Analysis
max time kernel: 146s
max time network: 152s
platform: windows10_x64
resource: win10v20210410
submitted: 09-05-2021 22:38
Static task: static1
Behavioral task: behavioral1
Sample: 61a2f90d5f2c5c539d72b37f98163e58a34f1724d284ed0a1f3ceb46f1b3f642.exe
Resource: win7v20210408
General
Target: 61a2f90d5f2c5c539d72b37f98163e58a34f1724d284ed0a1f3ceb46f1b3f642.exe
Size: 368KB
MD5: 6dd10b32ae1922ed8d8bc12dbe37bc99
SHA1: 46c753db17c369d6cff7ac117593f5e0696e752b
SHA256: 61a2f90d5f2c5c539d72b37f98163e58a34f1724d284ed0a1f3ceb46f1b3f642
SHA512: fc52c8b1d66de0dedf12c12d2100971181a5c46cf769ae819a9a8257c2543a2c9af533cc29908bb69a1a44f71de65a818b96db2b235c7697dddba40cc90e6eaa
Malware Config
Extracted family: emotet
Botnet: Epoch1
C2 addresses (IP:port list extracted from the sample):
Signatures
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (18 IoCs)
Processes:
pid   process
3344  KBDINBE1.exe   (18 identical entries)
Suspicious behavior: RenamesItself (1 IoC)
Processes:
pid   process
3912  61a2f90d5f2c5c539d72b37f98163e58a34f1724d284ed0a1f3ceb46f1b3f642.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
Processes:
pid   process
3912  61a2f90d5f2c5c539d72b37f98163e58a34f1724d284ed0a1f3ceb46f1b3f642.exe   (2 entries)
3344  KBDINBE1.exe   (2 entries)
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
description                        pid   process                                                                  target process
PID 3912 wrote to memory of 3344   3912  61a2f90d5f2c5c539d72b37f98163e58a34f1724d284ed0a1f3ceb46f1b3f642.exe  KBDINBE1.exe   (3 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\61a2f90d5f2c5c539d72b37f98163e58a34f1724d284ed0a1f3ceb46f1b3f642.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\61a2f90d5f2c5c539d72b37f98163e58a34f1724d284ed0a1f3ceb46f1b3f642.exe"
   - Suspicious behavior: RenamesItself
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\KBDINBE1\KBDINBE1.exe
   Command line: "C:\Windows\SysWOW64\KBDINBE1\KBDINBE1.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/3344-117-0x0000000000000000-mapping.dmp
memory/3344-119-0x0000000000700000-0x000000000070C000-memory.dmp   Filesize: 48KB
memory/3344-120-0x00000000006F0000-0x0000000000747000-memory.dmp   Filesize: 348KB
memory/3912-114-0x00000000006C0000-0x00000000006CC000-memory.dmp   Filesize: 48KB
memory/3912-116-0x00000000006B0000-0x00000000006BE000-memory.dmp   Filesize: 56KB