Overview

overview

10

Static

static

10

5f2b3da7ba...89.exe

windows7_x64

10

5f2b3da7ba...89.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    4294217s
  • max time network
    173s
  • platform
    windows7_x64
  • resource
    win7-20220223-en
  • submitted
    07-03-2022 05:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5f2b3da7bab461edaba34cfabb710e8c504f4da95f18fc59afcf35f50250e489.exe

  • Size

    58KB

  • MD5

    1f3845d95e6cf47aa5b6ad03333961ee

  • SHA1

    60f07ac82822d3704a63fc556fe4388c2389d1c8

  • SHA256

    5f2b3da7bab461edaba34cfabb710e8c504f4da95f18fc59afcf35f50250e489

  • SHA512

    62ba59cd3435f457d7642bc11bc914dc983238893fa460819d8009a7fba08093a0c34cb89135e25c87b66fa551263a72881741732d075641051c1de322e842b4

Score
10/10
emotetbankertrojan

Malware Config

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 25 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5f2b3da7bab461edaba34cfabb710e8c504f4da95f18fc59afcf35f50250e489.exe
    "C:\Users\Admin\AppData\Local\Temp\5f2b3da7bab461edaba34cfabb710e8c504f4da95f18fc59afcf35f50250e489.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1464
    • C:\Users\Admin\AppData\Local\Temp\5f2b3da7bab461edaba34cfabb710e8c504f4da95f18fc59afcf35f50250e489.exe
      --a41e7d22
      2⤵
      • Suspicious behavior: RenamesItself
      PID:1704
  • C:\Windows\SysWOW64\footxcl.exe
    "C:\Windows\SysWOW64\footxcl.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1284
    • C:\Windows\SysWOW64\footxcl.exe
      --ec6e52a9
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      PID:1416

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1704-54-0x00000000752A1000-0x00000000752A3000-memory.dmp

    Filesize

    8KB

    Download