Analysis

  • max time kernel
    111s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    18-07-2020 13:30

General

  • Target

    76603c40c56c3935e8d8b5a11e4f4bad585639e61e23ad84c37e0c3526954399.exe

  • Size

    100KB

  • MD5

    d7d8478309ea5ef8b9648816d1ef395c

  • SHA1

    aebe27c156a3c662ea1c64b8aa677e15f60d1da1

  • SHA256

    76603c40c56c3935e8d8b5a11e4f4bad585639e61e23ad84c37e0c3526954399

  • SHA512

    483603b169f6209c6e12443986c0e41eb87472745c76583a68d5bf8ef57c1ce34098a12566296169b28342dcd52fa087f08ead031fab901c95bd834b895017d1

Score
10/10

Malware Config

Extracted

Family

emotet

C2

177.144.130.105:443

198.27.69.201:8080

157.7.164.178:8081

78.188.170.128:80

203.153.216.178:7080

77.74.78.80:443

178.33.167.120:8080

177.0.241.28:80

143.95.101.72:8080

51.38.201.19:7080

181.167.35.84:80

41.185.29.128:8080

192.163.221.191:8080

181.164.110.7:80

203.153.216.182:7080

80.211.32.88:8080

113.160.180.109:80

185.142.236.163:443

192.241.220.183:8080

87.106.231.60:8080

rsa_pubkey.plain

-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM/TXLLvX91I6dVMYe+T1PPO6mpcg7OJ
cMl9o/g4nUhZOp8fAAmQl8XMXeGvDhZXTyX1AXf401iPFui0RB6glhl/7/djvi7j
l32lAhyBANpKGty8xf3J5kGwwClnG/CXHQIDAQAB
-----END PUBLIC KEY-----

Signatures

  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: EmotetMutantsSpam 1 IoCs
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

Processes

  • C:\Users\Admin\AppData\Local\Temp\76603c40c56c3935e8d8b5a11e4f4bad585639e61e23ad84c37e0c3526954399.exe
    "C:\Users\Admin\AppData\Local\Temp\76603c40c56c3935e8d8b5a11e4f4bad585639e61e23ad84c37e0c3526954399.exe"
    • Suspicious use of SetWindowsHookEx
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: EmotetMutantsSpam
    PID:1448

Network

  • flag-unknown
    POST
    http://177.144.130.105:443/4ZK3j5uR/
    76603c40c56c3935e8d8b5a11e4f4bad585639e61e23ad84c37e0c3526954399.exe
    Remote address:
    177.144.130.105:443
    Request
    POST /4ZK3j5uR/ HTTP/1.1
    Referer: http://177.144.130.105/4ZK3j5uR/
    Content-Type: multipart/form-data; boundary=---------------------------495990703952073
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: 177.144.130.105:443
    Content-Length: 4372
    Connection: Keep-Alive
    Cache-Control: no-cache
  • flag-unknown
    POST
    http://77.74.78.80:443/FtVGTWq9Yw0mj6u/xTpFWdQQZkjw/
    76603c40c56c3935e8d8b5a11e4f4bad585639e61e23ad84c37e0c3526954399.exe
    Remote address:
    77.74.78.80:443
    Request
    POST /FtVGTWq9Yw0mj6u/xTpFWdQQZkjw/ HTTP/1.1
    Referer: http://77.74.78.80/FtVGTWq9Yw0mj6u/xTpFWdQQZkjw/
    Content-Type: multipart/form-data; boundary=---------------------------861812131195582
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: 77.74.78.80:443
    Content-Length: 4388
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 18 Jul 2020 13:29:48 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 132
    Connection: keep-alive
  • 177.144.130.105:443
    http://177.144.130.105:443/4ZK3j5uR/
    http
    76603c40c56c3935e8d8b5a11e4f4bad585639e61e23ad84c37e0c3526954399.exe
    5.2kB
    212 B
    9
    5

    HTTP Request

    POST http://177.144.130.105:443/4ZK3j5uR/
  • 198.27.69.201:8080
    76603c40c56c3935e8d8b5a11e4f4bad585639e61e23ad84c37e0c3526954399.exe
    152 B
    120 B
    3
    3
  • 198.27.69.201:8080
    76603c40c56c3935e8d8b5a11e4f4bad585639e61e23ad84c37e0c3526954399.exe
    152 B
    120 B
    3
    3
  • 157.7.164.178:8081
    76603c40c56c3935e8d8b5a11e4f4bad585639e61e23ad84c37e0c3526954399.exe
    152 B
    120 B
    3
    3
  • 157.7.164.178:8081
    76603c40c56c3935e8d8b5a11e4f4bad585639e61e23ad84c37e0c3526954399.exe
    152 B
    120 B
    3
    3
  • 78.188.170.128:80
    76603c40c56c3935e8d8b5a11e4f4bad585639e61e23ad84c37e0c3526954399.exe
    152 B
    3
  • 78.188.170.128:80
    76603c40c56c3935e8d8b5a11e4f4bad585639e61e23ad84c37e0c3526954399.exe
    152 B
    3
  • 203.153.216.178:7080
    76603c40c56c3935e8d8b5a11e4f4bad585639e61e23ad84c37e0c3526954399.exe
    152 B
    120 B
    3
    3
  • 203.153.216.178:7080
    76603c40c56c3935e8d8b5a11e4f4bad585639e61e23ad84c37e0c3526954399.exe
    152 B
    120 B
    3
    3
  • 77.74.78.80:443
    http://77.74.78.80:443/FtVGTWq9Yw0mj6u/xTpFWdQQZkjw/
    http
    76603c40c56c3935e8d8b5a11e4f4bad585639e61e23ad84c37e0c3526954399.exe
    5.3kB
    660 B
    10
    9

    HTTP Request

    POST http://77.74.78.80:443/FtVGTWq9Yw0mj6u/xTpFWdQQZkjw/

    HTTP Response

    200
  • 10.7.0.255:138
    netbios-dgm
    1.3kB
    6
  • 224.0.0.252:5355
    100 B
    2
  • 10.7.0.255:137
    netbios-ns
    468 B
    6
  • 224.0.0.252:5355
    100 B
    2
  • 239.255.255.250:1900
    966 B
    6

Downloads

  • memory/1448-0-0x0000000000460000-0x000000000046C000-memory.dmp

    Filesize

    48KB

  • memory/1448-1-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB