Overview

overview

10

Static

static

10

8c6389fc67...a6.exe

windows7_x64

5

8c6389fc67...a6.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    132s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    06-03-2022 18:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8c6389fc67ddcd8b8342a02825b3278e7722a319ccc71dbccdd5bbcebb7997a6.exe

  • Size

    59KB

  • MD5

    5748520230e32823cbc44c721687351a

  • SHA1

    4a63a4edf47b4580b117c2f3598e2c967551997b

  • SHA256

    8c6389fc67ddcd8b8342a02825b3278e7722a319ccc71dbccdd5bbcebb7997a6

  • SHA512

    1030356b915e3409c449c59c87d8ade9198134e96eee1db6bba39e2bad7f2df853c32146567fe2ebb7ad8fff3b2c628a3d767f591ca3a68accabe75c132f5a56

Score
10/10
emotetbankertrojan

Malware Config

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8c6389fc67ddcd8b8342a02825b3278e7722a319ccc71dbccdd5bbcebb7997a6.exe
    "C:\Users\Admin\AppData\Local\Temp\8c6389fc67ddcd8b8342a02825b3278e7722a319ccc71dbccdd5bbcebb7997a6.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1740
    • C:\Users\Admin\AppData\Local\Temp\8c6389fc67ddcd8b8342a02825b3278e7722a319ccc71dbccdd5bbcebb7997a6.exe
      --fa359035
      2⤵
      • Suspicious behavior: RenamesItself
      PID:2136
  • C:\Windows\SysWOW64\substran.exe
    "C:\Windows\SysWOW64\substran.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1404
    • C:\Windows\SysWOW64\substran.exe
      --be76cbb0
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      PID:3820

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads