Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    18-07-2020 20:54

General

  • Target

    d780d55de80d35b357900a0e940968759c92301f2c00103a761b0cb1c8f5e0e4.exe

  • Size

    100KB

  • MD5

    0799dbf677e8bca0f57051d0b4d4af12

  • SHA1

    8dc3992099533d0327b2549f5fab779b63143a5c

  • SHA256

    d780d55de80d35b357900a0e940968759c92301f2c00103a761b0cb1c8f5e0e4

  • SHA512

    a10344d01d9002ac87a8e7240169617c0dd303d6ff4e5edb004300ce05a8d5f857f05fd4081570f45bea3b4dc9e8588272ee50f1590f015f6e3ec00ed8f8ec28

Score
10/10

Malware Config

Extracted

Family

emotet

C2

109.117.53.230:443

212.51.142.238:8080

190.160.53.126:80

139.59.60.244:8080

91.211.88.52:7080

190.108.228.62:443

186.208.123.210:443

46.105.131.87:80

173.91.22.41:80

222.214.218.37:4143

31.31.77.83:443

62.75.141.82:80

93.156.165.186:80

93.51.50.171:8080

185.94.252.104:443

78.189.165.52:8080

95.179.229.244:8080

73.11.153.178:8080

203.153.216.189:7080

95.213.236.64:8080

rsa_pubkey.plain

-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS
Q0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS
fkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB
-----END PUBLIC KEY-----

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d780d55de80d35b357900a0e940968759c92301f2c00103a761b0cb1c8f5e0e4.exe
    "C:\Users\Admin\AppData\Local\Temp\d780d55de80d35b357900a0e940968759c92301f2c00103a761b0cb1c8f5e0e4.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious behavior: EnumeratesProcesses
    PID:1124

Network

  • flag-unknown
    DNS
    dns.msftncsi.com
    Remote address:
    8.8.8.8:53
    Request
    dns.msftncsi.com
    IN A
    Response
    dns.msftncsi.com
    IN A
    131.107.255.255
  • flag-unknown
    DNS
    dns.msftncsi.com
    Remote address:
    8.8.8.8:53
    Request
    dns.msftncsi.com
    IN AAAA
    Response
    dns.msftncsi.com
    IN AAAA
    fd3e:4f5a:5b81::1
  • flag-unknown
    POST
    http://212.51.142.238:8080/0PPcrkogUIu0k/5vxrp2fm5HPpJRZGwg0/TLsuovb/nd4Gne4F0cPhTohY/h6vvk4Rj7BWWj/UH3NRn7TH51l01l/
    d780d55de80d35b357900a0e940968759c92301f2c00103a761b0cb1c8f5e0e4.exe
    Remote address:
    212.51.142.238:8080
    Request
    POST /0PPcrkogUIu0k/5vxrp2fm5HPpJRZGwg0/TLsuovb/nd4Gne4F0cPhTohY/h6vvk4Rj7BWWj/UH3NRn7TH51l01l/ HTTP/1.1
    Referer: http://212.51.142.238/0PPcrkogUIu0k/5vxrp2fm5HPpJRZGwg0/TLsuovb/nd4Gne4F0cPhTohY/h6vvk4Rj7BWWj/UH3NRn7TH51l01l/
    Content-Type: multipart/form-data; boundary=---------------------------473359031387181
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: 212.51.142.238:8080
    Content-Length: 4388
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 18 Jul 2020 20:55:29 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 132
    Connection: keep-alive
  • flag-unknown
    DNS
    dns.msftncsi.com
    Remote address:
    8.8.8.8:53
    Request
    dns.msftncsi.com
    IN A
    Response
    dns.msftncsi.com
    IN A
    131.107.255.255
  • flag-unknown
    DNS
    dns.msftncsi.com
    Remote address:
    8.8.8.8:53
    Request
    dns.msftncsi.com
    IN AAAA
    Response
    dns.msftncsi.com
    IN AAAA
    fd3e:4f5a:5b81::1
  • 109.117.53.230:443
    d780d55de80d35b357900a0e940968759c92301f2c00103a761b0cb1c8f5e0e4.exe
    152 B
    3
  • 109.117.53.230:443
    d780d55de80d35b357900a0e940968759c92301f2c00103a761b0cb1c8f5e0e4.exe
    152 B
    3
  • 212.51.142.238:8080
    http://212.51.142.238:8080/0PPcrkogUIu0k/5vxrp2fm5HPpJRZGwg0/TLsuovb/nd4Gne4F0cPhTohY/h6vvk4Rj7BWWj/UH3NRn7TH51l01l/
    http
    d780d55de80d35b357900a0e940968759c92301f2c00103a761b0cb1c8f5e0e4.exe
    5.7kB
    948 B
    16
    9

    HTTP Request

    POST http://212.51.142.238:8080/0PPcrkogUIu0k/5vxrp2fm5HPpJRZGwg0/TLsuovb/nd4Gne4F0cPhTohY/h6vvk4Rj7BWWj/UH3NRn7TH51l01l/

    HTTP Response

    200
  • 10.7.0.255:138
    netbios-dgm
    1.3kB
    6
  • 224.0.0.252:5355
    100 B
    2
  • 10.7.0.255:137
    netbios-ns
    234 B
    3
  • 8.8.8.8:53
    dns.msftncsi.com
    dns
    62 B
    78 B
    1
    1

    DNS Request

    dns.msftncsi.com

    DNS Response

    131.107.255.255

  • 8.8.8.8:53
    dns.msftncsi.com
    dns
    62 B
    90 B
    1
    1

    DNS Request

    dns.msftncsi.com

    DNS Response

    fd3e:4f5a:5b81::1

  • 239.255.255.250:1900
    966 B
    6
  • 239.255.255.250:1900
  • 8.8.8.8:53
    dns.msftncsi.com
    dns
    62 B
    78 B
    1
    1

    DNS Request

    dns.msftncsi.com

    DNS Response

    131.107.255.255

  • 8.8.8.8:53
    dns.msftncsi.com
    dns
    62 B
    90 B
    1
    1

    DNS Request

    dns.msftncsi.com

    DNS Response

    fd3e:4f5a:5b81::1

MITRE ATT&CK Matrix


Downloads

  • memory/1124-0-0x00000000003E0000-0x00000000003EC000-memory.dmp

    Filesize

    48KB
