Analysis

  • max time kernel
    137s
  • max time network
    146s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    18-07-2020 23:44

General

  • Target

    791ff666a9252220e614e2b76b276886f9b377b8cb3f4345a48dad89a3a52303.exe

  • Size

    100KB

  • MD5

    47a4dd37d99f3fd0c9512a9ca0357cbc

  • SHA1

    b4aff4edc15be59d2bc42d974843901e7576ffd8

  • SHA256

    791ff666a9252220e614e2b76b276886f9b377b8cb3f4345a48dad89a3a52303

  • SHA512

    5aae9d9660524aaa3bab9ac2782f6c81c0c44f467d413816581a108f270c055f0215514d85f99078a87686ad8e58a694de7949ecd49a6c9a6c4a1b21331344f7

Score
10/10

Malware Config

Extracted

Family

emotet

C2

109.117.53.230:443

212.51.142.238:8080

190.160.53.126:80

139.59.60.244:8080

91.211.88.52:7080

190.108.228.62:443

186.208.123.210:443

46.105.131.87:80

173.91.22.41:80

222.214.218.37:4143

31.31.77.83:443

62.75.141.82:80

93.156.165.186:80

93.51.50.171:8080

185.94.252.104:443

78.189.165.52:8080

95.179.229.244:8080

73.11.153.178:8080

203.153.216.189:7080

95.213.236.64:8080

rsa_pubkey.plain

-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS
Q0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS
fkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB
-----END PUBLIC KEY-----

Signatures

  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: EmotetMutantsSpam 1 IoCs
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

Processes

  • C:\Users\Admin\AppData\Local\Temp\791ff666a9252220e614e2b76b276886f9b377b8cb3f4345a48dad89a3a52303.exe
    "C:\Users\Admin\AppData\Local\Temp\791ff666a9252220e614e2b76b276886f9b377b8cb3f4345a48dad89a3a52303.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: EmotetMutantsSpam
    PID:2536

Network

  • flag-unknown
    DNS
    dns.msftncsi.com
    Remote address:
    8.8.8.8:53
    Request
    dns.msftncsi.com
    IN A
    Response
    dns.msftncsi.com
    IN A
    131.107.255.255
  • flag-unknown
    POST
    http://212.51.142.238:8080/62NxV1/r6X760G3B0UsJHhmh4T/M061t3t/
    791ff666a9252220e614e2b76b276886f9b377b8cb3f4345a48dad89a3a52303.exe
    Remote address:
    212.51.142.238:8080
    Request
    POST /62NxV1/r6X760G3B0UsJHhmh4T/M061t3t/ HTTP/1.1
    Referer: http://212.51.142.238/62NxV1/r6X760G3B0UsJHhmh4T/M061t3t/
    Content-Type: multipart/form-data; boundary=---------------------------025966902934043
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 212.51.142.238:8080
    Content-Length: 4500
    Connection: Keep-Alive
    Cache-Control: no-cache
  • flag-unknown
    DNS
    dns.msftncsi.com
    Remote address:
    8.8.8.8:53
    Request
    dns.msftncsi.com
    IN A
    Response
    dns.msftncsi.com
    IN A
    131.107.255.255
  • flag-unknown
    DNS
    dns.msftncsi.com
    Remote address:
    8.8.8.8:53
    Request
    dns.msftncsi.com
    IN A
    Response
    dns.msftncsi.com
    IN A
    131.107.255.255
  • 109.117.53.230:443
    791ff666a9252220e614e2b76b276886f9b377b8cb3f4345a48dad89a3a52303.exe
    156 B
    3
  • 212.51.142.238:8080
    http://212.51.142.238:8080/62NxV1/r6X760G3B0UsJHhmh4T/M061t3t/
    http
    791ff666a9252220e614e2b76b276886f9b377b8cb3f4345a48dad89a3a52303.exe
    5.3kB
    252 B
    8
    6

    HTTP Request

    POST http://212.51.142.238:8080/62NxV1/r6X760G3B0UsJHhmh4T/M061t3t/
  • 190.160.53.126:80
    791ff666a9252220e614e2b76b276886f9b377b8cb3f4345a48dad89a3a52303.exe
    156 B
    3
  • 139.59.60.244:8080
    791ff666a9252220e614e2b76b276886f9b377b8cb3f4345a48dad89a3a52303.exe
    156 B
    120 B
    3
    3
  • 91.211.88.52:7080
    791ff666a9252220e614e2b76b276886f9b377b8cb3f4345a48dad89a3a52303.exe
    156 B
    120 B
    3
    3
  • 190.108.228.62:443
    791ff666a9252220e614e2b76b276886f9b377b8cb3f4345a48dad89a3a52303.exe
    156 B
    3
  • 186.208.123.210:443
    791ff666a9252220e614e2b76b276886f9b377b8cb3f4345a48dad89a3a52303.exe
    156 B
    3
  • 239.255.255.250:1900
    825 B
    5
  • 239.255.255.250:1900
  • 10.10.0.255:137
    netbios-ns
    1.1kB
    13
  • 10.10.0.25:137
    netbios-ns
    270 B
    3
  • 8.8.8.8:53
    dns.msftncsi.com
    dns
    62 B
    78 B
    1
    1

    DNS Request

    dns.msftncsi.com

    DNS Response

    131.107.255.255

  • 10.10.0.39:137
    netbios-ns
    270 B
    3
  • 8.8.8.8:53
    dns.msftncsi.com
    dns
    62 B
    78 B
    1
    1

    DNS Request

    dns.msftncsi.com

    DNS Response

    131.107.255.255

  • 8.8.8.8:53
    dns.msftncsi.com
    dns
    62 B
    78 B
    1
    1

    DNS Request

    dns.msftncsi.com

    DNS Response

    131.107.255.255

MITRE ATT&CK Matrix


Downloads

  • memory/2536-0-0x00000000006F0000-0x00000000006FC000-memory.dmp

    Filesize

    48KB

  • memory/2536-1-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB
