Analysis

  • max time kernel
    29s
  • max time network
    30s
  • platform
    windows10_x64
  • resource
    win10v200722
  • submitted
    29-07-2020 00:23

General

  • Target

    53c36c90f88f924fd19fc272e41454fb01aba0fc492ae74a3001b59b51d275f2.exe

  • Size

    668KB

  • MD5

    e1a72766b78745bdbb969e64f89bfbb9

  • SHA1

    7acb5b8d297e70600c55538a2359212ad6c05dcf

  • SHA256

    53c36c90f88f924fd19fc272e41454fb01aba0fc492ae74a3001b59b51d275f2

  • SHA512

    52240e63495d26f9efc1030046bb26b35266bec6ee83e944a00f86b0117adc5966108e44f3b88d39a0de71b34f249341cc1b641446ab09d11ece8bf7149b1952

Score
10/10

Malware Config

Extracted

Family

emotet

C2

179.60.229.168:443

185.94.252.13:443

189.218.165.63:80

77.90.136.129:8080

217.199.160.224:7080

104.131.41.185:8080

2.47.112.152:80

185.94.252.27:443

186.250.52.226:8080

51.255.165.160:8080

68.183.170.114:8080

191.99.160.58:80

104.131.103.37:8080

181.31.211.181:80

202.62.39.111:80

83.169.21.32:7080

87.106.46.107:8080

72.47.248.48:7080

177.75.143.112:443

190.17.195.202:80

rsa_pubkey.plain

-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6
uS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz
6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB
-----END PUBLIC KEY-----

Signatures

  • Executes dropped EXE 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Emotet Payload 2 IoCs

    Detects Emotet payload in memory.

  • Drops file in System32 directory 1 IoCs
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\53c36c90f88f924fd19fc272e41454fb01aba0fc492ae74a3001b59b51d275f2.exe
    "C:\Users\Admin\AppData\Local\Temp\53c36c90f88f924fd19fc272e41454fb01aba0fc492ae74a3001b59b51d275f2.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:3908
    • C:\Windows\SysWOW64\ddisplay\msdtcVSp1res.exe
      "C:\Windows\SysWOW64\ddisplay\msdtcVSp1res.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2540

Network

  • flag-unknown
    POST
    http://185.94.252.13:443/X5n2juPwpur/5pdyj9ZdzDZF3N5/LqcUrLSc9LXM7oLq/29RUlITRk3uk/Lq0b1pUeXG/1jIrK5FcXK/
    msdtcVSp1res.exe
    Remote address:
    185.94.252.13:443
    Request
    POST /X5n2juPwpur/5pdyj9ZdzDZF3N5/LqcUrLSc9LXM7oLq/29RUlITRk3uk/Lq0b1pUeXG/1jIrK5FcXK/ HTTP/1.1
    Referer: http://185.94.252.13/X5n2juPwpur/5pdyj9ZdzDZF3N5/LqcUrLSc9LXM7oLq/29RUlITRk3uk/Lq0b1pUeXG/1jIrK5FcXK/
    Content-Type: multipart/form-data; boundary=---------------------------724930553348132
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 185.94.252.13:443
    Content-Length: 4468
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Wed, 29 Jul 2020 00:24:24 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 132
    Connection: keep-alive
  • 179.60.229.168:443
    msdtcVSp1res.exe
    156 B
    120 B
    3
    3
  • 185.94.252.13:443
    http://185.94.252.13:443/X5n2juPwpur/5pdyj9ZdzDZF3N5/LqcUrLSc9LXM7oLq/29RUlITRk3uk/Lq0b1pUeXG/1jIrK5FcXK/
    http
    msdtcVSp1res.exe
    5.4kB
    540 B
    8
    6

    HTTP Request

    POST http://185.94.252.13:443/X5n2juPwpur/5pdyj9ZdzDZF3N5/LqcUrLSc9LXM7oLq/29RUlITRk3uk/Lq0b1pUeXG/1jIrK5FcXK/

    HTTP Response

    200

MITRE ATT&CK Matrix

Downloads

  • memory/2540-3-0x0000000000560000-0x000000000056C000-memory.dmp

    Filesize

    48KB

  • memory/3908-0-0x00000000005A0000-0x00000000005AC000-memory.dmp

    Filesize

    48KB
