Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 07-04-2021 13:08

Static task: static1
Behavioral task: behavioral1
Sample: 2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe
Resource: win7v20201028

General
- Target: 2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe
- Size: 572KB
- MD5: c882de666f59cdeff7c0f5611d18fa3f
- SHA1: 2cd4c99affc6aaeae73c0899a77b18d66c9ff2fb
- SHA256: 2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe
- SHA512: b5dd9fccc39b8131937d7a3e44487427c6f981cdba4d146a149d0801be115ec8a879da000ed40a79594458300df305d4ee6cf37bed437396fbdf3451114f6e9a
Malware Config
Signatures
- Drops file in System32 directory (5 IoCs)
  Processes (description | ioc | process):
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | inboxinbox.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | inboxinbox.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | inboxinbox.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | inboxinbox.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | inboxinbox.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies data under HKEY_USERS (3 IoCs)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | inboxinbox.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | inboxinbox.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | inboxinbox.exe
- Suspicious behavior: EmotetMutantsSpam (2 IoCs)
  Processes (pid | process):
  1500 | 2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe
  2212 | inboxinbox.exe
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  Processes (pid | process):
  2212 | inboxinbox.exe (18 occurrences)
- Suspicious behavior: RenamesItself (1 IoC)
  Processes (pid | process):
  1500 | 2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes (pid | process):
  3576 | 2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe
  1500 | 2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe
  3720 | inboxinbox.exe
  2212 | inboxinbox.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description | pid | process | target process):
  PID 3576 wrote to memory of 1500 | 3576 | 2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe | 2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe (3 occurrences)
  PID 3720 wrote to memory of 2212 | 3720 | inboxinbox.exe | inboxinbox.exe (3 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe (child)
    Command line: --ca061b2d
    - Suspicious behavior: EmotetMutantsSpam
    - Suspicious behavior: RenamesItself
    - Suspicious use of SetWindowsHookEx
- C:\Windows\SysWOW64\inboxinbox.exe
  Command line: "C:\Windows\SysWOW64\inboxinbox.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\inboxinbox.exe (child)
    Command line: --55f44a92
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EmotetMutantsSpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\b36208c2e0ba1c7f0e7f094499ea3452_72727c5d-8d0e-47bb-8579-8067735277ff
  MD5: d854e5bf32f6eff669679c3a9acd847a
  SHA1: 0d43be3bd4161a1cbb329c910fdf62346fa45b20
  SHA256: 5a08f974f0f6e267fb0a7658b1d80e809a3f4f1293a9149238b647f3ed305660
  SHA512: 2dafe095dadaf0536ab48043a05b71900717e49c6a344e3fcd4fa1282db0a46559e67528d541195efaafc77e53d2e69cbe6da46f4ce0fcf827f9d94c4bb48259
- memory/1500-2-0x0000000000000000-mapping.dmp
- memory/1500-4-0x0000000000400000-0x0000000000493000-memory.dmp (Filesize: 588KB)
- memory/2212-6-0x0000000000000000-mapping.dmp
- memory/2212-9-0x0000000000400000-0x0000000000493000-memory.dmp (Filesize: 588KB)
- memory/3576-3-0x0000000000570000-0x0000000000581000-memory.dmp (Filesize: 68KB)