Analysis
- max time kernel: 137s
- max time network: 147s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 18-11-2020 21:57
- Static task: static1
- Behavioral task: behavioral1
  - Sample: emotet.exe
  - Resource: win7v20201028 (windows7_x64)
  - 0 signatures, 0 seconds
General
- Target: emotet.exe
- Size: 213KB
- MD5: 3135be2c48f42ef0f3540f7434eb9f39
- SHA1: 6c8773fd797cad0e05ee4c27658d484576bca4f4
- SHA256: 47ce4a3551cfd77c69cb0615b6e3a40f78a57f8321477654dd6b06512070f1ae
- SHA512: 03d6fc239d9f47975592f78e4a31ec8d30a414768f017dded7c5ca7f1fc877bf8561f85b1ed8ed1335177e5cb6300b3359032370e325aaa508e1be9989f370e7
Malware Config
Signatures
- Drops file in System32 directory (1 IoC)
  Processes:
  description                  | ioc                                                                                               | process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | loadavolume.exe

- Suspicious behavior: EmotetMutantsSpam (2 IoCs)
  Processes:
  pid  | process
  2724 | emotet.exe
  4000 | loadavolume.exe

- Suspicious behavior: EnumeratesProcesses (22 IoCs; the report lists one row per IoC, collapsed here with a count)
  Processes:
  pid  | process         | count
  2604 | emotet.exe      | 2
  2724 | emotet.exe      | 2
  1928 | loadavolume.exe | 2
  4000 | loadavolume.exe | 16

- Suspicious behavior: RenamesItself (1 IoC)
  Processes:
  pid  | process
  2724 | emotet.exe

- Suspicious use of WriteProcessMemory (6 IoCs; one row per IoC in the report, collapsed here with a count)
  Processes:
  description                      | pid  | process         | target process  | count
  PID 2604 wrote to memory of 2724 | 2604 | emotet.exe      | emotet.exe      | 3
  PID 1928 wrote to memory of 4000 | 1928 | loadavolume.exe | loadavolume.exe | 3
Processes
- C:\Users\Admin\AppData\Local\Temp\emotet.exe (depth 1; PID 2604 per the WriteProcessMemory signature)
  command line: "C:\Users\Admin\AppData\Local\Temp\emotet.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\emotet.exe (depth 2, child of the above; PID 2724)
    command line: "C:\Users\Admin\AppData\Local\Temp\emotet.exe"
    - Suspicious behavior: EmotetMutantsSpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
- C:\Windows\SysWOW64\loadavolume.exe (depth 1; PID 1928 per the WriteProcessMemory signature)
  command line: "C:\Windows\SysWOW64\loadavolume.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\loadavolume.exe (depth 2, child of the above; PID 4000)
    command line: "C:\Windows\SysWOW64\loadavolume.exe"
    - Drops file in System32 directory
    - Suspicious behavior: EmotetMutantsSpam
    - Suspicious behavior: EnumeratesProcesses
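The two trees above, read together with the WriteProcessMemory and RenamesItself signatures, show one pattern twice: a process starts a second copy of its own image and writes into that child's memory, first as emotet.exe from the user's Temp directory, then again as the renamed copy loadavolume.exe under SysWOW64. The following is an added example, not part of the report and not the sandbox's own signature logic, that flags that parent-and-child-same-image-plus-memory-write chain in process telemetry. The event records are constructed to mirror the report's PIDs and paths; the parent PIDs 1000 and 600 and the explorer/notepad control pair are invented.

```python
"""Flag Emotet-style spawn-self-and-inject chains in process telemetry.

Added example; not part of the sandbox report. The events below are
constructed to mirror the report: emotet.exe (PID 2604) starts a second copy
of itself (PID 2724) and writes into its memory three times, and the renamed
copy loadavolume.exe under SysWOW64 (PID 1928) does the same to its child
(PID 4000). Other PIDs and the explorer/notepad pair are invented controls.
"""
import ntpath
from collections import Counter

# Constructed telemetry. "create": process start (pid, ppid, image);
# "write": cross-process memory write, i.e. what the report's
# "Suspicious use of WriteProcessMemory" signature records.
EVENTS = [
    {"type": "create", "pid": 2604, "ppid": 1000, "image": r"C:\Users\Admin\AppData\Local\Temp\emotet.exe"},
    {"type": "create", "pid": 2724, "ppid": 2604, "image": r"C:\Users\Admin\AppData\Local\Temp\emotet.exe"},
    {"type": "write", "pid": 2604, "target": 2724},
    {"type": "write", "pid": 2604, "target": 2724},
    {"type": "write", "pid": 2604, "target": 2724},
    {"type": "create", "pid": 1928, "ppid": 600, "image": r"C:\Windows\SysWOW64\loadavolume.exe"},
    {"type": "create", "pid": 4000, "ppid": 1928, "image": r"C:\Windows\SysWOW64\loadavolume.exe"},
    {"type": "write", "pid": 1928, "target": 4000},
    {"type": "write", "pid": 1928, "target": 4000},
    {"type": "write", "pid": 1928, "target": 4000},
    # Control (invented): a parent writing into a child with a different
    # image is not the pattern; debuggers and some installers do this.
    {"type": "create", "pid": 3000, "ppid": 1000, "image": r"C:\Windows\explorer.exe"},
    {"type": "create", "pid": 3100, "ppid": 3000, "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "write", "pid": 3000, "target": 3100},
]


def find_self_injection(events):
    """Return one finding per (parent, child) pair where the parent started a
    child running the same image path and then wrote into the child's memory."""
    procs = {e["pid"]: e for e in events if e["type"] == "create"}
    writes = Counter((e["pid"], e["target"]) for e in events if e["type"] == "write")
    findings = []
    for (src, dst), n in sorted(writes.items()):
        parent, child = procs.get(src), procs.get(dst)
        if not parent or not child:
            continue  # no creation record for one side; lineage unknown
        if child["ppid"] != src:
            continue  # wrote into a process it did not start
        if ntpath.normcase(parent["image"]) != ntpath.normcase(child["image"]):
            continue  # different image: not spawn-self-and-inject
        findings.append({
            "parent_pid": src,
            "child_pid": dst,
            "image": ntpath.basename(child["image"]),
            "writes": n,
            # A same-image chain running from under C:\Windows is the copy that
            # was renamed and dropped there (here loadavolume.exe); worth
            # separating from the first run out of a user's Temp directory.
            "in_system_dir": ntpath.normcase(child["image"]).startswith(ntpath.normcase(r"C:\Windows")),
        })
    return findings


if __name__ == "__main__":
    for finding in find_self_injection(EVENTS):
        print(finding)
```

The rule deliberately requires both conditions, same image and a write from the actual parent; a parent writing into an unrelated same-named process (two instances of a browser) or into a differently named child is left alone, which keeps the control pair out of the results.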
Network
MITRE ATT&CK Matrix
Downloads
- memory/1928-4-0x00000000001F0000-0x0000000000207000-memory.dmp (92KB)
- memory/2604-0-0x0000000001160000-0x0000000001177000-memory.dmp (92KB)
- memory/2724-1-0x0000000000000000-mapping.dmp
- memory/2724-2-0x00000000021B0000-0x00000000021C7000-memory.dmp (92KB)
- memory/2724-3-0x0000000000070000-0x00000000000A9000-memory.dmp (228KB)
- memory/4000-5-0x0000000000000000-mapping.dmp
- memory/4000-6-0x0000000000DB0000-0x0000000000DC7000-memory.dmp (92KB)
- memory/4000-7-0x0000000000070000-0x00000000000A9000-memory.dmp (228KB)
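The dump names encode the PID and the virtual address range each region was taken from, which is enough to cross-check the listed sizes and to spot the region that appears in both injected children: 0x70000-0xA9000 is dumped from PID 2724 and again from PID 4000, the two write targets in the WriteProcessMemory signature, and is the natural carving target. The Python below is an added example, not part of the report or of the sandbox; the names and sizes are copied from the list above, the naming scheme memory/<pid>-<index>-<start>-<end>-memory.dmp is inferred from them (an assumption), and the dump bytes used for the PE-header check are constructed, since no dump contents are on the page.

```python
"""Parse sandbox memory-dump names, verify sizes, find shared regions.

Added example; not part of the sandbox report. DUMPS is copied from the
report's Downloads list; the name format is inferred from it (assumption).
"""
import re
import struct
from collections import defaultdict

DUMPS = [
    ("memory/1928-4-0x00000000001F0000-0x0000000000207000-memory.dmp", "92KB"),
    ("memory/2604-0-0x0000000001160000-0x0000000001177000-memory.dmp", "92KB"),
    ("memory/2724-1-0x0000000000000000-mapping.dmp", None),
    ("memory/2724-2-0x00000000021B0000-0x00000000021C7000-memory.dmp", "92KB"),
    ("memory/2724-3-0x0000000000070000-0x00000000000A9000-memory.dmp", "228KB"),
    ("memory/4000-5-0x0000000000000000-mapping.dmp", None),
    ("memory/4000-6-0x0000000000DB0000-0x0000000000DC7000-memory.dmp", "92KB"),
    ("memory/4000-7-0x0000000000070000-0x00000000000A9000-memory.dmp", "228KB"),
]

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-"
    r"(?:0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory"
    r"|0x(?P<map>[0-9A-Fa-f]+)-mapping)\.dmp$"
)


def parse_dump_name(name):
    """Split a dump name into pid, index, kind and (for region dumps) range."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    d = {"name": name, "pid": int(m["pid"]), "index": int(m["idx"])}
    if m["map"] is not None:
        d.update(kind="mapping", start=int(m["map"], 16), end=None, size=None)
    else:
        start, end = int(m["start"], 16), int(m["end"], 16)
        d.update(kind="memory", start=start, end=end, size=end - start)
    return d


def size_label(nbytes):
    """Whole-kilobyte label in the report's style (92KB, 228KB)."""
    return f"{nbytes // 1024}KB"


def check_listed_sizes(dumps):
    """Names whose address range disagrees with the size listed next to them."""
    return [name for name, listed in dumps
            if (d := parse_dump_name(name))["kind"] == "memory"
            and size_label(d["size"]) != listed]


def shared_regions(dumps):
    """Map (start, end) -> sorted PIDs for ranges dumped from more than one
    process; a payload injected at a fixed address shows up here."""
    by_range = defaultdict(set)
    for name, _ in dumps:
        d = parse_dump_name(name)
        if d["kind"] == "memory":
            by_range[(d["start"], d["end"])].add(d["pid"])
    return {r: sorted(p) for r, p in by_range.items() if len(p) > 1}


def looks_like_pe(data):
    """True if the bytes start with a DOS header whose e_lfanew points at
    'PE\\0\\0'. Region dumps often begin mid-image, so False is not proof
    that no PE is inside; it only says the dump does not start with one."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


# Constructed stand-in for a dump file (the page carries no dump bytes).
FAKE_DUMP = bytearray(0x200)
FAKE_DUMP[:2] = b"MZ"
struct.pack_into("<I", FAKE_DUMP, 0x3C, 0x80)
FAKE_DUMP[0x80:0x84] = b"PE\0\0"


if __name__ == "__main__":
    print("size mismatches:", check_listed_sizes(DUMPS))
    for (start, end), pids in shared_regions(DUMPS).items():
        print(f"0x{start:X}-0x{end:X} ({size_label(end - start)}) in PIDs {pids}")
    print("constructed dump has PE header:", looks_like_pe(FAKE_DUMP))
```

On real dumps, run looks_like_pe over the files behind the shared 0x70000-0xA9000 entries first; if the header is there, the region can be carved and re-hashed, and its hash will differ from the 213KB sample's, which is the value to pivot on for the unpacked stage.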