Analysis
- max time kernel: 137s
- max time network: 147s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 18-11-2020 21:57

Static task: static1
Behavioral task: behavioral1
- Sample: emotet.exe
- Resource: win7v20201028 (windows7_x64)
- 0 signatures
- 0 seconds
General
- Target: emotet.exe
- Size: 213KB
- MD5: 3135be2c48f42ef0f3540f7434eb9f39
- SHA1: 6c8773fd797cad0e05ee4c27658d484576bca4f4
- SHA256: 47ce4a3551cfd77c69cb0615b6e3a40f78a57f8321477654dd6b06512070f1ae
- SHA512: 03d6fc239d9f47975592f78e4a31ec8d30a414768f017dded7c5ca7f1fc877bf8561f85b1ed8ed1335177e5cb6300b3359032370e325aaa508e1be9989f370e7
Malware Config
Signatures
- Drops file in System32 directory (1 IoC)
  Processes: tabbtndeep.exe
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (tabbtndeep.exe)
- Modifies data under HKEY_USERS (22 IoCs)
  Processes: tabbtndeep.exe
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (tabbtndeep.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77 (tabbtndeep.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\32-e2-17-db-d2-77 (tabbtndeep.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecision = "0" (tabbtndeep.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDetectedUrl (tabbtndeep.exe)
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = 9033f39af5bdd601 (tabbtndeep.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings (tabbtndeep.exe)
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (tabbtndeep.exe)
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a07005f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (tabbtndeep.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD} (tabbtndeep.exe)
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadDecisionTime = d099cf63f5bdd601 (tabbtndeep.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadDecision = "0" (tabbtndeep.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadNetworkName = "Network" (tabbtndeep.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionReason = "1" (tabbtndeep.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections (tabbtndeep.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadDecisionReason = "1" (tabbtndeep.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings (tabbtndeep.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad (tabbtndeep.exe)
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = d099cf63f5bdd601 (tabbtndeep.exe)
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a07005f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (tabbtndeep.exe)
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadDecisionTime = 9033f39af5bdd601 (tabbtndeep.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" (tabbtndeep.exe)
- Suspicious behavior: EmotetMutantsSpam (2 IoCs)
  Processes: emotet.exe, tabbtndeep.exe
  - PID 1924 emotet.exe
  - PID 1408 tabbtndeep.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes: emotet.exe, emotet.exe, tabbtndeep.exe, tabbtndeep.exe
  - PID 1704 emotet.exe
  - PID 1924 emotet.exe
  - PID 1272 tabbtndeep.exe
  - PID 1408 tabbtndeep.exe
  - PID 1408 tabbtndeep.exe
  - PID 1408 tabbtndeep.exe
  - PID 1408 tabbtndeep.exe
  - PID 1408 tabbtndeep.exe
- Suspicious behavior: RenamesItself (1 IoC)
  Processes: emotet.exe
  - PID 1924 emotet.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: emotet.exe, tabbtndeep.exe
  - PID 1704 wrote to memory of 1924 (emotet.exe -> emotet.exe)
  - PID 1704 wrote to memory of 1924 (emotet.exe -> emotet.exe)
  - PID 1704 wrote to memory of 1924 (emotet.exe -> emotet.exe)
  - PID 1704 wrote to memory of 1924 (emotet.exe -> emotet.exe)
  - PID 1272 wrote to memory of 1408 (tabbtndeep.exe -> tabbtndeep.exe)
  - PID 1272 wrote to memory of 1408 (tabbtndeep.exe -> tabbtndeep.exe)
  - PID 1272 wrote to memory of 1408 (tabbtndeep.exe -> tabbtndeep.exe)
  - PID 1272 wrote to memory of 1408 (tabbtndeep.exe -> tabbtndeep.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\emotet.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\emotet.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\emotet.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\emotet.exe"
    - Suspicious behavior: EmotetMutantsSpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
- C:\Windows\SysWOW64\tabbtndeep.exe
  Command line: "C:\Windows\SysWOW64\tabbtndeep.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\tabbtndeep.exe (child process)
    Command line: "C:\Windows\SysWOW64\tabbtndeep.exe"
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EmotetMutantsSpam
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads
- memory/1272-4-0x0000000000290000-0x00000000002A7000-memory.dmp (92KB)
- memory/1408-5-0x0000000000000000-mapping.dmp
- memory/1408-6-0x0000000000260000-0x0000000000277000-memory.dmp (92KB)
- memory/1408-7-0x0000000000B80000-0x0000000000BB9000-memory.dmp (228KB)
- memory/1704-0-0x00000000001D0000-0x00000000001E7000-memory.dmp (92KB)
- memory/1924-1-0x0000000000000000-mapping.dmp
- memory/1924-2-0x00000000001D0000-0x00000000001E7000-memory.dmp (92KB)
- memory/1924-3-0x0000000000B80000-0x0000000000BB9000-memory.dmp (228KB)