Overview

overview

10

Static

static

18c788edd3...91.exe

windows7_x64

5

18c788edd3...91.exe

windows10_x64

10

Analysis

  • max time kernel
    132s
  • max time network
    141s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    16-05-2021 04:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    18c788edd309a5c15d9163cf016cd9651bf2db15622dcf3c21286b6b7f22f891.exe

  • Size

    135KB

  • MD5

    48fba897d161a3d734c6aff3119f952a

  • SHA1

    8dd00aec4276f2aaf6de1ba98cc9ffdf209ce420

  • SHA256

    18c788edd309a5c15d9163cf016cd9651bf2db15622dcf3c21286b6b7f22f891

  • SHA512

    0c072a4f24622f6c1a72722cadfc88b2e4c3417b002889c95b0dc7535681e9e35c5f53ed5c68337e807a0babd6bf488192a92cda2400cc7e5dd7a5919aa257a7

Score
10/10
emotetbankertrojan

Malware Config

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Drops file in System32 directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\18c788edd309a5c15d9163cf016cd9651bf2db15622dcf3c21286b6b7f22f891.exe
    "C:\Users\Admin\AppData\Local\Temp\18c788edd309a5c15d9163cf016cd9651bf2db15622dcf3c21286b6b7f22f891.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2204
    • C:\Users\Admin\AppData\Local\Temp\18c788edd309a5c15d9163cf016cd9651bf2db15622dcf3c21286b6b7f22f891.exe
      --cded26f7
      2⤵
      • Suspicious behavior: RenamesItself
      PID:2420
  • C:\Windows\SysWOW64\relcomment.exe
    "C:\Windows\SysWOW64\relcomment.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2144
    • C:\Windows\SysWOW64\relcomment.exe
      --a981fc78
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      PID:4076

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2144-119-0x0000000000430000-0x000000000057A000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/2144-121-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/2204-114-0x0000000000550000-0x0000000000561000-memory.dmp
    Filesize

    68KB

    Download
  • memory/2204-116-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/2420-115-0x0000000000000000-mapping.dmp
    Download
  • memory/2420-117-0x0000000000550000-0x000000000069A000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/2420-118-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/4076-120-0x0000000000000000-mapping.dmp
    Download
  • memory/4076-122-0x0000000000430000-0x00000000004DE000-memory.dmp
    Filesize

    696KB

    Download
  • memory/4076-123-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download