Analysis
- max time kernel: 147s
- max time network: 149s
- platform: windows10_x64
- resource: win10-en
- submitted: 13-09-2021 08:58
Static task: static1
Behavioral task: behavioral1
Sample: 3942341d32ac846fddd15dad7e14e0f52437f136e97c7baafe247c79b7ebdd1a.exe
Resource: win7v20210408
General
- Target: 3942341d32ac846fddd15dad7e14e0f52437f136e97c7baafe247c79b7ebdd1a.exe
- Size: 1.0MB
- MD5: 752c55f5b44f362188a7bd114a22c04e
- SHA1: 7b75db98c3833ec7d8d75aa70243cabb1ac108c3
- SHA256: 3942341d32ac846fddd15dad7e14e0f52437f136e97c7baafe247c79b7ebdd1a
- SHA512: f6f73a3eb687a63723b778f3ed73cfe8121e6cd4156c86690c23217bdd814d298d0f664d094187c953759d9712947a99b5f1404f21787056de2e96fc9df3505f
Malware Config
Extracted
emotet
Epoch3
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes:
pid  process
3340 xolehlp.exe (16 identical entries)
-
Suspicious behavior: RenamesItself 1 IoCs
Processes:
pid  process
3996 3942341d32ac846fddd15dad7e14e0f52437f136e97c7baafe247c79b7ebdd1a.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid  process
3996 3942341d32ac846fddd15dad7e14e0f52437f136e97c7baafe247c79b7ebdd1a.exe
3340 xolehlp.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
description                       pid  process                                                                   target process
PID 3996 wrote to memory of 3340  3996 3942341d32ac846fddd15dad7e14e0f52437f136e97c7baafe247c79b7ebdd1a.exe  xolehlp.exe (3 identical entries)
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\3942341d32ac846fddd15dad7e14e0f52437f136e97c7baafe247c79b7ebdd1a.exe
    "C:\Users\Admin\AppData\Local\Temp\3942341d32ac846fddd15dad7e14e0f52437f136e97c7baafe247c79b7ebdd1a.exe"
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
[2] C:\Windows\SysWOW64\xolehlp\xolehlp.exe
    "C:\Windows\SysWOW64\xolehlp\xolehlp.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
memory/3340-118-0x0000000000000000-mapping.dmp
-
memory/3340-119-0x0000000000A00000-0x0000000000A0C000-memory.dmp
Filesize: 48KB
-
memory/3996-116-0x00000000006C0000-0x00000000006CC000-memory.dmp
Filesize: 48KB
-
memory/3996-117-0x0000000000620000-0x000000000062A000-memory.dmp
Filesize: 40KB