Analysis
max time kernel: 253s
max time network: 281s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system
submitted: 30-11-2022 16:25
Behavioral task: behavioral1
Sample: 55a80b03ee90e27367da501b1c944d33bbaa8d602a02ea827aca646a40381eaf.exe
Resource: win7-20220812-en
General
Target: 55a80b03ee90e27367da501b1c944d33bbaa8d602a02ea827aca646a40381eaf.exe
Size: 474KB
MD5: 1caf518700f8a969fe59ea7c35d13995
SHA1: 7f6133ad68ba50920d5d353d346ec7ee7393b883
SHA256: 55a80b03ee90e27367da501b1c944d33bbaa8d602a02ea827aca646a40381eaf
SHA512: f6e3e6c93a3afe7b8ce2b8b84e71c61527795728c8ab7121bc875d1731b9b4f97f56defcdba6109fcbc7d353dc4a555f87a42a75944242e79941144614e84bf5
SSDEEP: 6144:ieFrEMus74tW3HvPgADDnz/HXnr/vYitorLFDPMTJYhr64Fg0:ntEMus70imrLFPMdV4Fg0
Malware Config
Extracted: emotet (Epoch3)
C2 addresses (IP:port):
110.36.234.146:80
197.211.244.6:443
125.99.61.162:7080
115.88.70.226:7080
162.241.232.82:8080
194.50.163.106:8080
162.214.27.219:7080
203.150.19.63:443
179.62.18.56:443
93.78.205.196:443
176.58.93.123:80
138.197.140.163:8080
181.113.229.139:990
201.244.125.210:995
186.10.16.244:53
83.169.33.157:8080
45.33.1.161:8080
186.117.174.26:80
186.93.167.147:443
148.240.52.172:80
186.29.155.101:50000
190.92.103.7:80
113.52.135.33:7080
70.45.30.28:80
5.189.148.98:8080
181.55.171.237:8080
143.95.101.72:8080
190.55.86.138:8443
181.165.150.211:143
190.96.118.15:443
190.117.206.153:443
41.60.202.26:22
216.70.88.55:8080
139.59.242.76:8080
190.13.146.47:443
178.249.187.150:7080
190.55.39.215:80
200.114.134.8:20
78.109.34.178:443
46.32.229.152:8080
216.154.222.52:7080
181.230.126.152:8090
152.170.220.95:80
51.38.134.203:8080
94.177.253.126:80
108.179.216.46:8080
Signatures

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: RenamesItself (1 IoCs)
  Processes (pid, process):
    4288  55a80b03ee90e27367da501b1c944d33bbaa8d602a02ea827aca646a40381eaf.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
    Token: 33                          632  AUDIODG.EXE
    Token: SeIncBasePriorityPrivilege  632  AUDIODG.EXE

Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description, pid, process, target process):
    PID 4196 wrote to memory of 4288  4196  55a80b03ee90e27367da501b1c944d33bbaa8d602a02ea827aca646a40381eaf.exe  55a80b03ee90e27367da501b1c944d33bbaa8d602a02ea827aca646a40381eaf.exe
    PID 4196 wrote to memory of 4288  4196  55a80b03ee90e27367da501b1c944d33bbaa8d602a02ea827aca646a40381eaf.exe  55a80b03ee90e27367da501b1c944d33bbaa8d602a02ea827aca646a40381eaf.exe
    PID 4196 wrote to memory of 4288  4196  55a80b03ee90e27367da501b1c944d33bbaa8d602a02ea827aca646a40381eaf.exe  55a80b03ee90e27367da501b1c944d33bbaa8d602a02ea827aca646a40381eaf.exe
Processes

C:\Users\Admin\AppData\Local\Temp\55a80b03ee90e27367da501b1c944d33bbaa8d602a02ea827aca646a40381eaf.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\55a80b03ee90e27367da501b1c944d33bbaa8d602a02ea827aca646a40381eaf.exe"
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\55a80b03ee90e27367da501b1c944d33bbaa8d602a02ea827aca646a40381eaf.exe
      command line: --7a82e46f
      - Suspicious behavior: RenamesItself

C:\Windows\system32\AUDIODG.EXE
  command line: C:\Windows\system32\AUDIODG.EXE 0x468 0x3fc
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/4196-132-0x00000000028B0000-0x00000000028C5000-memory.dmp  Filesize 84KB
memory/4196-135-0x0000000000400000-0x0000000000416000-memory.dmp  Filesize 88KB
memory/4196-134-0x00000000028B0000-0x00000000028C5000-memory.dmp  Filesize 84KB
memory/4288-133-0x0000000000000000-mapping.dmp
memory/4288-136-0x0000000000400000-0x0000000000478000-memory.dmp  Filesize 480KB
memory/4288-137-0x0000000000400000-0x0000000000478000-memory.dmp  Filesize 480KB