Analysis
-
max time kernel
137s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
14/02/2023, 02:39
Static task
static1
Behavioral task
behavioral1
Sample
2019-05-01-Emotet-binary-updated-after-initial-infection-1-of-2.exe
Resource
win7-20220812-en
8 signatures
150 seconds
General
-
Target
2019-05-01-Emotet-binary-updated-after-initial-infection-1-of-2.exe
-
Size
168KB
-
MD5
1cc91941efd6d3da54a1054d9c9d870f
-
SHA1
b6531c99b2fb0c51941ac3a636c5c3cf69073f65
-
SHA256
6d7aff70a84d9237bde3b149ff04532cafb29b6f358886b5038a737af5934d1f
-
SHA512
bade1e20f1a892e33d20535235f0ed45b625ef8cdd1ba9a391f074d3b77f971fb63f68f6d0f97e51fa48ef211fa7bea76a56da9deb88c85dbd0aa892ae78ed69
-
SSDEEP
3072:5JYzFEhjHHIUjCgArLEZXApH3UHE360ESYUspf:r4FeHIU2Y9KEHE36FS2pf
Malware Config
Signatures
-
Drops file in System32 directory 4 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE ielllangs.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies ielllangs.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 ielllangs.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 ielllangs.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" ielllangs.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix ielllangs.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" ielllangs.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 3600 ielllangs.exe 3600 ielllangs.exe 3600 ielllangs.exe 3600 ielllangs.exe 3600 ielllangs.exe 3600 ielllangs.exe 3600 ielllangs.exe 3600 ielllangs.exe 3600 ielllangs.exe 3600 ielllangs.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 1204 2019-05-01-Emotet-binary-updated-after-initial-infection-1-of-2.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 4752 wrote to memory of 1204 4752 2019-05-01-Emotet-binary-updated-after-initial-infection-1-of-2.exe 82 PID 4752 wrote to memory of 1204 4752 2019-05-01-Emotet-binary-updated-after-initial-infection-1-of-2.exe 82 PID 4752 wrote to memory of 1204 4752 2019-05-01-Emotet-binary-updated-after-initial-infection-1-of-2.exe 82 PID 2140 wrote to memory of 3600 2140 ielllangs.exe 86 PID 2140 wrote to memory of 3600 2140 ielllangs.exe 86 PID 2140 wrote to memory of 3600 2140 ielllangs.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\2019-05-01-Emotet-binary-updated-after-initial-infection-1-of-2.exe"C:\Users\Admin\AppData\Local\Temp\2019-05-01-Emotet-binary-updated-after-initial-infection-1-of-2.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4752 -
C:\Users\Admin\AppData\Local\Temp\2019-05-01-Emotet-binary-updated-after-initial-infection-1-of-2.exe--a1bda3282⤵
- Suspicious behavior: RenamesItself
PID:1204
-
-
C:\Windows\SysWOW64\ielllangs.exe"C:\Windows\SysWOW64\ielllangs.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\SysWOW64\ielllangs.exe--22ede07f2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3600
-