Overview

overview

10

Static

static

f886202f15...56.exe

windows7_x64

10

f886202f15...56.exe

windows10_x64

10

Analysis

  • max time kernel
    142s
  • max time network
    157s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    13-05-2021 02:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f886202f15a93ff1bd3522be14dd3143c4f7443cc700c7840fe8667e8abf4656.exe

  • Size

    134KB

  • MD5

    9a4c58c9a89a06da19007a28186d454a

  • SHA1

    0e0e436266e1dc0bde5ea0bd7a0421f17d483dc0

  • SHA256

    f886202f15a93ff1bd3522be14dd3143c4f7443cc700c7840fe8667e8abf4656

  • SHA512

    25595c1bbdb2d1a42f48d53e86e7b854f7ac90df31b392d71c618e29811158589dd83469833055afc00b972d0df7850fd1d0b0f317b381f75b669761019262ba

Score
10/10
emotetbankertrojan

Malware Config

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Drops file in System32 directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f886202f15a93ff1bd3522be14dd3143c4f7443cc700c7840fe8667e8abf4656.exe
    "C:\Users\Admin\AppData\Local\Temp\f886202f15a93ff1bd3522be14dd3143c4f7443cc700c7840fe8667e8abf4656.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2544
    • C:\Users\Admin\AppData\Local\Temp\f886202f15a93ff1bd3522be14dd3143c4f7443cc700c7840fe8667e8abf4656.exe
      --e5d54944
      2⤵
      • Suspicious behavior: RenamesItself
      PID:2076
  • C:\Windows\SysWOW64\ribbonrelated.exe
    "C:\Windows\SysWOW64\ribbonrelated.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2928
    • C:\Windows\SysWOW64\ribbonrelated.exe
      --2a48e34b
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      PID:2628

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2076-115-0x0000000000000000-mapping.dmp
    Download
  • memory/2076-118-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/2544-114-0x00000000004E0000-0x000000000062A000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/2544-116-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/2628-120-0x0000000000000000-mapping.dmp
    Download
  • memory/2628-123-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/2928-119-0x00000000001E0000-0x00000000001F1000-memory.dmp
    Filesize

    68KB

    Download
  • memory/2928-121-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download