 2 TTPs 2 IoCs
description ioc pid Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer 4184 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName 4184 svchost.exe -
description ioc pid Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0" 2924 svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1" 2924 svchost.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 4932 0f0a815fb89f99cf690ae43ec7761b2b3e8a07980d758158742217149bdc6089.exe 1676 0f0a815fb89f99cf690ae43ec7761b2b3e8a07980d758158742217149bdc6089.exe 992 netshserial.exe 4376 netshserial.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 5012 wrote to memory of 5040 5012 SppExtComObj.exe 74 PID 4932 wrote to memory of 1676 4932 0f0a815fb89f99cf690ae43ec7761b2b3e8a07980d758158742217149bdc6089.exe 76 PID 992 wrote to memory of 4376 992 netshserial.exe 79 -
Drops file in system dir 11 IoCs
description ioc pid Process File renamed C:\Users\Admin\AppData\Local\Temp\0f0a815fb89f99cf690ae43ec7761b2b3e8a07980d758158742217149bdc6089.exe => C:\Windows\SysWOW64\netshserial.exe 1676 0f0a815fb89f99cf690ae43ec7761b2b3e8a07980d758158742217149bdc6089.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat 4376 netshserial.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 4376 netshserial.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE 4376 netshserial.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies 4376 netshserial.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 4376 netshserial.exe File opened for modification C:\Windows\Debug\ESE.TXT 3624 svchost.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp 3624 svchost.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp 3624 svchost.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp 3624 svchost.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp 3624 svchost.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 1676 0f0a815fb89f99cf690ae43ec7761b2b3e8a07980d758158742217149bdc6089.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 4376 netshserial.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0f0a815fb89f99cf690ae43ec7761b2b3e8a07980d758158742217149bdc6089.exe"C:\Users\Admin\AppData\Local\Temp\0f0a815fb89f99cf690ae43ec7761b2b3e8a07980d758158742217149bdc6089.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4932
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
- Suspicious use of WriteProcessMemory
PID:5012
-
C:\Windows\System32\SLUI.exe"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent1⤵PID:5040
-
C:\Users\Admin\AppData\Local\Temp\0f0a815fb89f99cf690ae43ec7761b2b3e8a07980d758158742217149bdc6089.exe--6476713c1⤵
- Suspicious use of SetWindowsHookEx
- Drops file in system dir
- Suspicious behavior: RenamesItself
PID:1676
-
C:\Windows\SysWOW64\netshserial.exe"C:\Windows\SysWOW64\netshserial.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:992
-
C:\Windows\SysWOW64\netshserial.exe--4621b09c1⤵
- Suspicious use of SetWindowsHookEx
- Drops file in system dir
- Suspicious behavior: EnumeratesProcesses
PID:4376
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s BITS1⤵
- Drops file in system dir
PID:3624
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV1⤵PID:4632
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s DoSvc1⤵
- Checks system information in the registry (likely anti-VM)
PID:4184
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc1⤵
- Windows security modification
PID:2924
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup1⤵PID:2324
Network
MITRE ATT&CK Enterprise v15
MITRE ATT&CK Additional techniques
- T1089