Analysis

  • max time kernel
    138s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    16-05-2022 16:21

General

  • Target

    d82767751280c173d75b7eac6591bcff4ee4e3e03a683cf6436635a873299daa.exe

  • Size

    172KB

  • MD5

    c3d04a3a5520a2f58516c2f0acbd4055

  • SHA1

    f97acd5a5384d81f003d382b5c3a5ac448a9bb62

  • SHA256

    d82767751280c173d75b7eac6591bcff4ee4e3e03a683cf6436635a873299daa

  • SHA512

    fd5bfb01b5f5c6d857620797ed4add60869ee662dcb5aaf721e3ee1a1fee01fcad08fd4b4b2eaa6dc626d6ac0438033f30d5affde3f12b159fdffe4bca5e41fd

Score
10/10

Malware Config

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 22 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d82767751280c173d75b7eac6591bcff4ee4e3e03a683cf6436635a873299daa.exe
    "C:\Users\Admin\AppData\Local\Temp\d82767751280c173d75b7eac6591bcff4ee4e3e03a683cf6436635a873299daa.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1892
    • C:\Users\Admin\AppData\Local\Temp\d82767751280c173d75b7eac6591bcff4ee4e3e03a683cf6436635a873299daa.exe
      "C:\Users\Admin\AppData\Local\Temp\d82767751280c173d75b7eac6591bcff4ee4e3e03a683cf6436635a873299daa.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: RenamesItself
      PID:604
  • C:\Windows\SysWOW64\alaskapolic.exe
    "C:\Windows\SysWOW64\alaskapolic.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1164
    • C:\Windows\SysWOW64\alaskapolic.exe
      "C:\Windows\SysWOW64\alaskapolic.exe"
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      PID:1724

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/604-68-0x0000000000280000-0x00000000002A0000-memory.dmp

    Filesize

    128KB

  • memory/604-69-0x00000000756A1000-0x00000000756A3000-memory.dmp

    Filesize

    8KB

  • memory/604-60-0x0000000000260000-0x000000000027A000-memory.dmp

    Filesize

    104KB

  • memory/604-64-0x0000000000260000-0x000000000027A000-memory.dmp

    Filesize

    104KB

  • memory/604-67-0x0000000000240000-0x000000000025A000-memory.dmp

    Filesize

    104KB

  • memory/1164-74-0x0000000000380000-0x000000000039A000-memory.dmp

    Filesize

    104KB

  • memory/1164-82-0x00000000003A0000-0x00000000003C0000-memory.dmp

    Filesize

    128KB

  • memory/1164-81-0x0000000000310000-0x000000000032A000-memory.dmp

    Filesize

    104KB

  • memory/1164-70-0x0000000000380000-0x000000000039A000-memory.dmp

    Filesize

    104KB

  • memory/1724-76-0x00000000001F0000-0x000000000020A000-memory.dmp

    Filesize

    104KB

  • memory/1724-84-0x0000000000290000-0x00000000002B0000-memory.dmp

    Filesize

    128KB

  • memory/1724-80-0x00000000001F0000-0x000000000020A000-memory.dmp

    Filesize

    104KB

  • memory/1724-83-0x00000000001D0000-0x00000000001EA000-memory.dmp

    Filesize

    104KB

  • memory/1892-58-0x00000000002F0000-0x000000000030A000-memory.dmp

    Filesize

    104KB

  • memory/1892-66-0x0000000000310000-0x0000000000330000-memory.dmp

    Filesize

    128KB

  • memory/1892-65-0x00000000002D0000-0x00000000002EA000-memory.dmp

    Filesize

    104KB

  • memory/1892-54-0x00000000002F0000-0x000000000030A000-memory.dmp

    Filesize

    104KB