Overview
overview
10Static
static
0374bb627e...71.dll
windows7_x64
100374bb627e...71.dll
windows10-2004_x64
100ba117fd39...35.exe
windows7_x64
100ba117fd39...35.exe
windows10-2004_x64
10196c17a866...fe.exe
windows7_x64
10196c17a866...fe.exe
windows10-2004_x64
101e0215f67f...53.exe
windows7_x64
101e0215f67f...53.exe
windows10-2004_x64
1025d04d6314...de.exe
windows7_x64
1025d04d6314...de.exe
windows10-2004_x64
10428ff553b6...50.exe
windows7_x64
10428ff553b6...50.exe
windows10-2004_x64
10455d08a5e2...ce.exe
windows7_x64
10455d08a5e2...ce.exe
windows10-2004_x64
104dbd0cd1e0...59.dll
windows7_x64
104dbd0cd1e0...59.dll
windows10-2004_x64
104febaf5c3e...92.exe
windows7_x64
104febaf5c3e...92.exe
windows10-2004_x64
105282f373b4...ff.exe
windows7_x64
95282f373b4...ff.exe
windows10-2004_x64
96c2e494f16...47.exe
windows7_x64
106c2e494f16...47.exe
windows10-2004_x64
106c95be6a53...65.exe
windows7_x64
106c95be6a53...65.exe
windows10-2004_x64
1075a5b0e0e9...1a.exe
windows7_x64
1075a5b0e0e9...1a.exe
windows10-2004_x64
107dd89cf8a1...d2.exe
windows7_x64
107dd89cf8a1...d2.exe
windows10-2004_x64
1081fa8a3bdc...77.exe
windows7_x64
1081fa8a3bdc...77.exe
windows10-2004_x64
109268e1f0af...b0.dll
windows7_x64
109268e1f0af...b0.dll
windows10-2004_x64
10Analysis
-
max time kernel
280s -
max time network
297s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
20-06-2022 13:51
Static task
static1
Behavioral task
behavioral1
Sample
0374bb627e51aa5fa5df0640a5468939cf190a1a1bc0c8a0f3df4bc9b3e92171.dll
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
0374bb627e51aa5fa5df0640a5468939cf190a1a1bc0c8a0f3df4bc9b3e92171.dll
Resource
win10v2004-20220414-en
Behavioral task
behavioral3
Sample
0ba117fd394120dbe7fef45f244ab20d476e595fd900ce56c4fced0941e8a635.exe
Resource
win7-20220414-en
Behavioral task
behavioral4
Sample
0ba117fd394120dbe7fef45f244ab20d476e595fd900ce56c4fced0941e8a635.exe
Resource
win10v2004-20220414-en
Behavioral task
behavioral5
Sample
196c17a866c395520e3440779c11fa79063127efb81cfb5d44f9c664f6a790fe.exe
Resource
win7-20220414-en
Behavioral task
behavioral6
Sample
196c17a866c395520e3440779c11fa79063127efb81cfb5d44f9c664f6a790fe.exe
Resource
win10v2004-20220414-en
Behavioral task
behavioral7
Sample
1e0215f67fb7b02bc44f33bf6a5b884c3061cbeb38e0150b559635458951fa53.exe
Resource
win7-20220414-en
Behavioral task
behavioral8
Sample
1e0215f67fb7b02bc44f33bf6a5b884c3061cbeb38e0150b559635458951fa53.exe
Resource
win10v2004-20220414-en
Behavioral task
behavioral9
Sample
25d04d6314390db9f02656b70f9d0da208b7d3e4dd47ece7cb907854a2c07dde.exe
Resource
win7-20220414-en
Behavioral task
behavioral10
Sample
25d04d6314390db9f02656b70f9d0da208b7d3e4dd47ece7cb907854a2c07dde.exe
Resource
win10v2004-20220414-en
Behavioral task
behavioral11
Sample
428ff553b67cd782e6d0227ae09c83ba8074fa11cf4bfd91703b2043aa5f6c50.exe
Resource
win7-20220414-en
Behavioral task
behavioral12
Sample
428ff553b67cd782e6d0227ae09c83ba8074fa11cf4bfd91703b2043aa5f6c50.exe
Resource
win10v2004-20220414-en
Behavioral task
behavioral13
Sample
455d08a5e2a10427eb1aec8f9ee931a5ae10b41acb9cf0e9090f87722a96b9ce.exe
Resource
win7-20220414-en
Behavioral task
behavioral14
Sample
455d08a5e2a10427eb1aec8f9ee931a5ae10b41acb9cf0e9090f87722a96b9ce.exe
Resource
win10v2004-20220414-en
Behavioral task
behavioral15
Sample
4dbd0cd1e0f85d16cb65f376880ca9ba247bd1f81542f135610f951349909959.dll
Resource
win7-20220414-en
Behavioral task
behavioral16
Sample
4dbd0cd1e0f85d16cb65f376880ca9ba247bd1f81542f135610f951349909959.dll
Resource
win10v2004-20220414-en
