Analysis
- Max time kernel: 145s
- Max time network: 183s
- Platform: windows7_x64
- Resource: win7v20210408
- Submitted: 16-09-2021 11:56
Behavioral task: behavioral1
- Sample: 381fe5b3c4d640baf1495ad7f3e111af78c88df250895d87979834f952953580.exe
- Resource: win7v20210408
General
- Target: 381fe5b3c4d640baf1495ad7f3e111af78c88df250895d87979834f952953580.exe
- Size: 474KB
- MD5: 604a044f20590d8486489d2b736e47fa
- SHA1: 8152a4a20292751f381b4a6d0bbce1c2f04739af
- SHA256: 381fe5b3c4d640baf1495ad7f3e111af78c88df250895d87979834f952953580
- SHA512: 89ba0d68c69ceef5956e692c2b6a8c07ff62ff0f1931b339d60252481864960c0109cd19731fca10acd659c3f7f52f7b94d8b060d4cf6483c653967dc1eedf39
Malware Config
- Extracted: emotet (Epoch2)
Signatures

Drops file in System32 directory (1 IoC)
Processes: shellcues.exe
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (process: shellcues.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies data under HKEY_USERS (21 IoCs)
Processes: shellcues.exe (all 21 entries below are attributed to this process)
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}\WpadNetworkName = "Network"
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}\de-33-32-3b-7f-b9
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\de-33-32-3b-7f-b9
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\de-33-32-3b-7f-b9\WpadDecisionReason = "1"
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\de-33-32-3b-7f-b9\WpadDecisionTime = 80c8e3dd02abd701
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a070027000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}\WpadDecision = "0"
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\de-33-32-3b-7f-b9\WpadDecision = "0"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}\WpadDecisionReason = "1"
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}\WpadDecisionTime = 80c8e3dd02abd701
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes: shellcues.exe
- PID 1120: shellcues.exe
- PID 1120: shellcues.exe
- PID 1120: shellcues.exe
Suspicious behavior: RenamesItself (1 IoC)
Processes: 381fe5b3c4d640baf1495ad7f3e111af78c88df250895d87979834f952953580.exe
- PID 1988: 381fe5b3c4d640baf1495ad7f3e111af78c88df250895d87979834f952953580.exe
Suspicious use of UnmapMainImage (4 IoCs)
Processes: 381fe5b3c4d640baf1495ad7f3e111af78c88df250895d87979834f952953580.exe, shellcues.exe
- PID 2020: 381fe5b3c4d640baf1495ad7f3e111af78c88df250895d87979834f952953580.exe
- PID 1988: 381fe5b3c4d640baf1495ad7f3e111af78c88df250895d87979834f952953580.exe
- PID 1032: shellcues.exe
- PID 1120: shellcues.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes: 381fe5b3c4d640baf1495ad7f3e111af78c88df250895d87979834f952953580.exe, shellcues.exe
- PID 2020 wrote to memory of 1988: 381fe5b3c4d640baf1495ad7f3e111af78c88df250895d87979834f952953580.exe -> 381fe5b3c4d640baf1495ad7f3e111af78c88df250895d87979834f952953580.exe
- PID 2020 wrote to memory of 1988: 381fe5b3c4d640baf1495ad7f3e111af78c88df250895d87979834f952953580.exe -> 381fe5b3c4d640baf1495ad7f3e111af78c88df250895d87979834f952953580.exe
- PID 2020 wrote to memory of 1988: 381fe5b3c4d640baf1495ad7f3e111af78c88df250895d87979834f952953580.exe -> 381fe5b3c4d640baf1495ad7f3e111af78c88df250895d87979834f952953580.exe
- PID 2020 wrote to memory of 1988: 381fe5b3c4d640baf1495ad7f3e111af78c88df250895d87979834f952953580.exe -> 381fe5b3c4d640baf1495ad7f3e111af78c88df250895d87979834f952953580.exe
- PID 1032 wrote to memory of 1120: shellcues.exe -> shellcues.exe
- PID 1032 wrote to memory of 1120: shellcues.exe -> shellcues.exe
- PID 1032 wrote to memory of 1120: shellcues.exe -> shellcues.exe
- PID 1032 wrote to memory of 1120: shellcues.exe -> shellcues.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\381fe5b3c4d640baf1495ad7f3e111af78c88df250895d87979834f952953580.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\381fe5b3c4d640baf1495ad7f3e111af78c88df250895d87979834f952953580.exe"
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\381fe5b3c4d640baf1495ad7f3e111af78c88df250895d87979834f952953580.exe
    Command line: --f8e7cfe6
    - Suspicious behavior: RenamesItself
    - Suspicious use of UnmapMainImage
- C:\Windows\SysWOW64\shellcues.exe
  Command line: "C:\Windows\SysWOW64\shellcues.exe"
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\shellcues.exe
    Command line: --6e5b42c6
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
Downloads
- memory/1120-66-0x0000000000000000-mapping.dmp
- memory/1988-62-0x0000000000000000-mapping.dmp
- memory/2020-60-0x00000000754F1000-0x00000000754F3000-memory.dmp (Filesize: 8KB)
- memory/2020-61-0x00000000002D0000-0x00000000002E5000-memory.dmp (Filesize: 84KB)
- memory/2020-64-0x0000000000400000-0x0000000000478000-memory.dmp (Filesize: 480KB)