Analysis
Max time kernel: 146s
Max time network: 154s
Platform: windows7_x64
Resource: win7-20240508-en
Resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
Submitted: 01-07-2024 03:49
Static task: static1
Behavioral task: behavioral1
Sample: df7483be5406be695b50b1f15d83bbb8.exe
Resource: win7-20240508-en
General
Target: df7483be5406be695b50b1f15d83bbb8.exe
Size: 671KB
MD5: df7483be5406be695b50b1f15d83bbb8
SHA1: 69de8d0c0cead028805e8ac93ac6aa1bc95850aa
SHA256: 011280573f3ffbf712b5c146749878c18d8f94d57f325c7f9435fc886331c09a
SHA512: 7b73ee755af1365a32ac70b4b8658283089e35b3c967b2328b6ab2a9e36881083a87c03d072acfd47eb9fb7d010ae48c8c55a2ebf00bf30b748f4473aff0eb02
SSDEEP: 12288:BhGEsm5TpQrNAosJcRl7Bflkby3SJTGfRCK8lizPpZlySdpvIWjuZ:f5v0rNAMXBflkG3BCKiizxhjuZ
Malware Config
Extracted: emotet
Botnet: Epoch1
C2 addresses:
152.170.196.157:443
103.31.232.93:443
200.123.183.137:443
201.213.100.141:8080
70.32.115.157:8080
164.77.130.222:80
203.25.159.3:8080
184.57.130.8:80
190.147.137.153:443
91.83.93.124:7080
217.199.160.224:8080
190.57.130.142:443
185.94.252.12:80
77.55.211.77:8080
111.67.12.221:8080
5.45.108.146:8080
73.155.126.84:80
212.71.237.140:8080
5.196.35.138:7080
188.129.197.149:80
212.156.219.6:8080
113.190.254.245:80
37.187.6.63:8080
204.225.249.100:7080
152.231.89.226:80
177.66.190.130:80
149.62.173.247:8080
189.1.185.248:80
200.69.224.73:80
201.91.28.210:80
168.197.252.178:80
190.161.45.112:80
201.213.100.141:443
187.51.47.26:80
221.133.46.86:443
202.62.39.111:80
192.241.146.84:8080
93.147.137.162:80
47.150.248.161:80
190.210.236.139:80
65.24.85.214:80
177.139.131.143:443
114.109.179.60:80
151.237.36.220:80
185.94.252.13:443
177.73.3.204:80
152.170.108.99:443
46.214.11.172:80
177.188.121.26:443
181.31.211.181:80
186.3.232.68:80
12.162.84.2:8080
110.143.8.89:80
170.82.195.50:80
175.114.178.83:443
82.196.15.205:8080
190.229.148.144:80
170.81.48.2:80
181.30.69.50:80
91.236.4.234:443
190.147.165.160:465
203.122.18.234:8080
81.169.202.3:443
113.161.147.51:80
104.131.103.37:8080
61.92.159.208:8080
94.176.234.118:443
187.162.248.237:80
190.196.143.58:80
93.147.157.195:80
83.169.21.32:7080
190.181.235.46:80
143.0.87.101:80
172.104.169.32:8080
200.126.237.113:80
192.241.143.52:8080
186.68.48.204:443
50.28.51.143:8080
45.161.242.102:80
177.103.159.44:80
181.164.215.193:80
178.79.163.131:8080
201.213.32.59:80
104.236.161.64:8080
73.239.11.159:80
152.170.222.65:80
118.69.71.14:80
91.204.163.19:8090
181.61.224.26:80
104.131.41.185:8080
82.240.207.95:443
68.183.190.199:8080
2.47.112.152:80
49.176.162.90:80
59.120.5.154:80
190.24.243.186:80
77.90.136.129:8080
190.17.195.202:80
46.28.111.142:7080
187.162.250.23:80
179.127.59.210:443
72.47.248.48:7080
186.33.141.88:80
181.10.204.106:80
177.72.13.80:80
70.32.84.74:8080
185.94.252.27:443
177.38.15.151:80
179.62.26.236:80
Signatures
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: relog.exe (PID 1776), 5 occurrences
Suspicious behavior: RenamesItself (1 IoC)
  Processes: df7483be5406be695b50b1f15d83bbb8.exe (PID 2976)
Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes: df7483be5406be695b50b1f15d83bbb8.exe (PID 2976), 2 occurrences; relog.exe (PID 1776), 2 occurrences
Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: PID 2976 (df7483be5406be695b50b1f15d83bbb8.exe) wrote to memory of PID 1776 (relog.exe), 4 occurrences
Processes
1. C:\Users\Admin\AppData\Local\Temp\df7483be5406be695b50b1f15d83bbb8.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\df7483be5406be695b50b1f15d83bbb8.exe"
   - Suspicious behavior: RenamesItself
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\relog\relog.exe (child of 1)
      Command line: "C:\Windows\SysWOW64\relog\relog.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
File: C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-268080393-3149932598-1824759070-1000\0f5007522459c86e95ffcc62f32308f1_84f733b4-eea8-4063-a7fc-81d3a2fcb37c
  Filesize: 1KB
  MD5: 1d793222a442bbb9bda26e899810b868
  SHA1: 4177c37130f2295407898c0198f4d4dda3802749
  SHA256: c41053595b27c8ac5388b3003bda5abc653f9ca271b424b43b13baecb6af427e
  SHA512: 0c8dbd5bf7dbd95db6c6a99d3cbde2065f0a8f8240badd52a04a710da5c1e44db547efdfb5cd3c60f1236f1eacb634910f54cbf7b88d3fe24f82d104570f7794
Memory dump: memory/1776-13-0x00000000003E0000-0x00000000003EC000-memory.dmp
  Filesize: 48KB
Memory dump: memory/2976-7-0x00000000003F0000-0x00000000003FA000-memory.dmp
  Filesize: 40KB
Memory dump: memory/2976-4-0x0000000001C20000-0x0000000001C2C000-memory.dmp
  Filesize: 48KB
Memory dump: memory/2976-0-0x0000000001BD0000-0x0000000001BD2000-memory.dmp
  Filesize: 8KB
Memory dump: memory/2976-8-0x0000000000400000-0x00000000004AE000-memory.dmp
  Filesize: 696KB