2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe

General

  Target:     2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe
  Filesize:   572KB
  Completed:  07-04-2021 13:11
  Score:      10/10
  MD5:        c882de666f59cdeff7c0f5611d18fa3f
  SHA1:       2cd4c99affc6aaeae73c0899a77b18d66c9ff2fb
  SHA256:     2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe

Signatures (9)

  • Emotet
    Description: Emotet is a trojan that is primarily spread through spam emails.
  • Drops file in System32 directory
    Process: inboxinbox.exe

    Reported IOCs

      Description                  | IOC                                                                                                 | Process
      File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5        | inboxinbox.exe
      File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat    | inboxinbox.exe
      File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5      | inboxinbox.exe
      File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE               | inboxinbox.exe
      File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies                | inboxinbox.exe
  • Enumerates physical storage devices
    Description: Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
    TTPs: System Information Discovery
  • Modifies data under HKEY_USERS
    Process: inboxinbox.exe

    Reported IOCs

      Description     | IOC                                                                                                                  | Process
      Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix     | inboxinbox.exe
      Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"  | inboxinbox.exe
      Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | inboxinbox.exe
  • Suspicious behavior: EmotetMutantsSpam
    Processes: 2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe, inboxinbox.exe

    Reported IOCs

      PID  | Process
      1500 | 2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe
      2212 | inboxinbox.exe
  • Suspicious behavior: EnumeratesProcesses
    Process: inboxinbox.exe

    Reported IOCs

      PID  | Process
      2212 | inboxinbox.exe   (18 identical entries reported)
  • Suspicious behavior: RenamesItself
    Process: 2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe

    Reported IOCs

      PID  | Process
      1500 | 2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe
  • Suspicious use of SetWindowsHookEx
    Processes: 2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe, inboxinbox.exe

    Reported IOCs

      PID  | Process
      3576 | 2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe
      1500 | 2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe
      3720 | inboxinbox.exe
      2212 | inboxinbox.exe
  • Suspicious use of WriteProcessMemory
    Processes: 2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe, inboxinbox.exe

    Reported IOCs

      Description                      | PID  | Process                                                                | Target process
      PID 3576 wrote to memory of 1500 | 3576 | 2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe | 2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe   (reported 3 times)
      PID 3720 wrote to memory of 2212 | 3720 | inboxinbox.exe                                                         | inboxinbox.exe   (reported 3 times)
Processes (4)
  • C:\Users\Admin\AppData\Local\Temp\2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe
    "C:\Users\Admin\AppData\Local\Temp\2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe"
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:3576
    • C:\Users\Admin\AppData\Local\Temp\2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe
      --ca061b2d
      Suspicious behavior: EmotetMutantsSpam
      Suspicious behavior: RenamesItself
      Suspicious use of SetWindowsHookEx
      PID:1500
  • C:\Windows\SysWOW64\inboxinbox.exe
    "C:\Windows\SysWOW64\inboxinbox.exe"
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:3720
    • C:\Windows\SysWOW64\inboxinbox.exe
      --55f44a92
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EmotetMutantsSpam
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2212
Downloads
  • C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\b36208c2e0ba1c7f0e7f094499ea3452_72727c5d-8d0e-47bb-8579-8067735277ff
      MD5:     d854e5bf32f6eff669679c3a9acd847a
      SHA1:    0d43be3bd4161a1cbb329c910fdf62346fa45b20
      SHA256:  5a08f974f0f6e267fb0a7658b1d80e809a3f4f1293a9149238b647f3ed305660
      SHA512:  2dafe095dadaf0536ab48043a05b71900717e49c6a344e3fcd4fa1282db0a46559e67528d541195efaafc77e53d2e69cbe6da46f4ce0fcf827f9d94c4bb48259
  • memory/1500-2-0x0000000000000000-mapping.dmp
  • memory/1500-4-0x0000000000400000-0x0000000000493000-memory.dmp
  • memory/2212-6-0x0000000000000000-mapping.dmp
  • memory/2212-9-0x0000000000400000-0x0000000000493000-memory.dmp
  • memory/3576-3-0x0000000000570000-0x0000000000581000-memory.dmp