Resubmissions

13/02/2025, 01:26 UTC

250213-btppra1pcz 10

17/01/2025, 20:14 UTC

250117-yz7h3s1qfw 10

17/01/2025, 20:12 UTC

250117-yy9l2sslcr 10

17/01/2025, 17:25 UTC

250117-vy9p9sxpez 10

17/01/2025, 17:21 UTC

250117-vw8eesyjfp 10

17/01/2025, 14:16 UTC

250117-rk9ass1rhk 10

17/01/2025, 14:12 UTC

250117-rhv1ds1lds 10

16/01/2025, 12:52 UTC

250116-p4et7a1mez 10

Analysis

  • max time kernel
    136s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/01/2025, 17:25 UTC

General

  • Target

    Malware-1-master/2530.exe

  • Size

    1.2MB

  • MD5

    568d17d6da77a46e35c8094a7c414375

  • SHA1

    500fa749471dad4ae40da6aa33fd6b2a53bcf200

  • SHA256

    0da56126ffb57acb5bb1a3ffa1c4c0c2605d257988b2d2964344b8f23173f615

  • SHA512

    7beb044f8bd366350b267c0fedc8466d2c5fd80b0f791f5697ce4577edced36b668401fd48df90b6c4ced05247d990c5e739e7232a2dcfc059dcc0c6a79d9427

  • SSDEEP

    12288:D+FwW6Se3oB/8WjH2fIGOVoDJLvfOqsUFY:D+qJSgZwEIGOVUJLnOqs+Y

Malware Config

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Emotet family
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Malware-1-master\2530.exe
    "C:\Users\Admin\AppData\Local\Temp\Malware-1-master\2530.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4944
    • C:\Users\Admin\AppData\Local\Temp\Malware-1-master\2530.exe
      "C:\Users\Admin\AppData\Local\Temp\Malware-1-master\2530.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: RenamesItself
      PID:3964
  • C:\Windows\SysWOW64\spcpremium.exe
    "C:\Windows\SysWOW64\spcpremium.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4464
    • C:\Windows\SysWOW64\spcpremium.exe
      "C:\Windows\SysWOW64\spcpremium.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2976

Network

  • flag-us
    DNS
    196.249.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    196.249.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    33.107.17.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    33.107.17.2.in-addr.arpa
    IN PTR
    Response
    33.107.17.2.in-addr.arpa
    IN PTR
    a2-17-107-33deploystaticakamaitechnologiescom
  • flag-us
    DNS
    73.31.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.31.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    245.131.30.184.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    245.131.30.184.in-addr.arpa
    IN PTR
    Response
    245.131.30.184.in-addr.arpa
    IN PTR
    a184-30-131-245deploystaticakamaitechnologiescom
  • flag-us
    DNS
    232.168.11.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    232.168.11.51.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    154.239.44.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    154.239.44.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    50.23.12.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.23.12.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    241.42.69.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.42.69.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    GET
    http://38.140.147.42/
    spcpremium.exe
    Remote address:
    38.140.147.42:80
    Request
    GET / HTTP/1.1
    Cookie: 45995=XkolvxKdpaTOT2WLCxR54ZdE+eA3Ry0ZLubqrn3KrclHU6fhFcjvqMls2/iG4+75YB8zwN4a2HOFo+Ydyjzk+2AEg0UpZFqpMuUxIGy81HnVvcF8n+Ny1A325VgEwPM/7KpnPUjknG2ncNaPUziFguP2gvquWuJRN8TVQy9tetkUy4TjLuZ8rjuvnpoQSrMVFF+FrkVOloLK6r9BiRMpGP6dBLlFP2nA+ONGycW30pkIsnU3fog1BAZGB+4v5q+Lqg/Ff1IvtlZKem1Qe4hCDF3fmB89m5I47hiZvy9VJbuKnE4ftt16c2jwXzfXgK82g2rm8J2BXT9JUfkm4r7T29oce5KfazHDa2jHRejxMdHqLqcQLRv9bfyiMgbQNxVeu2a5Eexe7ZWQywcC2LxgOze7RnLVaue8Qu2WMnWxPQXI2KQzIxlFahJ2VqpvUQQRIKfwjAHsvBzwgtL1idhqX6M9cCs1zl1Tvv2hGo4cHh1eM1pfVIgG7mSjfGyeTsDGhGihhs82qPFi8PFd1rRL6fR8SNb1yt4TgDcTmWhWO0mNLaku
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 38.140.147.42
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.0 200 OK
    Server: SonicWALL
    Expires: -1
    Cache-Control: no-cache
    Content-type: text/html; charset=UTF-8;
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: SAMEORIGIN
    Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' blob: data: ws: wss: sonicwall.com *.sonicwall.com;
  • flag-us
    DNS
    42.147.140.38.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    42.147.140.38.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    59.83.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    59.83.221.88.in-addr.arpa
    IN PTR
    Response
    59.83.221.88.in-addr.arpa
    IN PTR
    a88-221-83-59deploystaticakamaitechnologiescom
  • flag-us
    DNS
    17.83.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    17.83.221.88.in-addr.arpa
    IN PTR
    Response
    17.83.221.88.in-addr.arpa
    IN PTR
    a88-221-83-17deploystaticakamaitechnologiescom
  • flag-us
    DNS
    14.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    14.227.111.52.in-addr.arpa
    IN PTR
    Response
  • 75.112.62.42:80
    spcpremium.exe
    260 B
    5
  • 107.13.144.134:80
    spcpremium.exe
    260 B
    5
  • 38.140.147.42:80
    http://38.140.147.42/
    http
    spcpremium.exe
    1.3kB
    3.4kB
    10
    7

