Analysis
max time kernel: 49s
max time network: 11651379494s
resource: win7
Task task1
Sample: 4dc7173f5dd9a8bc3a2188d861e5b63d4a88e92c30fec2e569449f3550f29453.exe
Resource: win7
0 signatures

Task task2
Sample: 4dc7173f5dd9a8bc3a2188d861e5b63d4a88e92c30fec2e569449f3550f29453.exe
Resource: win10
0 signatures
General
Target: 4dc7173f5dd9a8bc3a2188d861e5b63d4a88e92c30fec2e569449f3550f29453
Sample: 191001-73fng1evda
SHA256: 4dc7173f5dd9a8bc3a2188d861e5b63d4a88e92c30fec2e569449f3550f29453
Score: N/A
Malware Config
Signatures
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory (2 IoCs)
  at | description | Process | procid_target
  655 | PID 1384 wrote to memory of 1200 | 4dc7173f5dd9a8bc3a2188d861e5b63d4a88e92c30fec2e569449f3550f29453.exe | 25
  9173 | PID 1120 wrote to memory of 1108 | loadarouter.exe | 27
- Mutant created (2 IoCs)
  description | ioc | Process
  Mutant created | Global\I64C019BB | 4dc7173f5dd9a8bc3a2188d861e5b63d4a88e92c30fec2e569449f3550f29453.exe
  Mutant created | Global\I64C019BB | loadarouter.exe
- Mutant created (2 IoCs)
  description | ioc | Process
  Mutant created | Global\M64C019BB | 4dc7173f5dd9a8bc3a2188d861e5b63d4a88e92c30fec2e569449f3550f29453.exe
  Mutant created | Global\M64C019BB | loadarouter.exe
- Drops file in system dir (2 IoCs)
  at | description | ioc | Process
  8861 | File renamed | C:\Users\Admin\AppData\Local\Temp\4dc7173f5dd9a8bc3a2188d861e5b63d4a88e92c30fec2e569449f3550f29453.exe => C:\Windows\SysWOW64\loadarouter.exe | 4dc7173f5dd9a8bc3a2188d861e5b63d4a88e92c30fec2e569449f3550f29453.exe
  25397 | File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | loadarouter.exe
- Suspicious behavior: RenamesItself
- Suspicious behavior: EnumeratesProcesses
- emotet family
Processes
- C:\Users\Admin\AppData\Local\Temp\4dc7173f5dd9a8bc3a2188d861e5b63d4a88e92c30fec2e569449f3550f29453.exe
  "C:\Users\Admin\AppData\Local\Temp\4dc7173f5dd9a8bc3a2188d861e5b63d4a88e92c30fec2e569449f3550f29453.exe"
  - Suspicious use of WriteProcessMemory
  PID: 1384
- C:\Users\Admin\AppData\Local\Temp\4dc7173f5dd9a8bc3a2188d861e5b63d4a88e92c30fec2e569449f3550f29453.exe --b56845ad
  - Emotet Mutex I
  - Emotet Mutex II
  - Drops file in system dir
  PID: 1200
- C:\Windows\SysWOW64\loadarouter.exe
  "C:\Windows\SysWOW64\loadarouter.exe"
  - Suspicious use of WriteProcessMemory
  PID: 1120
- C:\Windows\SysWOW64\loadarouter.exe --f7a216da
  - Emotet Mutex I
  - Emotet Mutex II
  - Drops file in system dir
  PID: 1108