Analysis
- max time kernel: 145s
- max time network: 144s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 06-05-2021 02:29
Static task: static1
Behavioral task: behavioral1
Sample: ea1025ebfb2cbc8b7ee79006a44c6c036329701015d45f6f3777e58915b83726_yzXwDsU.exe
Resource: win7v20210408
General
- Target: ea1025ebfb2cbc8b7ee79006a44c6c036329701015d45f6f3777e58915b83726_yzXwDsU.exe
- Size: 419KB
- MD5: 9cf2c56ef2d9ed4c679013369c6bf4c0
- SHA1: 77a2d90daf8ccff12ba036924d49c0d57cfbc89b
- SHA256: ea1025ebfb2cbc8b7ee79006a44c6c036329701015d45f6f3777e58915b83726
- SHA512: 824fa156c422176b7f41aeae17fe10ea40bd0cb4337a3093b76b7416add2412d6de606d12b0f50a9de0b68e92456728b4b6e1829f2c2324a667282c73a0e6598
Malware Config
Extracted: emotet (Epoch2)
Signatures
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  Processes (pid, process): 1120 MSVideoDSP.exe (18 identical entries)
- Suspicious behavior: RenamesItself (1 IoC)
  Processes (pid, process): 3896 ea1025ebfb2cbc8b7ee79006a44c6c036329701015d45f6f3777e58915b83726_yzXwDsU.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid, process): 3896 ea1025ebfb2cbc8b7ee79006a44c6c036329701015d45f6f3777e58915b83726_yzXwDsU.exe; 1120 MSVideoDSP.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description, pid, process, target process): PID 3896 wrote to memory of 1120; 3896; ea1025ebfb2cbc8b7ee79006a44c6c036329701015d45f6f3777e58915b83726_yzXwDsU.exe; MSVideoDSP.exe (3 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\ea1025ebfb2cbc8b7ee79006a44c6c036329701015d45f6f3777e58915b83726_yzXwDsU.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ea1025ebfb2cbc8b7ee79006a44c6c036329701015d45f6f3777e58915b83726_yzXwDsU.exe"
   PID: 3896
   - Suspicious behavior: RenamesItself
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
2. (child of 1) C:\Windows\SysWOW64\MSVideoDSP\MSVideoDSP.exe
   Command line: "C:\Windows\SysWOW64\MSVideoDSP\MSVideoDSP.exe"
   PID: 1120
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/1120-117-0x0000000000000000-mapping.dmp
- memory/1120-118-0x0000000000C20000-0x0000000000C2C000-memory.dmp (Filesize: 48KB)
- memory/3896-114-0x0000000002240000-0x000000000224C000-memory.dmp (Filesize: 48KB)
- memory/3896-116-0x0000000002230000-0x000000000223A000-memory.dmp (Filesize: 40KB)