Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    17-07-2020 23:09

General

  • Target

    6487f0b369dd1e63e4e71534312b10b9e9ceb3fc1d8317f409a850da112700dd.exe

  • Size

    273KB

  • MD5

    f7f50687c0de6e9d6bd7f765fa69ee3e

  • SHA1

    79e28abc3083c63ba76a99ae4eeb9f4d671c7267

  • SHA256

    6487f0b369dd1e63e4e71534312b10b9e9ceb3fc1d8317f409a850da112700dd

  • SHA512

    13fbaaf80bb19346d8f02c0d3039c07e1c9ec938c87a4832cf28021789214ab7bb62057a9355b6b0ff46f9c1791b62c3232ea8086a89271c82c25ebe27dc999d

Score
10/10

Malware Config

Extracted

Family

emotet

C2


rsa_pubkey.plain

-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM/TXLLvX91I6dVMYe+T1PPO6mpcg7OJ
cMl9o/g4nUhZOp8fAAmQl8XMXeGvDhZXTyX1AXf401iPFui0RB6glhl/7/djvi7j
l32lAhyBANpKGty8xf3J5kGwwClnG/CXHQIDAQAB
-----END PUBLIC KEY-----

Signatures

  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: EmotetMutantsSpam 1 IoCs
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

Processes

  • C:\Users\Admin\AppData\Local\Temp\6487f0b369dd1e63e4e71534312b10b9e9ceb3fc1d8317f409a850da112700dd.exe
    "C:\Users\Admin\AppData\Local\Temp\6487f0b369dd1e63e4e71534312b10b9e9ceb3fc1d8317f409a850da112700dd.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: EmotetMutantsSpam
    PID:880

Network

  • POST
    http://177.144.130.105:443/v9WNh2IsfZwWSs8/w0qaYZV/
    6487f0b369dd1e63e4e71534312b10b9e9ceb3fc1d8317f409a850da112700dd.exe
    Remote address:
    177.144.130.105:443
    Request
    POST /v9WNh2IsfZwWSs8/w0qaYZV/ HTTP/1.1
    Referer: http://177.144.130.105/v9WNh2IsfZwWSs8/w0qaYZV/
    Content-Type: multipart/form-data; boundary=---------------------------432967480134938
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: 177.144.130.105:443
    Content-Length: 4372
    Connection: Keep-Alive
    Cache-Control: no-cache
  • POST
    http://198.27.69.201:8080/5TfV9OuhDm/tkrVL/wlZQsYhzgOyrPvl/
    6487f0b369dd1e63e4e71534312b10b9e9ceb3fc1d8317f409a850da112700dd.exe
    Remote address:
    198.27.69.201:8080
    Request
    POST /5TfV9OuhDm/tkrVL/wlZQsYhzgOyrPvl/ HTTP/1.1
    Referer: http://198.27.69.201/5TfV9OuhDm/tkrVL/wlZQsYhzgOyrPvl/
    Content-Type: multipart/form-data; boundary=---------------------------313526552817897
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: 198.27.69.201:8080
    Content-Length: 4388
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 17 Jul 2020 23:10:43 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 132
    Connection: keep-alive
  • DNS
    dns.msftncsi.com
    Remote address:
    8.8.8.8:53
    Request
    dns.msftncsi.com
    IN A
    Response
    dns.msftncsi.com
    IN A
    131.107.255.255
  • DNS
    dns.msftncsi.com
    Remote address:
    8.8.8.8:53
    Request
    dns.msftncsi.com
    IN AAAA
    Response
    dns.msftncsi.com
    IN AAAA
    fd3e:4f5a:5b81::1
  • 177.144.130.105:443
    http://177.144.130.105:443/v9WNh2IsfZwWSs8/w0qaYZV/
    http
    6487f0b369dd1e63e4e71534312b10b9e9ceb3fc1d8317f409a850da112700dd.exe
    5.3kB
    212 B
    9
    5

    HTTP Request

    POST http://177.144.130.105:443/v9WNh2IsfZwWSs8/w0qaYZV/
  • 198.27.69.201:8080
    http://198.27.69.201:8080/5TfV9OuhDm/tkrVL/wlZQsYhzgOyrPvl/
    http
    6487f0b369dd1e63e4e71534312b10b9e9ceb3fc1d8317f409a850da112700dd.exe
    5.6kB
    580 B
    15
    7

    HTTP Request

    POST http://198.27.69.201:8080/5TfV9OuhDm/tkrVL/wlZQsYhzgOyrPvl/

    HTTP Response

    200
  • 224.0.0.252:5355
    100 B
    2
  • 10.7.0.255:137
    netbios-ns
    234 B
    3
  • 239.255.255.250:1900
    966 B
    6
  • 239.255.255.250:1900
  • 8.8.8.8:53
    dns.msftncsi.com
    dns
    62 B
    78 B
    1
    1

    DNS Request

    dns.msftncsi.com

    DNS Response

    131.107.255.255

  • 8.8.8.8:53
    dns.msftncsi.com
    dns
    62 B
    90 B
    1
    1

    DNS Request

    dns.msftncsi.com

    DNS Response

    fd3e:4f5a:5b81::1

Downloads

  • memory/880-0-0x00000000003A0000-0x00000000003AC000-memory.dmp

    Filesize

    48KB

  • memory/880-1-0x0000000000400000-0x0000000000449000-memory.dmp

    Filesize

    292KB