Analysis
max time kernel: 60s
max time network: 11651379494s
resource: win7
Task: task1
Sample: a7d4e5a49d72ebfe3970d430a9dbeb51e548b8b25dfb8132af6dd2fe33ab36e2.exe
Resource: win7
0 signatures

Task: task2
Sample: a7d4e5a49d72ebfe3970d430a9dbeb51e548b8b25dfb8132af6dd2fe33ab36e2.exe
Resource: win10
0 signatures
General
Target: a7d4e5a49d72ebfe3970d430a9dbeb51e548b8b25dfb8132af6dd2fe33ab36e2
Sample: 191008-5z1jsq6d9a
SHA256: a7d4e5a49d72ebfe3970d430a9dbeb51e548b8b25dfb8132af6dd2fe33ab36e2
Score: N/A
Malware Config
Signatures

Suspicious use of WriteProcessMemory (2 IoCs)
at | description | Process | procid_target
514 | PID 1452 wrote to memory of 1368 | a7d4e5a49d72ebfe3970d430a9dbeb51e548b8b25dfb8132af6dd2fe33ab36e2.exe | 25
7753 | PID 1372 wrote to memory of 1120 | loadarouter.exe | 27

description | ioc | Process
Event created | Global\E64C019BB | a7d4e5a49d72ebfe3970d430a9dbeb51e548b8b25dfb8132af6dd2fe33ab36e2.exe

Suspicious behavior: EmotetMutantsSpam

Drops file in system dir (13 IoCs)
at | description | ioc | Process
7379 | File renamed | C:\Users\Admin\AppData\Local\Temp\a7d4e5a49d72ebfe3970d430a9dbeb51e548b8b25dfb8132af6dd2fe33ab36e2.exe => C:\Windows\SysWOW64\loadarouter.exe | a7d4e5a49d72ebfe3970d430a9dbeb51e548b8b25dfb8132af6dd2fe33ab36e2.exe
27612 | File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | loadarouter.exe
34055 | File created (read-only) | C:\Windows\TEMP\E9E1.tmp | loadarouter.exe
34055 | File deleted | C:\Windows\Temp\E9E1.tmp | loadarouter.exe
34086 | File created (read-only) | C:\Windows\TEMP\EA01.tmp | loadarouter.exe
34086 | File deleted | C:\Windows\Temp\EA01.tmp | loadarouter.exe
34086 | File created (read-only) | C:\Windows\TEMP\EA02.tmp | loadarouter.exe
34086 | File deleted | C:\Windows\Temp\EA02.tmp | loadarouter.exe
34101 | File created | C:\Windows\SysWOW64\loadaroutera.exe | loadarouter.exe
34101 | File opened for modification | C:\Windows\SysWOW64\loadaroutera.exe | loadarouter.exe
34101 | File created | C:\Windows\SysWOW64\loadarouterb.exe | loadarouter.exe
34133 | File deleted | C:\Windows\SysWOW64\loadarouterb.exe | loadarouter.exe
34148 | File deleted | C:\Windows\SysWOW64\loadaroutera.exe | loadarouter.exe

Suspicious behavior: EnumeratesProcesses

emotet family
Processes

C:\Users\Admin\AppData\Local\Temp\a7d4e5a49d72ebfe3970d430a9dbeb51e548b8b25dfb8132af6dd2fe33ab36e2.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a7d4e5a49d72ebfe3970d430a9dbeb51e548b8b25dfb8132af6dd2fe33ab36e2.exe"
PID: 1452
- Suspicious use of WriteProcessMemory

C:\Users\Admin\AppData\Local\Temp\a7d4e5a49d72ebfe3970d430a9dbeb51e548b8b25dfb8132af6dd2fe33ab36e2.exe --bcf840b8
PID: 1368
- Emotet Sync
- Drops file in system dir

C:\Windows\SysWOW64\loadarouter.exe
Command line: "C:\Windows\SysWOW64\loadarouter.exe"
PID: 1372
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\loadarouter.exe --f7a216da
PID: 1120
- Drops file in system dir