Analysis

max time kernel: 26s
max time network: 147s
platform: windows7_x64
resource: win7v20201028
submitted: 12-01-2021 12:49

Static task: static1
Behavioral task: behavioral1
Sample: sucio_emotet.ps1
Resource: win7v20201028
General

Target: sucio_emotet.ps1
Size: 2KB
MD5: d28c5040735a63198adc4b6e16ded5cd
SHA1: 80eb0aaa6960b7e78df721b3b3329dbbaf60b6c8
SHA256: 4e760d5dd0e4bea820703e9fed57e9f4dd5248959ce9c4bd91a5dd2d16170b82
SHA512: a3d62c329f4e7caca207b73ecf70c668bb54c8c2761d6bcde575bed7282dc5c3c15cb6c5742db2195d8216effddb705ef712488b43ef3689e731b172b05ac4aa
Malware Config

Extracted family: emotet
Epoch: Epoch1
C2 addresses (IP:port):
152.170.79.100:80
190.247.139.101:80
138.197.99.250:8080
167.71.148.58:443
211.215.18.93:8080
191.241.233.198:80
83.169.21.32:7080
113.163.216.135:80
70.32.84.74:8080
217.13.106.14:8080
177.23.7.151:80
172.104.169.32:8080
187.39.237.56:8080
80.15.100.37:80
177.144.130.105:443
168.121.4.238:80
1.234.65.61:80
191.182.6.118:80
170.81.48.2:80
45.184.103.73:80
190.64.88.186:443
201.75.62.86:80
138.97.60.140:8080
45.16.226.117:443
186.177.174.163:80
202.79.24.136:443
181.61.182.143:80
137.74.106.111:7080
12.163.208.58:80
190.162.232.138:80
81.214.253.80:443
188.135.15.49:80
46.43.2.95:8080
84.5.104.93:80
209.236.123.42:8080
105.209.235.113:8080
51.15.7.145:80
94.176.234.118:443
110.39.162.2:443
46.105.114.137:8080
197.232.36.108:80
186.146.13.184:443
185.183.16.47:80
190.195.129.227:8090
155.186.9.160:80
12.162.84.2:8080
190.24.243.186:80
178.211.45.66:8080
138.97.60.141:7080
172.245.248.239:8080
51.255.165.160:8080
77.78.196.173:443
190.210.246.253:80
190.114.254.163:8080
82.48.39.246:80
192.175.111.212:7080
187.162.248.237:80
81.215.230.173:443
62.84.75.50:80
184.66.18.83:80
192.232.229.53:4143
104.131.41.185:8080
35.143.99.174:80
46.101.58.37:8080
190.136.176.89:80
60.93.23.51:80
190.45.24.210:80
152.169.22.67:80
68.183.170.114:8080
2.80.112.146:80
31.27.59.105:80
177.85.167.10:80
111.67.12.222:8080
5.196.35.138:7080
178.250.54.208:8080
81.213.175.132:80
181.120.29.49:80
1.226.84.243:8080
191.53.80.88:80
122.201.23.45:443
82.208.146.142:7080
185.94.252.27:443
95.76.153.115:80
59.148.253.194:8080
45.4.32.50:80
213.52.74.198:80
188.225.32.231:7080
68.183.190.199:8080
181.136.190.86:80
82.76.111.249:443
110.39.160.38:443
181.30.61.163:443
85.214.26.7:8080
192.232.229.54:7080
149.202.72.142:7080
187.162.250.23:443
202.134.4.210:7080
212.71.237.140:8080
70.32.115.157:8080
111.67.12.221:8080
50.28.51.143:8080
87.106.46.107:8080
108.4.209.15:80
190.251.216.100:80
200.24.255.23:80
191.223.36.170:80
177.144.130.105:8080
93.149.120.214:80
Signatures

Blocklisted process makes network request (2 IoCs)
  flow  pid   process
  6     1744  powershell.exe
  9     1484  rundll32.exe

Loads dropped DLL (4 IoCs)
  pid   process
  1012  rundll32.exe  (4 occurrences)

Drops file in System32 directory (1 IoC)
  description                   ioc                                             process
  File opened for modification  C:\Windows\SysWOW64\Mlpchqicoei\bmigqfzver.rkk  rundll32.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   process
  1744  powershell.exe
  1484  rundll32.exe  (2 occurrences)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   process
  Token: SeDebugPrivilege  1744  powershell.exe

Suspicious use of WriteProcessMemory (17 IoCs)
  description                       pid   process         target process
  PID 1744 wrote to memory of 1672  1744  powershell.exe  rundll32.exe    (3 occurrences)
  PID 1672 wrote to memory of 1012  1672  rundll32.exe    rundll32.exe    (7 occurrences)
  PID 1012 wrote to memory of 1484  1012  rundll32.exe    rundll32.exe    (7 occurrences)
Processes

Process tree (depth 1 is the submitted sample; each nested entry is spawned by the one above it):

1. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
   Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\sucio_emotet.ps1
   - Blocklisted process makes network request
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" C:\Users\Admin\Jxk4jr_\Dhuljgz\D71J.dll Control_RunDLL
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\rundll32.exe
         Command line: "C:\Windows\system32\rundll32.exe" C:\Users\Admin\Jxk4jr_\Dhuljgz\D71J.dll Control_RunDLL
         - Loads dropped DLL
         - Drops file in System32 directory
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\rundll32.exe
            Command line: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Mlpchqicoei\bmigqfzver.rkk",Control_RunDLL
            - Blocklisted process makes network request
            - Suspicious behavior: EnumeratesProcesses
Downloads

- C:\Users\Admin\Jxk4jr_\Dhuljgz\D71J.dll
  MD5: 01bf9ef0d2e74e0940683ba8e92d89f1
  SHA1: 227a9276875c1e744366511cd83e593b6b36d454
  SHA256: 57473964ae8ded06fcf30de51ac032091eb6a92ccfd6c6c2a495af557e6e4432
  SHA512: 44195ab49b340a5e0bb19f49112563b10718f6a1a03d67c8d80ea890ca7b04a8d2f34e158cacee2835cb937845c7573c59fd9f11364bc1190842b4600f1c4dda
- memory/1012-16-0x0000000000760000-0x000000000077F000-memory.dmp (Filesize: 124KB)
- memory/1012-11-0x0000000000000000-mapping.dmp
- memory/1484-18-0x0000000000280000-0x000000000029F000-memory.dmp (Filesize: 124KB)
- memory/1484-17-0x0000000000000000-mapping.dmp
- memory/1672-9-0x0000000000000000-mapping.dmp
- memory/1744-8-0x000000001C660000-0x000000001C661000-memory.dmp (Filesize: 4KB)
- memory/1744-3-0x0000000002010000-0x0000000002011000-memory.dmp (Filesize: 4KB)
- memory/1744-2-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp (Filesize: 9.9MB)
- memory/1744-4-0x000000001AB30000-0x000000001AB31000-memory.dmp (Filesize: 4KB)
- memory/1744-5-0x00000000023C0000-0x00000000023C1000-memory.dmp (Filesize: 4KB)
- memory/1744-7-0x000000001C420000-0x000000001C421000-memory.dmp (Filesize: 4KB)
- memory/1744-6-0x0000000002480000-0x0000000002481000-memory.dmp (Filesize: 4KB)
- memory/1816-19-0x000007FEF63D0000-0x000007FEF664A000-memory.dmp (Filesize: 2.5MB)