Analysis

  • max time kernel
    30s
  • max time network
    32s
  • platform
    windows10_x64
  • resource
    win10v200722
  • submitted
    29-07-2020 01:39

General

  • Target

    31c2a836abfd0ba5fd361b73af5de04191b0ab878daf50cf045526f8f5f6bba5.exe

  • Size

    668KB

  • MD5

    21d37a1bbfac4766df8e494d63802c76

  • SHA1

    371a58eb1894d1a0a822945c7ed40a3cc1f8606f

  • SHA256

    31c2a836abfd0ba5fd361b73af5de04191b0ab878daf50cf045526f8f5f6bba5

  • SHA512

    b3dd4a539e7e5111376ff54a72e7179d1f22b467a053c7ea8819d7cba4449d1195728632ed2d9f29b29bb4259270fad095c68f64f31c9d4ce85a8e277296dffc

Score
10/10

Malware Config

Extracted

Family

emotet

C2

76.27.179.47:80

212.51.142.238:8080

189.212.199.126:443

61.19.246.238:443

162.154.38.103:80

91.211.88.52:7080

83.110.223.58:443

124.45.106.173:443

116.203.32.252:8080

109.117.53.230:443

5.196.74.210:8080

75.139.38.211:80

168.235.67.138:7080

176.111.60.55:8080

169.239.182.217:8080

74.208.45.104:8080

31.31.77.83:443

222.214.218.37:4143

37.139.21.175:8080

91.205.215.66:443

rsa_pubkey.plain

Signatures

  • Suspicious use of WriteProcessMemory 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Emotet Payload 2 IoCs

    Detects Emotet payload in memory.

  • Drops file in System32 directory 1 IoCs
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\31c2a836abfd0ba5fd361b73af5de04191b0ab878daf50cf045526f8f5f6bba5.exe
    "C:\Users\Admin\AppData\Local\Temp\31c2a836abfd0ba5fd361b73af5de04191b0ab878daf50cf045526f8f5f6bba5.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Drops file in System32 directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious behavior: RenamesItself
    PID:484
    • C:\Windows\SysWOW64\Windows.Security.Credentials.UI.CredentialPicker\wmpshell.exe
      "C:\Windows\SysWOW64\Windows.Security.Credentials.UI.CredentialPicker\wmpshell.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:716

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\Windows.Security.Credentials.UI.CredentialPicker\wmpshell.exe

  • memory/484-0-0x0000000000600000-0x000000000060C000-memory.dmp

    Filesize

    48KB

  • memory/716-1-0x0000000000000000-mapping.dmp

  • memory/716-3-0x0000000000630000-0x000000000063C000-memory.dmp

    Filesize

    48KB