Analysis

  • max time kernel: 149s
  • max time network: 144s
  • platform: windows10_x64
  • resource: win10v20201028
  • submitted: 07-04-2021 13:08

General

  • Target: 22d7305553fb73065b56e2fcaeb399653a8a79bb7104a9e8ce44c5f7534a4b3b.exe
  • Size: 572KB
  • MD5: 6394ab67821651c32b6778a2a79bda66
  • SHA1: d9083e0f56cf231aaa22044d28829e94e464b7d2
  • SHA256: 22d7305553fb73065b56e2fcaeb399653a8a79bb7104a9e8ce44c5f7534a4b3b
  • SHA512: dff9db981012d5e930fd24d544524be84ee4df11a36dbda5f276ca7bc95af2ce994730dad23b11905aa6be965cacd65733fb6b4ae6cdbf0a7bb69e2b31ed2540

Score
10/10

Malware Config

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Drops file in System32 directory (5 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS (3 IoCs)
  • Suspicious behavior: EmotetMutantsSpam (2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (16 IoCs)
  • Suspicious behavior: RenamesItself (1 IoC)
  • Suspicious use of SetWindowsHookEx (4 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\22d7305553fb73065b56e2fcaeb399653a8a79bb7104a9e8ce44c5f7534a4b3b.exe
    "C:\Users\Admin\AppData\Local\Temp\22d7305553fb73065b56e2fcaeb399653a8a79bb7104a9e8ce44c5f7534a4b3b.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:832
    • C:\Users\Admin\AppData\Local\Temp\22d7305553fb73065b56e2fcaeb399653a8a79bb7104a9e8ce44c5f7534a4b3b.exe
      --f584da8b
      2⤵
      • Suspicious behavior: EmotetMutantsSpam
      • Suspicious behavior: RenamesItself
      • Suspicious use of SetWindowsHookEx
      PID:3532
  • C:\Windows\SysWOW64\texttofooter.exe
    "C:\Windows\SysWOW64\texttofooter.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1476
    • C:\Windows\SysWOW64\texttofooter.exe
      --35288115
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EmotetMutantsSpam
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3832

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery: System Information Discovery, T1082 (1)

Downloads

  • C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\b36208c2e0ba1c7f0e7f094499ea3452_72727c5d-8d0e-47bb-8579-8067735277ff
    MD5: d854e5bf32f6eff669679c3a9acd847a
    SHA1: 0d43be3bd4161a1cbb329c910fdf62346fa45b20
    SHA256: 5a08f974f0f6e267fb0a7658b1d80e809a3f4f1293a9149238b647f3ed305660
    SHA512: 2dafe095dadaf0536ab48043a05b71900717e49c6a344e3fcd4fa1282db0a46559e67528d541195efaafc77e53d2e69cbe6da46f4ce0fcf827f9d94c4bb48259
  • memory/832-3-0x0000000000640000-0x0000000000651000-memory.dmp
    Filesize: 68KB
  • memory/3532-2-0x0000000000000000-mapping.dmp
  • memory/3532-4-0x0000000000400000-0x0000000000493000-memory.dmp
    Filesize: 588KB
  • memory/3832-6-0x0000000000000000-mapping.dmp
  • memory/3832-9-0x0000000000400000-0x0000000000493000-memory.dmp
    Filesize: 588KB