Analysis
-
max time kernel
143s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
22-12-2023 16:13
Static task
static1
Behavioral task
behavioral1
Sample
eba98abe00f0a411e6736cf916d05c70.exe
Resource
win7-20231215-en
General
-
Target
eba98abe00f0a411e6736cf916d05c70.exe
-
Size
572KB
-
MD5
eba98abe00f0a411e6736cf916d05c70
-
SHA1
fba38ef52ce7f582ffa8582dafc7517b310c396b
-
SHA256
7c017123bdcb32ece3624c846e7262f9b9cd04ce4e8608e5f3d02448ea9c1bbc
-
SHA512
1df1c131751fb709778c61e3de005ea295661fbf9556ff0c90659fdba62b129c7b758bc7fea14e3705c178fbe9641f8ac5ce7fb56eae43533dde11d2e5db4cc7
-
SSDEEP
6144:hLOYXpa/ummNl/C5lXS/U6zJjSOd77yPZ5qxSorTCQ2z07517k0bbS9ZuXCBnS91:h6ummjiX6B+PZC+OByZJS9rVFN
Malware Config
Extracted
emotet
Epoch2
2.38.99.79:80
98.24.231.64:80
47.156.70.145:80
37.59.24.177:8080
66.34.201.20:7080
108.179.206.219:8080
45.56.88.91:443
206.189.112.148:8080
120.150.246.241:80
190.56.255.118:80
200.71.148.138:8080
192.241.255.77:8080
211.63.71.72:8080
190.53.135.159:21
183.102.238.69:465
108.191.2.72:80
107.170.24.125:8080
167.114.242.226:8080
91.73.197.90:80
178.209.71.63:8080
217.160.182.191:8080
45.51.40.140:80
189.209.217.49:80
128.65.154.183:443
91.205.215.66:8080
95.128.43.213:8080
190.12.119.180:443
62.75.187.192:8080
12.176.19.218:80
178.210.51.222:8080
87.230.19.21:8080
110.143.57.109:80
61.197.110.214:80
67.225.179.64:8080
74.105.102.97:8080
190.226.44.20:21
93.147.141.5:80
5.196.74.210:8080
212.64.171.206:80
173.13.135.102:80
190.147.215.53:22
201.184.105.242:443
78.24.219.147:8080
201.173.217.124:443
92.186.52.193:80
12.229.155.122:80
165.228.24.197:80
31.31.77.83:443
58.171.42.66:8080
181.31.213.158:8080
101.187.247.29:80
86.98.156.239:443
87.106.139.101:8080
181.57.193.14:80
116.48.142.21:443
164.68.101.171:80
176.31.200.130:8080
209.97.168.52:8080
46.105.131.87:80
24.45.193.161:7080
190.211.207.11:443
210.6.85.121:80
139.130.241.252:443
59.103.164.174:80
176.106.183.253:8080
66.76.63.99:80
92.222.216.44:8080
159.65.25.128:8080
206.81.10.215:8080
31.172.240.91:8080
212.186.191.177:80
195.244.215.206:80
209.141.54.221:8080
104.131.44.150:8080
37.157.194.134:443
107.2.2.28:80
50.116.86.205:8080
45.33.49.124:443
91.242.138.5:80
91.231.166.126:8080
100.14.117.137:80
188.152.7.140:80
80.11.163.139:21
144.139.247.220:80
182.176.132.213:8090
212.129.24.79:8080
110.142.38.16:80
167.71.10.37:8080
87.106.136.232:8080
1.33.230.137:80
104.131.11.150:8080
101.187.134.207:443
185.159.102.74:80
70.175.171.251:80
167.99.105.223:7080
104.236.246.93:8080
197.254.221.174:80
73.11.153.178:8080
149.202.153.252:8080
169.239.182.217:8080
5.88.182.250:80
165.227.156.155:443
173.70.81.77:80
91.187.80.246:80
186.75.241.230:80
200.7.243.108:443
83.136.245.190:8080
181.143.194.138:443
80.21.182.46:80
Signatures
-
Drops file in System32 directory 1 IoCs
Processes:
scanmalert.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat scanmalert.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 21 IoCs
Processes:
scanmalert.exedescription ioc process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" scanmalert.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 scanmalert.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix scanmalert.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections scanmalert.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" scanmalert.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings scanmalert.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C7E7326-C2AC-40C8-B3F5-4EB6B0A8D363} scanmalert.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C7E7326-C2AC-40C8-B3F5-4EB6B0A8D363}\WpadDecision = "0" scanmalert.