Overview

overview

10

Static

static

9

4d041cb67d...47.exe

windows7-x64

10

4d041cb67d...47.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-07-2022 19:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4d041cb67dd05b71c2da8c2b85ab6972e7fd097f3268295f4679480273bf1647.exe

  • Size

    104KB

  • MD5

    1934fa4786eaf1339b4f808154f3f9c3

  • SHA1

    eccfb04816095ae59d196295b9713773717a65cc

  • SHA256

    4d041cb67dd05b71c2da8c2b85ab6972e7fd097f3268295f4679480273bf1647

  • SHA512

    47e99dfae7deb0a5310c8cdcb28c744b6a7c02f5d72167904b85506bb7c62ce8b7daa5ad68dfdf5e64ea58867a3358ed72f45035ecbc97a53d9bb0a289a6eafa

Score
10/10
emotetbankertrojan

Malware Config

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Drops file in System32 directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4d041cb67dd05b71c2da8c2b85ab6972e7fd097f3268295f4679480273bf1647.exe
    "C:\Users\Admin\AppData\Local\Temp\4d041cb67dd05b71c2da8c2b85ab6972e7fd097f3268295f4679480273bf1647.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4180
    • C:\Users\Admin\AppData\Local\Temp\4d041cb67dd05b71c2da8c2b85ab6972e7fd097f3268295f4679480273bf1647.exe
      --86a46e14
      2⤵
      • Suspicious behavior: RenamesItself
      PID:612
  • C:\Windows\SysWOW64\viewerdma.exe
    "C:\Windows\SysWOW64\viewerdma.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4968
    • C:\Windows\SysWOW64\viewerdma.exe
      --fa0942bc
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      PID:1676

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/612-131-0x0000000000000000-mapping.dmp
    Download
  • memory/612-133-0x0000000002020000-0x0000000002031000-memory.dmp
    Filesize

    68KB

    Download
  • memory/612-134-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/612-138-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize

    80KB

    Download
  • memory/1676-136-0x0000000000000000-mapping.dmp
    Download
  • memory/1676-139-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/1676-140-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/4180-130-0x0000000000580000-0x00000000005FA000-memory.dmp
    Filesize

    488KB

    Download
  • memory/4180-132-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize

    80KB

    Download
  • memory/4968-135-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/4968-137-0x0000000000580000-0x0000000000591000-memory.dmp
    Filesize

    68KB

    Download