Overview

overview

10

Static

static

017a38c8b1...b5.exe

windows7_x64

10

017a38c8b1...b5.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    135s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    23-05-2022 19:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    017a38c8b1ea67cc72ade902f1c5551a785f5c5a1f515fb43b5e7d2109225cb5.exe

  • Size

    148KB

  • MD5

    7893d57cd60b412ef68220ce395f9a59

  • SHA1

    a20fd845d6569d26ffcbc4a1c9c9aae51f7ffb85

  • SHA256

    017a38c8b1ea67cc72ade902f1c5551a785f5c5a1f515fb43b5e7d2109225cb5

  • SHA512

    14fd790842e5cc420bba09bf08fe0732b1c0d145b696515f3e43535f55f8ff3aa49a3ce7d04af245a62b8d2e023f3ea2a4a04a997f3eafec3386b4f861249a61

Score
10/10
emotetbankertrojan

Malware Config

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 18 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\017a38c8b1ea67cc72ade902f1c5551a785f5c5a1f515fb43b5e7d2109225cb5.exe
    "C:\Users\Admin\AppData\Local\Temp\017a38c8b1ea67cc72ade902f1c5551a785f5c5a1f515fb43b5e7d2109225cb5.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:748
    • C:\Users\Admin\AppData\Local\Temp\017a38c8b1ea67cc72ade902f1c5551a785f5c5a1f515fb43b5e7d2109225cb5.exe
      "C:\Users\Admin\AppData\Local\Temp\017a38c8b1ea67cc72ade902f1c5551a785f5c5a1f515fb43b5e7d2109225cb5.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: RenamesItself
      PID:1372
  • C:\Windows\SysWOW64\shimsstatus.exe
    "C:\Windows\SysWOW64\shimsstatus.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Windows\SysWOW64\shimsstatus.exe
      "C:\Windows\SysWOW64\shimsstatus.exe"
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      PID:2024

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/748-54-0x00000000003D0000-0x00000000003E9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/748-63-0x00000000003B0000-0x00000000003C9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/748-64-0x0000000000430000-0x0000000000448000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1372-66-0x0000000000430000-0x0000000000448000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1372-65-0x00000000003A0000-0x00000000003B9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/1372-59-0x00000000003C0000-0x00000000003D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/1372-67-0x00000000763E1000-0x00000000763E3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2024-73-0x00000000003D0000-0x00000000003E9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2024-80-0x0000000000920000-0x0000000000938000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2024-79-0x0000000000320000-0x0000000000339000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2036-78-0x00000000002A0000-0x00000000002B8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2036-77-0x00000000001E0000-0x00000000001F9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2036-68-0x0000000000280000-0x0000000000299000-memory.dmp

    Filesize

    100KB

    Download