Behavioral task
behavioral17
Sample
4febaf5c3eb1938f657200df1141457d1bb34b9b67222f2e889c9785dd99e492.exe
Resource
win7-20220414-en
Behavioral task
behavioral18
Sample
4febaf5c3eb1938f657200df1141457d1bb34b9b67222f2e889c9785dd99e492.exe
Resource
win10v2004-20220414-en
Behavioral task
behavioral19
Sample
5282f373b4dbab1b939b625d05d45442e8c008eeb6fa5d3c1f587cf80afa21ff.exe
Resource
win7-20220414-en
Behavioral task
behavioral20
Sample
5282f373b4dbab1b939b625d05d45442e8c008eeb6fa5d3c1f587cf80afa21ff.exe
Resource
win10v2004-20220414-en
Behavioral task
behavioral21
Sample
6c2e494f16262d6e4b2eaa552971b562a2bb87ac71a73a8be8638aefb47f1a47.exe
Resource
win7-20220414-en
Behavioral task
behavioral22
Sample
6c2e494f16262d6e4b2eaa552971b562a2bb87ac71a73a8be8638aefb47f1a47.exe
Resource
win10v2004-20220414-en
Behavioral task
behavioral23
Sample
6c95be6a536264db1dcb3c13b03b6f67d04b75a49cb9411fa294352590df2e65.exe
Resource
win7-20220414-en
Behavioral task
behavioral24
Sample
6c95be6a536264db1dcb3c13b03b6f67d04b75a49cb9411fa294352590df2e65.exe
Resource
win10v2004-20220414-en
Behavioral task
behavioral25
Sample
75a5b0e0e96691e1aacf99aba23f9b2a53ef8c349a8822494b7b82c400b5a61a.exe
Resource
win7-20220414-en
Behavioral task
behavioral26
Sample
75a5b0e0e96691e1aacf99aba23f9b2a53ef8c349a8822494b7b82c400b5a61a.exe
Resource
win10v2004-20220414-en
Behavioral task
behavioral27
Sample
7dd89cf8a1fd81909f2dd9b75cffa1f7ed98ae94c381a6c92ffd0a0dee7707d2.exe
Resource
win7-20220414-en
Behavioral task
behavioral28
Sample
7dd89cf8a1fd81909f2dd9b75cffa1f7ed98ae94c381a6c92ffd0a0dee7707d2.exe
Resource
win10v2004-20220414-en
Behavioral task
behavioral29
Sample
81fa8a3bdc452dd2b279b61fed92fe83d65e650e06bca9ee4dfcf991a4a59e77.exe
Resource
win7-20220414-en
Behavioral task
behavioral30
Sample
81fa8a3bdc452dd2b279b61fed92fe83d65e650e06bca9ee4dfcf991a4a59e77.exe
Resource
win10v2004-20220414-en
Behavioral task
behavioral31
Sample
9268e1f0af209ecb3d16ddbb4b5f294194c62b54812b02aba7efc7b1306c0fb0.dll
Resource
win7-20220414-en
General
-
Target
196c17a866c395520e3440779c11fa79063127efb81cfb5d44f9c664f6a790fe.exe
-
Size
384KB
-
MD5
e5fbc1da28635c999735d46d021c1b69
-
SHA1
98bd51f54697562312fabfea5dcadd3eed997207
-
SHA256
196c17a866c395520e3440779c11fa79063127efb81cfb5d44f9c664f6a790fe
-
SHA512
8c0f3a35bdfd4e7821f72793595f576a836d5d52ed650d7291c87673489452ef55c5b6182666a678edbf32f4aabc4f8a18fa5e88261c4c919cb012ec585d2fae
Malware Config
Extracted
emotet
Epoch2
99.247.33.186:80
181.165.68.127:80
64.207.182.168:8080
51.89.36.180:443
51.89.199.141:8080
87.106.139.101:8080
139.162.60.124:8080
74.208.45.104:8080
209.141.54.221:7080
173.173.254.105:80
217.20.166.178:7080
208.74.26.234:80
88.153.35.32:80
216.139.123.119:80
110.145.101.66:443
176.111.60.55:8080
139.99.158.11:443
109.116.245.80:80
172.86.188.251:8080
115.94.207.99:443
139.59.60.244:8080
24.178.90.49:80
112.185.64.233:80
187.161.206.24:80
172.104.97.173:8080
182.208.30.18:443
78.24.219.147:8080
190.162.215.233:80
71.15.245.148:8080
62.75.141.82:80
200.116.145.225:443
62.30.7.67:443
138.68.87.218:443
76.27.179.47:80
201.171.244.130:80
46.105.131.79:8080
220.245.198.194:80
89.216.122.92:80
78.125.252.112:80
94.23.237.171:443
109.74.5.95:8080
50.91.114.38:80
47.36.140.164:80
190.146.92.48:80
61.19.246.238:443
96.245.227.43:80
190.29.166.0:80
185.94.252.104:443
168.235.67.138:7080
202.141.243.254:443
186.74.215.34:80
190.108.228.27:443
12.184.217.101:80
119.59.116.21:8080
74.40.205.197:443
174.106.122.139:80
194.4.58.192:7080
85.105.111.166:80
157.245.99.39:8080
