Analysis
max time kernel: 151s
max time network: 157s
platform: windows10_x64
resource: win10v20210408
submitted: 06-05-2021 03:02
Static task: static1
Behavioral task: behavioral1
Sample: 9cf2c56e_by_Libranalysis.exe
Resource: win7v20210410
General
Target: 9cf2c56e_by_Libranalysis.exe
Size: 419KB
MD5: 9cf2c56ef2d9ed4c679013369c6bf4c0
SHA1: 77a2d90daf8ccff12ba036924d49c0d57cfbc89b
SHA256: ea1025ebfb2cbc8b7ee79006a44c6c036329701015d45f6f3777e58915b83726
SHA512: 824fa156c422176b7f41aeae17fe10ea40bd0cb4337a3093b76b7416add2412d6de606d12b0f50a9de0b68e92456728b4b6e1829f2c2324a667282c73a0e6598
Malware Config
Extracted: family emotet, botnet Epoch2
C2 address list (ip:port):
47.148.241.179:80
24.204.47.87:80
80.86.91.91:8080
104.236.28.47:8080
87.106.136.232:8080
211.63.71.72:8080
113.52.123.226:7080
78.101.70.199:443
76.86.17.1:80
222.144.13.169:80
47.155.214.239:80
181.143.126.170:80
169.239.182.217:8080
181.126.70.117:80
209.137.209.84:443
207.177.72.129:8080
37.139.21.175:8080
149.202.153.252:8080
108.6.170.195:80
37.187.72.193:8080
190.220.19.82:443
206.81.10.215:8080
92.222.216.44:8080
104.131.44.150:8080
103.86.49.11:8080
78.186.5.109:443
62.75.187.192:8080
76.104.80.47:80
176.9.43.37:8080
31.172.240.91:8080
66.34.201.20:7080
125.207.127.86:80
85.152.174.56:80
78.189.180.107:80
23.92.16.164:8080
178.153.176.124:80
74.208.45.104:8080
177.239.160.121:80
47.156.70.145:80
217.160.182.191:8080
223.197.185.60:80
95.213.236.64:8080
190.143.39.231:80
173.73.87.96:80
46.105.131.87:80
93.147.141.5:443
105.27.155.182:80
209.146.22.34:443
174.53.195.88:80
59.20.65.102:80
205.185.117.108:8080
200.21.90.5:443
5.32.55.214:80
95.128.43.213:8080
108.191.2.72:80
105.247.123.133:8080
70.187.114.147:80
190.53.135.159:21
178.20.74.212:80
101.100.137.135:80
210.6.85.121:80
50.116.86.205:8080
70.180.35.211:80
162.241.92.219:8080
5.196.74.210:8080
201.173.217.124:443
91.242.136.103:80
45.33.49.124:443
59.103.164.174:80
47.6.15.79:80
201.184.105.242:443
71.222.233.135:443
24.105.202.216:443
76.104.80.47:443
188.0.135.237:80
60.231.217.199:8080
31.31.77.83:443
190.12.119.180:443
62.138.26.28:8080
47.153.183.211:80
71.126.247.90:80
189.212.199.126:443
200.116.145.225:443
139.130.241.252:443
90.69.145.210:8080
75.114.235.105:80
74.130.83.133:80
24.164.79.147:8080
190.114.244.182:443
180.92.239.110:8080
108.190.109.107:80
181.13.24.82:80
74.108.124.180:80
209.141.54.221:8080
110.36.217.66:8080
174.83.116.77:80
47.155.214.239:443
85.105.205.77:8080
179.13.185.19:80
139.130.242.43:80
160.16.215.66:8080
45.55.65.123:8080
41.60.200.34:80
88.249.120.205:80
98.239.119.52:80
2.237.76.249:80
173.21.26.90:80
202.175.121.202:8090
87.106.139.101:8080
121.88.5.176:443
120.150.246.241:80
190.146.205.227:8080
195.244.215.206:80
68.114.229.171:80
46.105.131.69:443
104.236.246.93:8080
110.44.113.2:80
60.250.78.22:443
70.184.9.39:8080
209.97.168.52:8080
47.26.155.17:80
101.187.197.33:443
115.65.111.148:443
98.156.206.153:80
70.127.155.33:80
65.184.222.119:80
152.168.248.128:443
Signatures

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (18 IoCs)
Processes (pid, process):
200 cabapi.exe (18 occurrences)

Suspicious behavior: RenamesItself (1 IoCs)
Processes (pid, process):
904 9cf2c56e_by_Libranalysis.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes (pid, process):
904 9cf2c56e_by_Libranalysis.exe
200 cabapi.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes (description, pid, process, target process):
PID 904 wrote to memory of 200 | 904 | 9cf2c56e_by_Libranalysis.exe | cabapi.exe
PID 904 wrote to memory of 200 | 904 | 9cf2c56e_by_Libranalysis.exe | cabapi.exe
PID 904 wrote to memory of 200 | 904 | 9cf2c56e_by_Libranalysis.exe | cabapi.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\9cf2c56e_by_Libranalysis.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\9cf2c56e_by_Libranalysis.exe"
   - Suspicious behavior: RenamesItself
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cabapi\cabapi.exe (child of process 1)
      Command line: "C:\Windows\SysWOW64\cabapi\cabapi.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/200-117-0x0000000000000000-mapping.dmp
memory/200-119-0x00000000005D0000-0x00000000005DC000-memory.dmp (Filesize: 48KB)
memory/200-120-0x00000000005C0000-0x000000000070A000-memory.dmp (Filesize: 1.3MB)
memory/904-114-0x0000000000570000-0x000000000057C000-memory.dmp (Filesize: 48KB)
memory/904-116-0x0000000000560000-0x000000000056A000-memory.dmp (Filesize: 40KB)