Overview

overview

10

Static

static

9

991733473e...52.exe

windows7-x64

10

991733473e...52.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    189s
  • max time network
    229s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-11-2022 15:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    991733473e2f2cd9f1e28f11d9429a27751a85ed1b805929aa2ad71b8e1b6152.exe

  • Size

    201KB

  • MD5

    30193e56b6b89ebb74635f72d4e6a854

  • SHA1

    63022da3e2aae7fbb2a79a1269c991e372c0c1c0

  • SHA256

    991733473e2f2cd9f1e28f11d9429a27751a85ed1b805929aa2ad71b8e1b6152

  • SHA512

    7539ba938f69ac67b0fa043d6b7a9f4ec76f07c10c3dc8e7b59874ff562c2545e287a1c0457c7d74f8d449951143a439c3859ff54f38ff9a9b975512363726af

  • SSDEEP

    3072:EDSXf2ro/JcXsFptLu3GIPkqu8J27A76NY36EZukoXVW4wFGmjZqMNeNV:EDef2roRc+1uFP9/J27A76OZZZvEV

Score
10/10
emotetbankertrojan

Malware Config

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\991733473e2f2cd9f1e28f11d9429a27751a85ed1b805929aa2ad71b8e1b6152.exe
    "C:\Users\Admin\AppData\Local\Temp\991733473e2f2cd9f1e28f11d9429a27751a85ed1b805929aa2ad71b8e1b6152.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:308
    • C:\Users\Admin\AppData\Local\Temp\991733473e2f2cd9f1e28f11d9429a27751a85ed1b805929aa2ad71b8e1b6152.exe
      --cd2aec66
      2⤵
      • Suspicious behavior: RenamesItself
      PID:3784
  • C:\Windows\SysWOW64\neutraliprop.exe
    "C:\Windows\SysWOW64\neutraliprop.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4572
    • C:\Windows\SysWOW64\neutraliprop.exe
      --5747faf7
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:936

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/308-132-0x00000000007D0000-0x00000000007EB000-memory.dmp
    Filesize

    108KB

    Download
  • memory/308-134-0x00000000007D0000-0x00000000007EB000-memory.dmp
    Filesize

    108KB

    Download
  • memory/308-135-0x0000000000400000-0x000000000041D000-memory.dmp
    Filesize

    116KB

    Download
  • memory/936-140-0x0000000000000000-mapping.dmp
    Download
  • memory/936-142-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize

    212KB

    Download
  • memory/936-143-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize

    212KB

    Download
  • memory/3784-133-0x0000000000000000-mapping.dmp
    Download
  • memory/3784-136-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize

    212KB

    Download
  • memory/3784-137-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize

    212KB

    Download
  • memory/3784-141-0x0000000000400000-0x000000000041D000-memory.dmp
    Filesize

    116KB

    Download
  • memory/4572-138-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize

    212KB

    Download
  • memory/4572-139-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize

    212KB

    Download