Sample: 2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe
Filename: 2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe
Size: 572KB
Date: 07-04-2021 13:11
MD5: c882de666f59cdeff7c0f5611d18fa3f
SHA1: 2cd4c99affc6aaeae73c0899a77b18d66c9ff2fb
SHA256: 2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe
Signature: Emotet
Description: Emotet is a trojan that is primarily spread through spam emails.
Tags: -
Signature: Drops file in System32 directory
Process: inboxinbox.exe
Reported IOCs:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | inboxinbox.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | inboxinbox.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | inboxinbox.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | inboxinbox.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | inboxinbox.exe
Signature: Enumerates physical storage devices
Description: Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
TTPs: -
Signature: Modifies data under HKEY_USERS
Process: inboxinbox.exe
Reported IOCs:
description | ioc | process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | inboxinbox.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | inboxinbox.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | inboxinbox.exe
Signature: Suspicious behavior: EmotetMutantsSpam
Processes: 2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe, inboxinbox.exe
Reported IOCs:
pid | process
1500 | 2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe
2212 | inboxinbox.exe
Signature: Suspicious behavior: EnumeratesProcesses
Process: inboxinbox.exe
Reported IOCs:
pid | process
2212 | inboxinbox.exe (this row is reported 18 times)
Signature: Suspicious behavior: RenamesItself
Process: 2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe
Reported IOCs:
pid | process
1500 | 2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe
Signature: Suspicious use of SetWindowsHookEx
Processes: 2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe, 2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe, inboxinbox.exe, inboxinbox.exe
Reported IOCs:
pid | process
3576 | 2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe
1500 | 2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe
3720 | inboxinbox.exe
2212 | inboxinbox.exe
Signature: Suspicious use of WriteProcessMemory
Processes: 2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe, inboxinbox.exe
Reported IOCs:
description | pid | process | target process
PID 3576 wrote to memory of 1500 | 3576 | 2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe | 2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe (this row is reported 3 times)
PID 3720 wrote to memory of 2212 | 3720 | inboxinbox.exe | inboxinbox.exe (this row is reported 3 times)
Processes:

Process: C:\Users\Admin\AppData\Local\Temp\2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe"
Signatures: Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

Process: C:\Users\Admin\AppData\Local\Temp\2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe --ca061b2d
Signatures: Suspicious behavior: EmotetMutantsSpam; Suspicious behavior: RenamesItself; Suspicious use of SetWindowsHookEx

Process: C:\Windows\SysWOW64\inboxinbox.exe
Command line: "C:\Windows\SysWOW64\inboxinbox.exe"
Signatures: Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

Process: C:\Windows\SysWOW64\inboxinbox.exe
Command line: C:\Windows\SysWOW64\inboxinbox.exe --55f44a92
Signatures: Drops file in System32 directory; Modifies data under HKEY_USERS; Suspicious behavior: EmotetMutantsSpam; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx
Dropped file: C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\b36208c2e0ba1c7f0e7f094499ea3452_72727c5d-8d0e-47bb-8579-8067735277ff
MD5: d854e5bf32f6eff669679c3a9acd847a
SHA1: 0d43be3bd4161a1cbb329c910fdf62346fa45b20
SHA256: 5a08f974f0f6e267fb0a7658b1d80e809a3f4f1293a9149238b647f3ed305660
SHA512: 2dafe095dadaf0536ab48043a05b71900717e49c6a344e3fcd4fa1282db0a46559e67528d541195efaafc77e53d2e69cbe6da46f4ce0fcf827f9d94c4bb48259
Memory dumps:
memory/1500-2-0x0000000000000000-mapping.dmp
memory/1500-4-0x0000000000400000-0x0000000000493000-memory.dmp
memory/2212-6-0x0000000000000000-mapping.dmp
memory/2212-9-0x0000000000400000-0x0000000000493000-memory.dmp
memory/3576-3-0x0000000000570000-0x0000000000581000-memory.dmp