Analysis
-
max time kernel
122s -
max time network
136s -
platform
windows10_x64 -
resource
win10 -
submitted
13-07-2020 08:05
Static task
static1
Behavioral task
behavioral1
Sample
MsSpellCheckingFacility.bin.exe
Resource
win7v200430
General
-
Target
MsSpellCheckingFacility.bin.exe
-
Size
104KB
-
MD5
b6830b6adf76aa6b4036f7c7456713ce
-
SHA1
3063f03906f8823068cc4a8464b28f4c96e663d4
-
SHA256
1ff36792edbc187f3c27fea4601240b03ebf68a35d99ee3b3aa98f27b4d04cf2
-
SHA512
bf43839b157e1ba8eff983ae94ac53f14f2713f8bf0a2d38641fb941f14b7d56d25dddb09e19baa09e310ed7f780c2a374599d673c0cb57ee89eddf681310bdb
Malware Config
Extracted
emotet
181.120.79.227:80
91.236.4.234:443
190.17.195.202:80
104.131.103.37:8080
190.147.137.153:443
186.3.232.68:80
190.163.1.31:8080
143.0.87.101:80
70.32.115.157:8080
177.66.190.130:80
82.196.15.205:8080
77.90.136.129:8080
175.114.178.83:443
46.28.111.142:7080
94.176.234.118:443
114.109.179.60:80
70.32.84.74:8080
172.104.169.32:8080
113.190.254.245:80
81.169.202.3:443
5.196.35.138:7080
89.32.150.160:8080
186.250.52.226:8080
187.51.47.26:80
104.236.161.64:8080
68.183.190.199:8080
80.249.176.206:80
12.162.84.2:8080
207.255.37.143:80
170.81.48.2:80
187.162.248.237:80
212.71.237.140:8080
190.229.148.144:80
177.139.131.143:443
192.241.143.52:8080
201.213.32.59:80
185.94.252.27:443
149.62.173.247:8080
61.92.159.208:8080
221.133.46.86:443
104.131.41.185:8080
192.241.146.84:8080
72.47.248.48:7080
45.161.242.102:80
190.194.242.254:443
204.225.249.100:7080
178.79.163.131:8080
219.92.13.25:80
185.94.252.13:443
190.6.193.152:8080
185.94.252.12:80
184.57.130.8:80
202.62.39.111:80
189.218.165.63:80
111.67.12.221:8080
177.72.13.80:80
190.181.235.46:80
181.31.211.181:80
2.47.112.152:80
217.13.106.14:8080
87.106.46.107:8080
46.214.11.172:80
77.55.211.77:8080
83.169.21.32:7080
203.25.159.3:8080
50.28.51.143:8080
Signatures
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3112 crypt32.exe 3112 crypt32.exe 3112 crypt32.exe 3112 crypt32.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 720 MsSpellCheckingFacility.bin.exe 720 MsSpellCheckingFacility.bin.exe 3112 crypt32.exe 3112 crypt32.exe -
Suspicious behavior: EmotetMutantsSpam 2 IoCs
pid Process 720 MsSpellCheckingFacility.bin.exe 3112 crypt32.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 720 MsSpellCheckingFacility.bin.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 720 wrote to memory of 3112 720 MsSpellCheckingFacility.bin.exe 67 PID 720 wrote to memory of 3112 720 MsSpellCheckingFacility.bin.exe 67 PID 720 wrote to memory of 3112 720 MsSpellCheckingFacility.bin.exe 67
Processes
-
C:\Users\Admin\AppData\Local\Temp\MsSpellCheckingFacility.bin.exe"C:\Users\Admin\AppData\Local\Temp\MsSpellCheckingFacility.bin.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EmotetMutantsSpam
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:720 -
C:\Windows\SysWOW64\crypt32\crypt32.exe"C:\Windows\SysWOW64\crypt32\crypt32.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EmotetMutantsSpam
PID:3112
-