Analysis
- max time kernel: 150s
- max time network: 146s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 13-03-2023 07:44
- Static task: static1
- Behavioral task: behavioral1
- Sample: task1.exe
- Resource: win7-20230220-en
General
- Target: task1.exe
- Size: 188KB
- MD5: 2ba73d2d47cf2d388446b781613b7eff
- SHA1: c75c7eb4814835388881d1b4c2db67e64a023e1e
- SHA256: 06c6442d5bb110140ac1cdbcf1be52388441b9a0750d59b743acc6b52d19582b
- SHA512: 667ddc16765d8c3c3596bb734174862db1f2ac24037c361a2e37ec9824c35a8926728400025d62c62c361b1b1e1a9d1e3b4c38c2c5989eee832e083481e50caa
- SSDEEP: 3072:0O7Mn+0UNzRqN7GZDA62KrcNaQV/7T9kSjkltZJmHcPz6HEJE:kUGJeD8HVOSqBmHbk
Malware Config
- Extracted: emotet (Epoch2)
Signatures

- YARA rule matches (resource: yara_rule)
  Processes:
  - behavioral1/memory/1596-54-0x0000000000260000-0x0000000000272000-memory.dmp: emotet
  - behavioral1/memory/1596-58-0x0000000000280000-0x0000000000290000-memory.dmp: emotet
  - behavioral1/memory/1596-62-0x00000000001D0000-0x00000000001DF000-memory.dmp: emotet

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Modifies registry class (9 IoCs)
  Processes (description | ioc | process):
  - Key created | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\vsw_auto_file | rundll32.exe
  - Set value (str) | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\vsw_auto_file\ | rundll32.exe
  - Key created | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\vsw_auto_file\shell\Read | rundll32.exe
  - Key created | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\vsw_auto_file\shell | rundll32.exe
  - Key created | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\vsw_auto_file\shell\Read\command | rundll32.exe
  - Key created | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_Classes\Local Settings | rundll32.exe
  - Key created | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\.vsw | rundll32.exe
  - Set value (str) | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\.vsw\ = "vsw_auto_file" | rundll32.exe
  - Set value (str) | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\vsw_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe

- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid | process):
  - 1596 | task1.exe
  - 1596 | task1.exe
  - 1596 | task1.exe
  - 1596 | task1.exe

- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description | pid | process):
  - Token: 33 | 612 | AUDIODG.EXE
  - Token: SeIncBasePriorityPrivilege | 612 | AUDIODG.EXE
  - Token: 33 | 612 | AUDIODG.EXE
  - Token: SeIncBasePriorityPrivilege | 612 | AUDIODG.EXE

- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes (pid | process):
  - 1596 | task1.exe
  - 1596 | task1.exe
  - 928 | AcroRd32.exe
  - 928 | AcroRd32.exe

- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description | pid | process | target process):
  - PID 1956 wrote to memory of 928 | 1956 | rundll32.exe | AcroRd32.exe
  - PID 1956 wrote to memory of 928 | 1956 | rundll32.exe | AcroRd32.exe
  - PID 1956 wrote to memory of 928 | 1956 | rundll32.exe | AcroRd32.exe
  - PID 1956 wrote to memory of 928 | 1956 | rundll32.exe | AcroRd32.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\task1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\task1.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx

- C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"

- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x584
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\rundll32.exe
  Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\RestartStart.vsw
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (child of rundll32.exe)
    Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\RestartStart.vsw"
    - Suspicious use of SetWindowsHookEx