Analysis
- max time kernel: 151s
- max time network: 151s
- platform: windows7_x64
- resource: win7v200722
- submitted: 31-07-2020 16:49
Static task: static1
Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Heur.Pack.Emotet.3.27704.83.exe
- Resource: win7v200722
- Platform: windows7_x64
- 0 signatures
- 0 seconds
Behavioral task: behavioral2
- Sample: SecuriteInfo.com.Heur.Pack.Emotet.3.27704.83.exe
- Resource: win10
- Platform: windows10_x64
- 0 signatures
- 0 seconds
General
- Target: SecuriteInfo.com.Heur.Pack.Emotet.3.27704.83.exe
- Size: 140KB
- MD5: 9ba8d7669017fbd7c2677d235be96ca9
- SHA1: c56c670e725bca22732e5c72131d766566a0dffa
- SHA256: 8154634cf63366e94e2550188d6936858b24fc17ec8a2290f9c4f35d01d29c2b
- SHA512: 3762ef7df0e1d3fda30254901efd30f6350adf7abb18a4d9417cbdda3a50cc583af6199f66c86169dd6598f29918a3deb0366ee41b6c5859c15734c650725cb0
- Score: 8/10
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  pid 1576 | process fgnfxh.exe
- Drops file in Windows directory (2 IoCs)
  Processes:
  description: File opened for modification | ioc: C:\Windows\Tasks\fgnfxh.job | process: SecuriteInfo.com.Heur.Pack.Emotet.3.27704.83.exe
  description: File created | ioc: C:\Windows\Tasks\fgnfxh.job | process: SecuriteInfo.com.Heur.Pack.Emotet.3.27704.83.exe
- Looks up external IP address via web service (8 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow 7 | ioc: api.ipify.org
  flow 8 | ioc: api.ipify.org
  flow 20 | ioc: api.ipify.org
  flow 21 | ioc: api.ipify.org
  flow 47 | ioc: api.ipify.org
  flow 58 | ioc: api.ipify.org
  flow 59 | ioc: api.ipify.org
  flow 75 | ioc: api.ipify.org
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
  pid 1060 | process SecuriteInfo.com.Heur.Pack.Emotet.3.27704.83.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description: PID 1420 wrote to memory of 1576 | pid 1420 | process taskeng.exe | target process fgnfxh.exe
  description: PID 1420 wrote to memory of 1576 | pid 1420 | process taskeng.exe | target process fgnfxh.exe
  description: PID 1420 wrote to memory of 1576 | pid 1420 | process taskeng.exe | target process fgnfxh.exe
  description: PID 1420 wrote to memory of 1576 | pid 1420 | process taskeng.exe | target process fgnfxh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.Pack.Emotet.3.27704.83.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.Pack.Emotet.3.27704.83.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\taskeng.exe (depth 1)
  Command line: taskeng.exe {68F54961-68AC-458E-8D1D-FC32431B34D8} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\akocv\fgnfxh.exe (depth 2)
    Command line: C:\ProgramData\akocv\fgnfxh.exe start
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads
- C:\ProgramData\akocv\fgnfxh.exe
- C:\ProgramData\akocv\fgnfxh.exe
- memory/1060-0-0x00000000033A6000-0x00000000033A7000-memory.dmp (Filesize: 4KB)
- memory/1060-1-0x0000000004D80000-0x0000000004D91000-memory.dmp (Filesize: 68KB)
- memory/1576-3-0x0000000000000000-mapping.dmp
- memory/1576-5-0x00000000033D6000-0x00000000033D7000-memory.dmp (Filesize: 4KB)
- memory/1576-6-0x00000000037D0000-0x00000000037E1000-memory.dmp (Filesize: 68KB)