Overview

overview

10

Static

static

04353446c2...37.exe

windows7_x64

10

04353446c2...37.exe

windows10_x64

5

Analysis

  • max time kernel
    136s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    14-07-2020 21:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    04353446c29fd35b28ee9b67f8bd44979478501cca7c954753a79c52b68d9037.exe

  • Size

    213KB

  • MD5

    2653622242078de7e4a9d55e66cbcdc6

  • SHA1

    7513efc0bbafb9cc0a7a0d93fdb82190616a97b1

  • SHA256

    04353446c29fd35b28ee9b67f8bd44979478501cca7c954753a79c52b68d9037

  • SHA512

    74ce7462caf2d509e0a87ae6dab1dd49dfbd33c448db78869e33500953a2cd80a9c9c0f9b8668c6e4b6323a15649462b0a459c063a14bc4c25c2b1e068a1b15c

Score
10/10
emotetbankertrojan

Malware Config

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Drops file in System32 directory 1 IoCs
  • Modifies data under HKEY_USERS 18 IoCs
  • Suspicious behavior: EmotetMutantsSpam 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\04353446c29fd35b28ee9b67f8bd44979478501cca7c954753a79c52b68d9037.exe
    "C:\Users\Admin\AppData\Local\Temp\04353446c29fd35b28ee9b67f8bd44979478501cca7c954753a79c52b68d9037.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1124
    • C:\Users\Admin\AppData\Local\Temp\04353446c29fd35b28ee9b67f8bd44979478501cca7c954753a79c52b68d9037.exe
      "C:\Users\Admin\AppData\Local\Temp\04353446c29fd35b28ee9b67f8bd44979478501cca7c954753a79c52b68d9037.exe"
      2⤵
      • Suspicious behavior: EmotetMutantsSpam
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: RenamesItself
      PID:1276
  • C:\Windows\SysWOW64\msrasync.exe
    "C:\Windows\SysWOW64\msrasync.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:744
    • C:\Windows\SysWOW64\msrasync.exe
      "C:\Windows\SysWOW64\msrasync.exe"
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EmotetMutantsSpam
      • Suspicious behavior: EnumeratesProcesses
      PID:1608

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1124-0-0x0000000000260000-0x0000000000277000-memory.dmp

    Filesize

    92KB

    Download

  • memory/1276-2-0x0000000000270000-0x0000000000287000-memory.dmp

    Filesize

    92KB

    Download

  • memory/1276-3-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

    Download

  • memory/1608-6-0x00000000003E0000-0x00000000003F7000-memory.dmp

    Filesize

    92KB

    Download