33.0.0 White Diamond
IR
449959
CloudBasic
17:05:22
16/07/2021
mormanti.exe
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
6c94edfea6e5ee001b00122c9d01bd8a
a8d0cc5088ee86c2be77afe157695d12e951f369
0154d1d06e755bda091168038f25c1dde101e3b77c66f88b73c71be84ffdaf6e
Win32 Executable (generic) a (10002005/4) 99.96%
true
false
false
false
100
0
100
5
0
5
false
C:\ProgramData\Microsoft\Network\Downloader\edb.log
false
9EB1288EAAF777CF31B19FC8052D9DDD
D0366555B0FF7D5F716C215B7253373231FE1F4B
1AB4A321F9958011E0E2AA7DF522A3567EFC956F36513C512EEA3BBA3F7E2F22

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
false
01DC05B086437F44DADEBE72F42AE6E4
5ED9C40BDF29C734FDB24E80573BFAB46285828A
88194003F7E242AECDD75F00695B39A37441BF6C57A9812A12F9F7735BD43BA3

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
false
518B806DEB454B700E818B345A95C61C
53C2FB38B4AB68FC2414D36920212E45895260FB
6F4DEAA5EDE225FB203717C88BAE62EB1EE0789B07C1548185C9338FE5A29C7A

C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl
false
D8C933C4D3562115CDA8EC19E4C40BAB
B56A16C4CCB98D25D5DFE0F211C87C28F6BAE8D5
FAE8B7380E73264FFA75864B9F212C841A62D927153EC739D80DEDB876A482BB

C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl
false
9D91B6F5D908F8FA9457289284D99D90
7FA4F2CC6A51660A2767B533B9629484DD209C00
348FCA3B1B0151D5A3E0AB8F2EC51DD4404ABDB779CB3319255F5C4B7C7E77CF

C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl
false
0573B48E6E823B072B981744C4EC755A
B0AC5879397474AF40AEE8E06E193A277A89D30C
CAFED707C6D08E422CC295DD756129A2BDA528D830225142ABD5F4862CEAF3DC

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
false
DCA83F08D448911A14C22EBCACC5AD57
91270525521B7FE0D986DB19747F47D34B6318AD
2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log
false
2CA5726DE33B7191699EBFEEC4F7210C
0613DF20921345EFB902DFE198764AEF58BF6C9E
00CFCED40E9C57E6C01FE432F6C4470A9330DE3DD47676C30294BB085A9EC9D5
149.62.173.247
191.182.6.118
104.131.103.37
204.225.249.100
94.176.234.118
70.32.84.74
177.73.0.98
12.162.84.2
116.125.120.88
58.171.153.81
170.81.48.2
219.92.13.25
202.62.39.111
209.236.123.42
213.181.91.224
5.196.35.138
187.162.248.237
189.2.177.210
93.151.186.85
217.199.160.224
114.109.179.60
143.0.87.101
186.103.141.250
77.90.136.129
181.129.96.162
50.28.51.143
68.183.190.199
94.206.45.18
190.17.195.202
73.116.193.136
82.76.111.249
189.194.58.119
80.249.176.206
145.236.8.174
191.99.160.58
217.13.106.14
147.91.184.91
68.183.170.114
81.198.69.61
177.66.190.130
177.72.13.80
61.92.159.208
178.79.163.131
46.28.111.142
127.0.0.1
77.55.211.77
190.163.31.26
137.74.106.111
172.104.169.32
72.47.248.48
181.120.79.227
89.32.150.160
104.131.41.185
186.250.52.226
87.106.46.107
177.144.135.2
217.160.182.191
201.213.156.176
83.169.21.32
70.32.115.157
213.60.96.117
212.231.60.98
181.36.42.205
104.131.103.128
190.190.148.27
190.6.193.152
51.255.165.160
212.71.237.140
185.94.252.27
2.47.112.152
104.236.161.64
192.241.143.52
192.241.146.84
45.161.242.102
66.228.49.173
190.147.137.153
82.196.15.205
111.67.12.221
177.74.228.34
91.219.169.180
185.94.252.12
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Emotet