Analysis
max time kernel: 176s
max time network: 185s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-07-2022 05:23
Static task: static1
Behavioral task: behavioral1
Sample: tgwbgggc.exe
Resource: win7-20220715-en
General
Target: tgwbgggc.exe
Size: 361KB
MD5: 59c99c0fc4184d2d5e9b6772262a19cc
SHA1: 10abdb7d7a54de2fe34a21253903cf6dd4821d03
SHA256: 3c1d3f81ebcc0000c838b73398fc229e5d81e00e5c7924e9e92a929b62e7fc97
SHA512: 5710e088c47249ff3d19eae9434c6a1e6c9af7dc77b555918e81e1d31aa46b60893f818f292b4d906575f610f13b309c37bf436fce0f0ceedb62c651e154f2b7
Malware Config
Extracted
emotet
Epoch1
2.45.176.233:80
98.103.204.12:443
172.86.186.21:8080
192.175.111.214:8080
109.190.249.106:80
177.144.130.105:8080
70.32.84.74:8080
192.81.38.31:80
138.97.60.140:8080
189.223.16.99:80
175.143.12.123:8080
190.115.18.139:8080
170.81.48.2:80
5.196.35.138:7080
172.104.169.32:8080
178.250.54.208:8080
185.94.252.27:443
46.105.114.137:8080
79.118.74.90:80
70.169.17.134:80
60.93.23.51:80
45.46.37.97:80
50.121.220.50:80
209.236.123.42:8080
138.97.60.141:7080
87.106.46.107:8080
212.71.237.140:8080
177.73.0.98:443
111.67.12.221:8080
83.169.21.32:7080
185.183.16.47:80
177.129.17.170:443
77.78.196.173:443
68.183.190.199:8080
51.38.124.206:80
64.201.88.132:80
174.118.202.24:443
177.74.228.34:80
190.24.243.186:80
188.157.101.114:80
202.134.4.210:7080
191.182.6.118:80
137.74.106.111:7080
189.2.177.210:443
186.222.250.115:8080
74.58.215.226:80
5.189.178.202:8080
105.209.235.113:8080
12.163.208.58:80
85.214.26.7:8080
37.187.161.206:8080
68.183.170.114:8080
46.101.58.37:8080
217.13.106.14:8080
5.89.33.136:80
177.23.7.151:80
188.135.15.49:80
45.33.77.42:8080
190.96.15.50:80
190.188.245.242:80
192.232.229.54:7080
46.43.2.95:8080
185.94.252.12:80
201.213.177.139:80
98.13.75.196:80
12.162.84.2:8080
190.190.219.184:80
51.255.165.160:8080
149.202.72.142:7080
213.52.74.198:80
81.215.230.173:443
192.241.143.52:8080
37.179.145.105:80
183.176.82.231:80
152.169.22.67:80
216.47.196.104:80
74.135.120.91:80
128.92.203.42:80
213.197.182.158:8080
94.176.234.118:443
177.144.130.105:443
181.129.96.162:8080
200.127.14.97:80
51.75.33.127:80
186.70.127.199:8090
109.190.35.249:80
104.131.41.185:8080
50.28.51.143:8080
51.15.7.189:80
1.226.84.243:8080
178.211.45.66:8080
219.92.13.25:80
103.236.179.162:80
51.15.7.145:80
186.103.141.250:443
24.232.228.233:80
70.32.115.157:8080
82.76.111.249:443
191.191.23.135:80
62.84.75.50:80
77.238.212.227:80
181.30.61.163:443
Signatures
-
Processes:
resource | yara_rule
behavioral2/memory/5104-130-0x00000000022D0000-0x00000000022EC000-memory.dmp | emotet
behavioral2/memory/5104-134-0x00000000022F0000-0x000000000230B000-memory.dmp | emotet
behavioral2/memory/5104-138-0x00000000022A0000-0x00000000022BA000-memory.dmp | emotet
behavioral2/memory/3184-141-0x0000000002170000-0x000000000218C000-memory.dmp | emotet
behavioral2/memory/3184-145-0x0000000002190000-0x00000000021AB000-memory.dmp | emotet
Executes dropped EXE 1 IoCs
Processes:
pid | process
3184 | umpdc.exe
Drops file in System32 directory 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\Windows.Internal.Management\umpdc.exe | tgwbgggc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
pid | process
3184 | umpdc.exe (12 occurrences)
Suspicious behavior: RenamesItself 1 IoCs
Processes:
pid | process
5104 | tgwbgggc.exe
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid | process
5104 | tgwbgggc.exe
3184 | umpdc.exe
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
description | pid | process | target process
PID 5104 wrote to memory of 3184 | 5104 | tgwbgggc.exe | umpdc.exe
PID 5104 wrote to memory of 3184 | 5104 | tgwbgggc.exe | umpdc.exe
PID 5104 wrote to memory of 3184 | 5104 | tgwbgggc.exe | umpdc.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\tgwbgggc.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\tgwbgggc.exe"
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\Windows.Internal.Management\umpdc.exe (child of 1)
      command line: "C:\Windows\SysWOW64\Windows.Internal.Management\umpdc.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Windows\SysWOW64\Windows.Internal.Management\umpdc.exe
Filesize: 361KB
MD5: 59c99c0fc4184d2d5e9b6772262a19cc
SHA1: 10abdb7d7a54de2fe34a21253903cf6dd4821d03
SHA256: 3c1d3f81ebcc0000c838b73398fc229e5d81e00e5c7924e9e92a929b62e7fc97
SHA512: 5710e088c47249ff3d19eae9434c6a1e6c9af7dc77b555918e81e1d31aa46b60893f818f292b4d906575f610f13b309c37bf436fce0f0ceedb62c651e154f2b7
memory/3184-139-0x0000000000000000-mapping.dmp

memory/3184-141-0x0000000002170000-0x000000000218C000-memory.dmp
Filesize: 112KB

memory/3184-145-0x0000000002190000-0x00000000021AB000-memory.dmp
Filesize: 108KB

memory/5104-130-0x00000000022D0000-0x00000000022EC000-memory.dmp
Filesize: 112KB

memory/5104-134-0x00000000022F0000-0x000000000230B000-memory.dmp
Filesize: 108KB

memory/5104-138-0x00000000022A0000-0x00000000022BA000-memory.dmp
Filesize: 104KB