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-9e-dd-ac-b5-86\WpadDecisionTime = 10d7a8fc2e36da01 scanmalert.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings scanmalert.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C7E7326-C2AC-40C8-B3F5-4EB6B0A8D363}\3e-9e-dd-ac-b5-86 scanmalert.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00cc000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 scanmalert.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" scanmalert.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad scanmalert.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C7E7326-C2AC-40C8-B3F5-4EB6B0A8D363}\WpadDecisionReason = "1" scanmalert.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C7E7326-C2AC-40C8-B3F5-4EB6B0A8D363}\WpadDecisionTime = 10d7a8fc2e36da01 scanmalert.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C7E7326-C2AC-40C8-B3F5-4EB6B0A8D363}\WpadNetworkName = "Network 3" scanmalert.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-9e-dd-ac-b5-86 scanmalert.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-9e-dd-ac-b5-86\WpadDecisionReason = "1" scanmalert.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 scanmalert.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-9e-dd-ac-b5-86\WpadDecision = "0" scanmalert.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
scanmalert.exepid process 2860 scanmalert.exe 2860 scanmalert.exe 2860 scanmalert.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
eba98abe00f0a411e6736cf916d05c70.exepid process 2296 eba98abe00f0a411e6736cf916d05c70.exe -
Suspicious use of SetWindowsHookEx 8 IoCs
Processes:
eba98abe00f0a411e6736cf916d05c70.exeeba98abe00f0a411e6736cf916d05c70.exescanmalert.exescanmalert.exepid process 2756 eba98abe00f0a411e6736cf916d05c70.exe 2756 eba98abe00f0a411e6736cf916d05c70.exe 2296 eba98abe00f0a411e6736cf916d05c70.exe 2296 eba98abe00f0a411e6736cf916d05c70.exe 2724 scanmalert.exe 2724 scanmalert.exe 2860 scanmalert.exe 2860 scanmalert.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
eba98abe00f0a411e6736cf916d05c70.exescanmalert.exedescription pid process target process PID 2756 wrote to memory of 2296 2756 eba98abe00f0a411e6736cf916d05c70.exe eba98abe00f0a411e6736cf916d05c70.exe PID 2756 wrote to memory of 2296 2756 eba98abe00f0a411e6736cf916d05c70.exe eba98abe00f0a411e6736cf916d05c70.exe PID 2756 wrote to memory of 2296 2756 eba98abe00f0a411e6736cf916d05c70.exe eba98abe00f0a411e6736cf916d05c70.exe PID 2756 wrote to memory of 2296 2756 eba98abe00f0a411e6736cf916d05c70.exe eba98abe00f0a411e6736cf916d05c70.exe PID 2724 wrote to memory of 2860 2724 scanmalert.exe scanmalert.exe PID 2724 wrote to memory of 2860 2724 scanmalert.exe scanmalert.exe PID 2724 wrote to memory of 2860 2724 scanmalert.exe scanmalert.exe PID 2724 wrote to memory of 2860 2724 scanmalert.exe scanmalert.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\eba98abe00f0a411e6736cf916d05c70.exe"C:\Users\Admin\AppData\Local\Temp\eba98abe00f0a411e6736cf916d05c70.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\eba98abe00f0a411e6736cf916d05c70.exe--9927d7e72⤵
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\scanmalert.exe"C:\Windows\SysWOW64\scanmalert.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\scanmalert.exe--c910d2be2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2296-6-0x0000000000380000-0x0000000000397000-memory.dmpFilesize
92KB
-
memory/2724-11-0x0000000000610000-0x0000000000627000-memory.dmpFilesize
92KB
-
memory/2756-0-0x0000000000390000-0x00000000003A7000-memory.dmpFilesize
92KB
-
memory/2756-4-0x00000000002E0000-0x00000000002F1000-memory.dmpFilesize
68KB
-
memory/2860-16-0x0000000000630000-0x0000000000647000-memory.dmpFilesize
92KB