Analysis
- max time kernel: 144s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 24-05-2022 01:08

Behavioral task: behavioral1
- Sample: 3bebc167adc5cfc6df3e052fcc56cca0c5d91d30fe2791b2a5a6485878c3b2f1.exe
- Resource: win7-20220414-en
General
- Target: 3bebc167adc5cfc6df3e052fcc56cca0c5d91d30fe2791b2a5a6485878c3b2f1.exe
- Size: 329KB
- MD5: cc269eb719302c38ae0df44ca4833024
- SHA1: d1d22fd4ea2a90099fdc76c0b2d150d61c2aef6b
- SHA256: 3bebc167adc5cfc6df3e052fcc56cca0c5d91d30fe2791b2a5a6485878c3b2f1
- SHA512: a0ee73595b15f9e9b686b1206c71739992ca0c39792e086d3ce1b1cd4499beb01a15708c19f689dd38471759c49244b52e865ccb2473da9d8213cd4b6069200b
Malware Config
Extracted: emotet (Epoch2)
C2 endpoints (ip:port):
186.4.172.5:443
117.197.124.36:443
37.208.39.59:7080
186.4.172.5:8080
182.176.106.43:995
178.62.37.188:443
92.51.129.249:4143
92.222.125.16:7080
142.44.162.209:8080
31.12.67.62:7080
46.105.131.87:80
92.222.216.44:8080
87.106.136.232:8080
103.97.95.218:143
190.145.67.134:8090
104.236.246.93:8080
88.156.97.210:80
175.100.138.82:22
78.24.219.147:8080
91.205.215.66:8080
185.94.252.13:443
138.201.140.110:8080
45.33.49.124:443
182.176.132.213:8090
186.4.194.153:993
179.32.19.219:22
91.83.93.103:7080
162.243.125.212:8080
188.166.253.46:8080
104.131.11.150:8080
206.189.98.125:8080
173.212.203.26:8080
31.172.240.91:8080
47.41.213.2:22
62.75.187.192:8080
190.53.135.159:21
95.128.43.213:8080
190.186.203.55:80
149.202.153.252:8080
152.169.236.172:80
189.209.217.49:80
136.243.177.26:8080
64.13.225.150:8080
87.106.139.101:8080
85.104.59.244:20
212.71.234.16:8080
87.230.19.21:8080
211.63.71.72:8080
94.205.247.10:80
177.246.193.139:20
222.214.218.192:8080
159.65.25.128:8080
124.121.192.163:8443
37.157.194.134:443
178.79.161.166:443
41.220.119.246:80
201.212.57.109:80
75.127.14.170:8080
144.139.247.220:80
45.123.3.54:443
125.99.106.226:80
169.239.182.217:8080
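The extracted C2 list is the most directly actionable part of this report. Note that several endpoints sit on ports normally associated with other services (20, 21, 22, 143, 993, 995), so any matching must key on the IP rather than on "expected" service ports. The following is an added example, not part of the sandbox output: it parses a subset of the list above into an IP-keyed lookup and runs constructed firewall-style records against it, reporting an exact ip:port hit separately from an IP-only hit (same C2 host, different port). The log format and the record contents are assumptions made for the example; copy the whole list in real use.

```python
"""Match connection records against the Emotet Epoch2 C2 endpoints
extracted in the Malware Config above. Added example; not part of the
sandbox report. The log lines below are constructed, not captured."""
import ipaddress
import re

# Subset of the C2 list from this report (feed the whole list in practice).
EMOTET_EPOCH2_C2 = """
186.4.172.5:443
186.4.172.5:8080
37.208.39.59:7080
182.176.106.43:995
175.100.138.82:22
190.53.135.159:21
85.104.59.244:20
103.97.95.218:143
46.105.131.87:80
"""


def parse_c2_list(text):
    """Return {ip: {ports}}; keyed by IP so a hit on another port still shows up."""
    c2 = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        host, _, port = line.rpartition(":")
        ipaddress.ip_address(host)          # reject anything that is not a bare IP
        c2.setdefault(host, set()).add(int(port))
    return c2


# Constructed firewall-style records: key=value pairs, one connection per line.
CONN_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")


def scan_connections(log_lines, c2):
    """Return (src, dst, dport, kind) for every record whose destination is a C2 IP.
    kind is 'exact' when IP and port both match, 'ip-only' when only the IP does."""
    hits = []
    for line in log_lines:
        m = CONN_RE.search(line)
        if not m:
            continue
        dst, dport = m["dst"], int(m["dport"])
        if dst not in c2:
            continue
        kind = "exact" if dport in c2[dst] else "ip-only"
        hits.append((m["src"], dst, dport, kind))
    return hits


# Constructed sample records; 198.51.100.7 is a documentation address used as benign traffic.
SAMPLE_LOG = [
    "2022-05-24T01:09:12Z action=allow src=10.0.0.15 dst=186.4.172.5 dport=443 proto=tcp",
    "2022-05-24T01:09:13Z action=allow src=10.0.0.15 dst=198.51.100.7 dport=443 proto=tcp",
    "2022-05-24T01:09:40Z action=allow src=10.0.0.15 dst=175.100.138.82 dport=22 proto=tcp",
    "2022-05-24T01:09:41Z action=deny src=10.0.0.22 dst=37.208.39.59 dport=8080 proto=tcp",
]

if __name__ == "__main__":
    for hit in scan_connections(SAMPLE_LOG, parse_c2_list(EMOTET_EPOCH2_C2)):
        print(hit)
```

The outbound SSH-port connection to 175.100.138.82 is the case a port-based allowlist would miss; the IP-only hit on 37.208.39.59 (listed on 7080, seen on 8080) is worth keeping because Emotet tiers rotate ports more often than addresses.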
Signatures

Drops file in System32 directory (4 IoCs)
Processes: insettools.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | insettools.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | insettools.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | insettools.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | insettools.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (Generic signature text; the extracted config identifies this sample as Emotet, a loader, not ransomware.)

Modifies data under HKEY_USERS (3 IoCs)
Processes: insettools.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | insettools.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | insettools.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | insettools.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes: insettools.exe
pid | process
1544 | insettools.exe (reported 14 times)

Suspicious behavior: RenamesItself (1 IoCs)
Processes: 3bebc167adc5cfc6df3e052fcc56cca0c5d91d30fe2791b2a5a6485878c3b2f1.exe
pid | process
4412 | 3bebc167adc5cfc6df3e052fcc56cca0c5d91d30fe2791b2a5a6485878c3b2f1.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 3bebc167adc5cfc6df3e052fcc56cca0c5d91d30fe2791b2a5a6485878c3b2f1.exe, insettools.exe
description | pid | process | target process
PID 3384 wrote to memory of 4412 | 3384 | 3bebc167adc5cfc6df3e052fcc56cca0c5d91d30fe2791b2a5a6485878c3b2f1.exe | 3bebc167adc5cfc6df3e052fcc56cca0c5d91d30fe2791b2a5a6485878c3b2f1.exe (reported 3 times)
PID 4192 wrote to memory of 1544 | 4192 | insettools.exe | insettools.exe (reported 3 times)
Processes (PIDs taken from the signature tables above)
- C:\Users\Admin\AppData\Local\Temp\3bebc167adc5cfc6df3e052fcc56cca0c5d91d30fe2791b2a5a6485878c3b2f1.exe (PID 3384)
  command line: "C:\Users\Admin\AppData\Local\Temp\3bebc167adc5cfc6df3e052fcc56cca0c5d91d30fe2791b2a5a6485878c3b2f1.exe"
  - Suspicious use of WriteProcessMemory
  - child: C:\Users\Admin\AppData\Local\Temp\3bebc167adc5cfc6df3e052fcc56cca0c5d91d30fe2791b2a5a6485878c3b2f1.exe (PID 4412)
    command line: --cc5ff026
    - Suspicious behavior: RenamesItself
- C:\Windows\SysWOW64\insettools.exe (PID 4192)
  command line: "C:\Windows\SysWOW64\insettools.exe"
  - Suspicious use of WriteProcessMemory
  - child: C:\Windows\SysWOW64\insettools.exe (PID 1544)
    command line: --6cadf2d0
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
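The process tree shows the same two-stage pattern twice: a binary relaunches its own image with a single eight-hex-digit `--` argument, first from the user's Temp directory and again from a copy under C:\Windows\SysWOW64 with a new name (insettools.exe here; the name is sample-specific, so it is not a reliable indicator by itself). The parent/child relationship is what generalises. The following is an added example, not output from the sandbox: it runs that check over process-creation events reconstructed from the PIDs, paths and arguments in this report (the full command lines and the ancestor PIDs are assumptions, since the report does not expose them as structured events) plus two constructed benign events.

```python
"""Flag the self-spawn pattern in the process tree above: a process
launches its own image with a single "--<8 hex>" argument, first from
%TEMP% and again from a copy dropped under SysWOW64.
Added example over constructed process-creation events; not report output."""
import re
from dataclasses import dataclass

# A lone argument of exactly eight lowercase hex digits, e.g. "--cc5ff026".
HEX_ARG = re.compile(r"(?<!\S)--[0-9a-f]{8}(?!\S)")
SYSWOW64 = re.compile(r"^c:\\windows\\syswow64\\", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\3bebc167adc5cfc6df3e052fcc56cca0c5d91d30fe2791b2a5a6485878c3b2f1.exe"
DROPPED = r"C:\Windows\SysWOW64\insettools.exe"
NOTEPAD = r"C:\Windows\System32\notepad.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed from this report's PIDs and paths; the parent PIDs 1000/700,
# the full command lines and the benign events are assumptions for the example.
EVENTS = [
    ProcEvent(1000, 1, EXPLORER, f'"{EXPLORER}"'),
    ProcEvent(3384, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(4412, 3384, SAMPLE, f'"{SAMPLE}" --cc5ff026'),
    ProcEvent(4192, 700, DROPPED, f'"{DROPPED}"'),
    ProcEvent(1544, 4192, DROPPED, f'"{DROPPED}" --6cadf2d0'),
    # hex-looking argument but launched by explorer, not by its own image
    ProcEvent(5000, 1000, NOTEPAD, f'"{NOTEPAD}" --6cadf2d0'),
]


def find_self_spawn(events):
    """Return (parent_pid, child_pid, image, location) for each child whose
    parent runs the same image and whose command line carries a --<8 hex> arg.
    location is 'syswow64' when the image lives under SysWOW64, else 'other'."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or parent.image.lower() != e.image.lower():
            continue
        if not HEX_ARG.search(e.cmdline):
            continue
        location = "syswow64" if SYSWOW64.match(e.image) else "other"
        hits.append((parent.pid, e.pid, e.image, location))
    return hits


if __name__ == "__main__":
    for hit in find_self_spawn(EVENTS):
        print(hit)
```

The second hit (a SysWOW64-resident image spawning itself with the hex argument) is the stronger signal, since unsigned binaries with arbitrary names do not normally execute from that directory; the first hit alone would also catch the initial Temp-directory stage before the copy is dropped.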
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1544-134-0x0000000000000000-mapping.dmp
- memory/1544-136-0x0000000000400000-0x0000000000456000-memory.dmp (344KB)
- memory/3384-130-0x00000000021A0000-0x00000000021B3000-memory.dmp (76KB)
- memory/3384-131-0x0000000000400000-0x0000000000456000-memory.dmp (344KB)
- memory/4192-135-0x0000000000400000-0x0000000000419000-memory.dmp (100KB)
- memory/4412-132-0x0000000000000000-mapping.dmp
- memory/4412-133-0x0000000000400000-0x0000000000456000-memory.dmp (344KB)