Analysis
- max time kernel: 151s
- max time network: 161s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 30-11-2022 16:25
Behavioral task: behavioral1
- Sample: 55a80b03ee90e27367da501b1c944d33bbaa8d602a02ea827aca646a40381eaf.exe
- Resource: win7-20220812-en
General
- Target: 55a80b03ee90e27367da501b1c944d33bbaa8d602a02ea827aca646a40381eaf.exe
- Size: 474KB
- MD5: 1caf518700f8a969fe59ea7c35d13995
- SHA1: 7f6133ad68ba50920d5d353d346ec7ee7393b883
- SHA256: 55a80b03ee90e27367da501b1c944d33bbaa8d602a02ea827aca646a40381eaf
- SHA512: f6e3e6c93a3afe7b8ce2b8b84e71c61527795728c8ab7121bc875d1731b9b4f97f56defcdba6109fcbc7d353dc4a555f87a42a75944242e79941144614e84bf5
- SSDEEP: 6144:ieFrEMus74tW3HvPgADDnz/HXnr/vYitorLFDPMTJYhr64Fg0:ntEMus70imrLFPMdV4Fg0
Malware Config
Extracted config: emotet, Epoch3
Addresses (ip:port):
110.36.234.146:80
197.211.244.6:443
125.99.61.162:7080
115.88.70.226:7080
162.241.232.82:8080
194.50.163.106:8080
162.214.27.219:7080
203.150.19.63:443
179.62.18.56:443
93.78.205.196:443
176.58.93.123:80
138.197.140.163:8080
181.113.229.139:990
201.244.125.210:995
186.10.16.244:53
83.169.33.157:8080
45.33.1.161:8080
186.117.174.26:80
186.93.167.147:443
148.240.52.172:80
186.29.155.101:50000
190.92.103.7:80
113.52.135.33:7080
70.45.30.28:80
5.189.148.98:8080
181.55.171.237:8080
143.95.101.72:8080
190.55.86.138:8443
181.165.150.211:143
190.96.118.15:443
190.117.206.153:443
41.60.202.26:22
216.70.88.55:8080
139.59.242.76:8080
190.13.146.47:443
178.249.187.150:7080
190.55.39.215:80
200.114.134.8:20
78.109.34.178:443
46.32.229.152:8080
216.154.222.52:7080
181.230.126.152:8090
152.170.220.95:80
51.38.134.203:8080
94.177.253.126:80
108.179.216.46:8080
Signatures
-
Drops file in System32 directory 1 IoCs
Processes:
- [tlbmira.exe] File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 21 IoCs
Processes:
- [tlbmira.exe] Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-99-72-cf-ac-0a\WpadDecisionTime = 401f36726706d901
- [tlbmira.exe] Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
- [tlbmira.exe] Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- [tlbmira.exe] Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
- [tlbmira.exe] Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- [tlbmira.exe] Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0080000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- [tlbmira.exe] Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{75538D86-5D3D-416F-AD75-E96D1A96F6C3}\WpadDecision = "0"
- [tlbmira.exe] Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-99-72-cf-ac-0a\WpadDecisionReason = "1"
- [tlbmira.exe] Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
- [tlbmira.exe] Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
- [tlbmira.exe] Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-99-72-cf-ac-0a
- [tlbmira.exe] Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
- [tlbmira.exe] Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
- [tlbmira.exe] Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
- [tlbmira.exe] Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{75538D86-5D3D-416F-AD75-E96D1A96F6C3}
- [tlbmira.exe] Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{75538D86-5D3D-416F-AD75-E96D1A96F6C3}\WpadDecisionReason = "1"
- [tlbmira.exe] Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{75538D86-5D3D-416F-AD75-E96D1A96F6C3}\1e-99-72-cf-ac-0a
- [tlbmira.exe] Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-99-72-cf-ac-0a\WpadDecision = "0"
- [tlbmira.exe] Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
