Overview

overview

10

Static

static

01613e4009...28.exe

windows7-x64

10

01613e4009...28.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    138s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-11-2022 19:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    01613e4009813b9c524e3a1c4b14ba35a5e1b382d0de721d0c627d9a20c4af28.exe

  • Size

    122KB

  • MD5

    699e79f6240a9edb393841bbff83e939

  • SHA1

    2a0f31420c92fd5b603db742a332d9b916e74d45

  • SHA256

    01613e4009813b9c524e3a1c4b14ba35a5e1b382d0de721d0c627d9a20c4af28

  • SHA512

    67b66843d3006e46e9a90a84b89cdd6ca17944136b4b9881c504ff79c523e73cc7dfa43268e75bb34637aaafc56a4a24366a6a1054617b4a172a0cdf53ee0b1b

  • SSDEEP

    3072:Xpe0SFTgkJNr/LJHD06mYG46MA5df+BC3K5eqyI:X80igkJJ/V06mR4P0K7yI

Score
10/10
emotetbankertrojan

Malware Config

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\01613e4009813b9c524e3a1c4b14ba35a5e1b382d0de721d0c627d9a20c4af28.exe
    "C:\Users\Admin\AppData\Local\Temp\01613e4009813b9c524e3a1c4b14ba35a5e1b382d0de721d0c627d9a20c4af28.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4740
    • C:\Users\Admin\AppData\Local\Temp\01613e4009813b9c524e3a1c4b14ba35a5e1b382d0de721d0c627d9a20c4af28.exe
      --6c43f3cd
      2⤵
      • Suspicious behavior: RenamesItself
      PID:1180
  • C:\Windows\SysWOW64\sortingportal.exe
    "C:\Windows\SysWOW64\sortingportal.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5024
    • C:\Windows\SysWOW64\sortingportal.exe
      --63fca926
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      PID:4824

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1180-132-0x0000000000000000-mapping.dmp
    Download
  • memory/1180-135-0x0000000000780000-0x0000000000791000-memory.dmp
    Filesize

    68KB

    Download
  • memory/1180-136-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize

    132KB

    Download
  • memory/1180-138-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize

    132KB

    Download
  • memory/1180-141-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize

    80KB

    Download
  • memory/4740-133-0x00000000006D0000-0x00000000006E1000-memory.dmp
    Filesize

    68KB

    Download
  • memory/4740-134-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize

    132KB

    Download
  • memory/4740-137-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize

    132KB

    Download
  • memory/4824-139-0x0000000000000000-mapping.dmp
    Download
  • memory/4824-142-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize

    132KB

    Download
  • memory/4824-143-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize

    132KB

    Download
  • memory/5024-140-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize

    80KB

    Download