faca543878c17e6a54140eb3307d5f9c948fe517b74fb731413af4fe39a163c5

General
Target

faca543878c17e6a54140eb3307d5f9c948fe517b74fb731413af4fe39a163c5.exe

Filesize

572KB

Completed

07-04-2021 15:29

Score
10/10
MD5

2c4e3add87c219ec974b2ebc2551307f

SHA1

51d0f3d119718b236c2afc964df6ea43d80d1988

SHA256

faca543878c17e6a54140eb3307d5f9c948fe517b74fb731413af4fe39a163c5

Malware Config

Extracted

Family emotet
Botnet Epoch2
C2


rsa_pubkey.plain
Signatures 9

Discovery
  • Emotet

    Description

    Emotet is a trojan that is primarily spread through spam emails.

  • Drops file in System32 directory
    sitkamonthly.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | sitkamonthly.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Modifies data under HKEY_USERS
    sitkamonthly.exe

    Reported IOCs

    description | ioc | process
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | sitkamonthly.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadNetworkName = "Network" | sitkamonthly.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | sitkamonthly.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | sitkamonthly.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | sitkamonthly.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadDecisionReason = "1" | sitkamonthly.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadDecisionTime = 30c4ce0dc32bd701 | sitkamonthly.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecision = "0" | sitkamonthly.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDetectedUrl | sitkamonthly.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a07004b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | sitkamonthly.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | sitkamonthly.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | sitkamonthly.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | sitkamonthly.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = d0cd6149c32bd701 | sitkamonthly.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadDecisionTime = d0cd6149c32bd701 | sitkamonthly.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | sitkamonthly.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a07004b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | sitkamonthly.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\32-e2-17-db-d2-77 | sitkamonthly.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadDecision = "0" | sitkamonthly.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77 | sitkamonthly.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionReason = "1" | sitkamonthly.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = 30c4ce0dc32bd701 | sitkamonthly.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | sitkamonthly.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | sitkamonthly.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD} | sitkamonthly.exe
  • Suspicious behavior: EmotetMutantsSpam
    faca543878c17e6a54140eb3307d5f9c948fe517b74fb731413af4fe39a163c5.exe, sitkamonthly.exe

    Reported IOCs

    pid | process
    1736 | faca543878c17e6a54140eb3307d5f9c948fe517b74fb731413af4fe39a163c5.exe
    1584 | sitkamonthly.exe
  • Suspicious behavior: EnumeratesProcesses
    sitkamonthly.exe

    Reported IOCs

    pid | process
    1584 | sitkamonthly.exe
    1584 | sitkamonthly.exe
    1584 | sitkamonthly.exe
    1584 | sitkamonthly.exe
    1584 | sitkamonthly.exe
  • Suspicious behavior: RenamesItself
    faca543878c17e6a54140eb3307d5f9c948fe517b74fb731413af4fe39a163c5.exe

    Reported IOCs

    pid | process
    1736 | faca543878c17e6a54140eb3307d5f9c948fe517b74fb731413af4fe39a163c5.exe
  • Suspicious use of SetWindowsHookEx
    faca543878c17e6a54140eb3307d5f9c948fe517b74fb731413af4fe39a163c5.exe, faca543878c17e6a54140eb3307d5f9c948fe517b74fb731413af4fe39a163c5.exe, sitkamonthly.exe, sitkamonthly.exe

    Reported IOCs

    pid | process
    776 | faca543878c17e6a54140eb3307d5f9c948fe517b74fb731413af4fe39a163c5.exe
    1736 | faca543878c17e6a54140eb3307d5f9c948fe517b74fb731413af4fe39a163c5.exe
    1524 | sitkamonthly.exe
    1584 | sitkamonthly.exe
  • Suspicious use of WriteProcessMemory
    faca543878c17e6a54140eb3307d5f9c948fe517b74fb731413af4fe39a163c5.exe, sitkamonthly.exe

    Reported IOCs

    description | pid | process | target process
    PID 776 wrote to memory of 1736 | 776 | faca543878c17e6a54140eb3307d5f9c948fe517b74fb731413af4fe39a163c5.exe | faca543878c17e6a54140eb3307d5f9c948fe517b74fb731413af4fe39a163c5.exe
    PID 776 wrote to memory of 1736 | 776 | faca543878c17e6a54140eb3307d5f9c948fe517b74fb731413af4fe39a163c5.exe | faca543878c17e6a54140eb3307d5f9c948fe517b74fb731413af4fe39a163c5.exe
    PID 776 wrote to memory of 1736 | 776 | faca543878c17e6a54140eb3307d5f9c948fe517b74fb731413af4fe39a163c5.exe | faca543878c17e6a54140eb3307d5f9c948fe517b74fb731413af4fe39a163c5.exe
    PID 776 wrote to memory of 1736 | 776 | faca543878c17e6a54140eb3307d5f9c948fe517b74fb731413af4fe39a163c5.exe | faca543878c17e6a54140eb3307d5f9c948fe517b74fb731413af4fe39a163c5.exe
    PID 1524 wrote to memory of 1584 | 1524 | sitkamonthly.exe | sitkamonthly.exe
    PID 1524 wrote to memory of 1584 | 1524 | sitkamonthly.exe | sitkamonthly.exe
    PID 1524 wrote to memory of 1584 | 1524 | sitkamonthly.exe | sitkamonthly.exe
    PID 1524 wrote to memory of 1584 | 1524 | sitkamonthly.exe | sitkamonthly.exe
Processes 4
  • C:\Users\Admin\AppData\Local\Temp\faca543878c17e6a54140eb3307d5f9c948fe517b74fb731413af4fe39a163c5.exe
    "C:\Users\Admin\AppData\Local\Temp\faca543878c17e6a54140eb3307d5f9c948fe517b74fb731413af4fe39a163c5.exe"
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:776
    • C:\Users\Admin\AppData\Local\Temp\faca543878c17e6a54140eb3307d5f9c948fe517b74fb731413af4fe39a163c5.exe
      --3c8a43ec
      Suspicious behavior: EmotetMutantsSpam
      Suspicious behavior: RenamesItself
      Suspicious use of SetWindowsHookEx
      PID:1736
  • C:\Windows\SysWOW64\sitkamonthly.exe
    "C:\Windows\SysWOW64\sitkamonthly.exe"
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:1524
    • C:\Windows\SysWOW64\sitkamonthly.exe
      --2e9150cb
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EmotetMutantsSpam
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1584
Network
MITRE ATT&CK Matrix
Collection | Command and Control | Credential Access | Defense Evasion | Execution | Exfiltration | Impact | Initial Access | Lateral Movement | Persistence | Privilege Escalation
Downloads
  • memory/776-2-0x0000000076071000-0x0000000076073000-memory.dmp
  • memory/776-3-0x0000000000260000-0x0000000000277000-memory.dmp
  • memory/776-6-0x00000000001B0000-0x00000000001C1000-memory.dmp
  • memory/1524-11-0x0000000000630000-0x0000000000647000-memory.dmp
  • memory/1584-15-0x00000000003B0000-0x00000000003C7000-memory.dmp
  • memory/1584-12-0x0000000000000000-mapping.dmp
  • memory/1584-16-0x0000000000400000-0x0000000000493000-memory.dmp
  • memory/1736-7-0x00000000002A0000-0x00000000002B7000-memory.dmp
  • memory/1736-8-0x0000000000400000-0x0000000000493000-memory.dmp
  • memory/1736-4-0x0000000000000000-mapping.dmp