- [tlbmira.exe] Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{75538D86-5D3D-416F-AD75-E96D1A96F6C3}\WpadDecisionTime = 401f36726706d901
- [tlbmira.exe] Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{75538D86-5D3D-416F-AD75-E96D1A96F6C3}\WpadNetworkName = "Network 3"
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
- pid 1052, process tlbmira.exe
- pid 1052, process tlbmira.exe
- pid 1052, process tlbmira.exe
Suspicious behavior: RenamesItself 1 IoCs
Processes:
- pid 1112, process 55a80b03ee90e27367da501b1c944d33bbaa8d602a02ea827aca646a40381eaf.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
- [AUDIODG.EXE, pid 1484] Token: 33
- [AUDIODG.EXE, pid 1484] Token: SeIncBasePriorityPrivilege
- [AUDIODG.EXE, pid 1484] Token: 33
- [AUDIODG.EXE, pid 1484] Token: SeIncBasePriorityPrivilege
Suspicious use of UnmapMainImage 4 IoCs
Processes:
- pid 1668, process 55a80b03ee90e27367da501b1c944d33bbaa8d602a02ea827aca646a40381eaf.exe
- pid 1112, process 55a80b03ee90e27367da501b1c944d33bbaa8d602a02ea827aca646a40381eaf.exe
- pid 1992, process tlbmira.exe
- pid 1052, process tlbmira.exe
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
- PID 1668 wrote to memory of 1112 (process 55a80b03ee90e27367da501b1c944d33bbaa8d602a02ea827aca646a40381eaf.exe, target process 55a80b03ee90e27367da501b1c944d33bbaa8d602a02ea827aca646a40381eaf.exe)
- PID 1668 wrote to memory of 1112 (process 55a80b03ee90e27367da501b1c944d33bbaa8d602a02ea827aca646a40381eaf.exe, target process 55a80b03ee90e27367da501b1c944d33bbaa8d602a02ea827aca646a40381eaf.exe)
- PID 1668 wrote to memory of 1112 (process 55a80b03ee90e27367da501b1c944d33bbaa8d602a02ea827aca646a40381eaf.exe, target process 55a80b03ee90e27367da501b1c944d33bbaa8d602a02ea827aca646a40381eaf.exe)
- PID 1668 wrote to memory of 1112 (process 55a80b03ee90e27367da501b1c944d33bbaa8d602a02ea827aca646a40381eaf.exe, target process 55a80b03ee90e27367da501b1c944d33bbaa8d602a02ea827aca646a40381eaf.exe)
- PID 1992 wrote to memory of 1052 (process tlbmira.exe, target process tlbmira.exe)
- PID 1992 wrote to memory of 1052 (process tlbmira.exe, target process tlbmira.exe)
- PID 1992 wrote to memory of 1052 (process tlbmira.exe, target process tlbmira.exe)
- PID 1992 wrote to memory of 1052 (process tlbmira.exe, target process tlbmira.exe)
Processes
-
- C:\Users\Admin\AppData\Local\Temp\55a80b03ee90e27367da501b1c944d33bbaa8d602a02ea827aca646a40381eaf.exe (level 1)
  "C:\Users\Admin\AppData\Local\Temp\55a80b03ee90e27367da501b1c944d33bbaa8d602a02ea827aca646a40381eaf.exe"
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\55a80b03ee90e27367da501b1c944d33bbaa8d602a02ea827aca646a40381eaf.exe (level 2)
  --7a82e46f
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
- C:\Windows\system32\AUDIODG.EXE (level 1)
  C:\Windows\system32\AUDIODG.EXE 0x560
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\tlbmira.exe (level 1)
  "C:\Windows\SysWOW64\tlbmira.exe"
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\tlbmira.exe (level 2)
  --1be86acb
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1052-62-0x0000000000000000-mapping.dmp
- memory/1112-56-0x0000000000000000-mapping.dmp
- memory/1112-60-0x0000000000400000-0x0000000000478000-memory.dmp (Filesize 480KB)
- memory/1112-63-0x0000000000400000-0x0000000000416000-memory.dmp (Filesize 88KB)
- memory/1668-54-0x0000000075241000-0x0000000075243000-memory.dmp (Filesize 8KB)
- memory/1668-55-0x00000000002C0000-0x00000000002D5000-memory.dmp (Filesize 84KB)
- memory/1668-59-0x0000000000400000-0x0000000000416000-memory.dmp (Filesize 88KB)
- memory/1668-57-0x00000000002C0000-0x00000000002D5000-memory.dmp (Filesize 84KB)