Analysis

  • max time kernel
    31s
  • max time network
    37s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    13/02/2023, 14:05

General

  • Target

    2019-05-01-Emotet-binary-updated-after-initial-infection-1-of-2.exe

  • Size

    168KB

  • MD5

    1cc91941efd6d3da54a1054d9c9d870f

  • SHA1

    b6531c99b2fb0c51941ac3a636c5c3cf69073f65

  • SHA256

    6d7aff70a84d9237bde3b149ff04532cafb29b6f358886b5038a737af5934d1f

  • SHA512

    bade1e20f1a892e33d20535235f0ed45b625ef8cdd1ba9a391f074d3b77f971fb63f68f6d0f97e51fa48ef211fa7bea76a56da9deb88c85dbd0aa892ae78ed69

  • SSDEEP

    3072:5JYzFEhjHHIUjCgArLEZXApH3UHE360ESYUspf:r4FeHIU2Y9KEHE36FS2pf

Score
10/10

Malware Config

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 4 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2019-05-01-Emotet-binary-updated-after-initial-infection-1-of-2.exe
    "C:\Users\Admin\AppData\Local\Temp\2019-05-01-Emotet-binary-updated-after-initial-infection-1-of-2.exe"
    1⤵
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:320
    • C:\Users\Admin\AppData\Local\Temp\2019-05-01-Emotet-binary-updated-after-initial-infection-1-of-2.exe
      --a1bda328
      2⤵
      • Suspicious behavior: RenamesItself
      • Suspicious use of UnmapMainImage
      PID:1488
  • C:\Windows\SysWOW64\licssound.exe
    "C:\Windows\SysWOW64\licssound.exe"
    1⤵
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1712
    • C:\Windows\SysWOW64\licssound.exe
      --272a2058
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of UnmapMainImage
      PID:1700

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/320-54-0x0000000075711000-0x0000000075713000-memory.dmp

          Filesize

          8KB

        • memory/320-58-0x0000000000400000-0x0000000000414000-memory.dmp

          Filesize

          80KB

        • memory/320-56-0x00000000001C0000-0x00000000001CD000-memory.dmp

          Filesize

          52KB

        • memory/1488-59-0x0000000000230000-0x000000000025C000-memory.dmp

          Filesize

          176KB

        • memory/1488-60-0x0000000000400000-0x000000000042C000-memory.dmp

          Filesize

          176KB

        • memory/1488-64-0x0000000000400000-0x0000000000414000-memory.dmp

          Filesize

          80KB

        • memory/1700-65-0x0000000000400000-0x000000000042C000-memory.dmp

          Filesize

          176KB

        • memory/1700-67-0x0000000000400000-0x000000000042C000-memory.dmp

          Filesize

          176KB

        • memory/1712-61-0x0000000000390000-0x00000000003A1000-memory.dmp

          Filesize

          68KB

        • memory/1712-63-0x0000000000390000-0x00000000003A1000-memory.dmp

          Filesize

          68KB