Analysis

  • max time kernel
    120s
  • max time network
    128s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    19-07-2020 04:48

General

  • Target

    027128a2234ba231391d3508c39fd7d13073d4f82d6952b85c36722e376796ef.exe

  • Size

    100KB

  • MD5

    9c1b1dea4ba95b2a4e53173224cc2e9f

  • SHA1

    9e6926523f18a38fb3b673c3942e84835281940c

  • SHA256

    027128a2234ba231391d3508c39fd7d13073d4f82d6952b85c36722e376796ef

  • SHA512

    26dc5f948a102920e4f9898e990113f8715bccad98e7e3a255e4d2835f0aac0b5e78e710d1a2af76ae50c67e1cf07e0c30ebfbbb964ec687935aecd491b898a6

Score
10/10

Malware Config

Extracted

Family

emotet

C2

rsa_pubkey.plain

-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS
Q0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS
fkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB
-----END PUBLIC KEY-----

Signatures

  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

Processes

  • C:\Users\Admin\AppData\Local\Temp\027128a2234ba231391d3508c39fd7d13073d4f82d6952b85c36722e376796ef.exe
    "C:\Users\Admin\AppData\Local\Temp\027128a2234ba231391d3508c39fd7d13073d4f82d6952b85c36722e376796ef.exe"
    • Suspicious use of SetWindowsHookEx
    • Suspicious behavior: EnumeratesProcesses
    PID:3676

Network

  • POST http://109.117.53.230:443/Pi5U/p293WO2EdcElKuRutZJ/BFgj/
    027128a2234ba231391d3508c39fd7d13073d4f82d6952b85c36722e376796ef.exe
    Remote address: 109.117.53.230:443
    Request
    POST /Pi5U/p293WO2EdcElKuRutZJ/BFgj/ HTTP/1.1
    Referer: http://109.117.53.230/Pi5U/p293WO2EdcElKuRutZJ/BFgj/
    Content-Type: multipart/form-data; boundary=---------------------------990269501079315
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 109.117.53.230:443
    Content-Length: 4484
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sun, 19 Jul 2020 04:49:06 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 132
    Connection: keep-alive
  • 109.117.53.230:443
    http://109.117.53.230:443/Pi5U/p293WO2EdcElKuRutZJ/BFgj/
    http
    027128a2234ba231391d3508c39fd7d13073d4f82d6952b85c36722e376796ef.exe
    5.4kB
    540 B
    10
    6

    HTTP Request

    POST http://109.117.53.230:443/Pi5U/p293WO2EdcElKuRutZJ/BFgj/

    HTTP Response

    200
  • 127.0.0.1:47001
  • 10.10.0.255:138
    netbios-dgm
    1.3kB
    6
  • 239.255.255.250:1900
    1.3kB
    8
  • 239.255.255.250:1900
  • 10.10.0.255:137
    netbios-ns
    702 B
    9

Downloads

  • memory/3676-0-0x00000000006E0000-0x00000000006EC000-memory.dmp

    Filesize

    48KB
