Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
14/02/2023, 23:01
Static task
static1
Behavioral task
behavioral1
Sample
2019-05-01-Emotet-binary-retrieved-by-Word-macro.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
2019-05-01-Emotet-binary-retrieved-by-Word-macro.exe
Resource
win10v2004-20220812-en
General
-
Target
2019-05-01-Emotet-binary-retrieved-by-Word-macro.exe
-
Size
168KB
-
MD5
84d164fbfe0982a00404cb3d7b164bf5
-
SHA1
e068cd94e06c1f592a2d16ac2adc52c2ce506fa5
-
SHA256
2032acdf04511314d53f51d1fef7f9e62e69abbe3db0b31a0302a8545ab1bd82
-
SHA512
be33a2f96c68ff640a1f59241969fb27971305ecf251c2f8422d3e5a6b0bf609580a7360db3fa3c0355c956f19efec5f7d2f69e947e8f3c979f930ee1761da04
-
SSDEEP
3072:tzFEhjHHIUjCgArLEZXApH3UHE360ESYUzp8t:1FWHIU2Y9KEHE36FS5p8t
Malware Config
Signatures
-
Drops file in System32 directory 4 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 guiddefunpack.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE guiddefunpack.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies guiddefunpack.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 guiddefunpack.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix guiddefunpack.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" guiddefunpack.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" guiddefunpack.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings OpenWith.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 1200 guiddefunpack.exe 1200 guiddefunpack.exe 1200 guiddefunpack.exe 1200 guiddefunpack.exe 1200 guiddefunpack.exe 1200 guiddefunpack.exe 1200 guiddefunpack.exe 1200 guiddefunpack.exe 1200 guiddefunpack.exe 1200 guiddefunpack.exe 1200 guiddefunpack.exe 1200 guiddefunpack.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 3988 2019-05-01-Emotet-binary-retrieved-by-Word-macro.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2644 OpenWith.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2732 wrote to memory of 3988 2732 2019-05-01-Emotet-binary-retrieved-by-Word-macro.exe 82 PID 2732 wrote to memory of 3988 2732 2019-05-01-Emotet-binary-retrieved-by-Word-macro.exe 82 PID 2732 wrote to memory of 3988 2732 2019-05-01-Emotet-binary-retrieved-by-Word-macro.exe 82 PID 4552 wrote to memory of 1200 4552 guiddefunpack.exe 87 PID 4552 wrote to memory of 1200 4552 guiddefunpack.exe 87 PID 4552 wrote to memory of 1200 4552 guiddefunpack.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\2019-05-01-Emotet-binary-retrieved-by-Word-macro.exe"C:\Users\Admin\AppData\Local\Temp\2019-05-01-Emotet-binary-retrieved-by-Word-macro.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Users\Admin\AppData\Local\Temp\2019-05-01-Emotet-binary-retrieved-by-Word-macro.exe--6dea92982⤵
- Suspicious behavior: RenamesItself
PID:3988
-
-
C:\Windows\SysWOW64\guiddefunpack.exe"C:\Windows\SysWOW64\guiddefunpack.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4552 -
C:\Windows\SysWOW64\guiddefunpack.exe--85ae1d842⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1200
-
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2644