Analysis
-
max time kernel
77s -
max time network
152s -
platform
windows10_x64 -
resource
win10v200722 -
submitted
09-09-2020 17:32
Static task
static1
Behavioral task
behavioral1
Sample
E3.bin.exe
Resource
win7
General
-
Target
E3.bin.exe
-
Size
608KB
-
MD5
2f29d97e32543fc84bcce2329f7fa67a
-
SHA1
10a01a286ccd88c8d4851d99a3ed35fd080eeb3a
-
SHA256
b1bea682ad5cd9c75f156c91d950baf9e7b6e2febc2c775f5f7eefe681c6bda4
-
SHA512
b2e46a07daa43eef710a9a1911a09a4022eda136c822fbdaf4c264e6664e5a8009cf84ab2d91a0e41b533525b8fdd959edbf071f772df524fbcba9d5bd7112d7
Malware Config
Extracted
emotet
190.194.12.132:80
51.254.140.91:7080
51.75.163.68:7080
162.144.42.60:8080
77.74.78.80:443
143.95.101.72:8080
81.214.253.80:443
222.159.240.58:80
37.205.9.252:7080
45.182.161.17:80
188.0.135.237:80
118.10.44.53:80
223.17.215.76:80
80.200.62.81:20
179.191.239.255:80
172.105.78.244:8080
181.122.154.240:80
41.185.29.128:8080
198.57.203.63:8080
179.62.238.49:80
54.38.143.245:8080
37.187.100.220:7080
5.79.70.250:8080
81.17.93.134:80
190.190.15.20:80
91.83.93.103:443
153.198.1.184:443
58.27.215.3:8080
185.208.226.142:8080
91.105.94.200:80
128.106.187.110:80
114.158.45.53:80
179.5.118.12:80
91.75.75.46:80
192.163.221.191:8080
190.212.133.239:443
66.61.94.36:80
37.46.129.215:8080
185.86.148.68:443
157.245.138.101:7080
8.4.9.137:8080
201.213.177.139:80
113.156.82.32:80
188.251.213.180:443
74.208.173.91:8080
181.137.229.1:80
113.161.148.81:80
157.7.164.178:8081
89.2.145.86:80
172.96.190.154:8080
139.59.12.63:8080
50.116.78.109:8080
95.216.205.155:8080
86.98.143.163:80
73.84.105.76:80
167.71.227.113:8080
190.164.75.175:80
103.80.51.61:8080
88.247.58.26:80
46.105.131.68:8080
88.249.181.198:443
190.53.144.120:80
203.153.216.178:7080
185.142.236.163:443
51.38.201.19:7080
192.241.220.183:8080
178.33.167.120:8080
60.125.114.64:443
190.96.15.50:80
177.144.130.105:443
175.29.183.2:80
197.232.36.108:80
115.78.11.155:80
24.26.151.3:80
115.79.195.246:80
46.32.229.152:8080
192.210.217.94:8080
195.201.56.70:8080
75.127.14.170:8080
36.91.44.183:80
190.136.179.102:80
190.212.140.6:80
118.101.24.148:80
105.209.235.113:8080
2.144.244.204:443
177.94.227.143:80
Signatures
-
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat svchost.exe -
Modifies data under HKEY_USERS 5 IoCs
description ioc Process Set value (data) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionTime = 2ee99c7bdf86d601 svchost.exe Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecision = "0" svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7 svchost.exe Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionReason = "1" svchost.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3888 E3.bin.exe 3888 E3.bin.exe 3888 E3.bin.exe 3888 E3.bin.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeShutdownPrivilege 3272 svchost.exe Token: SeCreatePagefilePrivilege 3272 svchost.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3888 E3.bin.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\E3.bin.exe"C:\Users\Admin\AppData\Local\Temp\E3.bin.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3888
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3272