Analysis
max time kernel: 156s
max time network: 174s
platform: windows7_x64
resource: win7-20220414-en
submitted: 24-05-2022 01:08
Behavioral task: behavioral1
Sample: 3bebc167adc5cfc6df3e052fcc56cca0c5d91d30fe2791b2a5a6485878c3b2f1.exe
Resource: win7-20220414-en
General
Target: 3bebc167adc5cfc6df3e052fcc56cca0c5d91d30fe2791b2a5a6485878c3b2f1.exe
Size: 329KB
MD5: cc269eb719302c38ae0df44ca4833024
SHA1: d1d22fd4ea2a90099fdc76c0b2d150d61c2aef6b
SHA256: 3bebc167adc5cfc6df3e052fcc56cca0c5d91d30fe2791b2a5a6485878c3b2f1
SHA512: a0ee73595b15f9e9b686b1206c71739992ca0c39792e086d3ce1b1cd4499beb01a15708c19f689dd38471759c49244b52e865ccb2473da9d8213cd4b6069200b
Malware Config
Extracted
Family: emotet
Botnet: Epoch2
C2 (host:port):
186.4.172.5:443
117.197.124.36:443
37.208.39.59:7080
186.4.172.5:8080
182.176.106.43:995
178.62.37.188:443
92.51.129.249:4143
92.222.125.16:7080
142.44.162.209:8080
31.12.67.62:7080
46.105.131.87:80
92.222.216.44:8080
87.106.136.232:8080
103.97.95.218:143
190.145.67.134:8090
104.236.246.93:8080
88.156.97.210:80
175.100.138.82:22
78.24.219.147:8080
91.205.215.66:8080
185.94.252.13:443
138.201.140.110:8080
45.33.49.124:443
182.176.132.213:8090
186.4.194.153:993
179.32.19.219:22
91.83.93.103:7080
162.243.125.212:8080
188.166.253.46:8080
104.131.11.150:8080
206.189.98.125:8080
173.212.203.26:8080
31.172.240.91:8080
47.41.213.2:22
62.75.187.192:8080
190.53.135.159:21
95.128.43.213:8080
190.186.203.55:80
149.202.153.252:8080
152.169.236.172:80
189.209.217.49:80
136.243.177.26:8080
64.13.225.150:8080
87.106.139.101:8080
85.104.59.244:20
212.71.234.16:8080
87.230.19.21:8080
211.63.71.72:8080
94.205.247.10:80
177.246.193.139:20
222.214.218.192:8080
159.65.25.128:8080
124.121.192.163:8443
37.157.194.134:443
178.79.161.166:443
41.220.119.246:80
201.212.57.109:80
75.127.14.170:8080
144.139.247.220:80
45.123.3.54:443
125.99.106.226:80
169.239.182.217:8080
Signatures

Drops file in System32 directory (1 IoC)
Processes: nextdrawa.exe
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (process: nextdrawa.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies data under HKEY_USERS (21 IoCs)
Processes: nextdrawa.exe (all entries below were performed by nextdrawa.exe)
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0094000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{88B295A5-0AEA-43FD-A52B-69F1BB33E05E}\WpadDecisionTime = 80d2c0d71b6fd801
  Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{88B295A5-0AEA-43FD-A52B-69F1BB33E05E}\WpadNetworkName = "Network 2"
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{88B295A5-0AEA-43FD-A52B-69F1BB33E05E}\12-9c-46-85-ff-ff
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-9c-46-85-ff-ff\WpadDecision = "0"
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-9c-46-85-ff-ff\WpadDecisionReason = "1"
  Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (value not shown in the report)
  Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{88B295A5-0AEA-43FD-A52B-69F1BB33E05E}\WpadDecisionReason = "1"
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-9c-46-85-ff-ff
  Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{88B295A5-0AEA-43FD-A52B-69F1BB33E05E}
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{88B295A5-0AEA-43FD-A52B-69F1BB33E05E}\WpadDecision = "0"
  Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-9c-46-85-ff-ff\WpadDecisionTime = 80d2c0d71b6fd801
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: nextdrawa.exe
  PID 1668 nextdrawa.exe
  PID 1668 nextdrawa.exe

Suspicious behavior: RenamesItself (1 IoC)
Processes: 3bebc167adc5cfc6df3e052fcc56cca0c5d91d30fe2791b2a5a6485878c3b2f1.exe
  PID 1724 3bebc167adc5cfc6df3e052fcc56cca0c5d91d30fe2791b2a5a6485878c3b2f1.exe

Suspicious use of UnmapMainImage (4 IoCs)
Processes: 3bebc167adc5cfc6df3e052fcc56cca0c5d91d30fe2791b2a5a6485878c3b2f1.exe, nextdrawa.exe
  PID 1064 3bebc167adc5cfc6df3e052fcc56cca0c5d91d30fe2791b2a5a6485878c3b2f1.exe
  PID 1724 3bebc167adc5cfc6df3e052fcc56cca0c5d91d30fe2791b2a5a6485878c3b2f1.exe
  PID 1784 nextdrawa.exe
  PID 1668 nextdrawa.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes: 3bebc167adc5cfc6df3e052fcc56cca0c5d91d30fe2791b2a5a6485878c3b2f1.exe, nextdrawa.exe
  PID 1064 wrote to memory of PID 1724 (source: 3bebc167adc5cfc6df3e052fcc56cca0c5d91d30fe2791b2a5a6485878c3b2f1.exe, target: 3bebc167adc5cfc6df3e052fcc56cca0c5d91d30fe2791b2a5a6485878c3b2f1.exe) x4
  PID 1784 wrote to memory of PID 1668 (source: nextdrawa.exe, target: nextdrawa.exe) x4
Processes

C:\Users\Admin\AppData\Local\Temp\3bebc167adc5cfc6df3e052fcc56cca0c5d91d30fe2791b2a5a6485878c3b2f1.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3bebc167adc5cfc6df3e052fcc56cca0c5d91d30fe2791b2a5a6485878c3b2f1.exe"
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\3bebc167adc5cfc6df3e052fcc56cca0c5d91d30fe2791b2a5a6485878c3b2f1.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\3bebc167adc5cfc6df3e052fcc56cca0c5d91d30fe2791b2a5a6485878c3b2f1.exe --cc5ff026
    - Suspicious behavior: RenamesItself
    - Suspicious use of UnmapMainImage

C:\Windows\SysWOW64\nextdrawa.exe (depth 1)
  Command line: "C:\Windows\SysWOW64\nextdrawa.exe"
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\nextdrawa.exe (depth 2)
    Command line: C:\Windows\SysWOW64\nextdrawa.exe --72ce4c80
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/1064-54-0x00000000769D1000-0x00000000769D3000-memory.dmp (Filesize 8KB)
memory/1064-56-0x00000000001B0000-0x00000000001C3000-memory.dmp (Filesize 76KB)
memory/1064-58-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize 100KB)
memory/1668-61-0x0000000000000000-mapping.dmp
memory/1668-63-0x00000000001B0000-0x00000000001C3000-memory.dmp (Filesize 76KB)
memory/1724-55-0x0000000000000000-mapping.dmp
memory/1724-59-0x0000000000400000-0x0000000000456000-memory.dmp (Filesize 344KB)