Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
13/02/2023, 05:22
Static task
static1
Behavioral task
behavioral1
Sample
2019-05-01-Emotet-binary-retrieved-by-Word-macro.exe
Resource
win7-20220901-en
8 signatures
150 seconds
General
-
Target
2019-05-01-Emotet-binary-retrieved-by-Word-macro.exe
-
Size
168KB
-
MD5
84d164fbfe0982a00404cb3d7b164bf5
-
SHA1
e068cd94e06c1f592a2d16ac2adc52c2ce506fa5
-
SHA256
2032acdf04511314d53f51d1fef7f9e62e69abbe3db0b31a0302a8545ab1bd82
-
SHA512
be33a2f96c68ff640a1f59241969fb27971305ecf251c2f8422d3e5a6b0bf609580a7360db3fa3c0355c956f19efec5f7d2f69e947e8f3c979f930ee1761da04
-
SSDEEP
3072:tzFEhjHHIUjCgArLEZXApH3UHE360ESYUzp8t:1FWHIU2Y9KEHE36FS5p8t
Malware Config
Signatures
-
Drops file in System32 directory 4 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE boxescloud.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies boxescloud.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 boxescloud.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 boxescloud.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" boxescloud.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix boxescloud.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" boxescloud.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 4900 boxescloud.exe 4900 boxescloud.exe 4900 boxescloud.exe 4900 boxescloud.exe 4900 boxescloud.exe 4900 boxescloud.exe 4900 boxescloud.exe 4900 boxescloud.exe 4900 boxescloud.exe 4900 boxescloud.exe 4900 boxescloud.exe 4900 boxescloud.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 1984 2019-05-01-Emotet-binary-retrieved-by-Word-macro.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 4160 wrote to memory of 1984 4160 2019-05-01-Emotet-binary-retrieved-by-Word-macro.exe 80 PID 4160 wrote to memory of 1984 4160 2019-05-01-Emotet-binary-retrieved-by-Word-macro.exe 80 PID 4160 wrote to memory of 1984 4160 2019-05-01-Emotet-binary-retrieved-by-Word-macro.exe 80 PID 3396 wrote to memory of 4900 3396 boxescloud.exe 82 PID 3396 wrote to memory of 4900 3396 boxescloud.exe 82 PID 3396 wrote to memory of 4900 3396 boxescloud.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\2019-05-01-Emotet-binary-retrieved-by-Word-macro.exe"C:\Users\Admin\AppData\Local\Temp\2019-05-01-Emotet-binary-retrieved-by-Word-macro.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4160 -
C:\Users\Admin\AppData\Local\Temp\2019-05-01-Emotet-binary-retrieved-by-Word-macro.exe--6dea92982⤵
- Suspicious behavior: RenamesItself
PID:1984
-
-
C:\Windows\SysWOW64\boxescloud.exe"C:\Windows\SysWOW64\boxescloud.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3396 -
C:\Windows\SysWOW64\boxescloud.exe--86b35b6e2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4900
-