Analysis

max time kernel: 46s
max time network: 51s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-04-2024 23:20

Static task: static1
Behavioral task: behavioral1
Sample: 6TYwBEsuS3j14dCM.exe
Resource: win10v2004-20240226-en
General

Target: 6TYwBEsuS3j14dCM.exe
Size: 318KB
MD5: 4a77d07c69aab90716bda7e5fdc02409
SHA1: d9bf0be971efc8136cdcb06c48ad59530de7d22c
SHA256: 065e6e0ac102dda862b7f3301e0975be468877ae269779def89af5bcf4a6f605
SHA512: 16fb7380682c7913c8fe69f3cb3ed76e08a7871a7bdf15d6fab334f3ab14c3ba26b8e5c505c4f18751ee2d5b48f7cddd5c28f9dd719a0f686d5894141fe64e20
SSDEEP: 6144:9U39yixK0dkI6ukU1EqlhVLLiLLwLL5ZbgiUPbY:4rxRdbDHTC3P
Malware Config

Extracted family: emotet
Botnet/epoch: Epoch1
C2 endpoints (ip:port):
50.121.220.50:80
51.75.33.122:80
54.37.42.48:8080
91.121.54.71:8080
45.16.226.117:443
68.69.155.181:80
213.60.96.117:80
77.55.211.77:8080
152.169.22.67:80
110.142.219.51:80
2.47.112.152:80
206.15.68.237:443
217.13.106.14:8080
191.99.160.58:80
189.131.57.131:80
213.197.182.158:8080
94.176.234.118:443
61.92.159.208:8080
190.128.173.10:80
219.92.8.17:8080
190.115.18.139:8080
190.147.137.153:443
5.196.35.138:7080
190.163.31.26:80
70.32.115.157:8080
114.109.179.60:80
58.171.153.81:80
174.100.27.229:80
104.131.103.37:8080
68.183.190.199:8080
181.30.61.163:443
184.66.18.83:80
87.106.46.107:8080
82.76.111.249:443
192.241.146.84:8080
73.213.208.163:80
104.131.41.185:8080
181.129.96.162:8080
82.196.15.205:8080
186.70.127.199:8090
68.183.170.114:8080
111.67.12.221:8080
172.104.169.32:8080
219.92.13.25:80
45.33.77.42:8080
185.94.252.12:80
46.28.111.142:7080
51.255.165.160:8080
45.173.88.33:80
190.24.243.186:80
45.161.242.102:80
77.238.212.227:80
177.72.13.80:80
65.36.62.20:80
190.2.31.172:80
212.71.237.140:8080
64.201.88.132:80
91.219.169.180:80
212.174.55.22:443
95.9.180.128:80
72.135.200.124:80
178.250.54.208:8080
187.162.248.237:80
178.79.163.131:8080
77.90.136.129:8080
70.32.84.74:8080
98.13.75.196:80
190.6.193.152:8080
192.241.143.52:8080
83.169.21.32:7080
138.97.60.141:7080
137.74.106.111:7080
209.236.123.42:8080
199.203.62.165:80
51.159.23.217:443
50.28.51.143:8080
24.135.1.177:80
177.73.0.98:443
188.2.217.94:80
170.81.48.2:80
186.103.141.250:443
188.135.15.49:80
185.94.252.27:443
72.47.248.48:7080
177.74.228.34:80
216.10.40.16:80
103.106.236.83:8080
217.199.160.224:7080
190.190.148.27:8080
12.162.84.2:8080
85.109.159.61:443
85.105.140.135:443
204.225.249.100:7080
67.247.242.247:80
191.182.6.118:80
189.2.177.210:443
178.148.55.236:8080
72.167.223.217:8080
71.197.211.156:80
190.195.129.227:8090
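The list above is the config the sandbox pulled out of the sample, which is only useful once it is matched against your own telemetry. The following Python is an added example and is not part of the sandbox report or of any vendor tooling: it parses "ip:port" lines in the format above (a subset of the report's list is embedded), then matches constructed firewall-style log lines against them. The log line format, the internal source address and the non-C2 destination in the log are assumptions made for the example. One caveat a responder should keep in mind: sandbox-extracted C2 lists are a point-in-time snapshot, so an IP that appears on a different port is reported separately as "ip-only" rather than treated as a confirmed hit, and listed addresses should be verified before they go onto a block list.

```python
"""Match network telemetry against the C2 list extracted in the sandbox report.

Added example, not part of the sandbox report. C2_CONFIG below is a subset of the
report's extracted Emotet Epoch1 endpoints; SAMPLE_LOG is constructed for
illustration and is not a real capture.
"""
import ipaddress
import re
from typing import Iterable

# Subset of the extracted "ip:port" list copied from the report above.
C2_CONFIG = """
50.121.220.50:80
51.75.33.122:80
54.37.42.48:8080
91.121.54.71:8080
45.16.226.117:443
5.196.35.138:7080
186.70.127.199:8090
190.195.129.227:8090
"""


def parse_c2_config(text: str) -> dict[str, set[int]]:
    """Return {ip: {ports}} from 'ip:port' lines, skipping anything that is not a valid IPv4:port."""
    out: dict[str, set[int]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        host, sep, port = line.rpartition(":")
        if not sep or not port.isdigit():
            continue
        try:
            ip = str(ipaddress.IPv4Address(host))
        except ipaddress.AddressValueError:
            continue
        out.setdefault(ip, set()).add(int(port))
    return out


# Constructed firewall-style lines (assumed format): "<ts> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>"
SAMPLE_LOG = """\
2024-04-03T23:20:41Z 10.0.0.15:49812 -> 5.196.35.138:7080 tcp
2024-04-03T23:20:42Z 10.0.0.15:49813 -> 13.107.4.50:443 tcp
2024-04-03T23:20:43Z 10.0.0.15:49814 -> 186.70.127.199:8090 tcp
2024-04-03T23:20:44Z 10.0.0.15:49815 -> 54.37.42.48:443 tcp
2024-04-03T23:20:45Z 10.0.0.15:49816 -> 91.121.54.71:8080 tcp
"""

LOG_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (\w+)$")


def find_c2_hits(log_lines: Iterable[str], c2: dict[str, set[int]]) -> list[tuple[str, str, int, str]]:
    """Return (timestamp, dst_ip, dst_port, match_kind) for every line whose destination is a listed C2 IP.

    match_kind is 'ip+port' when the exact configured endpoint was contacted and
    'ip-only' when the IP is listed but on a different port; the latter still
    deserves a look (port rotated, or a dual-use host) but is not a confirmed hit.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess
        ts, _src, _sport, dst, dport, _proto = m.groups()
        if dst in c2:
            kind = "ip+port" if int(dport) in c2[dst] else "ip-only"
            hits.append((ts, dst, int(dport), kind))
    return hits


if __name__ == "__main__":
    c2 = parse_c2_config(C2_CONFIG)
    for ts, ip, port, kind in find_c2_hits(SAMPLE_LOG.splitlines(), c2):
        print(f"{ts} {ip}:{port} {kind}")
```

Run against the constructed log this flags four of the five lines: three exact endpoint matches and one ip-only match (54.37.42.48 contacted on 443 while the config lists 8080). The Microsoft-range destination on line two is not in the list and is ignored.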
Signatures

Executes dropped EXE (1 IoC)
  PID 2328  msvcp110.exe

Drops file in System32 directory (1 IoC)
  File opened for modification: C:\Windows\SysWOW64\networkexplorer\msvcp110.exe  by 6TYwBEsuS3j14dCM.exe
  The path is under SysWOW64, the 32-bit system directory on x64 Windows (consistent with the arch:x86 resource tag); a 32-bit process that writes to System32 is redirected here by WoW64 file system redirection. The dropped file borrows the name of a legitimate Visual C++ runtime DLL (msvcp110) but is an EXE in a subdirectory that does not normally hold executables.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  PID 2328  msvcp110.exe  (6 events)

Suspicious behavior: RenamesItself (1 IoC)
  PID 4976  6TYwBEsuS3j14dCM.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  PID 4976 (6TYwBEsuS3j14dCM.exe) wrote to the memory of PID 2328 (msvcp110.exe), 3 events
  The original sample writes into the dropped copy it launched, i.e. the parent prepares the child process rather than the child doing its own setup; the memory dumps taken from PID 2328 (see Downloads) are where to look for the unpacked payload.
Processes

1. C:\Users\Admin\AppData\Local\Temp\6TYwBEsuS3j14dCM.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\6TYwBEsuS3j14dCM.exe"
   - Drops file in System32 directory
   - Suspicious behavior: RenamesItself
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\networkexplorer\msvcp110.exe  (child of 1)
      command line: "C:\Windows\SysWOW64\networkexplorer\msvcp110.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses

1. C:\Windows\System32\rundll32.exe  (separate top-level process, no signatures attached)
   command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Windows\SysWOW64\networkexplorer\msvcp110.exe
  Filesize: 318KB
  MD5: 4a77d07c69aab90716bda7e5fdc02409
  SHA1: d9bf0be971efc8136cdcb06c48ad59530de7d22c
  SHA256: 065e6e0ac102dda862b7f3301e0975be468877ae269779def89af5bcf4a6f605
  SHA512: 16fb7380682c7913c8fe69f3cb3ed76e08a7871a7bdf15d6fab334f3ab14c3ba26b8e5c505c4f18751ee2d5b48f7cddd5c28f9dd719a0f686d5894141fe64e20
  All four digests and the size match the submitted sample (see General): the file dropped into SysWOW64\networkexplorer is a byte-identical copy of the original, so the sample's hashes are also the hashes of the persisted copy.

memory/2328-6-0x0000000000710000-0x000000000071C000-memory.dmp
  Filesize: 48KB

memory/2328-10-0x0000000000710000-0x000000000071C000-memory.dmp
  Filesize: 48KB

memory/2328-11-0x00000000020C0000-0x00000000020F2000-memory.dmp
  Filesize: 200KB

memory/4976-0-0x0000000001400000-0x000000000140C000-memory.dmp
  Filesize: 48KB

memory/4976-1-0x00000000013F0000-0x00000000013F9000-memory.dmp
  Filesize: 36KB
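The dump names above encode the PID, a sequence number and the start and end address of the dumped region, and the dropped file's digests are identical to the sample's. As an added example that is not part of the sandbox report, the Python below parses that naming scheme, checks that each address range agrees with the Filesize the report gives, picks the largest dumped region per PID (the 200KB region in PID 2328 is the natural first candidate for the unpacked payload), and verifies byte-identity over the same four digests the report lists. The two byte strings are constructed stand-ins so the check runs offline; they are not the real 318KB sample.

```python
"""Triage the artifacts listed under Downloads in the sandbox report.

Added example, not part of the sandbox report. The dump-name format is the one
used above ("memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp"); SAMPLE_BYTES and
DROPPED_BYTES are constructed stand-ins for the sample and the dropped file.
"""
import hashlib
import re

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name: str) -> dict:
    """Split a dump file name into pid, sequence number, start/end address and size in bytes."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a sandbox-style dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"end address not after start in {name!r}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end, "size": end - start}


# Dump names exactly as listed in the report, with the Filesize the report gives for each.
REPORTED_DUMPS = {
    "memory/2328-6-0x0000000000710000-0x000000000071C000-memory.dmp": 48 * 1024,
    "memory/2328-10-0x0000000000710000-0x000000000071C000-memory.dmp": 48 * 1024,
    "memory/2328-11-0x00000000020C0000-0x00000000020F2000-memory.dmp": 200 * 1024,
    "memory/4976-0-0x0000000001400000-0x000000000140C000-memory.dmp": 48 * 1024,
    "memory/4976-1-0x00000000013F0000-0x00000000013F9000-memory.dmp": 36 * 1024,
}


def check_dump_sizes(reported: dict[str, int]) -> list[str]:
    """Return the names whose address range disagrees with the reported size (empty list means all consistent)."""
    return [name for name, size in reported.items() if parse_dump_name(name)["size"] != size]


def largest_dump_for_pid(reported: dict[str, int], pid: int) -> str:
    """Pick the biggest region dumped from one PID; for an injected-into process this is the first place to look for an unpacked payload."""
    names = [n for n in reported if parse_dump_name(n)["pid"] == pid]
    if not names:
        raise KeyError(f"no dumps for pid {pid}")
    return max(names, key=lambda n: parse_dump_name(n)["size"])


def digests(data: bytes) -> dict[str, str]:
    """The four digests the report lists, computed over raw bytes."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256", "sha512")}


def same_file(a: bytes, b: bytes) -> bool:
    """True when every listed digest matches, i.e. the dropped copy is byte-identical to the sample."""
    return digests(a) == digests(b)


# Constructed stand-ins (not the real sample): an MZ header plus filler, copied verbatim for the "dropped" file.
SAMPLE_BYTES = b"MZ" + b"\x90" * 62 + b"constructed-stand-in-for-6TYwBEsuS3j14dCM.exe"
DROPPED_BYTES = bytes(SAMPLE_BYTES)

if __name__ == "__main__":
    print("inconsistent dumps:", check_dump_sizes(REPORTED_DUMPS))
    for pid in (2328, 4976):
        print(f"largest region for pid {pid}:", largest_dump_for_pid(REPORTED_DUMPS, pid))
    print("dropped copy identical to sample:", same_file(SAMPLE_BYTES, DROPPED_BYTES))
```

On the report's own dump list every range agrees with its Filesize (0x20F2000 minus 0x20C0000 is 0x32000, exactly 200KB), the largest region for PID 2328 is the sequence-11 dump at 0x20C0000, and the two 48KB dumps at 0x710000 are the same region captured twice (sequence 6 and 10), which is worth diffing rather than treating as duplicates.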