Analysis
- max time kernel: 142s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220722-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220722-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-07-2022 05:21
Static task: static1
Behavioral task: behavioral1
Sample: rimidkjf.exe
Resource: win7-20220715-en
General
- Target: rimidkjf.exe
- Size: 840KB
- MD5: 406ac12181bdbb42a750ef38545afe02
- SHA1: 7f51b30226520b2e6865ed808bc1d01dd64d78cc
- SHA256: fdc0245a18ce0dabe29c6ae596c7ca4144778923f71712f27c0f53b4114c2b1a
- SHA512: b80274c1cc8a2db6a70317b9cf557d083d39d45725af93dda855c00bb8ac45d4c37aa711c3e10b706826727646ce1fce4516ad80df035bebf736bf77b8e022bd
Malware Config
Extracted: emotet (botnet: Epoch1)
Addresses (ip:port):
197.245.25.228:80
98.103.204.12:443
59.148.253.194:8080
173.212.197.71:8080
87.106.46.107:8080
50.28.51.143:8080
177.73.0.98:443
213.197.182.158:8080
185.94.252.12:80
189.223.16.99:80
5.189.178.202:8080
186.103.141.250:443
181.129.96.162:8080
190.101.156.139:80
46.105.114.137:8080
51.15.7.145:80
98.13.75.196:80
202.134.4.210:7080
104.131.41.185:8080
181.123.6.86:80
60.93.23.51:80
201.71.228.86:80
128.92.203.42:80
174.118.202.24:443
2.45.176.233:80
181.30.61.163:443
70.32.84.74:8080
177.144.130.105:443
181.56.32.36:80
81.215.230.173:443
82.76.111.249:443
64.201.88.132:80
103.236.179.162:80
76.121.199.225:80
137.74.106.111:7080
152.169.22.67:80
178.250.54.208:8080
170.81.48.2:80
138.97.60.141:7080
1.226.84.243:8080
70.169.17.134:80
85.214.26.7:8080
192.232.229.54:7080
181.61.182.143:80
74.58.215.226:80
192.241.143.52:8080
209.236.123.42:8080
217.13.106.14:8080
201.213.177.139:80
45.46.37.97:80
74.135.120.91:80
190.190.219.184:80
51.75.33.127:80
62.84.75.50:80
213.52.74.198:80
37.179.145.105:80
189.2.177.210:443
68.183.170.114:8080
45.33.77.42:8080
177.129.17.170:443
185.94.252.27:443
186.189.249.2:80
77.78.196.173:443
191.97.154.2:80
190.24.243.186:80
94.176.234.118:443
68.183.190.199:8080
5.89.33.136:80
191.182.6.118:80
46.101.58.37:8080
77.238.212.227:80
12.162.84.2:8080
37.183.81.217:80
173.68.199.157:80
37.187.161.206:8080
149.202.72.142:7080
219.92.13.25:80
109.190.249.106:80
172.86.186.21:8080
109.190.35.249:80
70.32.115.157:8080
185.183.16.47:80
186.70.127.199:8090
24.232.228.233:80
175.143.12.123:8080
178.211.45.66:8080
51.255.165.160:8080
46.43.2.95:8080
181.58.181.9:80
190.188.245.242:80
177.23.7.151:80
212.71.237.140:8080
83.169.21.32:7080
200.59.6.174:80
190.115.18.139:8080
2.85.9.41:8080
188.135.15.49:80
172.104.169.32:8080
51.15.7.189:80
111.67.12.221:8080
5.196.35.138:7080
12.163.208.58:80
188.251.213.180:80
177.144.130.105:8080
138.97.60.140:8080
188.157.101.114:80
216.47.196.104:80
183.176.82.231:80
79.118.74.90:80
Signatures
- yara_rule matches (resource, rule):
  behavioral2/memory/3336-132-0x0000000002290000-0x00000000022A8000-memory.dmp  emotet
  behavioral2/memory/3336-136-0x0000000002340000-0x0000000002357000-memory.dmp  emotet
  behavioral2/memory/3336-140-0x0000000002270000-0x0000000002286000-memory.dmp  emotet
  behavioral2/memory/4732-143-0x00000000007B0000-0x00000000007C8000-memory.dmp  emotet
  behavioral2/memory/4732-147-0x0000000002100000-0x0000000002117000-memory.dmp  emotet
- Executes dropped EXE (1 IoC)
  Processes (pid, process): 4732 ExecModelClient.exe
- Drops file in System32 directory (1 IoC)
  Processes (description, ioc, process): File opened for modification; C:\Windows\SysWOW64\wiashext\ExecModelClient.exe; rimidkjf.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes (pid, process): 4732 ExecModelClient.exe (14 occurrences)
- Suspicious behavior: RenamesItself (1 IoC)
  Processes (pid, process): 3336 rimidkjf.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid, process): 3336 rimidkjf.exe; 4732 ExecModelClient.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description, pid, process, target process): PID 3336 wrote to memory of 4732; 3336; rimidkjf.exe; ExecModelClient.exe (3 occurrences)
Processes
1. C:\Users\Admin\AppData\Local\Temp\rimidkjf.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\rimidkjf.exe"
   - Drops file in System32 directory
   - Suspicious behavior: RenamesItself
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\wiashext\ExecModelClient.exe (depth 2, child of the process above)
      Command line: "C:\Windows\SysWOW64\wiashext\ExecModelClient.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\SysWOW64\wiashext\ExecModelClient.exe (same size and hashes as the submitted sample: the dropped file is a copy of rimidkjf.exe)
  Filesize: 840KB
  MD5: 406ac12181bdbb42a750ef38545afe02
  SHA1: 7f51b30226520b2e6865ed808bc1d01dd64d78cc
  SHA256: fdc0245a18ce0dabe29c6ae596c7ca4144778923f71712f27c0f53b4114c2b1a
  SHA512: b80274c1cc8a2db6a70317b9cf557d083d39d45725af93dda855c00bb8ac45d4c37aa711c3e10b706826727646ce1fce4516ad80df035bebf736bf77b8e022bd
- memory/3336-132-0x0000000002290000-0x00000000022A8000-memory.dmp
  Filesize: 96KB
- memory/3336-136-0x0000000002340000-0x0000000002357000-memory.dmp
  Filesize: 92KB
- memory/3336-140-0x0000000002270000-0x0000000002286000-memory.dmp
  Filesize: 88KB
- memory/4732-141-0x0000000000000000-mapping.dmp
- memory/4732-143-0x00000000007B0000-0x00000000007C8000-memory.dmp
  Filesize: 96KB
- memory/4732-147-0x0000000002100000-0x0000000002117000-memory.dmp
  Filesize: 92KB