Analysis
max time kernel: 23s
max time network: 25s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-04-2024 18:21
Static task: static1
General
Target: script.ps1
Size: 285B
MD5: 8dd91f9af4b71220f2b2e28f6ac12dc1
SHA1: af75d53cdc45819058b7f5d76fc224d8ed46eb10
SHA256: 0aae097d8d7904effeed44dcfe0d0bf1aa6675dfe5d645e271b19efe36d370e1
SHA512: 29a4d2471a5ececbb27159b736ade805c160be670702090444e60fac749f609b6b4fe88ad5e16228619ad60c908dd54f16f8e95d9bc498ec9ff17354bca2b47e
Malware Config
Extracted
emotet
Epoch5
178.238.225.252:8080
139.196.72.155:8080
36.67.23.59:443
103.56.149.105:8080
37.44.244.177:8080
85.25.120.45:8080
202.134.4.210:7080
78.47.204.80:443
83.229.80.93:8080
93.104.209.107:8080
80.211.107.116:8080
165.22.254.236:8080
104.244.79.94:443
185.148.169.10:8080
190.145.8.4:443
175.126.176.79:8080
139.59.80.108:8080
188.165.79.151:443
128.199.217.206:443
64.227.55.231:8080
218.38.121.17:443
103.71.99.57:8080
103.224.241.74:8080
128.199.242.164:8080
85.214.67.203:8080
103.254.12.236:7080
46.101.98.60:8080
178.62.112.199:8080
210.57.209.142:8080
195.77.239.39:8080
103.126.216.86:443
82.98.180.154:7080
202.28.34.99:8080
174.138.33.49:7080
160.16.143.191:8080
51.75.33.122:443
103.41.204.169:8080
186.250.48.5:443
87.106.97.83:7080
118.98.72.86:443
196.44.98.190:8080
103.85.95.4:8080
62.171.178.147:8080
54.37.228.122:443
114.79.130.68:443
198.199.70.22:8080
Signatures

Blocklisted process makes network request (2 IoCs)
Processes:
  flow  pid   process
  5     1392  powershell.exe
  10    1392  powershell.exe

Loads dropped DLL (2 IoCs)
Processes:
  pid   process
  3196  regsvr32.exe
  4508  regsvr32.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)

Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes:
  pid   process
  1392  powershell.exe
  1392  powershell.exe
  3196  regsvr32.exe
  3196  regsvr32.exe
  4508  regsvr32.exe
  4508  regsvr32.exe
  4508  regsvr32.exe
  4508  regsvr32.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes:
  description                 pid   process
  Token: SeDebugPrivilege     1392  powershell.exe
  Token: SeRestorePrivilege   5044  7z.exe
  Token: 35                   5044  7z.exe
  Token: SeSecurityPrivilege  5044  7z.exe
  Token: SeSecurityPrivilege  5044  7z.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  description                       pid   process         target process
  PID 1392 wrote to memory of 5044  1392  powershell.exe  7z.exe
  PID 1392 wrote to memory of 5044  1392  powershell.exe  7z.exe
  PID 1392 wrote to memory of 2756  1392  powershell.exe  cmd.exe
  PID 1392 wrote to memory of 2756  1392  powershell.exe  cmd.exe
  PID 2756 wrote to memory of 3196  2756  cmd.exe         regsvr32.exe
  PID 2756 wrote to memory of 3196  2756  cmd.exe         regsvr32.exe
  PID 3196 wrote to memory of 4508  3196  regsvr32.exe    regsvr32.exe
  PID 3196 wrote to memory of 4508  3196  regsvr32.exe    regsvr32.exe
Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\script.ps1
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Program Files\7-Zip\7z.exe
    Command line: "C:\Program Files\7-Zip\7z.exe" x -pinfected C:\Users\Admin\AppData\Local\Temp\emotet.zip -oC:\Users\Admin\AppData\Local\Temp
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c "regsvr32.exe /s "%temp%\emotet.dll""
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\regsvr32.exe
      Command line: regsvr32.exe /s "C:\Users\Admin\AppData\Local\Temp\emotet.dll"
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\regsvr32.exe
        Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\WZJZQ\uJMxwtZSlqOY.dll"
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gjodrieq.gxk.ps1
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\emotet.dll
Filesize: 534KB
MD5: 56bb8500d7ab6860760eddd7a55e9456
SHA1: e9b38c5fb51ce1a038f65c1620115a9bba1e383d
SHA256: b4bead39ead2a29de2f0a6fb52eea172cfe25224b71e4a9b1418f55c8b053d59
SHA512: 83ceff476d071412b02bab0753bd3c4440937b663397d73349fa90c38d96cf88051b645c781cbe5de281aa3bd45e71da7fcc8c99c2846ce29c2f36c3e1307a84

C:\Users\Admin\AppData\Local\Temp\emotet.zip
Filesize: 289KB
MD5: ebe6bc9eab807cdd910976a341bc070d
SHA1: 1052700b1945bb1754f3cadad669fc4a99f5607b
SHA256: b0353f4547466a0a402198b3750d928fc7c4e96dd3adc00b181e9d98e4602ea7
SHA512: 9a6bfcb90c1e24be1b930990dd2af72e889f71ad7e1a7b8353b6522a625e2ae36013793ee2c159880bd510b8f785ce4c9dfced1d2901d3ca8f091e26084185a8

memory/1392-5-0x0000028CD85C0000-0x0000028CD85E2000-memory.dmp
Filesize: 136KB

memory/1392-10-0x00007FFE22E80000-0x00007FFE23941000-memory.dmp
Filesize: 10.8MB

memory/1392-12-0x0000028CBF660000-0x0000028CBF670000-memory.dmp
Filesize: 64KB

memory/1392-11-0x0000028CBF660000-0x0000028CBF670000-memory.dmp
Filesize: 64KB

memory/1392-26-0x00007FFE22E80000-0x00007FFE23941000-memory.dmp
Filesize: 10.8MB

memory/3196-19-0x0000000002BD0000-0x0000000002C00000-memory.dmp
Filesize: 192KB

memory/3196-22-0x0000000000ED0000-0x0000000000ED1000-memory.dmp
Filesize: 4KB