Analysis

  • max time kernel
    148s
  • max time network
    148s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    07-04-2021 15:27

General

  • Target

    faca543878c17e6a54140eb3307d5f9c948fe517b74fb731413af4fe39a163c5.exe

  • Size

    572KB

  • MD5

    2c4e3add87c219ec974b2ebc2551307f

  • SHA1

    51d0f3d119718b236c2afc964df6ea43d80d1988

  • SHA256

    faca543878c17e6a54140eb3307d5f9c948fe517b74fb731413af4fe39a163c5

  • SHA512

    a79f1e125ecd0a7f721fb19e8e4ef713f62031e91ab3e59aefb136ba6002477569d685491b8af2b1002a1fa455133541336188262498b2bb5b9106be8385791c

Score
10/10

Malware Config

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Drops file in System32 directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 3 IoCs
  • Suspicious behavior: EmotetMutantsSpam 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\faca543878c17e6a54140eb3307d5f9c948fe517b74fb731413af4fe39a163c5.exe
    "C:\Users\Admin\AppData\Local\Temp\faca543878c17e6a54140eb3307d5f9c948fe517b74fb731413af4fe39a163c5.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3996
    • C:\Users\Admin\AppData\Local\Temp\faca543878c17e6a54140eb3307d5f9c948fe517b74fb731413af4fe39a163c5.exe
      --3c8a43ec
      2⤵
      • Suspicious behavior: EmotetMutantsSpam
      • Suspicious behavior: RenamesItself
      • Suspicious use of SetWindowsHookEx
      PID:3792
  • C:\Windows\SysWOW64\ipmimailbox.exe
    "C:\Windows\SysWOW64\ipmimailbox.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3160
    • C:\Windows\SysWOW64\ipmimailbox.exe
      --1024b7e7
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EmotetMutantsSpam
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3824

Network

MITRE ATT&CK Matrix ATT&CK v6

Discovery

System Information Discovery

1
T1082

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\b36208c2e0ba1c7f0e7f094499ea3452_72727c5d-8d0e-47bb-8579-8067735277ff
    MD5

    d854e5bf32f6eff669679c3a9acd847a

    SHA1

    0d43be3bd4161a1cbb329c910fdf62346fa45b20

    SHA256

    5a08f974f0f6e267fb0a7658b1d80e809a3f4f1293a9149238b647f3ed305660

    SHA512

    2dafe095dadaf0536ab48043a05b71900717e49c6a344e3fcd4fa1282db0a46559e67528d541195efaafc77e53d2e69cbe6da46f4ce0fcf827f9d94c4bb48259

  • memory/3792-2-0x0000000000000000-mapping.dmp
  • memory/3792-4-0x0000000000400000-0x0000000000493000-memory.dmp
    Filesize

    588KB

  • memory/3824-6-0x0000000000000000-mapping.dmp
  • memory/3824-9-0x0000000000400000-0x0000000000493000-memory.dmp
    Filesize

    588KB

  • memory/3996-3-0x0000000000620000-0x0000000000631000-memory.dmp
    Filesize

    68KB