Analysis

Max time kernel: 150s
Max time network: 156s
Platform: windows7_x64
Resource: win7
Submitted: 01-08-2020 19:34

Tasks
Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.Trojan.Emotet.987.23049.3767.exe
  Resource: win7 (windows7_x64)
  Task row as recorded: 0 signatures, 0 seconds
General

Target: SecuriteInfo.com.Trojan.Emotet.987.23049.3767.exe
Size: 36KB
MD5: f1f8814239371bbaa60f2d2bced185e4
SHA1: 117dea564d6f7ed5c6741b8fd5a87bcac5765722
SHA256: b20ffc1d22dbcae7052b7414d7ed19303ec13f419d41dd976806de7f86bc9b31
SHA512: 4b3a0f5029544a3b94d735a2c609fce17fad47e9d9bfb210b68eb0da1e572e6831492317415b2bcf23c542fa024e50a1fe44d5586d8c9a855003090e1d87a87c
Score: 10/10

Malware Config: none recorded in this report. The "Emotet" name comes from the submitter's filename (SecuriteInfo vendor naming), not from a configuration the sandbox extracted, so treat the family attribution as unconfirmed and pivot on the hashes and the behaviour below instead.
Signatures

Suspicious use of WriteProcessMemory (8 IoCs)
Cross-process writes, as source PID / source process -> target PID / target process:
  1464 SecuriteInfo.com.Trojan.Emotet.987.23049.3767.exe -> 736 server.exe (4 writes)
  736 server.exe -> 1700 netsh.exe (4 writes)
Both targets are children the writer had just created. A parent writing into a freshly spawned child can be process creation itself, and the report records neither the addresses nor the bytes written, so on its own this is not evidence of code injection.

Executes dropped EXE (1 IoC)
  PID 736 server.exe

Modifies Windows Firewall (1 TTP)
  No IoC rows recorded; the evidence is the netsh command line in the process tree.

Modifies service (2 TTPs, 5 IoCs)
Registry keys created, all by netsh.exe:
  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI
  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig
  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups
  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas
  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs
All five sit under the NapAgent (Network Access Protection client) service key and are attributed to netsh.exe, not to the dropped binary. They are consistent with netsh initialising its own helper DLLs on first use and should not be read as the sample registering or reconfiguring a service.

Legitimate hosting services abused for malware hosting/C2 (1 TTP)
  No IoC rows recorded.

Suspicious use of AdjustPrivilegeToken (32 IoCs)
  Token: SeDebugPrivilege  1464 SecuriteInfo.com.Trojan.Emotet.987.23049.3767.exe
  Token: SeDebugPrivilege  736 server.exe
  Token: 33  736 server.exe (15 times)
  Token: SeIncBasePriorityPrivilege  736 server.exe (15 times)
In the raw log the last two alternate (33, SeIncBasePriorityPrivilege, 33, ...), i.e. server.exe enables them as a pair, repeatedly. The report leaves LUID 33 unresolved; on Windows that value is SeIncreaseWorkingSetPrivilege.

Loads dropped DLL (1 IoC)
  PID 1464 SecuriteInfo.com.Trojan.Emotet.987.23049.3767.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Emotet.987.23049.3767.exe (PID 1464)
   Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Emotet.987.23049.3767.exe"
   - Suspicious use of WriteProcessMemory
   - Suspicious use of AdjustPrivilegeToken
   - Loads dropped DLL

   2. C:\Users\Admin\AppData\Roaming\server.exe (PID 736, child of 1)
      Command line: "C:\Users\Admin\AppData\Roaming\server.exe"
      - Suspicious use of WriteProcessMemory
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

      3. C:\Windows\SysWOW64\netsh.exe (PID 1700, child of 2)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
         - Modifies service

The chain is: submitted binary in Temp drops a copy as %APPDATA%\server.exe, runs it, and the copy uses the legacy "netsh firewall" context (deprecated but still present on Windows 7) to add an inbound exception for itself. That exception is what a practitioner should hunt for: a firewall allowed-program entry pointing into a user-writable directory, added by a process that itself runs from a user-writable directory. The netsh that ran is the SysWOW64 copy, which indicates the dropped server.exe is a 32-bit process.
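As an added example that is not part of the sandbox report or of the sample, the following Python detector takes process-creation events shaped like the tree above and flags netsh firewall exceptions whose whitelisted program, or whose launching process chain, lives in a user-writable directory. The event list is constructed from the report's PIDs, images and command lines; the parent PID of 1464, the benign Chrome rule used as a control case, and all helper names (EVENTS, allowed_program, find_firewall_whitelisting) are assumptions. It also parses the newer "netsh advfirewall firewall add rule ... program=" form, which the report does not show, so it generalises beyond this one sample.

```python
import re
from typing import Dict, List, Optional

# Constructed process-creation events modelled on the report's process tree.
# PIDs, images and command lines for 1464, 736 and 1700 are the report's own;
# the parent PID of 1464 (1000) and the last event (a benign advfirewall rule
# for a program under Program Files, PIDs 2100/2200) are assumptions added
# as a control case.
EVENTS: List[Dict] = [
    {"pid": 1464, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Emotet.987.23049.3767.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Emotet.987.23049.3767.exe"'},
    {"pid": 736, "ppid": 1464,
     "image": r"C:\Users\Admin\AppData\Roaming\server.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\server.exe"'},
    {"pid": 1700, "ppid": 736,
     "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE'},
    {"pid": 2200, "ppid": 2100,
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r'netsh advfirewall firewall add rule name="Allow Chrome" dir=in action=allow program="C:\Program Files\Google\Chrome\chrome.exe"'},
]

# Directories an unprivileged user can write to. A firewall exception for a
# binary living here is the pattern in the report (AppData\Roaming\server.exe).
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\appdata|users\\public|programdata)\\", re.IGNORECASE)

# Split a Windows command line on whitespace while keeping quoted spans
# (including key="value with spaces") together, then drop the quotes.
TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')


def tokenize(cmdline: str) -> List[str]:
    return [t.replace('"', "") for t in TOKEN.findall(cmdline)]


def allowed_program(cmdline: str) -> Optional[str]:
    """Return the path a netsh command adds as a firewall exception, or None.

    Handles the legacy 'netsh firewall add allowedprogram' form seen in the
    report and the 'netsh advfirewall firewall add rule ... program=' form.
    """
    toks = tokenize(cmdline)
    if not toks:
        return None
    low = [t.lower() for t in toks]
    if low[0].rsplit("\\", 1)[-1] not in ("netsh", "netsh.exe"):
        return None
    if low[1:4] == ["firewall", "add", "allowedprogram"] and len(toks) > 4:
        if "disable" in low or "mode=disable" in low:
            return None          # exception added but explicitly disabled
        path = toks[4]
        return path.split("=", 1)[1] if low[4].startswith("program=") else path
    if low[1:5] == ["advfirewall", "firewall", "add", "rule"]:
        if "action=allow" not in low:
            return None          # block rules are not whitelisting
        for tok, l in zip(toks, low):
            if l.startswith("program="):
                return tok.split("=", 1)[1]
    return None


def ancestry(ppid: int, by_pid: Dict[int, Dict]) -> List[Dict]:
    """Walk parent links upward until the chain leaves the event set."""
    chain, seen = [], set()
    while ppid in by_pid and ppid not in seen:
        seen.add(ppid)
        chain.append(by_pid[ppid])
        ppid = by_pid[ppid]["ppid"]
    return chain


def find_firewall_whitelisting(events: List[Dict]) -> List[Dict]:
    """Flag netsh exceptions whose target or launching chain is user-writable."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        prog = allowed_program(e["cmdline"])
        if prog is None:
            continue
        chain = ancestry(e["ppid"], by_pid)
        reasons = []
        if USER_WRITABLE.match(prog):
            reasons.append("whitelisted program lives in a user-writable directory")
        if any(USER_WRITABLE.match(a["image"]) for a in chain):
            reasons.append("netsh launched from a user-writable directory")
        if reasons:
            findings.append({"pid": e["pid"], "program": prog,
                             "ancestry": [a["image"] for a in chain],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_firewall_whitelisting(EVENTS):
        print(f"netsh pid {f['pid']} whitelisted {f['program']}")
        for r in f["reasons"]:
            print("  -", r)
        print("  chain:", " <- ".join(f["ancestry"]))
```

Run against the constructed events, only PID 1700 is reported, with both reasons and an ancestry of server.exe then the Temp dropper; the Chrome rule is parsed but not flagged because its program sits under Program Files and its parent is not in the event set. In production the same logic applies to Sysmon event 1 or Windows 4688 records; the parent walk is what separates a user clicking through a firewall prompt from a dropper granting itself network access.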