Analysis
-
max time kernel
142s -
max time network
145s -
platform
windows7_x64 -
resource
win7-en-20211014 -
submitted
19-11-2021 19:49
Static task
static1
Behavioral task
behavioral1
Sample
bad71.bin.exe
Resource
win7-en-20211014
General
-
Target
bad71.bin.exe
-
Size
752KB
-
MD5
b356ddc2348a102711ccd47a65b6cbcf
-
SHA1
9d72d0985e61dc81758e0afcb58375e6182e7d66
-
SHA256
5a89c0b4d52a8feb9b4bf7ebd49eb7a84b54b9cd94ced300b16202177926287f
-
SHA512
3eb612bdd8f01c3b182a980fe79d47980d16fd9d934e13bd5f2db06163b60e63e8054add2dcffedb0cb8a8e2d66d67838ab7cbf58c6125d35ea3f32edec73fc2
Malware Config
Extracted
emotet
Epoch2
217.160.19.232:8080
192.241.220.155:8080
167.99.105.223:7080
176.31.200.130:8080
91.205.215.66:8080
181.143.194.138:443
167.71.10.37:8080
133.167.80.63:7080
183.102.238.69:465
190.145.67.134:8090
169.239.182.217:8080
78.24.219.147:8080
92.222.216.44:8080
47.41.213.2:22
124.240.198.66:80
189.209.217.49:80
80.11.163.139:21
190.53.135.159:21
217.160.182.191:8080
87.230.19.21:8080
136.243.177.26:8080
178.79.161.166:443
144.139.247.220:80
103.39.131.88:80
192.81.213.192:8080
152.89.236.214:8080
62.75.187.192:8080
46.105.131.87:80
190.226.44.20:21
173.212.203.26:8080
181.31.213.158:8080
190.228.72.244:53
104.131.44.150:8080
95.128.43.213:8080
104.131.11.150:8080
186.4.172.5:20
94.205.247.10:80
200.71.148.138:8080
5.196.74.210:8080
37.157.194.134:443
200.51.94.251:80
171.101.153.86:990
45.33.49.124:443
181.143.53.227:21
86.22.221.170:80
87.106.139.101:8080
83.136.245.190:8080
94.177.216.217:8080
31.12.67.62:7080
138.201.140.110:8080
37.187.2.199:443
178.210.51.222:8080
186.4.172.5:443
190.211.207.11:443
186.75.241.230:80
87.106.136.232:8080
209.141.41.136:8080
173.249.47.77:8080
186.4.172.5:8080
159.65.25.128:8080
85.104.59.244:20
149.202.153.252:8080
31.172.240.91:8080
206.189.98.125:8080
212.71.234.16:8080
182.176.132.213:8090
104.236.246.93:8080
212.129.24.79:8080
211.63.71.72:8080
115.78.95.230:443
59.103.164.174:80
Signatures
-
Drops file in System32 directory 1 IoCs
Processes:
teapotcaching.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat teapotcaching.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 25 IoCs
Processes:
teapotcaching.exedescription ioc process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" teapotcaching.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0271AF7A-4677-4C25-BD6A-784087224B50}\WpadDecisionReason = "1" teapotcaching.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0271AF7A-4677-4C25-BD6A-784087224B50}\WpadDecisionTime = a090358086ddd701 teapotcaching.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-99-3c-5b-5b-f8 teapotcaching.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" teapotcaching.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings teapotcaching.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 teapotcaching.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad teapotcaching.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0271AF7A-4677-4C25-BD6A-784087224B50}\e2-99-3c-5b-5b-f8 teapotcaching.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-99-3c-5b-5b-f8\WpadDecisionTime = a090358086ddd701 teapotcaching.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-99-3c-5b-5b-f8\WpadDetectedUrl teapotcaching.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0271AF7A-4677-4C25-BD6A-784087224B50}\WpadDecisionTime = 20fdefba86ddd701 teapotcaching.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections teapotcaching.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" teapotcaching.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0271AF7A-4677-4C25-BD6A-784087224B50} teapotcaching.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0271AF7A-4677-4C25-BD6A-784087224B50}\WpadDecision = "0" teapotcaching.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-99-3c-5b-5b-f8\WpadDecisionReason = "1" teapotcaching.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-99-3c-5b-5b-f8\WpadDecision = "0" teapotcaching.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0043000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 teapotcaching.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-99-3c-5b-5b-f8\WpadDecisionTime = 20fdefba86ddd701 teapotcaching.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 teapotcaching.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0043000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 teapotcaching.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0271AF7A-4677-4C25-BD6A-784087224B50}\WpadNetworkName = "Network 3" teapotcaching.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings teapotcaching.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix teapotcaching.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
teapotcaching.exepid process 1920 teapotcaching.exe 1920 teapotcaching.exe 1920 teapotcaching.exe 1920 teapotcaching.exe 1920 teapotcaching.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
bad71.bin.exepid process 1292 bad71.bin.exe -
Suspicious use of SetWindowsHookEx 8 IoCs
Processes:
bad71.bin.exebad71.bin.exeteapotcaching.exeteapotcaching.exepid process 524 bad71.bin.exe 524 bad71.bin.exe 1292 bad71.bin.exe 1292 bad71.bin.exe 1984 teapotcaching.exe 1984 teapotcaching.exe 1920 teapotcaching.exe 1920 teapotcaching.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
bad71.bin.exeteapotcaching.exedescription pid process target process PID 524 wrote to memory of 1292 524 bad71.bin.exe bad71.bin.exe PID 524 wrote to memory of 1292 524 bad71.bin.exe bad71.bin.exe PID 524 wrote to memory of 1292 524 bad71.bin.exe bad71.bin.exe PID 524 wrote to memory of 1292 524 bad71.bin.exe bad71.bin.exe PID 1984 wrote to memory of 1920 1984 teapotcaching.exe teapotcaching.exe PID 1984 wrote to memory of 1920 1984 teapotcaching.exe teapotcaching.exe PID 1984 wrote to memory of 1920 1984 teapotcaching.exe teapotcaching.exe PID 1984 wrote to memory of 1920 1984 teapotcaching.exe teapotcaching.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\bad71.bin.exe"C:\Users\Admin\AppData\Local\Temp\bad71.bin.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\bad71.bin.exe--97c5adc2⤵
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\teapotcaching.exe"C:\Windows\SysWOW64\teapotcaching.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\teapotcaching.exe--73c721102⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/524-55-0x0000000075B71000-0x0000000075B73000-memory.dmpFilesize
8KB
-
memory/524-56-0x00000000003E0000-0x00000000003F7000-memory.dmpFilesize
92KB
-
memory/524-66-0x00000000003C0000-0x00000000003D1000-memory.dmpFilesize
68KB
-
memory/1292-60-0x0000000000000000-mapping.dmp
-
memory/1292-62-0x0000000000260000-0x0000000000277000-memory.dmpFilesize
92KB
-
memory/1920-72-0x0000000000000000-mapping.dmp
-
memory/1920-74-0x0000000000A90000-0x0000000000AA7000-memory.dmpFilesize
92KB
-
memory/1984-68-0x0000000000540000-0x0000000000557000-memory.dmpFilesize
92KB