Analysis
-
max time kernel
114s -
resource
win7v191014 -
submitted
12-12-2019 09:03
Task
task1
Sample
32fec2fe28e0315ee8210962e60e3764874dafb7572d976e448019f3b3f9b9b3.exe
Resource
win7v191014
General
Malware Config
Extracted
emotet
110.143.84.202:80
75.80.148.244:80
64.53.242.181:8080
37.59.24.177:8080
66.34.201.20:7080
108.179.206.219:8080
45.56.88.91:443
206.189.112.148:8080
211.63.71.72:8080
178.210.51.222:8080
92.186.52.193:80
195.244.215.206:80
2.38.99.79:80
37.157.194.134:443
206.81.10.215:8080
80.21.182.46:80
80.11.163.139:21
190.56.255.118:80
190.226.44.20:21
173.70.81.77:80
190.12.119.180:443
120.150.246.241:80
110.142.38.16:80
192.241.255.77:8080
181.31.213.158:8080
178.209.71.63:8080
212.186.191.177:80
85.72.180.68:80
181.57.193.14:80
46.105.131.87:80
12.176.19.218:80
86.98.156.239:443
167.71.10.37:8080
116.48.142.21:443
176.31.200.130:8080
45.51.40.140:80
67.225.179.64:8080
110.143.57.109:80
185.159.102.74:80
1.33.230.137:80
212.64.171.206:80
144.139.247.220:80
165.228.24.197:80
188.152.7.140:80
70.175.171.251:80
165.227.156.155:443
5.196.74.210:8080
182.176.132.213:8090
164.68.101.171:80
149.202.153.252:8080
5.88.182.250:80
62.75.187.192:8080
104.131.44.150:8080
12.229.155.122:80
167.114.242.226:8080
107.2.2.28:80
128.65.154.183:443
31.31.77.83:443
98.24.231.64:80
217.160.182.191:8080
87.106.136.232:8080
218.44.21.114:80
190.53.135.159:21
87.230.19.21:8080
91.231.166.126:8080
186.75.241.230:80
197.254.221.174:80
92.222.216.44:8080
209.97.168.52:8080
100.14.117.137:80
183.102.238.69:465
107.170.24.125:8080
104.131.11.150:8080
103.86.49.11:8080
58.171.42.66:8080
108.191.2.72:80
91.73.197.90:80
66.76.63.99:80
210.6.85.121:80
139.130.241.252:443
201.184.105.242:443
45.33.49.124:443
73.11.153.178:8080
78.24.219.147:8080
24.45.193.161:7080
104.236.246.93:8080
50.116.86.205:8080
31.131.182.30:80
31.172.240.91:8080
101.187.134.207:443
212.129.24.79:8080
91.205.215.66:8080
189.209.217.49:80
73.176.241.255:80
101.187.247.29:80
159.65.25.128:8080
167.99.105.223:7080
190.211.207.11:443
190.147.215.53:22
83.136.245.190:8080
169.239.182.217:8080
176.106.183.253:8080
61.197.110.214:80
93.147.141.5:80
87.106.139.101:8080
104.237.155.168:443
209.141.54.221:8080
181.143.194.138:443
59.103.164.174:80
91.242.138.5:80
74.105.102.97:8080
47.156.70.145:80
200.7.243.108:443
201.173.217.124:443
173.13.135.102:80
95.128.43.213:8080
Signatures
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
32fec2fe28e0315ee8210962e60e3764874dafb7572d976e448019f3b3f9b9b3.exe32fec2fe28e0315ee8210962e60e3764874dafb7572d976e448019f3b3f9b9b3.exemanualwsat.exemanualwsat.exepid process 1304 32fec2fe28e0315ee8210962e60e3764874dafb7572d976e448019f3b3f9b9b3.exe 1104 32fec2fe28e0315ee8210962e60e3764874dafb7572d976e448019f3b3f9b9b3.exe 1948 manualwsat.exe 848 manualwsat.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
32fec2fe28e0315ee8210962e60e3764874dafb7572d976e448019f3b3f9b9b3.exemanualwsat.exedescription pid process target process PID 1304 wrote to memory of 1104 1304 32fec2fe28e0315ee8210962e60e3764874dafb7572d976e448019f3b3f9b9b3.exe 32fec2fe28e0315ee8210962e60e3764874dafb7572d976e448019f3b3f9b9b3.exe PID 1948 wrote to memory of 848 1948 manualwsat.exe manualwsat.exe -
Suspicious behavior: EmotetMutantsSpam 2 IoCs
Processes:
32fec2fe28e0315ee8210962e60e3764874dafb7572d976e448019f3b3f9b9b3.exemanualwsat.exepid process 1104 32fec2fe28e0315ee8210962e60e3764874dafb7572d976e448019f3b3f9b9b3.exe 848 manualwsat.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
32fec2fe28e0315ee8210962e60e3764874dafb7572d976e448019f3b3f9b9b3.exepid process 1104 32fec2fe28e0315ee8210962e60e3764874dafb7572d976e448019f3b3f9b9b3.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
manualwsat.exepid process 848 manualwsat.exe -
Drops file in System32 directory 2 IoCs
Processes:
32fec2fe28e0315ee8210962e60e3764874dafb7572d976e448019f3b3f9b9b3.exemanualwsat.exedescription ioc process File renamed C:\Users\Admin\AppData\Local\Temp\32fec2fe28e0315ee8210962e60e3764874dafb7572d976e448019f3b3f9b9b3.exe => C:\Windows\SysWOW64\manualwsat.exe 32fec2fe28e0315ee8210962e60e3764874dafb7572d976e448019f3b3f9b9b3.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat manualwsat.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\32fec2fe28e0315ee8210962e60e3764874dafb7572d976e448019f3b3f9b9b3.exe"C:\Users\Admin\AppData\Local\Temp\32fec2fe28e0315ee8210962e60e3764874dafb7572d976e448019f3b3f9b9b3.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\32fec2fe28e0315ee8210962e60e3764874dafb7572d976e448019f3b3f9b9b3.exe--554277f12⤵
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EmotetMutantsSpam
- Suspicious behavior: RenamesItself
- Drops file in System32 directory
-
C:\Windows\SysWOW64\manualwsat.exe"C:\Windows\SysWOW64\manualwsat.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\manualwsat.exe--fac71fa72⤵
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EmotetMutantsSpam
- Suspicious behavior: EnumeratesProcesses
- Drops file in System32 directory
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1774239815-1814403401-2200974991-1000\0f5007522459c86e95ffcc62f32308f1_18654976-c7db-4a1a-8859-070035d242d5
-
memory/848-5-0x00000000002A0000-0x00000000002B7000-memory.dmpFilesize
92KB
-
memory/848-6-0x0000000000400000-0x000000000048D000-memory.dmpFilesize
564KB
-
memory/1104-2-0x0000000000240000-0x0000000000257000-memory.dmpFilesize
92KB
-
memory/1104-3-0x0000000000400000-0x000000000048D000-memory.dmpFilesize
564KB
-
memory/1304-0-0x00000000003A0000-0x00000000003B7000-memory.dmpFilesize
92KB
-
memory/1948-4-0x0000000000320000-0x0000000000337000-memory.dmpFilesize
92KB