Overview

overview

10

Static

static

2373c0c77d...cd.exe

windows7_x64

10

2373c0c77d...cd.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    12-06-2022 01:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2373c0c77d9177247d183e1075537e1e1be2092f580765260b080704c63001cd.exe

  • Size

    284KB

  • MD5

    7f0297e938775d06c129b71dc986cab1

  • SHA1

    d89bc4d229810524492b2ce731e68afb5e700a01

  • SHA256

    2373c0c77d9177247d183e1075537e1e1be2092f580765260b080704c63001cd

  • SHA512

    af3565ff42536b498f59faceac6fa50124392d8f9fda5b76d865d8a99e8836345b42aa6b29f791aeca84b55299e0e5b3e053b71561ca30fc76d67f61f155df12

Score
10/10
emotetbankertrojan

Malware Config

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 18 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2373c0c77d9177247d183e1075537e1e1be2092f580765260b080704c63001cd.exe
    "C:\Users\Admin\AppData\Local\Temp\2373c0c77d9177247d183e1075537e1e1be2092f580765260b080704c63001cd.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1868
    • C:\Users\Admin\AppData\Local\Temp\2373c0c77d9177247d183e1075537e1e1be2092f580765260b080704c63001cd.exe
      "C:\Users\Admin\AppData\Local\Temp\2373c0c77d9177247d183e1075537e1e1be2092f580765260b080704c63001cd.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: RenamesItself
      PID:1532
  • C:\Windows\SysWOW64\tabbtniowa.exe
    "C:\Windows\SysWOW64\tabbtniowa.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1596
    • C:\Windows\SysWOW64\tabbtniowa.exe
      "C:\Windows\SysWOW64\tabbtniowa.exe"
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      PID:1756

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1532-69-0x0000000000250000-0x0000000000267000-memory.dmp
    Filesize

    92KB

    Download
  • memory/1532-60-0x0000000000000000-mapping.dmp
    Download
  • memory/1532-70-0x0000000000290000-0x00000000002A0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1532-87-0x0000000000250000-0x0000000000267000-memory.dmp
    Filesize

    92KB

    Download
  • memory/1532-62-0x0000000000270000-0x0000000000287000-memory.dmp
    Filesize

    92KB

    Download
  • memory/1532-66-0x0000000000270000-0x0000000000287000-memory.dmp
    Filesize

    92KB

    Download
  • memory/1596-84-0x0000000000250000-0x0000000000267000-memory.dmp
    Filesize

    92KB

    Download
  • memory/1756-88-0x0000000000310000-0x0000000000327000-memory.dmp
    Filesize

    92KB

    Download
  • memory/1756-79-0x0000000000330000-0x0000000000347000-memory.dmp
    Filesize

    92KB

    Download
  • memory/1756-83-0x0000000000330000-0x0000000000347000-memory.dmp
    Filesize

    92KB

    Download
  • memory/1756-85-0x0000000000310000-0x0000000000327000-memory.dmp
    Filesize

    92KB

    Download
  • memory/1756-86-0x0000000000350000-0x0000000000360000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1756-77-0x0000000000000000-mapping.dmp
    Download
  • memory/1868-68-0x00000000003F0000-0x0000000000400000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1868-59-0x0000000000450000-0x0000000000467000-memory.dmp
    Filesize

    92KB

    Download
  • memory/1868-67-0x00000000003D0000-0x00000000003E7000-memory.dmp
    Filesize

    92KB

    Download
  • memory/1868-55-0x0000000000450000-0x0000000000467000-memory.dmp
    Filesize

    92KB

    Download
  • memory/1868-54-0x00000000759E1000-0x00000000759E3000-memory.dmp
    Filesize

    8KB

    Download