Analysis
-
max time kernel: 139s
max time network: 163s
platform: windows10-2004_x64
resource: win10v2004-20220718-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220718-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-07-2022 17:59
Static task: static1
Behavioral task: behavioral1
Sample: 4e5257f3269d45a08e9aebc15fbc27c0de9c5b5481008b2158f164b1c6d0d697.exe
Resource: win7-20220718-en
General
-
Target: 4e5257f3269d45a08e9aebc15fbc27c0de9c5b5481008b2158f164b1c6d0d697.exe
Size: 607KB
MD5: 781a26507093dd6c3f2e38e6864fc502
SHA1: 33e84acc42351abfabd8481d4c53a48412400e4e
SHA256: 4e5257f3269d45a08e9aebc15fbc27c0de9c5b5481008b2158f164b1c6d0d697
SHA512: d0e707e62175e0ca3557262d517e84e1401646448c67f94c2039c51ed2128cc2393f70348c5f30a63c4c46d7857dbea1524c4071579f162a40aa1aca207b12ff
Malware Config
Extracted
emotet
Epoch1
186.90.29.228:443
181.135.153.203:443
74.208.68.48:8080
104.131.58.132:8080
68.183.190.199:8080
50.28.51.143:8080
77.55.211.77:8080
181.29.101.13:8080
178.79.163.131:8080
5.1.86.195:8080
187.188.166.192:80
203.25.159.3:8080
139.5.237.27:443
190.1.37.125:443
200.58.171.51:80
186.1.41.111:443
46.29.183.211:8080
109.169.86.13:8080
71.244.60.231:7080
159.203.204.126:8080
110.36.234.146:80
125.99.61.162:7080
119.159.150.176:443
181.51.251.236:443
181.44.166.242:80
149.62.173.247:8080
123.168.4.66:22
82.196.15.205:8080
138.68.106.4:7080
87.106.77.40:7080
190.230.60.129:80
185.86.148.222:8080
217.199.160.224:8080
81.169.140.14:443
88.250.223.190:8080
185.187.198.10:8080
62.75.143.100:7080
51.15.8.192:8080
190.38.14.52:80
46.101.212.195:8080
114.79.134.129:443
190.97.30.167:990
68.183.170.114:8080
190.104.253.234:990
181.36.42.205:443
109.104.79.48:8080
14.160.93.230:80
190.85.152.186:8080
151.80.142.33:80
46.28.111.142:7080
181.143.101.18:8080
181.59.253.20:21
212.71.237.140:8080
184.69.214.94:20
200.57.102.71:8443
119.59.124.163:8080
89.188.124.145:443
76.69.29.42:80
178.249.187.151:8080
77.245.101.134:8080
94.183.71.206:7080
183.82.97.25:80
201.163.74.202:443
62.75.160.178:8080
80.85.87.122:8080
200.51.94.251:143
86.42.166.147:80
170.84.133.72:8443
170.84.133.72:7080
71.244.60.230:7080
79.143.182.254:8080
119.92.51.40:8080
46.41.151.103:8080
46.163.144.228:80
91.205.215.57:7080
181.188.149.134:80
91.83.93.124:7080
190.230.60.129:8080
186.0.95.172:80
201.199.93.30:443
5.196.35.138:7080
189.166.68.89:443
190.10.194.42:8080
142.93.82.57:8080
79.129.0.173:8080
Signatures
-
Drops file in System32 directory (4 IoCs)
Processes: svcswithout.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | svcswithout.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | svcswithout.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | svcswithout.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | svcswithout.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS (3 IoCs)
Processes: svcswithout.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | svcswithout.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | svcswithout.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | svcswithout.exe
-
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes: svcswithout.exe
