Analysis
-
max time kernel
116s -
max time network
114s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
19/12/2024, 02:52
Behavioral task
behavioral1
Sample
5cd688e40e512b7ad59f876094f487eee410a4433c39012c61c6e839f64858ca.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
120 seconds
General
-
Target
5cd688e40e512b7ad59f876094f487eee410a4433c39012c61c6e839f64858ca.exe
-
Size
154KB
-
MD5
b83b722b2bd8310b051fc3c97fd68008
-
SHA1
5700e9ccbc5802bb88c57caf7a084277e10e8720
-
SHA256
5cd688e40e512b7ad59f876094f487eee410a4433c39012c61c6e839f64858ca
-
SHA512
9b9baa58e4c4bf683fb6fba14485606f40e4a2fb57d004cac1f9adb9a31b74477642ec4f0912e8e2ea6de5dd6cbbbe05131e56affff2ab7f658137583f65d553
-
SSDEEP
3072:uxwGkliAs4eOWdCYhG2rV5yhNFIWps3d78Mw+dXM47ulimTt8G5s6aT:YulPynhRrV5ceof4CN84U
Malware Config
Extracted
Family
emotet
Botnet
Epoch2
C2
186.75.241.230:80
181.143.194.138:443
181.143.53.227:21
85.104.59.244:20
80.11.163.139:443
167.71.10.37:8080
104.131.44.150:8080
185.187.198.15:80
133.167.80.63:7080
198.199.114.69:8080
144.139.247.220:80
152.89.236.214:8080
78.24.219.147:8080
92.222.216.44:8080
46.105.131.87:80
190.226.44.20:21
182.176.132.213:8090
85.54.169.141:8080
192.81.213.192:8080
101.187.237.217:20
211.63.71.72:8080
5.196.74.210:8080
27.4.80.183:443
27.147.163.188:8080
222.214.218.192:8080
104.236.246.93:8080
91.205.215.66:8080
190.18.146.70:80
138.201.140.110:8080
190.108.228.48:990
206.189.98.125:8080
178.79.161.166:443
182.76.6.2:8080
115.78.95.230:443
24.45.195.162:7080
173.212.203.26:8080
87.106.139.101:8080
182.176.106.43:995
199.255.156.210:8080
37.157.194.134:443
192.254.173.31:8080
87.106.136.232:8080
190.53.135.159:21
85.106.1.166:50000
200.71.148.138:8080
47.41.213.2:22
149.202.153.252:8080
190.211.207.11:443
62.75.187.192:8080
24.45.195.162:8443
212.71.234.16:8080
189.209.217.49:80
201.251.43.69:8080
45.33.49.124:443
86.98.25.30:53
95.128.43.213:8080
136.243.177.26:8080
159.65.25.128:8080
185.94.252.13:443
31.172.240.91:8080
92.233.128.13:143
41.220.119.246:80
31.12.67.62:7080
201.184.105.242:443
190.145.67.134:8090
181.31.213.158:8080
80.11.163.139:21
59.103.164.174:80
124.240.198.66:80
104.131.11.150:8080
190.106.97.230:443
94.192.225.46:80
67.225.229.55:8080
190.228.72.244:53
94.205.247.10:80
169.239.182.217:8080
217.160.182.191:8080
87.230.19.21:8080
rsa_pubkey.plain
Signatures
-
Emotet family
-
Drops file in System32 directory 5 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357 umxafter.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357 umxafter.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat umxafter.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 umxafter.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 umxafter.exe -
resource yara_rule behavioral1/memory/2452-0-0x0000000000400000-0x0000000000465000-memory.dmp upx behavioral1/memory/2104-10-0x0000000000400000-0x0000000000465000-memory.dmp upx behavioral1/memory/2452-9-0x0000000000400000-0x0000000000465000-memory.dmp upx behavioral1/memory/2104-25-0x0000000000400000-0x0000000000465000-memory.dmp upx behavioral1/memory/1708-24-0x0000000000400000-0x0000000000465000-memory.dmp upx behavioral1/memory/2744-22-0x0000000000400000-0x0000000000465000-memory.dmp upx behavioral1/memory/1708-31-0x0000000000400000-0x0000000000465000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5cd688e40e512b7ad59f876094f487eee410a4433c39012c61c6e839f64858ca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5cd688e40e512b7ad59f876094f487eee410a4433c39012c61c6e839f64858ca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language umxafter.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language umxafter.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates umxafter.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates umxafter.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2e-8f-20-da-30-64 umxafter.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" umxafter.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs umxafter.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs umxafter.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs umxafter.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA umxafter.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs umxafter.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed umxafter.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" umxafter.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FDB79F6B-DB68-4FE9-BD08-B5B640F9D55B}\WpadDecisionReason = "1" umxafter.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2e-8f-20-da-30-64\WpadDecisionReason = "1" umxafter.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root umxafter.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot umxafter.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FDB79F6B-DB68-4FE9-BD08-B5B640F9D55B}\2e-8f-20-da-30-64 umxafter.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2e-8f-20-da-30-64\WpadDecision = "0" umxafter.