Analysis
- max time kernel: 134s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-03-2023 01:46
Static task: static1
Behavioral task: behavioral1
- Sample: ccd380ea868ffad4f960d7455fecf88c2ac3550001bbb6c21c31ae70b3bbf4f6.exe
- Resource: win7-20230220-en
General
- Target: ccd380ea868ffad4f960d7455fecf88c2ac3550001bbb6c21c31ae70b3bbf4f6.exe
- Size: 848KB
- MD5: a4513379dad5233afa402cc56a8b9222
- SHA1: 805727279208de9cf49e6374b1f3a6dc0052620e
- SHA256: ccd380ea868ffad4f960d7455fecf88c2ac3550001bbb6c21c31ae70b3bbf4f6
- SHA512: 10b23a9721bc9692f225a864f541d722761e622ff94e92f08c367a14fb7398199d4f4d3895ca456064889871246c6cbfc15fb2e593be21f384fb49e084cf3f9f
- SSDEEP: 6144:/TaQZdJnaB1kNOlFSm9tc6c6c6c6c6c6c6c6c6csImOksMWNIDK:/GQfJyFrz7
Malware Config
Extracted
emotet
Epoch2
67.68.210.95:80
162.241.242.173:8080
45.55.36.51:443
45.55.219.163:443
68.188.112.97:80
46.105.131.79:8080
78.24.219.147:8080
37.70.8.161:80
153.232.188.106:80
209.141.54.221:8080
203.117.253.142:80
152.168.248.128:443
93.147.212.206:80
24.137.76.62:80
189.212.199.126:443
204.197.146.48:80
137.119.36.33:80
185.94.252.104:443
139.130.242.43:80
203.153.216.189:7080
200.114.213.233:8080
41.60.200.34:80
107.5.122.110:80
139.162.108.71:8080
137.59.187.107:8080
181.230.116.163:80
24.43.99.75:80
83.169.36.251:8080
95.179.229.244:8080
85.152.162.105:80
37.139.21.175:8080
98.109.204.230:80
139.59.60.244:8080
75.139.38.211:80
61.19.246.238:443
79.98.24.39:8080
69.30.203.214:8080
68.171.118.7:80
50.81.3.113:80
89.205.113.80:80
87.106.136.232:8080
74.109.108.202:80
95.213.236.64:8080
24.179.13.119:80
121.124.124.40:7080
70.121.172.89:80
74.120.55.163:80
104.131.44.150:8080
74.208.45.104:8080
1.221.254.82:80
187.161.206.24:80
188.219.31.12:80
180.92.239.110:8080
47.146.117.214:80
103.86.49.11:8080
190.55.181.54:443
104.236.246.93:8080
97.82.79.83:80
91.211.88.52:7080
84.39.182.7:80
110.145.77.103:80
94.23.237.171:443
85.105.205.77:8080
87.106.139.101:8080
200.41.121.90:80
157.245.99.39:8080
169.239.182.217:8080
67.205.85.243:8080
176.111.60.55:8080
174.45.13.118:80
167.86.90.214:8080
174.102.48.180:443
112.185.64.233:80
173.81.218.65:80
139.99.158.11:443
113.160.130.116:8443
201.173.217.124:443
62.75.141.82:80
174.137.65.18:80
172.91.208.86:80
5.196.74.210:8080
85.66.181.138:80
47.144.21.12:443
194.187.133.160:443
168.235.67.138:7080
104.131.11.150:443
190.160.53.126:80
37.187.72.193:8080
109.74.5.95:8080
120.150.60.189:80
94.200.114.161:80
216.208.76.186:80
173.62.217.22:443
62.30.7.67:443
5.39.91.110:7080
Signatures
- Executes dropped EXE (1 IoCs)
  Processes: wscinterop.exe
  pid   process
  2496  wscinterop.exe
- Drops file in System32 directory (1 IoCs)
  Processes: ccd380ea868ffad4f960d7455fecf88c2ac3550001bbb6c21c31ae70b3bbf4f6.exe
  description                   ioc                                          process
  File opened for modification  C:\Windows\SysWOW64\winrssrv\wscinterop.exe  ccd380ea868ffad4f960d7455fecf88c2ac3550001bbb6c21c31ae70b3bbf4f6.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (20 IoCs)
  Processes: wscinterop.exe
  pid   process
  2496  wscinterop.exe  (20 identical entries)
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes: ccd380ea868ffad4f960d7455fecf88c2ac3550001bbb6c21c31ae70b3bbf4f6.exe
  pid   process
  2704  ccd380ea868ffad4f960d7455fecf88c2ac3550001bbb6c21c31ae70b3bbf4f6.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes: ccd380ea868ffad4f960d7455fecf88c2ac3550001bbb6c21c31ae70b3bbf4f6.exe, wscinterop.exe
  pid   process
  2704  ccd380ea868ffad4f960d7455fecf88c2ac3550001bbb6c21c31ae70b3bbf4f6.exe
  2704  ccd380ea868ffad4f960d7455fecf88c2ac3550001bbb6c21c31ae70b3bbf4f6.exe
  2496  wscinterop.exe
  2496  wscinterop.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: ccd380ea868ffad4f960d7455fecf88c2ac3550001bbb6c21c31ae70b3bbf4f6.exe
  description                        pid   process                                                                target process
  PID 2704 wrote to memory of 2496   2704  ccd380ea868ffad4f960d7455fecf88c2ac3550001bbb6c21c31ae70b3bbf4f6.exe  wscinterop.exe
  PID 2704 wrote to memory of 2496   2704  ccd380ea868ffad4f960d7455fecf88c2ac3550001bbb6c21c31ae70b3bbf4f6.exe  wscinterop.exe
  PID 2704 wrote to memory of 2496   2704  ccd380ea868ffad4f960d7455fecf88c2ac3550001bbb6c21c31ae70b3bbf4f6.exe  wscinterop.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\ccd380ea868ffad4f960d7455fecf88c2ac3550001bbb6c21c31ae70b3bbf4f6.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ccd380ea868ffad4f960d7455fecf88c2ac3550001bbb6c21c31ae70b3bbf4f6.exe"
   - Drops file in System32 directory
   - Suspicious behavior: RenamesItself
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\winrssrv\wscinterop.exe (nested under process 1)
   Command line: "C:\Windows\SysWOW64\winrssrv\wscinterop.exe"
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\SysWOW64\winrssrv\wscinterop.exe
  Filesize: 848KB
  MD5: a4513379dad5233afa402cc56a8b9222
  SHA1: 805727279208de9cf49e6374b1f3a6dc0052620e
  SHA256: ccd380ea868ffad4f960d7455fecf88c2ac3550001bbb6c21c31ae70b3bbf4f6
  SHA512: 10b23a9721bc9692f225a864f541d722761e622ff94e92f08c367a14fb7398199d4f4d3895ca456064889871246c6cbfc15fb2e593be21f384fb49e084cf3f9f
- memory/2496-140-0x00000000020D0000-0x00000000020DC000-memory.dmp
  Filesize: 48KB
- memory/2496-144-0x00000000020D0000-0x00000000020DC000-memory.dmp
  Filesize: 48KB
- memory/2704-133-0x0000000002430000-0x000000000243C000-memory.dmp
  Filesize: 48KB
- memory/2704-137-0x00000000022E0000-0x00000000022E1000-memory.dmp
  Filesize: 4KB
- memory/2704-138-0x0000000002320000-0x0000000002329000-memory.dmp
  Filesize: 36KB