79.137.83.50:443
184.180.181.202:80
80.227.52.78:80
172.105.13.66:443
37.187.72.193:8080
67.170.250.203:443
104.32.141.43:80
95.213.236.64:8080
120.150.218.241:443
76.175.162.101:80
202.134.4.216:8080
154.0.8.2:443
49.50.209.131:80
98.150.169.135:80
142.112.10.95:20
118.83.154.64:443
137.59.187.107:8080
203.153.216.189:7080
120.150.60.189:80
123.176.25.234:80
103.86.49.11:8080
108.46.29.236:80
37.179.204.33:80
104.131.11.150:443
78.188.106.53:443
2.58.16.89:8080
194.190.67.75:80
95.9.5.93:80
75.143.247.51:80
27.114.9.93:80
190.164.104.62:80
72.186.136.247:443
91.211.88.52:7080
5.2.212.254:80
24.137.76.62:80
202.134.4.211:8080
201.241.127.190:80
134.209.144.106:443
74.75.104.224:80
167.114.153.111:8080
113.61.66.94:80
110.145.77.103:80
172.91.208.86:80
37.139.21.175:8080
94.230.70.6:80
24.179.13.119:80
94.200.114.161:80
41.185.28.84:8080
155.186.9.160:80
173.63.222.65:80
5.39.91.110:7080
121.124.124.40:7080
188.219.31.12:80
50.245.107.73:443
100.37.240.62:80
62.171.142.179:8080
190.240.194.77:443
110.142.236.207:80
Signatures
-
suricata: ET MALWARE Win32/Emotet CnC Activity (POST) M11
suricata: ET MALWARE Win32/Emotet CnC Activity (POST) M11
-
resource yara_rule behavioral5/memory/1064-55-0x0000000000230000-0x0000000000242000-memory.dmp emotet behavioral5/memory/1064-59-0x0000000000250000-0x0000000000260000-memory.dmp emotet behavioral5/memory/1064-62-0x0000000000220000-0x000000000022F000-memory.dmp emotet -
Executes dropped EXE 1 IoCs
pid Process 1088 cmlua.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\fmifs\cmlua.exe 196c17a866c395520e3440779c11fa79063127efb81cfb5d44f9c664f6a790fe.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File opened for modification C:\Windows\notepad.exe 196c17a866c395520e3440779c11fa79063127efb81cfb5d44f9c664f6a790fe.exe File opened for modification C:\Windows\notepad.exe cmlua.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 1088 cmlua.exe 1088 cmlua.exe 1088 cmlua.exe 1088 cmlua.exe 1088 cmlua.exe 1088 cmlua.exe 1088 cmlua.exe 1088 cmlua.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 1064 196c17a866c395520e3440779c11fa79063127efb81cfb5d44f9c664f6a790fe.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1064 196c17a866c395520e3440779c11fa79063127efb81cfb5d44f9c664f6a790fe.exe 1088 cmlua.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1064 wrote to memory of 1088 1064 196c17a866c395520e3440779c11fa79063127efb81cfb5d44f9c664f6a790fe.exe 28 PID 1064 wrote to memory of 1088 1064 196c17a866c395520e3440779c11fa79063127efb81cfb5d44f9c664f6a790fe.exe 28 PID 1064 wrote to memory of 1088 1064 196c17a866c395520e3440779c11fa79063127efb81cfb5d44f9c664f6a790fe.exe 28 PID 1064 wrote to memory of 1088 1064 196c17a866c395520e3440779c11fa79063127efb81cfb5d44f9c664f6a790fe.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\196c17a866c395520e3440779c11fa79063127efb81cfb5d44f9c664f6a790fe.exe"C:\Users\Admin\AppData\Local\Temp\196c17a866c395520e3440779c11fa79063127efb81cfb5d44f9c664f6a790fe.exe"1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1064 -
C:\Windows\SysWOW64\fmifs\cmlua.exe"C:\Windows\SysWOW64\fmifs\cmlua.exe"2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1088
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
384KB
MD5e5fbc1da28635c999735d46d021c1b69
SHA198bd51f54697562312fabfea5dcadd3eed997207
SHA256196c17a866c395520e3440779c11fa79063127efb81cfb5d44f9c664f6a790fe
SHA5128c0f3a35bdfd4e7821f72793595f576a836d5d52ed650d7291c87673489452ef55c5b6182666a678edbf32f4aabc4f8a18fa5e88261c4c919cb012ec585d2fae