Analysis
max time kernel: 118s
max time network: 122s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 19/12/2024, 05:26
Behavioral task: behavioral1
Sample: d47313c13f3cecc8963c1ad3d29c112768ead5c2622f0d97dd7fc40be72276f9N.exe
Resource: win7-20241010-en
General
Target: d47313c13f3cecc8963c1ad3d29c112768ead5c2622f0d97dd7fc40be72276f9N.exe
Size: 154KB
MD5: dee1c6afa33364f1244e862316f175d0
SHA1: c9b6b1b89d26c74809816f6800f4adbc814b8a70
SHA256: d47313c13f3cecc8963c1ad3d29c112768ead5c2622f0d97dd7fc40be72276f9
SHA512: 5260f6b1a1e842c78b5d7949f02883486ade94b799d0315800c39517224eb4b918f0b1931d9b15e28467f24ba87b9fdf35abecfa9380c25dc8c4925a7e44bbfb
SSDEEP: 3072:uxwGkliAs4eOWdCYhG2rV5yhNFIWps3d78Mw+dXM47ulimTt8G5s6a:YulPynhRrV5ceof4CN84
Malware Config
Extracted
emotet
Epoch2
186.75.241.230:80
181.143.194.138:443
181.143.53.227:21
85.104.59.244:20
80.11.163.139:443
167.71.10.37:8080
104.131.44.150:8080
185.187.198.15:80
133.167.80.63:7080
198.199.114.69:8080
144.139.247.220:80
152.89.236.214:8080
78.24.219.147:8080
92.222.216.44:8080
46.105.131.87:80
190.226.44.20:21
182.176.132.213:8090
85.54.169.141:8080
192.81.213.192:8080
101.187.237.217:20
211.63.71.72:8080
5.196.74.210:8080
27.4.80.183:443
27.147.163.188:8080
222.214.218.192:8080
104.236.246.93:8080
91.205.215.66:8080
190.18.146.70:80
138.201.140.110:8080
190.108.228.48:990
206.189.98.125:8080
178.79.161.166:443
182.76.6.2:8080
115.78.95.230:443
24.45.195.162:7080
173.212.203.26:8080
87.106.139.101:8080
182.176.106.43:995
199.255.156.210:8080
37.157.194.134:443
192.254.173.31:8080
87.106.136.232:8080
190.53.135.159:21
85.106.1.166:50000
200.71.148.138:8080
47.41.213.2:22
149.202.153.252:8080
190.211.207.11:443
62.75.187.192:8080
24.45.195.162:8443
212.71.234.16:8080
189.209.217.49:80
201.251.43.69:8080
45.33.49.124:443
86.98.25.30:53
95.128.43.213:8080
136.243.177.26:8080
159.65.25.128:8080
185.94.252.13:443
31.172.240.91:8080
92.233.128.13:143
41.220.119.246:80
31.12.67.62:7080
201.184.105.242:443
190.145.67.134:8090
181.31.213.158:8080
80.11.163.139:21
59.103.164.174:80
124.240.198.66:80
104.131.11.150:8080
190.106.97.230:443
94.192.225.46:80
67.225.229.55:8080
190.228.72.244:53
94.205.247.10:80
169.239.182.217:8080
217.160.182.191:8080
87.230.19.21:8080
Signatures

Emotet family

Drops file in System32 directory (10 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | chorecap.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | chorecap.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | chorecap.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | chorecap.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | chorecap.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | chorecap.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | chorecap.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | chorecap.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | chorecap.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | chorecap.exe

resource | yara_rule
behavioral2/memory/3592-0-0x0000000000400000-0x0000000000465000-memory.dmp | upx
behavioral2/memory/3592-8-0x0000000000400000-0x0000000000465000-memory.dmp | upx
behavioral2/memory/1436-20-0x0000000000400000-0x0000000000465000-memory.dmp | upx
behavioral2/memory/2296-21-0x0000000000400000-0x0000000000465000-memory.dmp | upx
behavioral2/memory/4728-23-0x0000000000400000-0x0000000000465000-memory.dmp | upx
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d47313c13f3cecc8963c1ad3d29c112768ead5c2622f0d97dd7fc40be72276f9N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d47313c13f3cecc8963c1ad3d29c112768ead5c2622f0d97dd7fc40be72276f9n.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | chorecap.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | chorecap.exe
Modifies data under HKEY_USERS (49 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | chorecap.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | chorecap.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | chorecap.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | chorecap.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | chorecap.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | chorecap.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | chorecap.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | chorecap.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | chorecap.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | chorecap.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | chorecap.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | chorecap.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | chorecap.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | chorecap.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | chorecap.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | chorecap.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | chorecap.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | chorecap.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | chorecap.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | chorecap.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | chorecap.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | chorecap.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | chorecap.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | chorecap.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | chorecap.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | chorecap.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | chorecap.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | chorecap.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | chorecap.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | chorecap.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | chorecap.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | chorecap.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | chorecap.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | chorecap.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | chorecap.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | chorecap.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | chorecap.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | chorecap.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | chorecap.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | chorecap.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | chorecap.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | chorecap.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | chorecap.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | chorecap.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | chorecap.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | chorecap.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | chorecap.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | chorecap.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | chorecap.exe
Suspicious behavior: EnumeratesProcesses (12 IoCs)
pid | Process
2296 | chorecap.exe
2296 | chorecap.exe
2296 | chorecap.exe
2296 | chorecap.exe
2296 | chorecap.exe
2296 | chorecap.exe
2296 | chorecap.exe
2296 | chorecap.exe
2296 | chorecap.exe
2296 | chorecap.exe
2296 | chorecap.exe
2296 | chorecap.exe

Suspicious behavior: RenamesItself (1 IoCs)
pid | Process
4728 | d47313c13f3cecc8963c1ad3d29c112768ead5c2622f0d97dd7fc40be72276f9n.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 3592 wrote to memory of 4728 | 3592 | d47313c13f3cecc8963c1ad3d29c112768ead5c2622f0d97dd7fc40be72276f9N.exe | 82
PID 3592 wrote to memory of 4728 | 3592 | d47313c13f3cecc8963c1ad3d29c112768ead5c2622f0d97dd7fc40be72276f9N.exe | 82
PID 3592 wrote to memory of 4728 | 3592 | d47313c13f3cecc8963c1ad3d29c112768ead5c2622f0d97dd7fc40be72276f9N.exe | 82
PID 1436 wrote to memory of 2296 | 1436 | chorecap.exe | 86
PID 1436 wrote to memory of 2296 | 1436 | chorecap.exe | 86
PID 1436 wrote to memory of 2296 | 1436 | chorecap.exe | 86
Processes

C:\Users\Admin\AppData\Local\Temp\d47313c13f3cecc8963c1ad3d29c112768ead5c2622f0d97dd7fc40be72276f9N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d47313c13f3cecc8963c1ad3d29c112768ead5c2622f0d97dd7fc40be72276f9N.exe"
  PID: 3592
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\d47313c13f3cecc8963c1ad3d29c112768ead5c2622f0d97dd7fc40be72276f9n.exe (child of PID 3592)
    Command line: --982a12a1
    PID: 4728
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: RenamesItself

C:\Windows\SysWOW64\chorecap.exe
  Command line: "C:\Windows\SysWOW64\chorecap.exe"
  PID: 1436
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\chorecap.exe (child of PID 1436)
    Command line: --5294a9a7
    PID: 2296
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses