Analysis

  • max time kernel
    149s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    17-07-2020 20:45

General

  • Target

    44edd7336d5b638018a66a217f75c573d205af0a1eb317726f96b6e98f2764d9.exe

  • Size

    276KB

  • MD5

    194d1cb5c1cebab001a2b0061a892968

  • SHA1

    fef709af88ba6496ad67c2ed1bc53d4bb5b77933

  • SHA256

    44edd7336d5b638018a66a217f75c573d205af0a1eb317726f96b6e98f2764d9

  • SHA512

    65bcb9d1ee90e2ca17142a7764ff7e11d238425c4c723924e115410812346f1ca51cc7873016224aa8d71073c68429a9c6d4fe74472f60fa3da1dae6a51633dd

Score
10/10

Malware Config

Extracted

Family

emotet

C2


rsa_pubkey.plain

Signatures

  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: EmotetMutantsSpam 1 IoCs
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

Processes

  • C:\Users\Admin\AppData\Local\Temp\44edd7336d5b638018a66a217f75c573d205af0a1eb317726f96b6e98f2764d9.exe
    "C:\Users\Admin\AppData\Local\Temp\44edd7336d5b638018a66a217f75c573d205af0a1eb317726f96b6e98f2764d9.exe"
    • Suspicious use of SetWindowsHookEx
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: EmotetMutantsSpam
    PID:316

Network

  • POST
    http://177.144.130.105:443/e9928zYzWIXpo/tuvJaWo/fQsYmkh1CgJXiTVbGmm/halE/IURuHRZXSfXEeFlXv/oT6I8wszB9jahc/
    44edd7336d5b638018a66a217f75c573d205af0a1eb317726f96b6e98f2764d9.exe
    Remote address:
    177.144.130.105:443
    Request
    POST /e9928zYzWIXpo/tuvJaWo/fQsYmkh1CgJXiTVbGmm/halE/IURuHRZXSfXEeFlXv/oT6I8wszB9jahc/ HTTP/1.1
    Referer: http://177.144.130.105/e9928zYzWIXpo/tuvJaWo/fQsYmkh1CgJXiTVbGmm/halE/IURuHRZXSfXEeFlXv/oT6I8wszB9jahc/
    Content-Type: multipart/form-data; boundary=---------------------------664844741793812
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: 177.144.130.105:443
    Content-Length: 4372
    Connection: Keep-Alive
    Cache-Control: no-cache
  • POST
    http://198.27.69.201:8080/XYkmG9I9ItI2N2/
    44edd7336d5b638018a66a217f75c573d205af0a1eb317726f96b6e98f2764d9.exe
    Remote address:
    198.27.69.201:8080
    Request
    POST /XYkmG9I9ItI2N2/ HTTP/1.1
    Referer: http://198.27.69.201/XYkmG9I9ItI2N2/
    Content-Type: multipart/form-data; boundary=---------------------------163300454208131
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: 198.27.69.201:8080
    Content-Length: 4388
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 17 Jul 2020 20:46:20 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 132
    Connection: keep-alive
  • DNS
    dns.msftncsi.com
    Remote address:
    8.8.8.8:53
    Request
    dns.msftncsi.com
    IN A
    Response
    dns.msftncsi.com
    IN A
    131.107.255.255
  • DNS
    dns.msftncsi.com
    Remote address:
    8.8.8.8:53
    Request
    dns.msftncsi.com
    IN AAAA
    Response
    dns.msftncsi.com
    IN AAAA
    fd3e:4f5a:5b81::1
  • 177.144.130.105:443
    http://177.144.130.105:443/e9928zYzWIXpo/tuvJaWo/fQsYmkh1CgJXiTVbGmm/halE/IURuHRZXSfXEeFlXv/oT6I8wszB9jahc/
    http
    44edd7336d5b638018a66a217f75c573d205af0a1eb317726f96b6e98f2764d9.exe
    5.4kB
    212 B
    9
    5

    HTTP Request

    POST http://177.144.130.105:443/e9928zYzWIXpo/tuvJaWo/fQsYmkh1CgJXiTVbGmm/halE/IURuHRZXSfXEeFlXv/oT6I8wszB9jahc/
  • 198.27.69.201:8080
    http://198.27.69.201:8080/XYkmG9I9ItI2N2/
    http
    44edd7336d5b638018a66a217f75c573d205af0a1eb317726f96b6e98f2764d9.exe
    5.5kB
    580 B
    15
    7

    HTTP Request

    POST http://198.27.69.201:8080/XYkmG9I9ItI2N2/

    HTTP Response

    200
  • 10.7.0.255:138
    netbios-dgm
    1.3kB
    6
  • 224.0.0.252:5355
    100 B
    2
  • 10.7.0.255:137
    netbios-ns
    234 B
    3
  • 239.255.255.250:1900
    966 B
    6
  • 8.8.8.8:53
    dns.msftncsi.com
    dns
    62 B
    78 B
    1
    1

    DNS Request

    dns.msftncsi.com

    DNS Response

    131.107.255.255

  • 8.8.8.8:53
    dns.msftncsi.com
    dns
    62 B
    90 B
    1
    1

    DNS Request

    dns.msftncsi.com

    DNS Response

    fd3e:4f5a:5b81::1

Downloads

  • memory/316-0-0x00000000002B0000-0x00000000002BC000-memory.dmp

    Filesize

    48KB

  • memory/316-1-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB
