Overview

overview

10

Static

static

9

ba309d71b2...f3.exe

windows7-x64

10

ba309d71b2...f3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    223s
  • max time network
    253s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-01-2023 18:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ba309d71b27e294159587a0a02f25912a057294a6aca9dc384bc733b32c93cf3.exe

  • Size

    200KB

  • MD5

    9d690127d647ba4d09d0ed689cac0453

  • SHA1

    ab9cfc80609d094efbab60ff9afcb5d30d1435e6

  • SHA256

    ba309d71b27e294159587a0a02f25912a057294a6aca9dc384bc733b32c93cf3

  • SHA512

    6c1d230edb9acff06f8970febf64f05d747010feb06ae00c4c63f3bc2d6f97a2ae6547279ea040f338657d63e5430954f7d036c38271b52ffbcfc897f3da691f

  • SSDEEP

    3072:XtF9bBJwMcZOz+GLRATw8dtCCLsoB0eQKqERRYmx9a+IuSxJI1CTlJo2xHiJ53Mr:JBROOztLRuwc5xRRBJ/1CTlJzA36Nsun

Score
10/10
emotetbankertrojan

Malware Config

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ba309d71b27e294159587a0a02f25912a057294a6aca9dc384bc733b32c93cf3.exe
    "C:\Users\Admin\AppData\Local\Temp\ba309d71b27e294159587a0a02f25912a057294a6aca9dc384bc733b32c93cf3.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4308
    • C:\Users\Admin\AppData\Local\Temp\ba309d71b27e294159587a0a02f25912a057294a6aca9dc384bc733b32c93cf3.exe
      --4539f4ff
      2⤵
      • Suspicious behavior: RenamesItself
      PID:2056
  • C:\Windows\SysWOW64\indexermfidl.exe
    "C:\Windows\SysWOW64\indexermfidl.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5088
    • C:\Windows\SysWOW64\indexermfidl.exe
      --4745eccb
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      PID:4624

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2056-134-0x0000000000000000-mapping.dmp
    Download
  • memory/2056-137-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize

    208KB

    Download
  • memory/2056-138-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize

    208KB

    Download
  • memory/2056-142-0x0000000000400000-0x000000000041D000-memory.dmp
    Filesize

    116KB

    Download
  • memory/4308-133-0x00000000004B0000-0x00000000004CB000-memory.dmp
    Filesize

    108KB

    Download
  • memory/4308-135-0x00000000004B0000-0x00000000004CB000-memory.dmp
    Filesize

    108KB

    Download
  • memory/4308-136-0x0000000000400000-0x000000000041D000-memory.dmp
    Filesize

    116KB

    Download
  • memory/4624-140-0x0000000000000000-mapping.dmp
    Download
  • memory/4624-141-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize

    208KB

    Download
  • memory/4624-143-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize

    208KB

    Download
  • memory/5088-139-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize

    208KB

    Download