Analysis
-
max time kernel
144s -
max time network
151s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
13-07-2021 08:16
Static task
static1
Behavioral task
behavioral1
Sample
emotet_test001.exe
Resource
win7v20210410
windows7_x64
0 signatures
0 seconds
General
-
Target
emotet_test001.exe
-
Size
176KB
-
MD5
1d314c60cf2ab83672f258033f1c9fdb
-
SHA1
a076655c3e4b48b2a074a7d37210adaea0e22f92
-
SHA256
459f8d96d0c21300199c87ee798b594216732a27da6c3190f36b483df9faaabf
-
SHA512
82f5b8d8b4eec5dac2220a9cef857be499e0a5c6ac6b4e095633bcdfeb7892dabfd5a3ae4b19833c2e635494855a59559c032f60eae0de7aba1eceec5592efee
Malware Config
Signatures
-
Drops file in System32 directory 1 IoCs
Processes:
accessscn.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat accessscn.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
Processes:
emotet_test001.exeemotet_test001.exeaccessscn.exeaccessscn.exepid process 416 emotet_test001.exe 416 emotet_test001.exe 3012 emotet_test001.exe 3012 emotet_test001.exe 3040 accessscn.exe 3040 accessscn.exe 3732 accessscn.exe 3732 accessscn.exe 3732 accessscn.exe 3732 accessscn.exe 3732 accessscn.exe 3732 accessscn.exe 3732 accessscn.exe 3732 accessscn.exe 3732 accessscn.exe 3732 accessscn.exe 3732 accessscn.exe 3732 accessscn.exe 3732 accessscn.exe 3732 accessscn.exe 3732 accessscn.exe 3732 accessscn.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
emotet_test001.exepid process 3012 emotet_test001.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
emotet_test001.exeaccessscn.exedescription pid process target process PID 416 wrote to memory of 3012 416 emotet_test001.exe emotet_test001.exe PID 416 wrote to memory of 3012 416 emotet_test001.exe emotet_test001.exe PID 416 wrote to memory of 3012 416 emotet_test001.exe emotet_test001.exe PID 3040 wrote to memory of 3732 3040 accessscn.exe accessscn.exe PID 3040 wrote to memory of 3732 3040 accessscn.exe accessscn.exe PID 3040 wrote to memory of 3732 3040 accessscn.exe accessscn.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\emotet_test001.exe"C:\Users\Admin\AppData\Local\Temp\emotet_test001.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\emotet_test001.exe"C:\Users\Admin\AppData\Local\Temp\emotet_test001.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
-
C:\Windows\SysWOW64\accessscn.exe"C:\Windows\SysWOW64\accessscn.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\accessscn.exe"C:\Windows\SysWOW64\accessscn.exe"2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/416-124-0x00000000024F0000-0x000000000263A000-memory.dmpFilesize
1.3MB
-
memory/416-117-0x0000000002530000-0x0000000002549000-memory.dmpFilesize
100KB
-
memory/416-126-0x0000000002550000-0x0000000002568000-memory.dmpFilesize
96KB
-
memory/3012-128-0x0000000004060000-0x0000000004079000-memory.dmpFilesize
100KB
-
memory/3012-122-0x0000000004080000-0x0000000004099000-memory.dmpFilesize
100KB
-
memory/3012-127-0x00000000040A0000-0x00000000040B8000-memory.dmpFilesize
96KB
-
memory/3012-119-0x0000000000000000-mapping.dmp
-
memory/3040-131-0x00000000025C0000-0x00000000025D9000-memory.dmpFilesize
100KB
-
memory/3040-140-0x00000000028F0000-0x0000000002908000-memory.dmpFilesize
96KB
-
memory/3732-134-0x0000000000000000-mapping.dmp
-
memory/3732-138-0x00000000025B0000-0x00000000025C9000-memory.dmpFilesize
100KB
-
memory/3732-141-0x0000000002550000-0x000000000269A000-memory.dmpFilesize
1.3MB
-
memory/3732-142-0x00000000025D0000-0x00000000025E8000-memory.dmpFilesize
96KB