Analysis

max time kernel: 147s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-02-2024 07:32
Static task: static1
Behavioral task: behavioral1
Sample: 7da8527d7ca8da755504a1411a3c4434d52a2f35338084f86c8453d1b055d617.exe
Resource: win7-20240221-en
General

Target: 7da8527d7ca8da755504a1411a3c4434d52a2f35338084f86c8453d1b055d617.exe
Size: 848KB
MD5: bd67d1853d55ebc3b7ea8f8c7e00b1f1
SHA1: aaf34c8960a12f7df6a65d18d327e5c610b9217e
SHA256: 7da8527d7ca8da755504a1411a3c4434d52a2f35338084f86c8453d1b055d617
SHA512: 40827b0933aee9f267b01b19cc5c42b044023cb411a6fa9d46d27a91e7d24c2bd6386142b5e68194adad9879891c175b4687007a04ac5fa2fd4a982509e9fb8c
SSDEEP: 6144:eTaQZdJnaB1kNO2FSm9Vc6c6c6c6c6c6c6c6c6cyI6HmMETLv3NIDK:eGQfJBFrnHFETL
Malware Config

Extracted: emotet (Epoch3)
C2 addresses (ip:port), as extracted from the sample:
190.136.179.102:80
97.107.135.148:8080
94.102.209.63:7080
162.144.42.60:8080
81.214.253.80:443
87.106.231.60:8080
107.161.30.122:8080
66.61.94.36:80
139.59.12.63:8080
203.153.216.178:7080
178.33.167.120:8080
179.62.238.49:80
50.116.78.109:8080
74.208.173.91:8080
113.161.148.81:80
179.5.118.12:80
202.5.47.71:80
91.83.93.103:443
181.113.229.139:443
41.185.29.128:8080
37.205.9.252:7080
197.232.36.108:80
91.75.75.46:80
105.209.235.113:8080
181.137.229.1:80
172.105.78.244:8080
157.7.164.178:8081
190.55.186.229:80
192.163.221.191:8080
37.187.100.220:7080
5.79.70.250:8080
192.241.220.183:8080
168.0.97.6:80
46.32.229.152:8080
115.78.11.155:80
68.183.233.80:8080
190.96.15.50:80
175.29.183.2:80
118.101.24.148:80
157.245.138.101:7080
95.216.205.155:8080
46.105.131.68:8080
188.251.213.180:443
190.53.144.120:80
143.95.101.72:8080
88.249.181.198:443
2.144.244.204:443
177.32.8.85:80
190.212.140.6:80
185.86.148.68:443
54.38.143.245:8080
190.190.15.20:80
189.39.32.161:80
186.227.146.102:80
185.142.236.163:443
201.213.177.139:80
134.209.193.138:443
190.164.75.175:80
77.74.78.80:443
198.57.203.63:8080
103.80.51.61:8080
197.221.158.162:80
173.94.215.84:80
115.79.195.246:80
181.122.154.240:80
172.96.190.154:8080
82.239.200.118:80
81.17.93.134:80
201.235.10.215:80
178.87.171.199:80
24.26.151.3:80
75.127.14.170:8080
71.57.180.213:80
185.208.226.142:8080
177.144.130.105:443
31.146.61.34:80
60.125.114.64:443
188.0.135.237:80
181.126.54.234:80
162.249.220.190:80
220.254.198.228:443
177.94.227.143:80
113.203.250.121:443
37.46.129.215:8080
1.54.67.22:80
45.182.161.17:80
86.98.143.163:80
51.38.201.19:7080
192.210.217.94:8080
195.201.56.70:8080
Signatures

Executes dropped EXE (1 IoC)
  pid   Process
  3152  KBDIC.exe

Drops file in System32 directory (1 IoC)
  description                   ioc                                      Process
  File opened for modification  C:\Windows\SysWOW64\MrmCoreR\KBDIC.exe   7da8527d7ca8da755504a1411a3c4434d52a2f35338084f86c8453d1b055d617.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (16 IoCs)
  pid   Process
  3152  KBDIC.exe   (the same pid/process pair is reported 16 times)

Suspicious behavior: RenamesItself (1 IoC)
  pid   Process
  2448  7da8527d7ca8da755504a1411a3c4434d52a2f35338084f86c8453d1b055d617.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
  pid   Process
  2448  7da8527d7ca8da755504a1411a3c4434d52a2f35338084f86c8453d1b055d617.exe
  2448  7da8527d7ca8da755504a1411a3c4434d52a2f35338084f86c8453d1b055d617.exe
  3152  KBDIC.exe
  3152  KBDIC.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process                                                                 procid_target
  PID 2448 wrote to memory of 3152  2448  7da8527d7ca8da755504a1411a3c4434d52a2f35338084f86c8453d1b055d617.exe   86
  (the same entry is reported 3 times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\7da8527d7ca8da755504a1411a3c4434d52a2f35338084f86c8453d1b055d617.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7da8527d7ca8da755504a1411a3c4434d52a2f35338084f86c8453d1b055d617.exe"
   PID: 2448
   - Drops file in System32 directory
   - Suspicious behavior: RenamesItself
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\MrmCoreR\KBDIC.exe (child of PID 2448)
      Command line: "C:\Windows\SysWOW64\MrmCoreR\KBDIC.exe"
      PID: 3152
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 848KB
MD5: bd67d1853d55ebc3b7ea8f8c7e00b1f1
SHA1: aaf34c8960a12f7df6a65d18d327e5c610b9217e
SHA256: 7da8527d7ca8da755504a1411a3c4434d52a2f35338084f86c8453d1b055d617
SHA512: 40827b0933aee9f267b01b19cc5c42b044023cb411a6fa9d46d27a91e7d24c2bd6386142b5e68194adad9879891c175b4687007a04ac5fa2fd4a982509e9fb8c