Analysis
-
max time kernel
112s -
resource
win7v191014 -
submitted
12-12-2019 13:40
Task
task1
Sample
2abe79c1ae41bb9e67aa0a75f7b9689b385556561b8cd6875f2aff68a2910713.exe
Resource
win7v191014
General
Malware Config
Extracted
emotet
96.234.38.186:8080
120.51.83.89:443
98.15.140.226:80
143.95.101.72:8080
46.105.128.215:8080
69.30.205.162:7080
192.161.190.171:8080
178.134.1.238:80
58.93.151.148:80
23.253.207.142:8080
190.101.87.170:80
177.103.201.23:80
190.189.79.73:80
46.17.6.116:8080
165.100.148.200:443
181.47.235.26:993
42.51.192.231:8080
128.92.54.20:80
89.215.225.15:80
77.245.12.212:80
113.52.135.33:7080
45.129.121.222:443
175.103.239.50:80
210.111.160.220:80
95.216.212.157:8080
78.186.102.195:80
85.109.190.235:443
182.176.116.139:995
67.254.196.78:443
78.187.204.70:80
190.161.67.63:80
189.225.211.171:443
95.216.207.86:7080
195.250.143.182:80
100.38.11.243:80
123.142.37.165:80
200.41.121.69:443
83.156.88.159:80
162.144.46.90:8080
187.233.220.93:443
37.59.24.25:8080
78.46.87.133:8080
110.142.161.90:80
201.196.15.79:990
163.172.97.112:8080
91.117.131.122:80
67.171.182.231:80
221.154.59.110:80
37.46.129.215:8080
177.103.240.93:80
190.5.162.204:80
82.79.244.92:80
98.15.140.226:80
72.69.99.47:80
81.82.247.216:80
212.112.113.235:80
172.104.70.207:8080
86.70.224.211:80
41.77.74.214:443
190.171.135.235:80
193.33.38.208:443
142.93.87.198:8080
60.53.3.153:8080
95.255.140.89:443
139.59.12.63:8080
158.69.167.246:8080
92.16.222.156:80
138.197.140.163:8080
103.122.75.218:80
128.92.54.20:80
124.150.175.129:8080
210.224.65.117:80
153.190.41.185:80
46.105.131.68:8080
187.250.92.82:80
176.58.93.123:80
181.44.166.242:80
124.150.175.133:80
86.6.123.109:80
115.93.14.196:443
190.146.14.143:443
51.38.134.203:8080
115.179.91.58:80
50.116.78.109:8080
24.28.178.71:80
85.235.219.74:80
1.32.54.12:8080
174.57.150.13:8080
200.71.112.158:53
211.218.105.101:80
24.27.122.202:80
192.241.220.183:8080
212.129.14.27:8080
192.210.217.94:8080
91.117.31.181:80
86.98.157.3:80
185.244.167.25:443
201.183.251.100:80
175.127.140.68:80
119.57.36.54:8080
189.61.200.9:443
191.100.24.201:50000
83.110.107.243:443
216.75.37.196:8080
100.38.11.243:80
72.27.212.209:8080
217.181.139.237:443
188.230.134.205:80
172.90.70.168:443
119.159.150.176:443
122.11.164.183:80
5.189.148.98:8080
Signatures
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
titlemailbox.exepid process 1848 titlemailbox.exe -
Drops file in System32 directory 2 IoCs
Processes:
2abe79c1ae41bb9e67aa0a75f7b9689b385556561b8cd6875f2aff68a2910713.exetitlemailbox.exedescription ioc process File renamed C:\Users\Admin\AppData\Local\Temp\2abe79c1ae41bb9e67aa0a75f7b9689b385556561b8cd6875f2aff68a2910713.exe => C:\Windows\SysWOW64\titlemailbox.exe 2abe79c1ae41bb9e67aa0a75f7b9689b385556561b8cd6875f2aff68a2910713.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat titlemailbox.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
2abe79c1ae41bb9e67aa0a75f7b9689b385556561b8cd6875f2aff68a2910713.exe2abe79c1ae41bb9e67aa0a75f7b9689b385556561b8cd6875f2aff68a2910713.exetitlemailbox.exetitlemailbox.exepid process 888 2abe79c1ae41bb9e67aa0a75f7b9689b385556561b8cd6875f2aff68a2910713.exe 616 2abe79c1ae41bb9e67aa0a75f7b9689b385556561b8cd6875f2aff68a2910713.exe 1828 titlemailbox.exe 1848 titlemailbox.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
2abe79c1ae41bb9e67aa0a75f7b9689b385556561b8cd6875f2aff68a2910713.exetitlemailbox.exedescription pid process target process PID 888 wrote to memory of 616 888 2abe79c1ae41bb9e67aa0a75f7b9689b385556561b8cd6875f2aff68a2910713.exe 2abe79c1ae41bb9e67aa0a75f7b9689b385556561b8cd6875f2aff68a2910713.exe PID 1828 wrote to memory of 1848 1828 titlemailbox.exe titlemailbox.exe -
Suspicious behavior: EmotetMutantsSpam 2 IoCs
Processes:
2abe79c1ae41bb9e67aa0a75f7b9689b385556561b8cd6875f2aff68a2910713.exetitlemailbox.exepid process 616 2abe79c1ae41bb9e67aa0a75f7b9689b385556561b8cd6875f2aff68a2910713.exe 1848 titlemailbox.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
2abe79c1ae41bb9e67aa0a75f7b9689b385556561b8cd6875f2aff68a2910713.exepid process 616 2abe79c1ae41bb9e67aa0a75f7b9689b385556561b8cd6875f2aff68a2910713.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2abe79c1ae41bb9e67aa0a75f7b9689b385556561b8cd6875f2aff68a2910713.exe"C:\Users\Admin\AppData\Local\Temp\2abe79c1ae41bb9e67aa0a75f7b9689b385556561b8cd6875f2aff68a2910713.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2abe79c1ae41bb9e67aa0a75f7b9689b385556561b8cd6875f2aff68a2910713.exe--6eedf3de2⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EmotetMutantsSpam
- Suspicious behavior: RenamesItself
-
C:\Windows\SysWOW64\titlemailbox.exe"C:\Windows\SysWOW64\titlemailbox.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\titlemailbox.exe--cbf676ce2⤵
- Suspicious behavior: EnumeratesProcesses
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EmotetMutantsSpam
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/616-1-0x0000000000370000-0x0000000000387000-memory.dmpFilesize
92KB
-
memory/616-2-0x0000000000400000-0x0000000000459000-memory.dmpFilesize
356KB
-
memory/888-0-0x00000000001F0000-0x0000000000207000-memory.dmpFilesize
92KB
-
memory/1848-4-0x0000000000270000-0x0000000000287000-memory.dmpFilesize
92KB
-
memory/1848-5-0x0000000000400000-0x0000000000459000-memory.dmpFilesize
356KB