Analysis
-
max time kernel
128s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
21-05-2022 18:31
Static task
static1
Behavioral task
behavioral1
Sample
sample.exe
Resource
win7-20220414-en
General
-
Target
sample.exe
-
Size
76KB
-
MD5
60c962bc466dcfdf2fcac0537a604d00
-
SHA1
2646680fdc77b08e8ee9554dbaf508054e5809bb
-
SHA256
98819ebaafe2af78b7d5bf5ccc3791a298a77fe4333e9b422703ab54aee515ed
-
SHA512
25236658547258ce024fdb7e57326ed10f729ac2ab329c1c177d696706e5c0d9835b115118ab5aca0061478680c938fba286600c74022724050dfe65adfc7b24
Malware Config
Extracted
emotet
Epoch1
82.163.245.38:80
209.126.6.222:8080
5.153.250.14:8080
186.70.127.199:8090
190.128.173.10:80
190.195.129.227:8090
91.219.169.180:80
45.173.88.33:80
185.33.0.233:80
188.2.217.94:80
207.144.103.227:80
45.161.242.102:80
219.92.13.25:80
190.163.31.26:80
68.183.170.114:8080
191.99.160.58:80
73.213.208.163:80
94.176.234.118:443
104.131.41.185:8080
45.33.77.42:8080
114.109.179.60:80
213.60.96.117:80
41.84.248.134:443
83.169.21.32:7080
82.76.111.249:443
217.199.160.224:7080
80.249.176.206:80
82.196.15.205:8080
204.225.249.100:7080
190.6.193.152:8080
189.2.177.210:443
177.72.13.80:80
24.135.1.177:80
190.115.18.139:8080
192.241.146.84:8080
209.236.123.42:8080
213.176.36.147:8080
5.196.35.138:7080
104.131.103.37:8080
51.159.23.217:443
190.147.137.153:443
149.62.173.247:8080
137.74.106.111:7080
61.92.159.208:8080
177.73.0.98:443
24.135.198.218:80
85.105.140.135:443
187.162.248.237:80
46.28.111.142:7080
116.125.120.88:443
87.106.46.107:8080
212.71.237.140:8080
12.162.84.2:8080
178.79.163.131:8080
111.67.12.221:8080
95.9.180.128:80
192.241.143.52:8080
201.171.150.41:443
24.148.98.177:80
190.190.148.27:8080
186.103.141.250:443
72.47.248.48:7080
68.183.190.199:8080
172.104.169.32:8080
185.94.252.12:80
178.250.54.208:8080
91.222.77.105:80
217.13.106.14:8080
77.90.136.129:8080
2.47.112.152:80
95.180.234.21:80
186.250.52.226:8080
181.129.96.162:8080
77.55.211.77:8080
185.94.252.27:443
174.100.27.229:80
177.74.228.34:80
67.247.242.247:80
95.85.151.205:80
70.32.115.157:8080
89.32.150.160:8080
212.93.117.170:80
50.28.51.143:8080
94.206.45.18:80
202.4.57.96:80
191.182.6.118:80
58.171.153.81:80
143.0.87.101:80
51.255.165.160:8080
70.32.84.74:8080
73.116.193.136:80
170.81.48.2:80
Signatures
-
suricata: ET MALWARE Win32/Emotet CnC Activity (POST) M8
suricata: ET MALWARE Win32/Emotet CnC Activity (POST) M8
-
suricata: ET MALWARE Win32/Emotet CnC Activity (POST) M9
suricata: ET MALWARE Win32/Emotet CnC Activity (POST) M9
-
Processes:
resource yara_rule behavioral2/memory/3184-130-0x0000000000A10000-0x0000000000A1C000-memory.dmp emotet behavioral2/memory/3184-134-0x0000000000A00000-0x0000000000A09000-memory.dmp emotet behavioral2/memory/1664-137-0x00000000021F0000-0x00000000021FC000-memory.dmp emotet -
Executes dropped EXE 1 IoCs
Processes:
AboveLockAppHost.exepid process 1664 AboveLockAppHost.exe -
Drops file in System32 directory 1 IoCs
Processes:
sample.exedescription ioc process File opened for modification C:\Windows\SysWOW64\rdvgu1132\AboveLockAppHost.exe sample.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes:
AboveLockAppHost.exepid process 1664 AboveLockAppHost.exe 1664 AboveLockAppHost.exe 1664 AboveLockAppHost.exe 1664 AboveLockAppHost.exe 1664 AboveLockAppHost.exe 1664 AboveLockAppHost.exe 1664 AboveLockAppHost.exe 1664 AboveLockAppHost.exe 1664 AboveLockAppHost.exe 1664 AboveLockAppHost.exe 1664 AboveLockAppHost.exe 1664 AboveLockAppHost.exe 1664 AboveLockAppHost.exe 1664 AboveLockAppHost.exe 1664 AboveLockAppHost.exe 1664 AboveLockAppHost.exe 1664 AboveLockAppHost.exe 1664 AboveLockAppHost.exe 1664 AboveLockAppHost.exe 1664 AboveLockAppHost.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
sample.exepid process 3184 sample.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
sample.exeAboveLockAppHost.exepid process 3184 sample.exe 3184 sample.exe 1664 AboveLockAppHost.exe 1664 AboveLockAppHost.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
sample.exedescription pid process target process PID 3184 wrote to memory of 1664 3184 sample.exe AboveLockAppHost.exe PID 3184 wrote to memory of 1664 3184 sample.exe AboveLockAppHost.exe PID 3184 wrote to memory of 1664 3184 sample.exe AboveLockAppHost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\sample.exe"C:\Users\Admin\AppData\Local\Temp\sample.exe"1⤵
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rdvgu1132\AboveLockAppHost.exe"C:\Windows\SysWOW64\rdvgu1132\AboveLockAppHost.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SysWOW64\rdvgu1132\AboveLockAppHost.exeFilesize
76KB
MD560c962bc466dcfdf2fcac0537a604d00
SHA12646680fdc77b08e8ee9554dbaf508054e5809bb
SHA25698819ebaafe2af78b7d5bf5ccc3791a298a77fe4333e9b422703ab54aee515ed
SHA51225236658547258ce024fdb7e57326ed10f729ac2ab329c1c177d696706e5c0d9835b115118ab5aca0061478680c938fba286600c74022724050dfe65adfc7b24
-
memory/1664-135-0x0000000000000000-mapping.dmp
-
memory/1664-137-0x00000000021F0000-0x00000000021FC000-memory.dmpFilesize
48KB
-
memory/3184-130-0x0000000000A10000-0x0000000000A1C000-memory.dmpFilesize
48KB
-
memory/3184-134-0x0000000000A00000-0x0000000000A09000-memory.dmpFilesize
36KB