Overview

overview

10

Static

static

4e3888c0c2...ae.exe

windows7_x64

10

4e3888c0c2...ae.exe

windows10_x64

10

Analysis

  • max time kernel
    144s
  • max time network
    146s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    07-04-2021 15:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4e3888c0c289fa84a59aa771e8b948e88805268273d758d279d0c76876ccb4ae.exe

  • Size

    400KB

  • MD5

    d782643d2a7eec1f892226c6dd4a71d6

  • SHA1

    a4fa2d85f3314c10e43bc374fdb3ccd4b902feac

  • SHA256

    4e3888c0c289fa84a59aa771e8b948e88805268273d758d279d0c76876ccb4ae

  • SHA512

    36cb6ea7265401bd3ff8c7290352fa2c47f1396e494c303478e6bb534943a36a8c33469623cf01209b0b542e5738d72d8739448f6f25534a3e398a94b2e3cda6

Score
10/10
emotetbankertrojan

Malware Config

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Drops file in System32 directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 3 IoCs
  • Suspicious behavior: EmotetMutantsSpam 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4e3888c0c289fa84a59aa771e8b948e88805268273d758d279d0c76876ccb4ae.exe
    "C:\Users\Admin\AppData\Local\Temp\4e3888c0c289fa84a59aa771e8b948e88805268273d758d279d0c76876ccb4ae.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3116
    • C:\Users\Admin\AppData\Local\Temp\4e3888c0c289fa84a59aa771e8b948e88805268273d758d279d0c76876ccb4ae.exe
      --84ca9d77
      2⤵
      • Suspicious behavior: EmotetMutantsSpam
      • Suspicious behavior: RenamesItself
      • Suspicious use of SetWindowsHookEx
      PID:3140
  • C:\Windows\SysWOW64\dispidleel.exe
    "C:\Windows\SysWOW64\dispidleel.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3548
    • C:\Windows\SysWOW64\dispidleel.exe
      --c2fa54f
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EmotetMutantsSpam
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2424

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\b36208c2e0ba1c7f0e7f094499ea3452_72727c5d-8d0e-47bb-8579-8067735277ff
    MD5

    d854e5bf32f6eff669679c3a9acd847a

    SHA1

    0d43be3bd4161a1cbb329c910fdf62346fa45b20

    SHA256

    5a08f974f0f6e267fb0a7658b1d80e809a3f4f1293a9149238b647f3ed305660

    SHA512

    2dafe095dadaf0536ab48043a05b71900717e49c6a344e3fcd4fa1282db0a46559e67528d541195efaafc77e53d2e69cbe6da46f4ce0fcf827f9d94c4bb48259

    Download Submit
  • memory/2424-6-0x0000000000000000-mapping.dmp
    Download
  • memory/2424-9-0x0000000000400000-0x0000000000468000-memory.dmp
    Filesize

    416KB

    Download
  • memory/3116-3-0x00000000001E0000-0x00000000001F1000-memory.dmp
    Filesize

    68KB

    Download
  • memory/3140-2-0x0000000000000000-mapping.dmp
    Download
  • memory/3140-4-0x0000000000400000-0x0000000000468000-memory.dmp
    Filesize

    416KB

    Download