Overview
overview
10Static
static
10Malware-1-...30.exe
windows7-x64
10Malware-1-...30.exe
windows10-2004-x64
10Malware-1-...40.exe
windows7-x64
10Malware-1-...40.exe
windows10-2004-x64
10Malware-1-...32.exe
windows7-x64
10Malware-1-...32.exe
windows10-2004-x64
Malware-1-.../5.exe
windows7-x64
10Malware-1-.../5.exe
windows10-2004-x64
10Malware-1-...91.exe
windows7-x64
10Malware-1-...91.exe
windows10-2004-x64
10Malware-1-...ey.exe
windows7-x64
7Malware-1-...ey.exe
windows10-2004-x64
7Malware-1-...ad.exe
windows7-x64
3Malware-1-...ad.exe
windows10-2004-x64
3Malware-1-...ti.exe
windows7-x64
5Malware-1-...ti.exe
windows10-2004-x64
5Malware-1-...an.bat
windows7-x64
7Malware-1-...an.bat
windows10-2004-x64
7Malware-1-...an.exe
windows7-x64
3Malware-1-...an.exe
windows10-2004-x64
7Malware-1-...ve.bat
windows7-x64
7Malware-1-...ve.bat
windows10-2004-x64
7Malware-1-...ve.exe
windows7-x64
6Malware-1-...ve.exe
windows10-2004-x64
7Malware-1-...ya.exe
windows7-x64
6Malware-1-...ya.exe
windows10-2004-x64
Malware-1-...re.exe
windows7-x64
10Malware-1-...re.exe
windows10-2004-x64
10Malware-1-...ry.exe
windows7-x64
10Malware-1-...ry.exe
windows10-2004-x64
10Malware-1-...ck.exe
windows7-x64
3Malware-1-...ck.exe
windows10-2004-x64
3Resubmissions
13/02/2025, 01:26 UTC
250213-btppra1pcz 1017/01/2025, 20:14 UTC
250117-yz7h3s1qfw 1017/01/2025, 20:12 UTC
250117-yy9l2sslcr 1017/01/2025, 17:25 UTC
250117-vy9p9sxpez 1017/01/2025, 17:21 UTC
250117-vw8eesyjfp 1017/01/2025, 14:16 UTC
250117-rk9ass1rhk 1017/01/2025, 14:12 UTC
250117-rhv1ds1lds 1016/01/2025, 12:52 UTC
250116-p4et7a1mez 10Analysis
-
max time kernel
136s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
17/01/2025, 17:25 UTC
Behavioral task
behavioral1
Sample
Malware-1-master/2530.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Malware-1-master/2530.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
Malware-1-master/2887140.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
Malware-1-master/2887140.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
Malware-1-master/32.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
Malware-1-master/32.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
Malware-1-master/5.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
Malware-1-master/5.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
Malware-1-master/96591.exe
Resource
win7-20240729-en
Behavioral task
behavioral10
Sample
Malware-1-master/96591.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
Malware-1-master/Amadey.exe
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
Malware-1-master/Amadey.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
Malware-1-master/Download.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
Malware-1-master/Download.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
Malware-1-master/Illuminati.exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
Malware-1-master/Illuminati.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
Malware-1-master/MEMZ-Clean.bat
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
Malware-1-master/MEMZ-Clean.bat
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
Malware-1-master/MEMZ-Clean.exe
Resource
win7-20241010-en
Behavioral task
behavioral20
Sample
Malware-1-master/MEMZ-Clean.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
Malware-1-master/MEMZ-Destructive.bat
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
Malware-1-master/MEMZ-Destructive.bat
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
Malware-1-master/MEMZ-Destructive.exe
Resource
win7-20240729-en
Behavioral task
behavioral24
Sample
Malware-1-master/MEMZ-Destructive.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral25
Sample
Malware-1-master/Petya.exe
Resource
win7-20240903-en
Behavioral task
behavioral26
Sample
Malware-1-master/Petya.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral27
Sample
Malware-1-master/Software.exe
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
Malware-1-master/Software.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral29
Sample
Malware-1-master/WannaCry.exe
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
Malware-1-master/WannaCry.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral31
Sample
Malware-1-master/Win32.EvilClusterFuck.exe
Resource
win7-20241023-en
Behavioral task
behavioral32
Sample
Malware-1-master/Win32.EvilClusterFuck.exe
Resource
win10v2004-20241007-en
General
-
Target
Malware-1-master/2530.exe
-
Size
1.2MB
-
MD5
568d17d6da77a46e35c8094a7c414375
-
SHA1
500fa749471dad4ae40da6aa33fd6b2a53bcf200
-
SHA256
0da56126ffb57acb5bb1a3ffa1c4c0c2605d257988b2d2964344b8f23173f615
-
SHA512
7beb044f8bd366350b267c0fedc8466d2c5fd80b0f791f5697ce4577edced36b668401fd48df90b6c4ced05247d990c5e739e7232a2dcfc059dcc0c6a79d9427
-
SSDEEP
12288:D+FwW6Se3oB/8WjH2fIGOVoDJLvfOqsUFY:D+qJSgZwEIGOVUJLnOqs+Y