    HTTP Request

    GET http://38.140.147.42/

    HTTP Response

    200
  • 192.24.7.148:80
    spcpremium.exe
    260 B
    5
  • 70.27.207.164:7080
    spcpremium.exe
    260 B
    5
  • 153.101.7.207:8443
    spcpremium.exe
    260 B
    5
  • 47.189.188.195:80
    spcpremium.exe
    260 B
    5
  • 8.8.8.8:53
    196.249.167.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    196.249.167.52.in-addr.arpa

  • 8.8.8.8:53
    33.107.17.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    33.107.17.2.in-addr.arpa

  • 8.8.8.8:53
    73.31.126.40.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    73.31.126.40.in-addr.arpa

  • 8.8.8.8:53
    245.131.30.184.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    245.131.30.184.in-addr.arpa

  • 8.8.8.8:53
    232.168.11.51.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    232.168.11.51.in-addr.arpa

  • 8.8.8.8:53
    154.239.44.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    154.239.44.20.in-addr.arpa

  • 8.8.8.8:53
    50.23.12.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    50.23.12.20.in-addr.arpa

  • 8.8.8.8:53
    241.42.69.40.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    241.42.69.40.in-addr.arpa

  • 8.8.8.8:53
    42.147.140.38.in-addr.arpa
    dns
    72 B
    130 B
    1
    1

    DNS Request

    42.147.140.38.in-addr.arpa

  • 8.8.8.8:53
    59.83.221.88.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    59.83.221.88.in-addr.arpa

  • 8.8.8.8:53
    17.83.221.88.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    17.83.221.88.in-addr.arpa

  • 8.8.8.8:53
    14.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    14.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2976-22-0x0000000000C20000-0x0000000000C39000-memory.dmp

    Filesize

    100KB

  • memory/2976-33-0x0000000000C00000-0x0000000000C19000-memory.dmp

    Filesize

    100KB

  • memory/2976-27-0x0000000000C00000-0x0000000000C19000-memory.dmp

    Filesize

    100KB

  • memory/2976-28-0x0000000000680000-0x0000000000690000-memory.dmp

    Filesize

    64KB

  • memory/2976-26-0x0000000000C20000-0x0000000000C39000-memory.dmp

    Filesize

    100KB

  • memory/3964-29-0x0000000000700000-0x0000000000719000-memory.dmp

    Filesize

    100KB

  • memory/3964-11-0x0000000000720000-0x0000000000739000-memory.dmp

    Filesize

    100KB

  • memory/3964-13-0x0000000000740000-0x0000000000750000-memory.dmp

    Filesize

    64KB

  • memory/3964-31-0x0000000000400000-0x000000000052A000-memory.dmp

    Filesize

    1.2MB

  • memory/3964-32-0x0000000000700000-0x0000000000719000-memory.dmp

    Filesize

    100KB

  • memory/3964-7-0x0000000000720000-0x0000000000739000-memory.dmp

    Filesize

    100KB

  • memory/3964-12-0x0000000000700000-0x0000000000719000-memory.dmp

    Filesize

    100KB

  • memory/4464-20-0x0000000000680000-0x0000000000699000-memory.dmp

    Filesize

    100KB

  • memory/4464-15-0x00000000006A0000-0x00000000006B9000-memory.dmp

    Filesize

    100KB

  • memory/4464-19-0x00000000006A0000-0x00000000006B9000-memory.dmp

    Filesize

    100KB

  • memory/4464-30-0x0000000000680000-0x0000000000699000-memory.dmp

    Filesize

    100KB

  • memory/4464-21-0x0000000000590000-0x00000000005A0000-memory.dmp

    Filesize

    64KB

  • memory/4944-0-0x0000000000810000-0x0000000000829000-memory.dmp

    Filesize

    100KB

  • memory/4944-5-0x00000000007F0000-0x0000000000809000-memory.dmp

    Filesize

    100KB

  • memory/4944-6-0x0000000000830000-0x0000000000840000-memory.dmp

    Filesize

    64KB

  • memory/4944-14-0x00000000007F0000-0x0000000000809000-memory.dmp

    Filesize

    100KB

  • memory/4944-4-0x0000000000810000-0x0000000000829000-memory.dmp

    Filesize

    100KB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.