Analysis
-
max time kernel
130s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
14/02/2023, 22:52
Static task
static1
Behavioral task
behavioral1
Sample
2019-05-01-Emotet-binary-retrieved-by-Word-macro.exe
Resource
win7-20221111-en
8 signatures
150 seconds
General
-
Target
2019-05-01-Emotet-binary-retrieved-by-Word-macro.exe
-
Size
168KB
-
MD5
84d164fbfe0982a00404cb3d7b164bf5
-
SHA1
e068cd94e06c1f592a2d16ac2adc52c2ce506fa5
-
SHA256
2032acdf04511314d53f51d1fef7f9e62e69abbe3db0b31a0302a8545ab1bd82
-
SHA512
be33a2f96c68ff640a1f59241969fb27971305ecf251c2f8422d3e5a6b0bf609580a7360db3fa3c0355c956f19efec5f7d2f69e947e8f3c979f930ee1761da04
-
SSDEEP
3072:tzFEhjHHIUjCgArLEZXApH3UHE360ESYUzp8t:1FWHIU2Y9KEHE36FS5p8t
Malware Config
Signatures
-
Drops file in System32 directory 4 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies redistslide.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 redistslide.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 redistslide.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE redistslide.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix redistslide.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" redistslide.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" redistslide.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings OpenWith.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 1988 redistslide.exe 1988 redistslide.exe 1988 redistslide.exe 1988 redistslide.exe 1988 redistslide.exe 1988 redistslide.exe 1988 redistslide.exe 1988 redistslide.exe 1988 redistslide.exe 1988 redistslide.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 5056 2019-05-01-Emotet-binary-retrieved-by-Word-macro.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2284 OpenWith.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 4304 wrote to memory of 5056 4304 2019-05-01-Emotet-binary-retrieved-by-Word-macro.exe 80 PID 4304 wrote to memory of 5056 4304 2019-05-01-Emotet-binary-retrieved-by-Word-macro.exe 80 PID 4304 wrote to memory of 5056 4304 2019-05-01-Emotet-binary-retrieved-by-Word-macro.exe 80 PID 4620 wrote to memory of 1988 4620 redistslide.exe 85 PID 4620 wrote to memory of 1988 4620 redistslide.exe 85 PID 4620 wrote to memory of 1988 4620 redistslide.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\2019-05-01-Emotet-binary-retrieved-by-Word-macro.exe"C:\Users\Admin\AppData\Local\Temp\2019-05-01-Emotet-binary-retrieved-by-Word-macro.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4304 -
C:\Users\Admin\AppData\Local\Temp\2019-05-01-Emotet-binary-retrieved-by-Word-macro.exe--6dea92982⤵
- Suspicious behavior: RenamesItself
PID:5056
-
-
C:\Windows\SysWOW64\redistslide.exe"C:\Windows\SysWOW64\redistslide.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4620 -
C:\Windows\SysWOW64\redistslide.exe--779f322e2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1988
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2188
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2284