pid | process
1008 | svcswithout.exe
1008 | svcswithout.exe
1008 | svcswithout.exe
1008 | svcswithout.exe
1008 | svcswithout.exe
1008 | svcswithout.exe
1008 | svcswithout.exe
1008 | svcswithout.exe
-
Suspicious behavior: RenamesItself (1 IoCs)
Processes: 4e5257f3269d45a08e9aebc15fbc27c0de9c5b5481008b2158f164b1c6d0d697.exe
pid | process
4496 | 4e5257f3269d45a08e9aebc15fbc27c0de9c5b5481008b2158f164b1c6d0d697.exe
-
Suspicious use of SetWindowsHookEx (4 IoCs)
Processes: 4e5257f3269d45a08e9aebc15fbc27c0de9c5b5481008b2158f164b1c6d0d697.exe, 4e5257f3269d45a08e9aebc15fbc27c0de9c5b5481008b2158f164b1c6d0d697.exe, svcswithout.exe, svcswithout.exe
pid | process
4756 | 4e5257f3269d45a08e9aebc15fbc27c0de9c5b5481008b2158f164b1c6d0d697.exe
4496 | 4e5257f3269d45a08e9aebc15fbc27c0de9c5b5481008b2158f164b1c6d0d697.exe
4752 | svcswithout.exe
1008 | svcswithout.exe
-
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 4e5257f3269d45a08e9aebc15fbc27c0de9c5b5481008b2158f164b1c6d0d697.exe, svcswithout.exe
description | pid | process | target process
PID 4756 wrote to memory of 4496 | 4756 | 4e5257f3269d45a08e9aebc15fbc27c0de9c5b5481008b2158f164b1c6d0d697.exe | 4e5257f3269d45a08e9aebc15fbc27c0de9c5b5481008b2158f164b1c6d0d697.exe
PID 4756 wrote to memory of 4496 | 4756 | 4e5257f3269d45a08e9aebc15fbc27c0de9c5b5481008b2158f164b1c6d0d697.exe | 4e5257f3269d45a08e9aebc15fbc27c0de9c5b5481008b2158f164b1c6d0d697.exe
PID 4756 wrote to memory of 4496 | 4756 | 4e5257f3269d45a08e9aebc15fbc27c0de9c5b5481008b2158f164b1c6d0d697.exe | 4e5257f3269d45a08e9aebc15fbc27c0de9c5b5481008b2158f164b1c6d0d697.exe
PID 4752 wrote to memory of 1008 | 4752 | svcswithout.exe | svcswithout.exe
PID 4752 wrote to memory of 1008 | 4752 | svcswithout.exe | svcswithout.exe
PID 4752 wrote to memory of 1008 | 4752 | svcswithout.exe | svcswithout.exe
Processes
-
(tree depth 1) C:\Users\Admin\AppData\Local\Temp\4e5257f3269d45a08e9aebc15fbc27c0de9c5b5481008b2158f164b1c6d0d697.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\4e5257f3269d45a08e9aebc15fbc27c0de9c5b5481008b2158f164b1c6d0d697.exe"
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
(tree depth 2) C:\Users\Admin\AppData\Local\Temp\4e5257f3269d45a08e9aebc15fbc27c0de9c5b5481008b2158f164b1c6d0d697.exe
Command line: --680385a7
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
-
(tree depth 1) C:\Windows\SysWOW64\svcswithout.exe
Command line: "C:\Windows\SysWOW64\svcswithout.exe"
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
(tree depth 2) C:\Windows\SysWOW64\svcswithout.exe
Command line: --d4be45eb
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
memory/1008-147-0x0000000000000000-mapping.dmp
-
memory/1008-148-0x0000000000D90000-0x0000000000DA7000-memory.dmp (Filesize: 92KB)
-
memory/4496-135-0x0000000000000000-mapping.dmp
-
memory/4496-136-0x0000000000640000-0x0000000000657000-memory.dmp (Filesize: 92KB)
-
memory/4752-143-0x0000000000E10000-0x0000000000E27000-memory.dmp (Filesize: 92KB)
-
memory/4756-130-0x0000000002290000-0x00000000022A7000-memory.dmp (Filesize: 92KB)
-
memory/4756-141-0x0000000002280000-0x0000000002290000-memory.dmp (Filesize: 64KB)