Analysis
-
max time kernel
29s -
max time network
30s -
platform
windows10_x64 -
resource
win10v200722 -
submitted
29-07-2020 00:23
Static task
static1
General
-
Target
53c36c90f88f924fd19fc272e41454fb01aba0fc492ae74a3001b59b51d275f2.exe
-
Size
668KB
-
MD5
e1a72766b78745bdbb969e64f89bfbb9
-
SHA1
7acb5b8d297e70600c55538a2359212ad6c05dcf
-
SHA256
53c36c90f88f924fd19fc272e41454fb01aba0fc492ae74a3001b59b51d275f2
-
SHA512
52240e63495d26f9efc1030046bb26b35266bec6ee83e944a00f86b0117adc5966108e44f3b88d39a0de71b34f249341cc1b641446ab09d11ece8bf7149b1952
Malware Config
Extracted
emotet
179.60.229.168:443
185.94.252.13:443
189.218.165.63:80
77.90.136.129:8080
217.199.160.224:7080
104.131.41.185:8080
2.47.112.152:80
185.94.252.27:443
186.250.52.226:8080
51.255.165.160:8080
68.183.170.114:8080
191.99.160.58:80
104.131.103.37:8080
181.31.211.181:80
202.62.39.111:80
83.169.21.32:7080
87.106.46.107:8080
72.47.248.48:7080
177.75.143.112:443
190.17.195.202:80
137.74.106.111:7080
181.129.96.162:8080
82.196.15.205:8080
61.92.159.208:8080
190.6.193.152:8080
181.167.96.215:80
143.0.87.101:80
12.162.84.2:8080
212.71.237.140:8080
217.13.106.14:8080
46.214.11.172:80
114.109.179.60:80
89.32.150.160:8080
185.94.252.12:80
177.72.13.80:80
192.241.146.84:8080
189.1.185.98:8080
187.106.41.99:80
219.92.13.25:80
181.30.69.50:80
68.183.190.199:8080
212.231.60.98:80
190.181.235.46:80
157.7.199.53:8080
178.79.163.131:8080
77.55.211.77:8080
204.225.249.100:7080
170.81.48.2:80
104.236.161.64:8080
5.196.35.138:7080
190.194.242.254:443
50.28.51.143:8080
187.162.248.237:80
46.28.111.142:7080
70.32.84.74:8080
203.25.159.3:8080
190.163.31.26:80
177.144.135.2:80
177.73.0.98:443
177.139.131.143:443
177.74.228.34:80
191.182.6.118:80
94.176.234.118:443
45.161.242.102:80
149.62.173.247:8080
144.139.91.187:443
181.120.79.227:80
80.249.176.206:80
71.50.31.38:80
172.104.169.32:8080
192.241.143.52:8080
111.67.12.221:8080
190.96.118.251:443
186.70.127.199:8090
190.147.137.153:443
177.66.190.130:80
70.32.115.157:8080
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2540 msdtcVSp1res.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 2540 msdtcVSp1res.exe 2540 msdtcVSp1res.exe 2540 msdtcVSp1res.exe 2540 msdtcVSp1res.exe 2540 msdtcVSp1res.exe 2540 msdtcVSp1res.exe -
Emotet Payload 2 IoCs
Detects Emotet payload in memory.
resource yara_rule behavioral1/memory/3908-0-0x00000000005A0000-0x00000000005AC000-memory.dmp emotet behavioral1/memory/2540-3-0x0000000000560000-0x000000000056C000-memory.dmp emotet -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\ddisplay\msdtcVSp1res.exe 53c36c90f88f924fd19fc272e41454fb01aba0fc492ae74a3001b59b51d275f2.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 3908 53c36c90f88f924fd19fc272e41454fb01aba0fc492ae74a3001b59b51d275f2.exe 3908 53c36c90f88f924fd19fc272e41454fb01aba0fc492ae74a3001b59b51d275f2.exe 2540 msdtcVSp1res.exe 2540 msdtcVSp1res.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 3908 53c36c90f88f924fd19fc272e41454fb01aba0fc492ae74a3001b59b51d275f2.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3908 wrote to memory of 2540 3908 53c36c90f88f924fd19fc272e41454fb01aba0fc492ae74a3001b59b51d275f2.exe 66 PID 3908 wrote to memory of 2540 3908 53c36c90f88f924fd19fc272e41454fb01aba0fc492ae74a3001b59b51d275f2.exe 66 PID 3908 wrote to memory of 2540 3908 53c36c90f88f924fd19fc272e41454fb01aba0fc492ae74a3001b59b51d275f2.exe 66
Processes
-
C:\Users\Admin\AppData\Local\Temp\53c36c90f88f924fd19fc272e41454fb01aba0fc492ae74a3001b59b51d275f2.exe"C:\Users\Admin\AppData\Local\Temp\53c36c90f88f924fd19fc272e41454fb01aba0fc492ae74a3001b59b51d275f2.exe"1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3908 -
C:\Windows\SysWOW64\ddisplay\msdtcVSp1res.exe"C:\Windows\SysWOW64\ddisplay\msdtcVSp1res.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2540
-
Network
-
POSThttp://185.94.252.13:443/X5n2juPwpur/5pdyj9ZdzDZF3N5/LqcUrLSc9LXM7oLq/29RUlITRk3uk/Lq0b1pUeXG/1jIrK5FcXK/msdtcVSp1res.exeRemote address:185.94.252.13:443RequestPOST /X5n2juPwpur/5pdyj9ZdzDZF3N5/LqcUrLSc9LXM7oLq/29RUlITRk3uk/Lq0b1pUeXG/1jIrK5FcXK/ HTTP/1.1
Referer: http://185.94.252.13/X5n2juPwpur/5pdyj9ZdzDZF3N5/LqcUrLSc9LXM7oLq/29RUlITRk3uk/Lq0b1pUeXG/1jIrK5FcXK/
Content-Type: multipart/form-data; boundary=---------------------------724930553348132
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 185.94.252.13:443
Content-Length: 4468
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Wed, 29 Jul 2020 00:24:24 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 132
Connection: keep-alive
-
156 B 120 B 3 3
-
185.94.252.13:443http://185.94.252.13:443/X5n2juPwpur/5pdyj9ZdzDZF3N5/LqcUrLSc9LXM7oLq/29RUlITRk3uk/Lq0b1pUeXG/1jIrK5FcXK/httpmsdtcVSp1res.exe5.4kB 540 B 8 6
HTTP Request
POST http://185.94.252.13:443/X5n2juPwpur/5pdyj9ZdzDZF3N5/LqcUrLSc9LXM7oLq/29RUlITRk3uk/Lq0b1pUeXG/1jIrK5FcXK/HTTP Response
200