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs umxafter.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs umxafter.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates umxafter.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs umxafter.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs umxafter.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs umxafter.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 umxafter.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad umxafter.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FDB79F6B-DB68-4FE9-BD08-B5B640F9D55B} umxafter.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" umxafter.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2e-8f-20-da-30-64\WpadDecisionTime = b0221212c151db01 umxafter.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust umxafter.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates umxafter.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates umxafter.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 umxafter.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings umxafter.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" umxafter.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates umxafter.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" umxafter.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f007c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 umxafter.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs umxafter.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed umxafter.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs umxafter.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix umxafter.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FDB79F6B-DB68-4FE9-BD08-B5B640F9D55B}\WpadDecisionTime = b0221212c151db01 umxafter.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA umxafter.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs umxafter.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing umxafter.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates umxafter.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs umxafter.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ umxafter.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My umxafter.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs umxafter.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs umxafter.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs umxafter.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs umxafter.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust umxafter.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates umxafter.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings umxafter.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 umxafter.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs umxafter.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs umxafter.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs umxafter.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FDB79F6B-DB68-4FE9-BD08-B5B640F9D55B}\WpadDecision = "0" umxafter.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople umxafter.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople umxafter.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates umxafter.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 1708 umxafter.exe 1708 umxafter.exe 1708 umxafter.exe 1708 umxafter.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 2104 5cd688e40e512b7ad59f876094f487eee410a4433c39012c61c6e839f64858ca.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2452 wrote to memory of 2104 2452 5cd688e40e512b7ad59f876094f487eee410a4433c39012c61c6e839f64858ca.exe 31 PID 2452 wrote to memory of 2104 2452 5cd688e40e512b7ad59f876094f487eee410a4433c39012c61c6e839f64858ca.exe 31 PID 2452 wrote to memory of 2104 2452 5cd688e40e512b7ad59f876094f487eee410a4433c39012c61c6e839f64858ca.exe 31 PID 2452 wrote to memory of 2104 2452 5cd688e40e512b7ad59f876094f487eee410a4433c39012c61c6e839f64858ca.exe 31 PID 2744 wrote to memory of 1708 2744 umxafter.exe 33 PID 2744 wrote to memory of 1708 2744 umxafter.exe 33 PID 2744 wrote to memory of 1708 2744 umxafter.exe 33 PID 2744 wrote to memory of 1708 2744 umxafter.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\5cd688e40e512b7ad59f876094f487eee410a4433c39012c61c6e839f64858ca.exe"C:\Users\Admin\AppData\Local\Temp\5cd688e40e512b7ad59f876094f487eee410a4433c39012c61c6e839f64858ca.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Users\Admin\AppData\Local\Temp\5cd688e40e512b7ad59f876094f487eee410a4433c39012c61c6e839f64858ca.exe--8de85ba12⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
PID:2104
-
-
C:\Windows\SysWOW64\umxafter.exe"C:\Windows\SysWOW64\umxafter.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\umxafter.exe--334e000e2⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1708
-