Analysis

  • max time kernel
    140s
  • max time network
    143s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    07-04-2021 15:10

General

  • Target

    61ab89f51f3743405d6cc52a82cf70344fc7cbfde25ed42c80c028ebfada023a.exe

  • Size

    672KB

  • MD5

    5e02977a2d98faf2de394fce6dbe0d45

  • SHA1

    ee177f2ece20347034d056858f2e21136605306a

  • SHA256

    61ab89f51f3743405d6cc52a82cf70344fc7cbfde25ed42c80c028ebfada023a

  • SHA512

    4bc73e8cd501b9ec39643f9e0328445ab1085e07c6b12f22f40d6fa72caa5e77120916868ec42ca2559d69b85e2a1b571b4985c750d4ccd5cdc6d252d3d13686

Score
10/10

Malware Config

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Drops file in System32 directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 3 IoCs
  • Suspicious behavior: EmotetMutantsSpam 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\61ab89f51f3743405d6cc52a82cf70344fc7cbfde25ed42c80c028ebfada023a.exe
    "C:\Users\Admin\AppData\Local\Temp\61ab89f51f3743405d6cc52a82cf70344fc7cbfde25ed42c80c028ebfada023a.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4648
    • C:\Users\Admin\AppData\Local\Temp\61ab89f51f3743405d6cc52a82cf70344fc7cbfde25ed42c80c028ebfada023a.exe
      --99f50949
      2⤵
      • Suspicious behavior: EmotetMutantsSpam
      • Suspicious behavior: RenamesItself
      • Suspicious use of SetWindowsHookEx
      PID:720
  • C:\Windows\SysWOW64\titlenetsh.exe
    "C:\Windows\SysWOW64\titlenetsh.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3936
    • C:\Windows\SysWOW64\titlenetsh.exe
      --5e548bcc
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EmotetMutantsSpam
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4080

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Discovery
    System Information Discovery (T1082): 1

Downloads

  • C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\6b58dd83fde6e6bdb1d5bcbc2235cb92_4a1d5b5d-6336-41a4-a4da-b4af65e6deff
    MD5

    a3db8a5438ea2c28046dd9f1b37e3b73

    SHA1

    4c1f2f336d30cd8e7ec229c5af658fa2e8236e73

    SHA256

    e16642f1248278e20d8bc8e356e75a2f7587e88ff411823a6accdacc78eb2d3f

    SHA512

    4636c1399d63d21b61b0e74dcb000f85f29f5971640d18cfafaab2ef3d56fe3fe753b2a80387beca1c60753c9a01d5cb5d2260201dd15b7883bd813240f5f285

  • memory/720-2-0x0000000000000000-mapping.dmp
  • memory/720-4-0x0000000000400000-0x00000000004AE000-memory.dmp
    Filesize

    696KB

  • memory/4080-6-0x0000000000000000-mapping.dmp
  • memory/4080-9-0x0000000000400000-0x00000000004AE000-memory.dmp
    Filesize

    696KB

  • memory/4648-3-0x0000000002150000-0x0000000002161000-memory.dmp
    Filesize

    68KB