Analysis
- max time kernel: 138s
- max time network: 148s
- platform: windows10_x64
- resource: win10v200430
- submitted: 13-07-2020 08:05
Static task: static1
Behavioral task: behavioral1
Sample: Emotet (2).bin.exe
Resource: win7
General
- Target: Emotet (2).bin.exe
- Size: 104KB
- MD5: cc217469d3c5b9163db9debdeda105f7
- SHA1: 5572b1e822116ecc5a6a1891681d38b6484b67d6
- SHA256: 763d2a1a32df52fe199d7ab1bc2dc6c028521244b8faad7b6be21fd76657c8ab
- SHA512: 7fa2f38d26038816afb87c757ef958ff6cba802f1cc6366a002ece6b66a24fa69fc29d50ba1053189d0245470a70c8e80f5f532c62fa76693a6476dd5d7bfc78
Malware Config
- Extracted: emotet
Addresses (IP:port):
181.230.65.232:80
77.74.78.80:443
192.241.220.183:8080
195.201.56.70:8080
125.63.106.22:80
203.153.216.178:7080
139.59.12.63:8080
190.251.235.239:80
14.99.112.138:80
192.163.221.191:8080
46.49.124.53:80
81.214.253.80:443
46.32.229.152:8080
74.208.173.91:8080
163.172.107.70:8080
37.46.129.215:8080
212.112.113.235:80
50.116.78.109:8080
113.161.148.81:80
78.188.170.128:80
190.171.153.139:80
41.169.20.147:8090
113.160.180.109:80
192.210.217.94:8080
51.38.201.19:7080
37.208.106.146:8080
110.44.113.2:8080
185.142.236.163:443
157.7.164.178:8081
91.83.93.103:443
211.20.154.102:80
177.0.241.28:80
179.5.118.12:80
88.235.222.255:80
203.153.216.182:7080
178.33.167.120:8080
115.79.195.246:80
190.55.233.156:80
80.211.32.88:8080
41.185.29.128:8080
188.0.135.237:80
220.128.125.18:80
181.164.110.7:80
45.118.136.92:8080
82.165.15.188:8080
37.70.131.107:80
75.127.14.170:8080
140.207.113.106:443
Signatures
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes (pid / process):
    992   Emotet (2).bin.exe
    992   Emotet (2).bin.exe
    1632  msxml3.exe
    1632  msxml3.exe
- Suspicious behavior: EmotetMutantsSpam (2 IoCs)
  Processes (pid / process):
    992   Emotet (2).bin.exe
    1632  msxml3.exe
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes (pid / process):
    992   Emotet (2).bin.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description / pid / process / target process):
    PID 992 wrote to memory of 1632   992   Emotet (2).bin.exe   msxml3.exe
    PID 992 wrote to memory of 1632   992   Emotet (2).bin.exe   msxml3.exe
    PID 992 wrote to memory of 1632   992   Emotet (2).bin.exe   msxml3.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes (pid / process):
    1632  msxml3.exe
    1632  msxml3.exe
    1632  msxml3.exe
    1632  msxml3.exe
    1632  msxml3.exe
    1632  msxml3.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Emotet (2).bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Emotet (2).bin.exe"
  PID: 992
  - Suspicious use of SetWindowsHookEx
  - Suspicious behavior: EmotetMutantsSpam
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\msxml3\msxml3.exe
    Command line: "C:\Windows\SysWOW64\msxml3\msxml3.exe"
    PID: 1632
    - Suspicious use of SetWindowsHookEx
    - Suspicious behavior: EmotetMutantsSpam
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads
- memory/992-0-0x0000000000A00000-0x0000000000A0C000-memory.dmp (Filesize: 48KB)
- memory/992-1-0x0000000000400000-0x000000000041A000-memory.dmp (Filesize: 104KB)
- memory/1632-2-0x0000000000000000-mapping.dmp
- memory/1632-3-0x00000000020E0000-0x00000000020EC000-memory.dmp (Filesize: 48KB)
- memory/1632-4-0x0000000000400000-0x000000000041A000-memory.dmp (Filesize: 104KB)