Analysis
-
max time kernel
126s -
max time network
158s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
16-06-2022 07:09
General
-
Target
26d5725f7b9028b03df9cd6bbbb08fbbb78d909d5f8f3b6fe923285dce6a25b0.exe
-
Size
176KB
-
MD5
38fdcd01a740f20a6ce85702ef490d0c
-
SHA1
ecb7f6563f75172ed8c8e1e57045418a6bee0481
-
SHA256
26d5725f7b9028b03df9cd6bbbb08fbbb78d909d5f8f3b6fe923285dce6a25b0
-
SHA512
b3debc0fe45a00332fb523767be212282a77b791f5bf07290116768614900750ef632401471984c658e994624b66a01fdac4bb5c7696bc7ee0190c35e42f9954
Score
10/10
Malware Config
Signatures
-
Emotet
Emotet is a trojan that is primarily spread through spam emails.
-
Drops file in System32 directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 21 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\26d5725f7b9028b03df9cd6bbbb08fbbb78d909d5f8f3b6fe923285dce6a25b0.exe"C:\Users\Admin\AppData\Local\Temp\26d5725f7b9028b03df9cd6bbbb08fbbb78d909d5f8f3b6fe923285dce6a25b0.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\26d5725f7b9028b03df9cd6bbbb08fbbb78d909d5f8f3b6fe923285dce6a25b0.exe"C:\Users\Admin\AppData\Local\Temp\26d5725f7b9028b03df9cd6bbbb08fbbb78d909d5f8f3b6fe923285dce6a25b0.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
-
C:\Windows\SysWOW64\wscapihyper.exe"C:\Windows\SysWOW64\wscapihyper.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wscapihyper.exe"C:\Windows\SysWOW64\wscapihyper.exe"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/952-55-0x0000000000290000-0x000000000029D000-memory.dmpFilesize
52KB
-
memory/952-59-0x0000000000290000-0x000000000029D000-memory.dmpFilesize
52KB
-
memory/952-54-0x00000000750C1000-0x00000000750C3000-memory.dmpFilesize
8KB
-
memory/952-68-0x00000000002A0000-0x00000000002B0000-memory.dmpFilesize
64KB
-
memory/952-67-0x0000000000280000-0x000000000028D000-memory.dmpFilesize
52KB
-
memory/1152-78-0x0000000000000000-mapping.dmp
-
memory/1152-89-0x0000000000360000-0x0000000000370000-memory.dmpFilesize
64KB
-
memory/1152-88-0x0000000000340000-0x000000000034D000-memory.dmpFilesize
52KB
-
memory/1152-84-0x0000000000350000-0x000000000035D000-memory.dmpFilesize
52KB
-
memory/1152-80-0x0000000000350000-0x000000000035D000-memory.dmpFilesize
52KB
-
memory/1180-66-0x0000000000280000-0x000000000028D000-memory.dmpFilesize
52KB
-
memory/1180-71-0x0000000000270000-0x000000000027D000-memory.dmpFilesize
52KB
-
memory/1180-70-0x0000000000290000-0x00000000002A0000-memory.dmpFilesize
64KB
-
memory/1180-69-0x0000000000270000-0x000000000027D000-memory.dmpFilesize
52KB
-
memory/1180-87-0x0000000000270000-0x000000000027D000-memory.dmpFilesize
52KB
-
memory/1180-62-0x0000000000280000-0x000000000028D000-memory.dmpFilesize
52KB
-
memory/1180-60-0x0000000000000000-mapping.dmp
-
memory/1868-73-0x0000000000340000-0x000000000034D000-memory.dmpFilesize
52KB
-
memory/1868-77-0x0000000000340000-0x000000000034D000-memory.dmpFilesize
52KB
-
memory/1868-85-0x0000000000330000-0x000000000033D000-memory.dmpFilesize
52KB
-
memory/1868-86-0x0000000000350000-0x0000000000360000-memory.dmpFilesize
64KB