Analysis
-
max time kernel
135s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
07-07-2022 16:20
General
-
Target
454aa330584eb807419c9b81f9bf0093cf661f7ef717c26ca7f0302ab8e0e8c8.exe
-
Size
277KB
-
MD5
e8daf8e5cfcc28c69e31eb389c9ccc26
-
SHA1
57ecda50d08933d4a5e8ad4c41fcc4a4c7f27e54
-
SHA256
454aa330584eb807419c9b81f9bf0093cf661f7ef717c26ca7f0302ab8e0e8c8
-
SHA512
0da1da0fd88c761339308b6737d67fbc48e283667333f6082ff9d223a01f82362749c8ce5de52e70456bb17d65ae1dc4ea4d3bb5392416ffe4957bab76ab9cc4
Score
10/10
Malware Config
Signatures
-
Emotet
Emotet is a trojan that is primarily spread through spam emails.
-
Drops file in System32 directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 18 IoCs
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\454aa330584eb807419c9b81f9bf0093cf661f7ef717c26ca7f0302ab8e0e8c8.exe"C:\Users\Admin\AppData\Local\Temp\454aa330584eb807419c9b81f9bf0093cf661f7ef717c26ca7f0302ab8e0e8c8.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\454aa330584eb807419c9b81f9bf0093cf661f7ef717c26ca7f0302ab8e0e8c8.exe"C:\Users\Admin\AppData\Local\Temp\454aa330584eb807419c9b81f9bf0093cf661f7ef717c26ca7f0302ab8e0e8c8.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
-
C:\Windows\SysWOW64\cimenums.exe"C:\Windows\SysWOW64\cimenums.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cimenums.exe"C:\Windows\SysWOW64\cimenums.exe"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/856-81-0x0000000000180000-0x0000000000197000-memory.dmpFilesize
92KB
-
memory/856-74-0x00000000001A0000-0x00000000001B7000-memory.dmpFilesize
92KB
-
memory/856-70-0x00000000001A0000-0x00000000001B7000-memory.dmpFilesize
92KB
-
memory/856-82-0x00000000001C0000-0x00000000001D0000-memory.dmpFilesize
64KB
-
memory/1520-66-0x0000000000140000-0x0000000000157000-memory.dmpFilesize
92KB
-
memory/1520-58-0x00000000001E0000-0x00000000001F7000-memory.dmpFilesize
92KB
-
memory/1520-67-0x0000000000590000-0x00000000005A0000-memory.dmpFilesize
64KB
-
memory/1520-54-0x00000000001E0000-0x00000000001F7000-memory.dmpFilesize
92KB
-
memory/1812-80-0x0000000000280000-0x0000000000297000-memory.dmpFilesize
92KB
-
memory/1812-87-0x0000000000100000-0x0000000000117000-memory.dmpFilesize
92KB
-
memory/1812-86-0x0000000000120000-0x0000000000130000-memory.dmpFilesize
64KB
-
memory/1812-85-0x0000000000100000-0x0000000000117000-memory.dmpFilesize
92KB
-
memory/1812-75-0x0000000000000000-mapping.dmp
-
memory/1812-76-0x0000000000280000-0x0000000000297000-memory.dmpFilesize
92KB
-
memory/1968-69-0x0000000000090000-0x00000000000A0000-memory.dmpFilesize
64KB
-
memory/1968-60-0x0000000000360000-0x0000000000377000-memory.dmpFilesize
92KB
-
memory/1968-64-0x0000000000360000-0x0000000000377000-memory.dmpFilesize
92KB
-
memory/1968-83-0x0000000000340000-0x0000000000357000-memory.dmpFilesize
92KB
-
memory/1968-59-0x0000000000000000-mapping.dmp
-
memory/1968-65-0x0000000075841000-0x0000000075843000-memory.dmpFilesize
8KB
-
memory/1968-68-0x0000000000340000-0x0000000000357000-memory.dmpFilesize
92KB