Overview

overview

10

Static

static

9

d7a7455332...f2.exe

windows7-x64

10

d7a7455332...f2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    30-11-2022 14:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d7a745533209956b23fafe533d54e93193c7cda43457924693dbe60ec77ef8f2.exe

  • Size

    100KB

  • MD5

    8dc2977abe0b363aca606378bf7fd385

  • SHA1

    82fd6c30ebb2b3b5bb5911a3b57fd29142ce6fa8

  • SHA256

    d7a745533209956b23fafe533d54e93193c7cda43457924693dbe60ec77ef8f2

  • SHA512

    59f33d6707902aaa8704420a213541cfb758fe2cdfa49fce82d0c29f941d855d77799ef6cde5e5db6d307b8c620f4ba8eb2466dbb87d798c37757212e5786325

  • SSDEEP

    1536:S9XM2K4Y3kK5MNq5cktsVPkRcT5nEYJyuXtg/7rSLh50Uj7z3nYxV:S98xkK5h5xwPDTZrKrqh50Uj7z3nYxV

Score
10/10
emotetbankertrojan

Malware Config

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 21 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d7a745533209956b23fafe533d54e93193c7cda43457924693dbe60ec77ef8f2.exe
    "C:\Users\Admin\AppData\Local\Temp\d7a745533209956b23fafe533d54e93193c7cda43457924693dbe60ec77ef8f2.exe"
    1⤵
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:836
    • C:\Users\Admin\AppData\Local\Temp\d7a745533209956b23fafe533d54e93193c7cda43457924693dbe60ec77ef8f2.exe
      --c5edc055
      2⤵
      • Suspicious behavior: RenamesItself
      • Suspicious use of UnmapMainImage
      PID:960
  • C:\Windows\SysWOW64\aclguiddef.exe
    "C:\Windows\SysWOW64\aclguiddef.exe"
    1⤵
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:544
    • C:\Windows\SysWOW64\aclguiddef.exe
      --dbad6b44
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of UnmapMainImage
      PID:732

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/732-61-0x0000000000000000-mapping.dmp
    Download
  • memory/836-54-0x0000000075AD1000-0x0000000075AD3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/836-56-0x00000000001B0000-0x00000000001C1000-memory.dmp
    Filesize

    68KB

    Download
  • memory/836-57-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize

    80KB

    Download
  • memory/960-55-0x0000000000000000-mapping.dmp
    Download
  • memory/960-59-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/960-63-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize

    80KB

    Download