Overview

overview

10

Static

static

783b113080...d8.exe

windows7-x64

10

783b113080...d8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    138s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-01-2023 18:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    783b113080fa36887d57234d3421e365a54467baf4d15d3b655212e49b287fd8.exe

  • Size

    118KB

  • MD5

    34952df05ea29f84d07acca48a632a70

  • SHA1

    38280fe8d98ee0997c279b25ac3fbf718b1509d8

  • SHA256

    783b113080fa36887d57234d3421e365a54467baf4d15d3b655212e49b287fd8

  • SHA512

    91460927840fed03c5e4be0fc5a74009239e289505d6610cc962aef488b92903876dcc14034fd5221608a8e3260eed0bab5cd930c33dce2b1489f14d01a5a325

  • SSDEEP

    1536:mHDQNHRoajvvFOQb/bevSVCyBT82KpIqxomwxpbI1DIAOEOMOwKY79MFCvJgZP1X:SFa4QbTDRBT82Kpzk4djGwKkxEPgWrH

Score
10/10
emotetbankertrojan

Malware Config

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\783b113080fa36887d57234d3421e365a54467baf4d15d3b655212e49b287fd8.exe
    "C:\Users\Admin\AppData\Local\Temp\783b113080fa36887d57234d3421e365a54467baf4d15d3b655212e49b287fd8.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4872
    • C:\Users\Admin\AppData\Local\Temp\783b113080fa36887d57234d3421e365a54467baf4d15d3b655212e49b287fd8.exe
      --7495329f
      2⤵
      • Suspicious behavior: RenamesItself
      PID:2192
  • C:\Windows\SysWOW64\showjpn.exe
    "C:\Windows\SysWOW64\showjpn.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4620
    • C:\Windows\SysWOW64\showjpn.exe
      --23c72ae1
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      PID:4900

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2192-133-0x0000000000000000-mapping.dmp

    Download

  • memory/2192-136-0x0000000000560000-0x00000000005DA000-memory.dmp

    Filesize

    488KB

    Download

  • memory/2192-137-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2192-140-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/4620-138-0x0000000000530000-0x00000000005AA000-memory.dmp

    Filesize

    488KB

    Download

  • memory/4872-132-0x00000000007B0000-0x00000000007C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4872-134-0x00000000007B0000-0x00000000007C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4872-135-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/4900-139-0x0000000000000000-mapping.dmp

    Download

  • memory/4900-141-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/4900-142-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download