Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 08-03-2024 12:42
Static task: static1
Behavioral task: behavioral1
Sample: bb49d3fbd4cb3fdc2bb2256463275826.exe
Resource: win7-20240221-en
General
Target: bb49d3fbd4cb3fdc2bb2256463275826.exe
Size: 480KB
MD5: bb49d3fbd4cb3fdc2bb2256463275826
SHA1: ee7ad5be4550845f3cac328d2ece58b7225e900e
SHA256: 65c97fcbc4483c7dbd4692342ce8c7089573603677f917e40b45cea43a30abab
SHA512: 28d330283830844c13b2680e2569e2d686ff86b5d71b678e6dd24c17e42ec59517c3b032e5e9596340ddceaa7e7a08928a0e124a6bb8796091f0c4557a87fe99
SSDEEP: 12288:L7seycbncWlgxDb3qhmic7zziD5ap/LeDeqwyx:cey8lgR31iFapSqqn
Malware Config
Extracted
Family: emotet
Botnet: Epoch3
C2 (ip:port):
152.169.31.120:8080
211.20.154.102:80
45.55.179.121:8080
198.211.121.27:8080
82.145.43.153:8080
139.59.12.63:8080
154.73.137.131:80
78.188.33.71:80
50.116.78.109:8080
187.72.47.161:443
195.250.143.182:80
42.51.192.231:8080
178.62.75.204:8080
187.177.155.123:990
189.235.233.119:80
101.141.5.17:80
181.167.35.84:80
183.82.123.60:443
77.74.78.80:443
177.144.130.105:443
88.247.53.159:443
98.192.74.164:80
42.115.22.145:80
1.217.126.11:443
212.112.113.235:80
81.214.142.115:80
98.15.140.226:80
172.104.70.207:8080
82.146.55.23:7080
91.117.31.181:80
195.201.56.70:8080
186.223.86.136:443
178.33.167.120:8080
192.210.217.94:8080
89.215.225.15:80
110.232.188.29:443
41.77.74.214:443
51.77.113.97:8080
150.246.246.238:80
88.248.140.80:80
78.188.170.128:80
201.183.251.100:80
50.251.171.165:80
60.130.173.117:80
41.185.29.128:8080
188.251.213.180:443
50.63.13.135:8080
91.117.131.122:80
175.127.140.68:80
60.151.66.216:443
154.70.158.97:80
190.171.153.139:80
5.32.84.54:80
112.186.195.176:80
125.209.114.180:443
88.225.230.33:80
220.247.70.174:80
185.244.167.25:443
177.103.240.93:80
184.162.115.11:443
181.196.27.123:80
175.181.7.188:80
156.155.163.232:80
196.6.119.137:80
88.247.26.78:80
190.63.7.166:8080
160.119.153.20:80
203.124.57.50:80
162.144.46.90:8080
190.17.94.108:443
192.241.220.183:8080
72.27.212.209:8080
81.82.247.216:80
85.100.122.211:80
162.154.175.215:80
82.79.244.92:80
41.215.79.182:80
82.165.15.188:8080
157.7.164.178:8081
1.221.254.82:80
183.87.40.21:8080
158.69.167.246:8080
217.12.70.226:80
75.86.6.174:80
37.46.129.215:8080
142.93.87.198:8080
109.236.109.159:8080
179.5.118.12:8080
182.71.222.187:80
51.38.134.203:8080
91.74.88.6:80
181.39.96.86:443
68.183.18.169:8080
190.5.162.204:80
176.58.93.123:80
95.66.182.136:80
91.83.93.103:443
46.32.229.152:8080
95.216.207.86:7080
85.109.190.235:443
46.17.6.116:8080
186.147.245.204:80
37.70.131.107:80
160.226.171.255:443
186.10.92.114:80
180.33.71.88:80
200.82.170.33:443
58.93.151.148:80
212.129.14.27:8080
182.187.137.199:8080
163.172.107.70:8080
110.2.118.164:80
210.213.85.43:8080
2.50.182.138:443
70.60.238.62:80
78.189.165.52:8080
153.137.36.142:80
182.176.116.139:995
183.131.156.10:7080
122.176.116.57:443
78.189.60.109:443
211.23.95.233:7080
181.143.101.18:8080
186.84.173.136:8080
185.192.75.240:443
80.211.32.88:8080
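The extracted C2 list above is only useful once it has been validated and turned into something a control can consume. The following is an added example, not part of the sandbox report: it parses ip:port lines, rejects malformed entries, deduplicates, groups endpoints by port (the 990, 995 and 7080 entries stand out against the usual 80/443/8080), and emits one Suricata-style rule per endpoint. The sample input is a constructed subset of the report's Epoch3 entries plus one deliberately malformed line; the rule text and the sid range are assumptions chosen for illustration.

```python
"""Turn an extracted Emotet C2 list (ip:port lines) into usable IoC artifacts.

Added example, not part of the sandbox report. SAMPLE_CONFIG is a constructed
subset of the report's extracted config plus one malformed line; the rule
format and sid range are assumptions for illustration.
"""
import ipaddress
from collections import defaultdict

# Constructed input: seven entries from the report and one bad line.
SAMPLE_CONFIG = """\
152.169.31.120:8080
211.20.154.102:80
45.55.179.121:8080
187.72.47.161:443
187.177.155.123:990
182.176.116.139:995
82.146.55.23:7080
not.an.ip:80
"""


def parse_c2(text):
    """Parse 'ip:port' lines into a deduplicated list of (ip, port) tuples.

    Lines that are not a valid IPv4 address plus a 1-65535 port are skipped
    and returned separately so the caller can see what was dropped.
    """
    entries, rejected, seen = [], [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        host, sep, port_s = line.rpartition(":")
        try:
            ip = ipaddress.IPv4Address(host)   # AddressValueError is a ValueError
            port = int(port_s)
            if not sep or not 1 <= port <= 65535:
                raise ValueError(line)
        except ValueError:
            rejected.append(line)
            continue
        key = (str(ip), port)
        if key not in seen:                    # configs can repeat an endpoint
            seen.add(key)
            entries.append(key)
    return entries, rejected


def group_by_port(entries):
    """Map port -> sorted list of IPs; makes unusual ports easy to spot."""
    groups = defaultdict(list)
    for ip, port in entries:
        groups[port].append(ip)
    return {p: sorted(ips) for p, ips in groups.items()}


def suricata_rules(entries, family="emotet", botnet="Epoch3", sid_start=9000000):
    """Emit one Suricata/Snort-style alert rule per C2 endpoint.

    sid_start is a placeholder; pick a range that does not collide with your
    existing rule sets. Matching on exact ip/port pairs is precise but blind
    to C2 rotation, so treat these as short-lived rules.
    """
    rules = []
    for i, (ip, port) in enumerate(entries):
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"{family} {botnet} C2 {ip}:{port}"; '
            f'flow:to_server; sid:{sid_start + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    good, bad = parse_c2(SAMPLE_CONFIG)
    print(f"{len(good)} endpoints parsed, {len(bad)} rejected: {bad}")
    for port, ips in sorted(group_by_port(good).items()):
        print(f"port {port}: {len(ips)} host(s)")
    print("\n".join(suricata_rules(good)))
```

To run it against the full list, paste the C2 block from the report into SAMPLE_CONFIG or read it from a file; nothing else changes.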
Signatures

Drops file in System32 directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | sidebarwmp.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | sidebarwmp.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | sidebarwmp.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | sidebarwmp.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies data under HKEY_USERS (3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | sidebarwmp.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | sidebarwmp.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | sidebarwmp.exe

Note: the INetCache paths under C:\Windows\SysWOW64\config\systemprofile and the values under HKEY_USERS\.DEFAULT are the LocalSystem account's profile locations, so the sidebarwmp.exe tree ran as SYSTEM. The report does not show how that copy was started.

Suspicious behavior: EnumeratesProcesses (10 IoCs)
pid | Process
4556 | sidebarwmp.exe (10 occurrences)

Suspicious behavior: RenamesItself (1 IoCs)
pid | Process
1972 | bb49d3fbd4cb3fdc2bb2256463275826.exe

Suspicious use of SetWindowsHookEx (8 IoCs)
pid | Process
4964 | bb49d3fbd4cb3fdc2bb2256463275826.exe (2 occurrences)
1972 | bb49d3fbd4cb3fdc2bb2256463275826.exe (2 occurrences)
4992 | sidebarwmp.exe (2 occurrences)
4556 | sidebarwmp.exe (2 occurrences)

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 4964 wrote to memory of 1972 | 4964 | bb49d3fbd4cb3fdc2bb2256463275826.exe | 98 (3 occurrences)
PID 4992 wrote to memory of 4556 | 4992 | sidebarwmp.exe | 103 (3 occurrences)
Processes

C:\Users\Admin\AppData\Local\Temp\bb49d3fbd4cb3fdc2bb2256463275826.exe (PID 4964)
  command line: "C:\Users\Admin\AppData\Local\Temp\bb49d3fbd4cb3fdc2bb2256463275826.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  └─ C:\Users\Admin\AppData\Local\Temp\bb49d3fbd4cb3fdc2bb2256463275826.exe (PID 1972)
       command line: C:\Users\Admin\AppData\Local\Temp\bb49d3fbd4cb3fdc2bb2256463275826.exe --a40aa9df
       - Suspicious behavior: RenamesItself
       - Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\sidebarwmp.exe (PID 4992)
  command line: "C:\Windows\SysWOW64\sidebarwmp.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  └─ C:\Windows\SysWOW64\sidebarwmp.exe (PID 4556)
       command line: C:\Windows\SysWOW64\sidebarwmp.exe --e45a3410
       - Drops file in System32 directory
       - Modifies data under HKEY_USERS
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of SetWindowsHookEx
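Both trees show the same shape: a binary launches an identical copy of itself with a single argument of eight hex characters (--a40aa9df, --e45a3410), and in the second tree the binary lives under SysWOW64. The following is an added example, not part of the sandbox report, that scores process-creation events for that pattern. The ProcEvent shape is an assumed, simplified Sysmon Event ID 1 record; the two malicious events are built from the PIDs and command lines in the report, and the two benign events are constructed controls. The heuristic is derived from this report's tree only and is a triage signal, not a family signature.

```python
"""Flag the self-relaunch pattern shown in the report's process tree.

Added example, not part of the sandbox report. ProcEvent is an assumed,
simplified shape of a Sysmon Event ID 1 record. EVENTS[0] and EVENTS[1] are
built from the report; EVENTS[2] and EVENTS[3] are constructed benign controls.
"""
import re
from dataclasses import dataclass

# One trailing argument of exactly eight lowercase hex chars, as in --a40aa9df.
HEX_SUFFIX = re.compile(r'\s--[0-9a-f]{8}$')
SYSTEM_DIRS = ('c:\\windows\\syswow64\\', 'c:\\windows\\system32\\')


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    parent_image: str
    cmdline: str


EVENTS = [
    # From the report: the sample relaunches itself with --a40aa9df.
    ProcEvent(1972, 4964,
              r'C:\Users\Admin\AppData\Local\Temp\bb49d3fbd4cb3fdc2bb2256463275826.exe',
              r'C:\Users\Admin\AppData\Local\Temp\bb49d3fbd4cb3fdc2bb2256463275826.exe',
              r'C:\Users\Admin\AppData\Local\Temp\bb49d3fbd4cb3fdc2bb2256463275826.exe --a40aa9df'),
    # From the report: the SysWOW64 copy does the same with --e45a3410.
    ProcEvent(4556, 4992,
              r'C:\Windows\SysWOW64\sidebarwmp.exe',
              r'C:\Windows\SysWOW64\sidebarwmp.exe',
              r'C:\Windows\SysWOW64\sidebarwmp.exe --e45a3410'),
    # Constructed benign controls: a normal launch, and a self-relaunch
    # with an ordinary argument (common for service/worker binaries).
    ProcEvent(5100, 1234, r'C:\Windows\System32\notepad.exe',
              r'C:\Windows\explorer.exe', r'notepad.exe C:\Users\Admin\notes.txt'),
    ProcEvent(5200, 5199, r'C:\Tools\svc.exe', r'C:\Tools\svc.exe',
              r'C:\Tools\svc.exe --worker'),
]


def score_event(ev):
    """Return (score, reasons) for one process-creation event.

    Each reason is weak on its own; the combination is what matters.
    """
    reasons = []
    self_relaunch = ev.image.lower() == ev.parent_image.lower()
    if self_relaunch:
        reasons.append('spawned by an identical image (self-relaunch)')
    if HEX_SUFFIX.search(ev.cmdline.rstrip()):
        reasons.append('lone --XXXXXXXX argument (8 hex chars)')
    if self_relaunch and ev.image.lower().startswith(SYSTEM_DIRS):
        reasons.append('self-relaunch of a binary under a system directory')
    return len(reasons), reasons


def detect(events, threshold=2):
    """Return [(pid, score, reasons)] for events scoring at or above threshold."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev.pid, score, reasons))
    return hits


if __name__ == '__main__':
    for pid, score, reasons in detect(EVENTS):
        print(f'PID {pid}: score {score}: ' + '; '.join(reasons))
```

With the default threshold of 2 the two report-derived events are flagged and both controls are not; the svc.exe control scores 1 on self-relaunch alone, which is why a single indicator should not alert.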