Overview

overview

10

Static

static

411cc0e848...ff.exe

windows7_x64

10

411cc0e848...ff.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    46s
  • max time network
    67s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    01-07-2022 05:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    411cc0e848e37589d5af9d8245f2c157ca00e0e0e51276aa43b4258612770eff.exe

  • Size

    200KB

  • MD5

    35a217cc26ef71d7e77df6ecc613a301

  • SHA1

    fe741cdb83b427bfd68ea9e96149e6faabbb6d4c

  • SHA256

    411cc0e848e37589d5af9d8245f2c157ca00e0e0e51276aa43b4258612770eff

  • SHA512

    b9e9ac4535bb6f6ab9cab81df835a44355acac6461a2933ba1faa598abe9bbe4a086bd34b3e37ff270c34e5740223d43b0f3d57c95fff56b88da7958f8eb2bc5

Score
10/10
emotetbankertrojan

Malware Config

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Modifies data under HKEY_USERS 11 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\411cc0e848e37589d5af9d8245f2c157ca00e0e0e51276aa43b4258612770eff.exe
    "C:\Users\Admin\AppData\Local\Temp\411cc0e848e37589d5af9d8245f2c157ca00e0e0e51276aa43b4258612770eff.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1700
    • C:\Users\Admin\AppData\Local\Temp\411cc0e848e37589d5af9d8245f2c157ca00e0e0e51276aa43b4258612770eff.exe
      "C:\Users\Admin\AppData\Local\Temp\411cc0e848e37589d5af9d8245f2c157ca00e0e0e51276aa43b4258612770eff.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: RenamesItself
      PID:1344
  • C:\Windows\SysWOW64\fonduetexture.exe
    "C:\Windows\SysWOW64\fonduetexture.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1776
    • C:\Windows\SysWOW64\fonduetexture.exe
      "C:\Windows\SysWOW64\fonduetexture.exe"
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2028
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 596
        3⤵
        • Program crash
        PID:1844

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1344-66-0x0000000075F21000-0x0000000075F23000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1344-68-0x00000000000F0000-0x00000000000FD000-memory.dmp

    Filesize

    52KB

    Download

  • memory/1344-82-0x00000000000F0000-0x00000000000FD000-memory.dmp

    Filesize

    52KB

    Download

  • memory/1700-54-0x0000000000100000-0x000000000010D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/1700-58-0x0000000000100000-0x000000000010D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/1700-67-0x0000000000110000-0x0000000000130000-memory.dmp

    Filesize

    128KB

    Download

  • memory/1700-65-0x00000000000F0000-0x00000000000FD000-memory.dmp

    Filesize

    52KB

    Download

  • memory/1776-73-0x0000000000140000-0x000000000014D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/1776-80-0x00000000000F0000-0x00000000000FD000-memory.dmp

    Filesize

    52KB

    Download

  • memory/1776-81-0x0000000000150000-0x0000000000170000-memory.dmp

    Filesize

    128KB

    Download

  • memory/1776-69-0x0000000000140000-0x000000000014D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/2028-75-0x0000000000100000-0x000000000010D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/2028-79-0x0000000000100000-0x000000000010D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/2028-85-0x0000000000220000-0x0000000000240000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2028-84-0x00000000000F0000-0x00000000000FD000-memory.dmp

    Filesize

    52KB

    Download

  • memory/2028-86-0x00000000000F0000-0x00000000000FD000-memory.dmp

    Filesize

    52KB

    Download