Malware Config
Signatures
-
Emotet family
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spcpremium.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spcpremium.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2530.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2530.exe -
Suspicious behavior: EnumeratesProcesses 22 IoCs
pid Process 4944 2530.exe 4944 2530.exe 3964 2530.exe 3964 2530.exe 4464 spcpremium.exe 4464 spcpremium.exe 2976 spcpremium.exe 2976 spcpremium.exe 2976 spcpremium.exe 2976 spcpremium.exe 2976 spcpremium.exe 2976 spcpremium.exe 2976 spcpremium.exe 2976 spcpremium.exe 2976 spcpremium.exe 2976 spcpremium.exe 2976 spcpremium.exe 2976 spcpremium.exe 2976 spcpremium.exe 2976 spcpremium.exe 2976 spcpremium.exe 2976 spcpremium.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 3964 2530.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 4944 wrote to memory of 3964 4944 2530.exe 82 PID 4944 wrote to memory of 3964 4944 2530.exe 82 PID 4944 wrote to memory of 3964 4944 2530.exe 82 PID 4464 wrote to memory of 2976 4464 spcpremium.exe 85 PID 4464 wrote to memory of 2976 4464 spcpremium.exe 85 PID 4464 wrote to memory of 2976 4464 spcpremium.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\Malware-1-master\2530.exe"C:\Users\Admin\AppData\Local\Temp\Malware-1-master\2530.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4944 -
C:\Users\Admin\AppData\Local\Temp\Malware-1-master\2530.exe"C:\Users\Admin\AppData\Local\Temp\Malware-1-master\2530.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
PID:3964
-
-
C:\Windows\SysWOW64\spcpremium.exe"C:\Windows\SysWOW64\spcpremium.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4464 -
C:\Windows\SysWOW64\spcpremium.exe"C:\Windows\SysWOW64\spcpremium.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2976
-
Network
-
Remote address:8.8.8.8:53Request196.249.167.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request33.107.17.2.in-addr.arpaIN PTRResponse33.107.17.2.in-addr.arpaIN PTRa2-17-107-33deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request73.31.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request245.131.30.184.in-addr.arpaIN PTRResponse245.131.30.184.in-addr.arpaIN PTRa184-30-131-245deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request232.168.11.51.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request154.239.44.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request50.23.12.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request241.42.69.40.in-addr.arpaIN PTRResponse
-
Remote address:38.140.147.42:80RequestGET / HTTP/1.1
Cookie: 45995=XkolvxKdpaTOT2WLCxR54ZdE+eA3Ry0ZLubqrn3KrclHU6fhFcjvqMls2/iG4+75YB8zwN4a2HOFo+Ydyjzk+2AEg0UpZFqpMuUxIGy81HnVvcF8n+Ny1A325VgEwPM/7KpnPUjknG2ncNaPUziFguP2gvquWuJRN8TVQy9tetkUy4TjLuZ8rjuvnpoQSrMVFF+FrkVOloLK6r9BiRMpGP6dBLlFP2nA+ONGycW30pkIsnU3fog1BAZGB+4v5q+Lqg/Ff1IvtlZKem1Qe4hCDF3fmB89m5I47hiZvy9VJbuKnE4ftt16c2jwXzfXgK82g2rm8J2BXT9JUfkm4r7T29oce5KfazHDa2jHRejxMdHqLqcQLRv9bfyiMgbQNxVeu2a5Eexe7ZWQywcC2LxgOze7RnLVaue8Qu2WMnWxPQXI2KQzIxlFahJ2VqpvUQQRIKfwjAHsvBzwgtL1idhqX6M9cCs1zl1Tvv2hGo4cHh1eM1pfVIgG7mSjfGyeTsDGhGihhs82qPFi8PFd1rRL6fR8SNb1yt4TgDcTmWhWO0mNLaku
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 38.140.147.42
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.0 200 OK
Expires: -1
Cache-Control: no-cache
Content-type: text/html; charset=UTF-8;
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' blob: data: ws: wss: sonicwall.com *.sonicwall.com;
-
Remote address:8.8.8.8:53Request42.147.140.38.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request59.83.221.88.in-addr.arpaIN PTRResponse59.83.221.88.in-addr.arpaIN PTRa88-221-83-59deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request17.83.221.88.in-addr.arpaIN PTRResponse17.83.221.88.in-addr.arpaIN PTRa88-221-83-17deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request14.227.111.52.in-addr.arpaIN PTRResponse
-
260 B 5
-
260 B 5
-
1.3kB 3.4kB 10 7
HTTP Request
GET http://38.140.147.42/HTTP Response
200 -
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
73 B 147 B 1 1
DNS Request
196.249.167.52.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
33.107.17.2.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
73.31.126.40.in-addr.arpa
-
73 B 139 B 1 1
DNS Request
245.131.30.184.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
232.168.11.51.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
154.239.44.20.in-addr.arpa
-
70 B 156 B 1 1
DNS Request
50.23.12.20.in-addr.arpa
-
71 B 145 B 1 1
DNS Request
241.42.69.40.in-addr.arpa
-
72 B 130 B 1 1
DNS Request
42.147.140.38.in-addr.arpa
-
71 B 135 B 1 1
DNS Request
59.83.221.88.in-addr.arpa
-
71 B 135 B 1 1
DNS Request
17.83.221.88.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
14.227.111.52.in-addr.arpa