Analysis
max time kernel: 144s
max time network: 150s
platform: windows7_x64
resource: win7v20210410
submitted: 09-05-2021 21:24

Static task: static1
Behavioral task: behavioral1
Sample: be3be1dba4703a8d3d54a2db7d79a20ebe2b8956bd660a035fdeee87b1156ae3.exe
Resource: win7v20210410
General
Target: be3be1dba4703a8d3d54a2db7d79a20ebe2b8956bd660a035fdeee87b1156ae3.exe
Size: 368KB
MD5: a1db88dad2e41285cfc785919b6ac861
SHA1: f72154d5a87dcf9e9fbb6481ed60bc853b3e47eb
SHA256: be3be1dba4703a8d3d54a2db7d79a20ebe2b8956bd660a035fdeee87b1156ae3
SHA512: 13f87a57d7cd6205e52b5ed4472b217b1d92d3588aada9aa7183134929a85ec76f688eb079687e1c8a68f1aeccc88f7695fa6d2a05a6a341bd349605e18015eb
Malware Config
Extracted
emotet
Epoch2
149.135.10.19:80
91.231.166.124:8080
104.236.28.47:8080
46.105.131.87:80
100.6.23.40:80
200.41.121.90:80
66.34.201.20:7080
78.186.5.109:443
107.184.91.187:80
182.71.222.187:80
41.169.20.147:80
200.7.243.109:443
84.9.167.76:80
189.168.169.129:80
80.102.134.174:8080
60.250.78.22:443
24.196.13.216:80
75.133.26.185:80
37.139.21.175:8080
37.187.72.193:8080
58.171.38.26:80
190.53.135.159:21
180.92.239.110:8080
144.139.173.73:80
178.20.74.212:80
185.155.20.82:80
104.131.11.150:443
100.14.117.137:80
190.160.53.126:80
24.179.13.119:80
190.117.226.104:443
181.230.116.163:80
50.35.17.13:80
78.24.219.147:8080
120.151.135.224:80
118.69.70.109:80
87.106.139.101:8080
190.114.244.182:443
103.97.95.221:80
92.222.216.44:8080
41.60.200.34:80
200.116.145.225:443
88.249.120.205:80
101.187.134.207:8080
118.200.116.83:80
213.243.211.114:80
91.205.215.66:443
136.243.205.112:7080
46.105.131.69:443
60.130.173.117:80
31.172.240.91:8080
174.57.150.13:8080
156.67.114.199:80
98.15.140.226:80
139.130.242.43:80
58.177.172.160:80
24.249.73.48:80
115.65.111.148:443
80.11.158.65:8080
189.160.15.202:465
153.160.71.129:53
162.241.92.219:8080
200.85.110.240:8080
178.153.176.124:80
93.114.205.169:80
162.255.112.157:443
195.244.215.206:80
5.39.91.110:7080
202.175.121.202:8443
59.103.164.174:80
104.131.44.150:8080
45.33.49.124:443
42.200.191.247:80
173.21.26.90:80
5.88.27.67:8080
102.182.145.130:80
190.244.125.144:80
87.106.136.232:8080
169.239.182.217:8080
68.115.64.219:80
31.31.77.83:443
199.83.161.218:80
105.27.155.182:80
134.19.217.180:80
223.197.185.60:80
211.63.71.72:8080
45.55.65.123:8080
153.174.73.130:80
62.75.141.82:80
105.247.123.133:8080
101.187.97.173:80
200.123.150.89:443
190.55.181.54:443
113.61.66.94:80
74.130.137.231:80
209.141.54.221:8080
85.152.174.56:80
103.86.49.11:8080
23.92.16.164:8080
94.98.218.11:80
50.116.86.205:8080
24.94.237.248:80
5.196.74.210:8080
149.202.153.252:8080
51.77.108.17:80
210.56.10.58:80
120.150.246.241:80
176.9.43.37:8080
95.128.43.213:8080
91.242.138.11:80
59.148.227.190:80
104.236.246.93:8080
112.68.240.21:80
85.105.205.77:8080
201.173.217.124:443
181.167.53.79:443
95.213.236.64:8080
168.235.67.138:7080
216.132.25.162:80
54.39.187.202:443
209.97.168.52:8080
181.164.25.59:80
37.210.228.23:80
110.145.77.103:80
74.208.45.104:8080
98.156.206.153:80
210.6.85.121:80
Signatures

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (7 IoCs)
Processes (pid, process):
1596  mtstocom.exe  (7 occurrences)

Suspicious behavior: RenamesItself (1 IoCs)
Processes (pid, process):
1208  be3be1dba4703a8d3d54a2db7d79a20ebe2b8956bd660a035fdeee87b1156ae3.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
Processes (pid, process):
1208  be3be1dba4703a8d3d54a2db7d79a20ebe2b8956bd660a035fdeee87b1156ae3.exe  (2 occurrences)
1596  mtstocom.exe  (2 occurrences)

Suspicious use of WriteProcessMemory (4 IoCs)
Processes (description, pid, process, target process):
PID 1208 wrote to memory of 1596  1208  be3be1dba4703a8d3d54a2db7d79a20ebe2b8956bd660a035fdeee87b1156ae3.exe  mtstocom.exe  (4 occurrences)
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\be3be1dba4703a8d3d54a2db7d79a20ebe2b8956bd660a035fdeee87b1156ae3.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\be3be1dba4703a8d3d54a2db7d79a20ebe2b8956bd660a035fdeee87b1156ae3.exe"
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Depth 2: C:\Windows\SysWOW64\mtstocom\mtstocom.exe
Command line: "C:\Windows\SysWOW64\mtstocom\mtstocom.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/1208-59-0x0000000075561000-0x0000000075563000-memory.dmp  Filesize: 8KB
memory/1208-60-0x0000000000380000-0x000000000038C000-memory.dmp  Filesize: 48KB
memory/1208-62-0x0000000000370000-0x000000000037E000-memory.dmp  Filesize: 56KB
memory/1596-63-0x0000000000000000-mapping.dmp
memory/1596-65-0x0000000000390000-0x000000000039C000-memory.dmp  Filesize: 48KB