Analysis

max time kernel: 118s
max time network: 121s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-04-2024 18:18
Static task: static1
General

Target: run.ps1
Size: 285B
MD5: 79d5729de7996aefc02ce1f13579caaa
SHA1: 263eb9ac39024ad390c369f5e51736801ee7178d
SHA256: 5be3a53440a1422f853358cf0bf0b60cbb08ab943d989faaac2865207b8c5661
SHA512: 3c82f11f72266d7a175c47ad7b4e39ed8ab5446b169358083f9848d7fdd762da15273b6793d710e2f253b058ebd31a6e2d4f135d126fea7af02231e981f056b4
Malware Config

Extracted: emotet (Epoch5)
C2 list:
Signatures

Blocklisted process makes network request (2 IoCs)
Processes:
  flow  pid   process
  9     3516  powershell.exe
  13    3516  powershell.exe

Loads dropped DLL (2 IoCs)
Processes:
  pid   process
  1716  regsvr32.exe
  1280  regsvr32.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)

Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes:
  pid   process
  3516  powershell.exe
  3516  powershell.exe
  1716  regsvr32.exe
  1716  regsvr32.exe
  1280  regsvr32.exe
  1280  regsvr32.exe
  1280  regsvr32.exe
  1280  regsvr32.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes:
  description                  pid   process
  Token: SeDebugPrivilege      3516  powershell.exe
  Token: SeRestorePrivilege    2060  7z.exe
  Token: 35                    2060  7z.exe
  Token: SeSecurityPrivilege   2060  7z.exe
  Token: SeSecurityPrivilege   2060  7z.exe

Suspicious use of WriteProcessMemory (16 IoCs)
Processes:
  description                        pid   process         target process
  PID 3516 wrote to memory of 2060   3516  powershell.exe  7z.exe
  PID 3516 wrote to memory of 2060   3516  powershell.exe  7z.exe
  PID 3516 wrote to memory of 2700   3516  powershell.exe  cmd.exe
  PID 3516 wrote to memory of 2700   3516  powershell.exe  cmd.exe
  PID 2700 wrote to memory of 4996   2700  cmd.exe         regsvr32.exe
  PID 2700 wrote to memory of 4996   2700  cmd.exe         regsvr32.exe
  PID 3436 wrote to memory of 4784   3436  cmd.exe         regsvr32.exe
  PID 3436 wrote to memory of 4784   3436  cmd.exe         regsvr32.exe
  PID 2256 wrote to memory of 436    2256  cmd.exe         regsvr32.exe
  PID 2256 wrote to memory of 436    2256  cmd.exe         regsvr32.exe
  PID 2256 wrote to memory of 1716   2256  cmd.exe         regsvr32.exe
  PID 2256 wrote to memory of 1716   2256  cmd.exe         regsvr32.exe
  PID 2256 wrote to memory of 3912   2256  cmd.exe         regsvr32.exe
  PID 2256 wrote to memory of 3912   2256  cmd.exe         regsvr32.exe
  PID 1716 wrote to memory of 1280   1716  regsvr32.exe    regsvr32.exe
  PID 1716 wrote to memory of 1280   1716  regsvr32.exe    regsvr32.exe
Processes (indentation shows parent/child depth)

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\run.ps1
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Program Files\7-Zip\7z.exe
      "C:\Program Files\7-Zip\7z.exe" x -pinfected C:\Users\Admin\AppData\Local\Temp\emotet.zip -oC:\Users\Admin\AppData\Local\Temp
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "regsvr32.exe /s '%temp%\emotet.dll'"
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\regsvr32.exe
          regsvr32.exe /s 'C:\Users\Admin\AppData\Local\Temp\emotet.dll'

C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "regsvr32 /s 'C:\Users\Admin\AppData\Local\Temp\emotet.dll'"
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\regsvr32.exe
      regsvr32 /s 'C:\Users\Admin\AppData\Local\Temp\emotet.dll'

C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k "regsvr32 /s 'C:\Users\Admin\AppData\Local\Temp\emotet.dll'"
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\regsvr32.exe
      regsvr32 /s 'C:\Users\Admin\AppData\Local\Temp\emotet.dll'

    C:\Windows\system32\regsvr32.exe
      regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\emotet.dll"
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\regsvr32.exe
          C:\Windows\system32\regsvr32.exe "C:\Windows\system32\RdNhGeYLjVOuZ\lyVmvfVpyZ.dll"
          - Loads dropped DLL
          - Suspicious behavior: EnumeratesProcesses

    C:\Windows\system32\regsvr32.exe
      regsvr32 "C:\Users\Admin\AppData\Local\Temp\emotet.dll"
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5w50xf0z.a5w.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\emotet.dll
  Filesize: 534KB
  MD5: 56bb8500d7ab6860760eddd7a55e9456
  SHA1: e9b38c5fb51ce1a038f65c1620115a9bba1e383d
  SHA256: b4bead39ead2a29de2f0a6fb52eea172cfe25224b71e4a9b1418f55c8b053d59
  SHA512: 83ceff476d071412b02bab0753bd3c4440937b663397d73349fa90c38d96cf88051b645c781cbe5de281aa3bd45e71da7fcc8c99c2846ce29c2f36c3e1307a84

C:\Users\Admin\AppData\Local\Temp\emotet.zip
  Filesize: 289KB
  MD5: ebe6bc9eab807cdd910976a341bc070d
  SHA1: 1052700b1945bb1754f3cadad669fc4a99f5607b
  SHA256: b0353f4547466a0a402198b3750d928fc7c4e96dd3adc00b181e9d98e4602ea7
  SHA512: 9a6bfcb90c1e24be1b930990dd2af72e889f71ad7e1a7b8353b6522a625e2ae36013793ee2c159880bd510b8f785ce4c9dfced1d2901d3ca8f091e26084185a8

Memory dumps:
  memory/1716-22-0x0000000002E10000-0x0000000002E40000-memory.dmp    Filesize: 192KB
  memory/1716-25-0x0000000001640000-0x0000000001641000-memory.dmp    Filesize: 4KB
  memory/3516-0-0x000001B4A1CF0000-0x000001B4A1D12000-memory.dmp     Filesize: 136KB
  memory/3516-10-0x00007FFECA640000-0x00007FFECB101000-memory.dmp    Filesize: 10.8MB
  memory/3516-11-0x000001B488E50000-0x000001B488E60000-memory.dmp    Filesize: 64KB
  memory/3516-12-0x000001B488E50000-0x000001B488E60000-memory.dmp    Filesize: 64KB
  memory/3516-19-0x00007FFECA640000-0x00007FFECB101000-memory.dmp    Filesize: 10.8MB