Analysis
- max time kernel: 144s
- max time network: 149s
- platform: windows10_x64
- resource: win10
- submitted: 01-08-2020 19:34
Static task: static1
Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Trojan.Emotet.987.23049.3767.exe
- Resource: win7 (windows7_x64)
- 0 signatures
- 0 seconds
General
- Target: SecuriteInfo.com.Trojan.Emotet.987.23049.3767.exe
- Size: 36KB
- MD5: f1f8814239371bbaa60f2d2bced185e4
- SHA1: 117dea564d6f7ed5c6741b8fd5a87bcac5765722
- SHA256: b20ffc1d22dbcae7052b7414d7ed19303ec13f419d41dd976806de7f86bc9b31
- SHA512: 4b3a0f5029544a3b94d735a2c609fce17fad47e9d9bfb210b68eb0da1e572e6831492317415b2bcf23c542fa024e50a1fe44d5586d8c9a855003090e1d87a87c
Malware Config
Signatures
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: SecuriteInfo.com.Trojan.Emotet.987.23049.3767.exe, server.exe
  description | pid | process | target process
  PID 720 wrote to memory of 3872 | 720 | SecuriteInfo.com.Trojan.Emotet.987.23049.3767.exe | server.exe
  PID 720 wrote to memory of 3872 | 720 | SecuriteInfo.com.Trojan.Emotet.987.23049.3767.exe | server.exe
  PID 720 wrote to memory of 3872 | 720 | SecuriteInfo.com.Trojan.Emotet.987.23049.3767.exe | server.exe
  PID 3872 wrote to memory of 3780 | 3872 | server.exe | netsh.exe
  PID 3872 wrote to memory of 3780 | 3872 | server.exe | netsh.exe
  PID 3872 wrote to memory of 3780 | 3872 | server.exe | netsh.exe
- Executes dropped EXE (1 IoCs)
  Processes: server.exe
  pid | process
  3872 | server.exe
- Modifies Windows Firewall (1 TTPs)
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Suspicious use of AdjustPrivilegeToken (34 IoCs)
  Processes: SecuriteInfo.com.Trojan.Emotet.987.23049.3767.exe, server.exe
  description | pid | process
  Token: SeDebugPrivilege | 720 | SecuriteInfo.com.Trojan.Emotet.987.23049.3767.exe
  Token: SeDebugPrivilege | 3872 | server.exe
  Token: 33 | 3872 | server.exe
  Token: SeIncBasePriorityPrivilege | 3872 | server.exe
  Token: 33 | 3872 | server.exe
  Token: SeIncBasePriorityPrivilege | 3872 | server.exe
  Token: 33 | 3872 | server.exe
  Token: SeIncBasePriorityPrivilege | 3872 | server.exe
  Token: 33 | 3872 | server.exe
  Token: SeIncBasePriorityPrivilege | 3872 | server.exe
  Token: 33 | 3872 | server.exe
  Token: SeIncBasePriorityPrivilege | 3872 | server.exe
  Token: 33 | 3872 | server.exe
  Token: SeIncBasePriorityPrivilege | 3872 | server.exe
  Token: 33 | 3872 | server.exe
  Token: SeIncBasePriorityPrivilege | 3872 | server.exe
  Token: 33 | 3872 | server.exe
  Token: SeIncBasePriorityPrivilege | 3872 | server.exe
  Token: 33 | 3872 | server.exe
  Token: SeIncBasePriorityPrivilege | 3872 | server.exe
  Token: 33 | 3872 | server.exe
  Token: SeIncBasePriorityPrivilege | 3872 | server.exe
  Token: 33 | 3872 | server.exe
  Token: SeIncBasePriorityPrivilege | 3872 | server.exe
  Token: 33 | 3872 | server.exe
  Token: SeIncBasePriorityPrivilege | 3872 | server.exe
  Token: 33 | 3872 | server.exe
  Token: SeIncBasePriorityPrivilege | 3872 | server.exe
  Token: 33 | 3872 | server.exe
  Token: SeIncBasePriorityPrivilege | 3872 | server.exe
  Token: 33 | 3872 | server.exe
  Token: SeIncBasePriorityPrivilege | 3872 | server.exe
  Token: 33 | 3872 | server.exe
  Token: SeIncBasePriorityPrivilege | 3872 | server.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Emotet.987.23049.3767.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Emotet.987.23049.3767.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\server.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Roaming\server.exe"
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\netsh.exe (level 3)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE