Analysis
-
max time kernel
131s -
max time network
149s -
resource
win10v191014
Task
task1
Sample
3062d6268485468083a97411cc30c8ce0c292dd1d6f73649383167d36f93c56e.exe
Resource
win7v191014
General
-
Target
3062d6268485468083a97411cc30c8ce0c292dd1d6f73649383167d36f93c56e
-
Sample
191129-tba2ymyvhn
-
SHA256
3062d6268485468083a97411cc30c8ce0c292dd1d6f73649383167d36f93c56e
Malware Config
Extracted
emotet
12.229.155.122:80
5.88.182.250:80
128.65.154.183:443
59.110.18.236:443
45.56.88.91:443
51.68.220.244:8080
206.81.10.215:8080
211.63.71.72:8080
171.101.153.86:990
95.128.43.213:8080
31.172.240.91:8080
167.99.105.223:7080
24.45.193.161:7080
104.131.11.150:8080
167.71.10.37:8080
104.131.44.150:8080
190.108.228.48:990
195.244.215.206:80
192.241.220.155:8080
209.97.168.52:8080
197.254.221.174:80
37.157.194.134:443
212.129.24.79:8080
200.71.148.138:8080
206.189.112.148:8080
169.239.182.217:8080
167.114.242.226:8080
181.31.213.158:8080
181.143.194.138:443
80.11.163.139:21
120.150.246.241:80
183.102.238.69:465
159.65.25.128:8080
62.75.187.192:8080
178.210.51.222:8080
178.209.71.63:8080
138.201.140.110:8080
186.75.241.230:80
190.226.44.20:21
190.53.135.159:21
217.160.182.191:8080
165.227.156.155:443
104.236.246.93:8080
31.31.77.83:443
192.241.255.77:8080
85.104.59.244:20
182.176.132.213:8090
5.196.74.210:8080
144.139.247.220:80
50.116.86.205:8080
59.103.164.174:80
165.228.24.197:80
67.225.179.64:8080
201.184.105.242:443
91.205.215.66:8080
92.222.216.44:8080
103.39.131.88:80
190.147.215.53:22
116.48.142.21:443
87.230.19.21:8080
46.105.131.87:80
190.211.207.11:443
87.106.136.232:8080
149.202.153.252:8080
83.136.245.190:8080
91.73.197.90:80
45.33.49.124:443
191.92.209.110:7080
107.170.24.125:8080
31.12.67.62:7080
189.209.217.49:80
192.81.213.192:8080
164.68.101.171:80
173.212.203.26:8080
94.192.228.255:80
78.24.219.147:8080
190.145.67.134:8090
65.23.154.17:8080
181.57.193.14:80
176.31.200.130:8080
87.106.139.101:8080
Signatures
-
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 4880 3062d6268485468083a97411cc30c8ce0c292dd1d6f73649383167d36f93c56e.exe 5080 3062d6268485468083a97411cc30c8ce0c292dd1d6f73649383167d36f93c56e.exe 452 groupiplk.exe 1916 groupiplk.exe -
Suspicious behavior: EmotetMutantsSpam 2 IoCs
pid Process 5080 3062d6268485468083a97411cc30c8ce0c292dd1d6f73649383167d36f93c56e.exe 1916 groupiplk.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 5080 3062d6268485468083a97411cc30c8ce0c292dd1d6f73649383167d36f93c56e.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1916 groupiplk.exe -
Checks system information in the registry (likely anti-VM) 2 TTPs 2 IoCs
description ioc pid Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer 3032 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName 3032 svchost.exe -
description ioc pid Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0" 3020 svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1" 3020 svchost.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4960 wrote to memory of 4992 4960 SppExtComObj.exe 74 PID 4880 wrote to memory of 5080 4880 3062d6268485468083a97411cc30c8ce0c292dd1d6f73649383167d36f93c56e.exe 76 PID 452 wrote to memory of 1916 452 groupiplk.exe 79 -
description ioc pid Process Event created Global\E7447237A 5080 3062d6268485468083a97411cc30c8ce0c292dd1d6f73649383167d36f93c56e.exe -
Drops file in system dir 11 IoCs
description ioc pid Process File renamed C:\Users\Admin\AppData\Local\Temp\3062d6268485468083a97411cc30c8ce0c292dd1d6f73649383167d36f93c56e.exe => C:\Windows\SysWOW64\groupiplk.exe 5080 3062d6268485468083a97411cc30c8ce0c292dd1d6f73649383167d36f93c56e.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat 1916 groupiplk.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 1916 groupiplk.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE 1916 groupiplk.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies 1916 groupiplk.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 1916 groupiplk.exe File opened for modification C:\Windows\Debug\ESE.TXT 3676 svchost.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp 3676 svchost.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp 3676 svchost.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp 3676 svchost.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp 3676 svchost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3062d6268485468083a97411cc30c8ce0c292dd1d6f73649383167d36f93c56e.exe"C:\Users\Admin\AppData\Local\Temp\3062d6268485468083a97411cc30c8ce0c292dd1d6f73649383167d36f93c56e.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4880
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
- Suspicious use of WriteProcessMemory
PID:4960
-
C:\Windows\System32\SLUI.exe"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent1⤵PID:4992
-
C:\Users\Admin\AppData\Local\Temp\3062d6268485468083a97411cc30c8ce0c292dd1d6f73649383167d36f93c56e.exe--4661cacc1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EmotetMutantsSpam
- Suspicious behavior: RenamesItself
- Emotet Sync
- Drops file in system dir
PID:5080
-
C:\Windows\SysWOW64\groupiplk.exe"C:\Windows\SysWOW64\groupiplk.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:452
-
C:\Windows\SysWOW64\groupiplk.exe--4e0a81b1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EmotetMutantsSpam
- Suspicious behavior: EnumeratesProcesses
- Drops file in system dir
PID:1916
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s BITS1⤵
- Drops file in system dir
PID:3676
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV1⤵PID:4608
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s DoSvc1⤵
- Checks system information in the registry (likely anti-VM)
PID:3032
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc1⤵
- Windows security modification
PID:3020
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup1⤵PID:4820
Network
MITRE ATT&CK Enterprise v16
MITRE ATT&CK Additional techniques
- T1089