Analysis
max time kernel: 148s
max time network: 149s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 01-07-2024 03:27
Static task: static1
Behavioral task: behavioral1
Sample: c920c740d3031ea8916bf0161321eab0.exe
Resource: win7-20231129-en
General
Target: c920c740d3031ea8916bf0161321eab0.exe
Size: 367KB
MD5: c920c740d3031ea8916bf0161321eab0
SHA1: 2ee470647ebe5f02769e3bb91f81d2d4e6bf36a1
SHA256: 4486df42daa7ab38f95aea8cfcb28f11ab5fc2706771f5477133b16eb84dac6a
SHA512: 65ce3deb25240ceb340fcf2d2fac7663d9415241958e3273c30306d6d6b2d2767bbffb8700f97c697dd484137738b7f8893508903e535ef4072a218b1bdcd33c
SSDEEP: 6144:Psu+CmpsozV6ydTHpITptLaOkACUkoHl6QeKkCi/wA82VAyF+HYG:kucV62HpI4zUke6Wk9gKAyF+HYG
Malware Config
Extracted
Family: emotet
Botnet: Epoch1
C2 (ip:port):
201.213.100.141:443
189.160.234.67:80
103.31.232.93:443
91.236.4.234:443
164.77.130.222:80
200.69.224.73:80
187.162.250.23:80
152.170.222.65:80
104.131.103.37:8080
186.68.48.204:443
70.32.84.74:8080
177.66.190.130:80
181.61.224.26:80
190.47.227.130:443
178.79.163.131:8080
120.150.76.215:80
185.94.252.12:80
2.47.112.152:80
5.196.35.138:7080
47.150.248.161:80
46.214.11.172:80
179.62.26.236:80
91.219.169.180:80
181.10.204.106:80
187.162.248.237:80
190.24.243.186:80
212.71.237.140:8080
77.55.211.77:8080
77.90.136.129:8080
12.162.84.2:8080
203.25.159.3:8080
203.122.18.234:8080
181.31.211.181:80
83.169.21.32:7080
187.51.47.26:80
186.3.232.68:80
120.150.142.241:80
143.0.87.101:80
192.241.143.52:8080
65.24.85.214:80
82.240.207.95:443
179.127.59.210:443
68.183.190.199:8080
217.199.160.224:8080
109.73.110.33:80
59.120.5.154:80
189.1.185.248:80
67.20.141.76:80
192.241.146.84:8080
151.237.36.220:80
113.190.254.245:80
190.181.235.46:80
172.104.169.32:8080
190.229.148.144:80
200.123.183.137:443
81.169.202.3:443
104.131.41.185:8080
168.197.252.178:80
212.156.219.6:8080
188.129.197.149:80
204.225.249.100:7080
46.28.111.142:7080
201.213.32.59:80
111.67.12.221:8080
94.176.234.118:443
190.97.30.167:990
72.47.248.48:7080
190.147.137.153:443
45.161.242.102:80
190.210.236.139:80
152.170.108.99:443
118.69.71.14:80
2.28.113.59:80
190.57.130.142:443
113.161.147.51:80
184.57.130.8:80
70.32.115.157:8080
200.126.237.113:80
175.114.178.83:443
202.62.39.111:80
104.236.161.64:8080
221.133.46.86:443
114.109.179.60:80
201.213.100.141:8080
186.33.141.88:80
93.147.157.195:80
110.143.8.89:80
91.204.163.19:8090
190.147.165.160:465
181.164.215.193:80
73.239.11.159:80
49.176.162.90:80
82.196.15.205:8080
190.17.195.202:80
177.188.121.26:443
177.103.159.44:80
91.83.93.124:7080
61.92.159.208:8080
5.45.108.146:8080
73.155.126.84:80
185.94.252.13:443
37.187.6.63:8080
50.28.51.143:8080
177.139.131.143:443
201.91.28.210:80
181.30.69.50:80
170.82.195.50:80
177.72.13.80:80
149.62.173.247:8080
152.231.89.226:80
177.73.3.204:80
185.94.252.27:443
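The extracted configuration above is only useful once it is machine-readable. The following Python is an added example, not part of the sandbox report or of any sandbox tooling: it parses ip:port lines (a constructed subset of the report's Epoch1 list plus two deliberately malformed lines), drops anything that is not a public IPv4 address with a valid port, groups hosts by port so the unusual ones (465, 990, 7080, 8090) stand out, and emits one Suricata rule per endpoint. The function names and the SID range are this example's own choices.

```python
"""Turn an extracted Emotet C2 list (ip:port lines) into hunting artefacts.

Added example; not part of the sandbox report. SAMPLE_C2 is a constructed
subset of the report's Epoch1 list plus two deliberately malformed lines.
"""
import ipaddress
from collections import defaultdict

SAMPLE_C2 = """\
201.213.100.141:443
189.160.234.67:80
104.131.103.37:8080
5.196.35.138:7080
190.97.30.167:990
190.147.165.160:465
91.204.163.19:8090
201.213.100.141:8080
not-an-ip:80
10.0.0.1:abc
"""


def parse_c2_list(text):
    """Return (ip, port) tuples for well-formed lines.

    Lines that are not a global IPv4 address plus a 1-65535 port are skipped,
    so a typo in the config cannot turn into a rule for an internal host.
    """
    entries = []
    for raw in text.splitlines():
        host, sep, port = raw.strip().rpartition(":")
        if not sep:
            continue
        try:
            ip = ipaddress.ip_address(host)
            port = int(port)
        except ValueError:
            continue
        if ip.version != 4 or not ip.is_global or not 0 < port < 65536:
            continue
        entries.append((str(ip), port))
    return entries


def hosts_by_port(entries):
    """Unique hosts per port; non-standard ports (465, 990, 7080, 8090) are
    the ones worth a dedicated look in proxy and firewall logs."""
    groups = defaultdict(set)
    for ip, port in entries:
        groups[port].add(ip)
    return {port: sorted(groups[port]) for port in sorted(groups)}


def unique_hosts(entries):
    """IP-only blocklist; the same host can be listed on several ports."""
    return sorted({ip for ip, _ in entries}, key=ipaddress.IPv4Address)


def suricata_rules(entries, sid_base=9000001):
    """One Suricata rule per endpoint. Emotet's C2 traffic carries an
    encrypted body, so match on the destination rather than on content."""
    rules = []
    for i, (ip, port) in enumerate(sorted(set(entries))):
        rules.append(
            f"alert tcp $HOME_NET any -> {ip} {port} "
            f'(msg:"Emotet Epoch1 C2 {ip}:{port}"; flow:to_server,established; '
            f"sid:{sid_base + i}; rev:1;)"
        )
    return rules


if __name__ == "__main__":
    found = parse_c2_list(SAMPLE_C2)
    print(f"{len(found)} endpoints on {len(unique_hosts(found))} hosts")
    for port, hosts in hosts_by_port(found).items():
        print(f"  port {port}: {', '.join(hosts)}")
    print("\n".join(suricata_rules(found)))
```

Note that 201.213.100.141 is listed on both 443 and 8080, so an IP-only blocklist is shorter than the rule set. Epoch1 is the Emotet botnet that was taken down in January 2021; its C2 hosts were largely compromised machines and have long since been cleaned or reassigned, so treat these addresses as historical indicators for retro-hunting in old logs rather than as a live blocklist.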
Signatures
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
  pid 2880  NAPMONTR.exe  (5 events)
Suspicious behavior: RenamesItself (1 IoCs)
Processes:
  pid 2168  c920c740d3031ea8916bf0161321eab0.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
Processes:
  pid 2168  c920c740d3031ea8916bf0161321eab0.exe  (2 events)
  pid 2880  NAPMONTR.exe  (2 events)
Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description                       pid   process                               target process
  PID 2168 wrote to memory of 2880  2168  c920c740d3031ea8916bf0161321eab0.exe  NAPMONTR.exe  (4 events)
Processes
C:\Users\Admin\AppData\Local\Temp\c920c740d3031ea8916bf0161321eab0.exe  (PID 2168)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c920c740d3031ea8916bf0161321eab0.exe"
  - Suspicious behavior: RenamesItself
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\NAPMONTR\NAPMONTR.exe  (PID 2880, spawned under PID 2168)
    Command line: "C:\Windows\SysWOW64\NAPMONTR\NAPMONTR.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
memory/2168-0-0x0000000000310000-0x000000000031C000-memory.dmp  Filesize 48KB
memory/2168-3-0x00000000002F0000-0x00000000002FA000-memory.dmp  Filesize 40KB
memory/2168-4-0x0000000000400000-0x0000000000462000-memory.dmp  Filesize 392KB
memory/2880-5-0x0000000000260000-0x000000000026C000-memory.dmp  Filesize 48KB
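As an added example, not part of the report or of the sandbox's own code, the following Python cross-checks the dump list above against the WriteProcessMemory IoCs in the Signatures section. It verifies that each reported size matches its address range, reconstructs writer-to-target edges, and picks out the injection target (PID 2880) whose memory was dumped; that dump, together with the region at the default 32-bit image base 0x400000 in PID 2168, is what to hand to an unpacker or YARA first. The inputs are constructed copies of the report's own lines, the helper names are the example's, and treating 0x400000 as the sample's image base is an assumption drawn from the x86/SysWOW64 context.

```python
"""Cross-check a sandbox report's memory dumps against its WriteProcessMemory IoCs.

Added example, not part of the sandbox report. DUMPS and WPM_IOCS are
constructed copies of the report's lines; helper names are this example's own.
"""
import re
from collections import Counter

# Constructed from the report's Downloads section (dump name and reported size).
DUMPS = """\
memory/2168-0-0x0000000000310000-0x000000000031C000-memory.dmp 48KB
memory/2168-3-0x00000000002F0000-0x00000000002FA000-memory.dmp 40KB
memory/2168-4-0x0000000000400000-0x0000000000462000-memory.dmp 392KB
memory/2880-5-0x0000000000260000-0x000000000026C000-memory.dmp 48KB
"""

# Constructed from the report's "Suspicious use of WriteProcessMemory" IoCs.
WPM_IOCS = """\
PID 2168 wrote to memory of 2880
PID 2168 wrote to memory of 2880
PID 2168 wrote to memory of 2880
PID 2168 wrote to memory of 2880
"""

DUMP_RE = re.compile(
    r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp\s+(\d+)KB"
)
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def parse_dumps(text):
    """One dict per dump: pid, dump index, start/end addresses, reported size."""
    regions = []
    for m in DUMP_RE.finditer(text):
        pid, idx, start, end, kb = m.groups()
        regions.append({
            "pid": int(pid), "index": int(idx),
            "start": int(start, 16), "end": int(end, 16),
            "reported_kb": int(kb),
        })
    return regions


def size_mismatches(regions):
    """Reported KB must equal (end - start) / 1024 exactly; anything else means
    the range or the size was mis-transcribed and the dump should be re-checked."""
    bad = []
    for r in regions:
        actual_kb = (r["end"] - r["start"]) // 1024
        if actual_kb != r["reported_kb"]:
            bad.append((r["pid"], r["index"], actual_kb, r["reported_kb"]))
    return bad


def injection_edges(text):
    """Count (writer pid, target pid) pairs from the WriteProcessMemory IoC lines."""
    return Counter((int(src), int(dst)) for src, dst in WPM_RE.findall(text))


def dumped_injection_targets(regions, edges):
    """PIDs that another process wrote into and that also have a dumped region:
    those dumps are the first candidates for unpacking and YARA scanning."""
    targets = {dst for (_, dst) in edges}
    return sorted({r["pid"] for r in regions if r["pid"] in targets})


def image_base_regions(regions, base=0x400000):
    """Regions mapped at the default 32-bit PE image base. Assumption: in this
    x86/SysWOW64 run that is the sample's own mapped image."""
    return [r for r in regions if r["start"] == base]


if __name__ == "__main__":
    regions = parse_dumps(DUMPS)
    print("size mismatches:", size_mismatches(regions) or "none")
    edges = injection_edges(WPM_IOCS)
    for (src, dst), n in edges.items():
        print(f"PID {src} -> PID {dst}: {n} WriteProcessMemory events")
    print("dumped injection targets:", dumped_injection_targets(regions, edges))
    for r in image_base_regions(regions):
        print(f"PID {r['pid']} image-base region: {r['end'] - r['start']:#x} bytes")
```

The 392KB region at 0x400000 is larger than the 367KB file on disk; that gap is what page-aligned section mapping normally adds to a PE's raw size, so the region is consistent with the original image mapped into PID 2168 rather than a separately unpacked payload. The 48KB region in PID 2880 is the one written by the parent and is the natural starting point for extracting whatever was injected.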