Overview

overview

10

Static

static

85ea96b6ec...e3.exe

windows7_x64

10

85ea96b6ec...e3.exe

windows10_x64

10

Analysis

  • max time kernel
    130s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    16-05-2021 05:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    85ea96b6ec918a3587c8c7a2d9dfe33e5c2de25e5a72dfded03d2bc2586d05e3.exe

  • Size

    162KB

  • MD5

    d53c01297e52267714ebaf27cd3884e7

  • SHA1

    96e1739d7b55d2f2640ddb9d9e3a869e4192a6b9

  • SHA256

    85ea96b6ec918a3587c8c7a2d9dfe33e5c2de25e5a72dfded03d2bc2586d05e3

  • SHA512

    94a017d8d9cf7b6b889a2a28a4282e847c16a015e83024cfd812213035838f9e25ab0ae51b4f178d2c1ab79784a22d80712e117484aeb88736082297ef38069b

Score
10/10
emotetbankertrojan

Malware Config

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Drops file in System32 directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\85ea96b6ec918a3587c8c7a2d9dfe33e5c2de25e5a72dfded03d2bc2586d05e3.exe
    "C:\Users\Admin\AppData\Local\Temp\85ea96b6ec918a3587c8c7a2d9dfe33e5c2de25e5a72dfded03d2bc2586d05e3.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3932
    • C:\Users\Admin\AppData\Local\Temp\85ea96b6ec918a3587c8c7a2d9dfe33e5c2de25e5a72dfded03d2bc2586d05e3.exe
      --70715e46
      2⤵
      • Suspicious behavior: RenamesItself
      PID:2456
  • C:\Windows\SysWOW64\selparent.exe
    "C:\Windows\SysWOW64\selparent.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2804
    • C:\Windows\SysWOW64\selparent.exe
      --ff4c545a
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      PID:2580

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2456-115-0x0000000000000000-mapping.dmp

    Download

  • memory/2456-117-0x0000000000550000-0x000000000069A000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2456-118-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2580-120-0x0000000000000000-mapping.dmp

    Download

  • memory/2804-119-0x0000000000490000-0x000000000053E000-memory.dmp

    Filesize

    696KB

    Download

  • memory/2804-121-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/3932-114-0x0000000000560000-0x00000000006AA000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/3932-116-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download