Analysis

  • max time kernel
    280s
  • max time network
    297s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    20-06-2022 13:51

General

  • Target

    196c17a866c395520e3440779c11fa79063127efb81cfb5d44f9c664f6a790fe.exe

  • Size

    384KB

  • MD5

    e5fbc1da28635c999735d46d021c1b69

  • SHA1

    98bd51f54697562312fabfea5dcadd3eed997207

  • SHA256

    196c17a866c395520e3440779c11fa79063127efb81cfb5d44f9c664f6a790fe

  • SHA512

    8c0f3a35bdfd4e7821f72793595f576a836d5d52ed650d7291c87673489452ef55c5b6182666a678edbf32f4aabc4f8a18fa5e88261c4c919cb012ec585d2fae

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

C2

99.247.33.186:80

181.165.68.127:80

64.207.182.168:8080

51.89.36.180:443

51.89.199.141:8080

87.106.139.101:8080

139.162.60.124:8080

74.208.45.104:8080

209.141.54.221:7080

173.173.254.105:80

217.20.166.178:7080

208.74.26.234:80

88.153.35.32:80

216.139.123.119:80

110.145.101.66:443

176.111.60.55:8080

139.99.158.11:443

109.116.245.80:80

172.86.188.251:8080

115.94.207.99:443

rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • suricata: ET MALWARE Win32/Emotet CnC Activity (POST) M11

    suricata: ET MALWARE Win32/Emotet CnC Activity (POST) M11

  • Emotet Payload 3 IoCs

    Detects Emotet payload in memory.

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\196c17a866c395520e3440779c11fa79063127efb81cfb5d44f9c664f6a790fe.exe
    "C:\Users\Admin\AppData\Local\Temp\196c17a866c395520e3440779c11fa79063127efb81cfb5d44f9c664f6a790fe.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1064
    • C:\Windows\SysWOW64\fmifs\cmlua.exe
      "C:\Windows\SysWOW64\fmifs\cmlua.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1088

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\fmifs\cmlua.exe

    Filesize

    384KB

    MD5

    e5fbc1da28635c999735d46d021c1b69

    SHA1

    98bd51f54697562312fabfea5dcadd3eed997207

    SHA256

    196c17a866c395520e3440779c11fa79063127efb81cfb5d44f9c664f6a790fe

    SHA512

    8c0f3a35bdfd4e7821f72793595f576a836d5d52ed650d7291c87673489452ef55c5b6182666a678edbf32f4aabc4f8a18fa5e88261c4c919cb012ec585d2fae

  • memory/1064-54-0x00000000769D1000-0x00000000769D3000-memory.dmp

    Filesize

    8KB

  • memory/1064-55-0x0000000000230000-0x0000000000242000-memory.dmp

    Filesize

    72KB

  • memory/1064-59-0x0000000000250000-0x0000000000260000-memory.dmp

    Filesize

    64KB

  • memory/1064-62-0x0000000000220000-0x000000000022F000-memory.dmp

    Filesize

    60KB