Analysis
-
max time kernel
85s -
max time network
88s -
platform
windows10_x64 -
resource
win10-en -
submitted
16-09-2021 17:30
General
-
Target
381fe5b3c4d640baf1495ad7f3e111af78c88df250895d87979834f952953580.exe
-
Size
474KB
-
MD5
604a044f20590d8486489d2b736e47fa
-
SHA1
8152a4a20292751f381b4a6d0bbce1c2f04739af
-
SHA256
381fe5b3c4d640baf1495ad7f3e111af78c88df250895d87979834f952953580
-
SHA512
89ba0d68c69ceef5956e692c2b6a8c07ff62ff0f1931b339d60252481864960c0109cd19731fca10acd659c3f7f52f7b94d8b060d4cf6483c653967dc1eedf39
Malware Config
Extracted
emotet
Epoch2
124.240.198.66:80
186.75.241.230:80
181.143.194.138:443
45.79.188.67:8080
77.237.248.136:8080
185.142.236.163:443
63.142.253.122:8080
178.254.6.27:7080
190.211.207.11:443
78.188.105.159:21
182.176.106.43:995
178.79.161.166:443
206.189.98.125:8080
87.230.19.21:8080
80.11.163.139:443
101.187.237.217:20
190.18.146.70:80
86.98.25.30:53
92.222.125.16:7080
186.4.172.5:443
169.239.182.217:8080
189.209.217.49:80
104.236.246.93:8080
190.228.72.244:53
88.247.163.44:80
45.123.3.54:443
91.205.215.66:8080
190.106.97.230:443
199.19.237.192:80
186.4.172.5:20
94.205.247.10:80
104.131.11.150:8080
144.139.247.220:80
119.15.153.237:80
173.212.203.26:8080
136.243.177.26:8080
5.196.74.210:8080
85.104.59.244:20
190.186.203.55:80
187.144.189.58:50000
78.24.219.147:8080
186.4.172.5:8080
46.105.131.87:80
149.167.86.174:990
222.214.218.192:8080
88.156.97.210:80
185.94.252.13:443
190.226.44.20:21
217.145.83.44:80
80.11.163.139:21
138.201.140.110:8080
190.53.135.159:21
31.172.240.91:8080
92.222.216.44:8080
87.106.139.101:8080
159.65.25.128:8080
31.12.67.62:7080
211.63.71.72:8080
179.32.19.219:22
92.233.128.13:143
87.106.136.232:8080
182.176.132.213:8090
37.157.194.134:443
181.143.53.227:21
188.166.253.46:8080
41.220.119.246:80
95.128.43.213:8080
103.97.95.218:143
201.251.43.69:8080
190.108.228.48:990
149.202.153.252:8080
24.51.106.145:21
182.76.6.2:8080
85.106.1.166:50000
62.75.187.192:8080
142.44.162.209:8080
45.33.49.124:443
27.147.163.188:8080
217.160.182.191:8080
212.71.234.16:8080
83.136.245.190:8080
47.41.213.2:22
103.255.150.84:80
200.71.148.138:8080
190.145.67.134:8090
Signatures
-
Drops file in System32 directory 5 IoCs
Processes:
windowshell.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 windowshell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE windowshell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies windowshell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 windowshell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat windowshell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 3 IoCs
Processes:
windowshell.exedescription ioc process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix windowshell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" windowshell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" windowshell.exe -
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes:
windowshell.exepid process 3972 windowshell.exe 3972 windowshell.exe 3972 windowshell.exe 3972 windowshell.exe 3972 windowshell.exe 3972 windowshell.exe 3972 windowshell.exe 3972 windowshell.exe 3972 windowshell.exe 3972 windowshell.exe 3972 windowshell.exe 3972 windowshell.exe 3972 windowshell.exe 3972 windowshell.exe 3972 windowshell.exe 3972 windowshell.exe 3972 windowshell.exe 3972 windowshell.exe 3972 windowshell.exe 3972 windowshell.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
381fe5b3c4d640baf1495ad7f3e111af78c88df250895d87979834f952953580.exepid process 752 381fe5b3c4d640baf1495ad7f3e111af78c88df250895d87979834f952953580.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
381fe5b3c4d640baf1495ad7f3e111af78c88df250895d87979834f952953580.exewindowshell.exedescription pid process target process PID 3156 wrote to memory of 752 3156 381fe5b3c4d640baf1495ad7f3e111af78c88df250895d87979834f952953580.exe 381fe5b3c4d640baf1495ad7f3e111af78c88df250895d87979834f952953580.exe PID 3156 wrote to memory of 752 3156 381fe5b3c4d640baf1495ad7f3e111af78c88df250895d87979834f952953580.exe 381fe5b3c4d640baf1495ad7f3e111af78c88df250895d87979834f952953580.exe PID 3156 wrote to memory of 752 3156 381fe5b3c4d640baf1495ad7f3e111af78c88df250895d87979834f952953580.exe 381fe5b3c4d640baf1495ad7f3e111af78c88df250895d87979834f952953580.exe PID 316 wrote to memory of 3972 316 windowshell.exe windowshell.exe PID 316 wrote to memory of 3972 316 windowshell.exe windowshell.exe PID 316 wrote to memory of 3972 316 windowshell.exe windowshell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\381fe5b3c4d640baf1495ad7f3e111af78c88df250895d87979834f952953580.exe"C:\Users\Admin\AppData\Local\Temp\381fe5b3c4d640baf1495ad7f3e111af78c88df250895d87979834f952953580.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\381fe5b3c4d640baf1495ad7f3e111af78c88df250895d87979834f952953580.exe--f8e7cfe62⤵
- Suspicious behavior: RenamesItself
-
C:\Windows\SysWOW64\windowshell.exe"C:\Windows\SysWOW64\windowshell.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\windowshell.exe--b2d594b62⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses