Analysis
-
max time kernel
130s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
14/02/2023, 05:08
Static task
static1
Behavioral task
behavioral1
Sample
2019-05-01-Emotet-binary-retrieved-by-Word-macro.exe
Resource
win7-20221111-en
8 signatures
150 seconds
General
-
Target
2019-05-01-Emotet-binary-retrieved-by-Word-macro.exe
-
Size
168KB
-
MD5
84d164fbfe0982a00404cb3d7b164bf5
-
SHA1
e068cd94e06c1f592a2d16ac2adc52c2ce506fa5
-
SHA256
2032acdf04511314d53f51d1fef7f9e62e69abbe3db0b31a0302a8545ab1bd82
-
SHA512
be33a2f96c68ff640a1f59241969fb27971305ecf251c2f8422d3e5a6b0bf609580a7360db3fa3c0355c956f19efec5f7d2f69e947e8f3c979f930ee1761da04
-
SSDEEP
3072:tzFEhjHHIUjCgArLEZXApH3UHE360ESYUzp8t:1FWHIU2Y9KEHE36FS5p8t
Malware Config
Signatures
-
Drops file in System32 directory 4 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 bitnis.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE bitnis.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies bitnis.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 bitnis.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix bitnis.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" bitnis.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" bitnis.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 1828 bitnis.exe 1828 bitnis.exe 1828 bitnis.exe 1828 bitnis.exe 1828 bitnis.exe 1828 bitnis.exe 1828 bitnis.exe 1828 bitnis.exe 1828 bitnis.exe 1828 bitnis.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 4440 2019-05-01-Emotet-binary-retrieved-by-Word-macro.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 4264 wrote to memory of 4440 4264 2019-05-01-Emotet-binary-retrieved-by-Word-macro.exe 80 PID 4264 wrote to memory of 4440 4264 2019-05-01-Emotet-binary-retrieved-by-Word-macro.exe 80 PID 4264 wrote to memory of 4440 4264 2019-05-01-Emotet-binary-retrieved-by-Word-macro.exe 80 PID 428 wrote to memory of 1828 428 bitnis.exe 86 PID 428 wrote to memory of 1828 428 bitnis.exe 86 PID 428 wrote to memory of 1828 428 bitnis.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\2019-05-01-Emotet-binary-retrieved-by-Word-macro.exe"C:\Users\Admin\AppData\Local\Temp\2019-05-01-Emotet-binary-retrieved-by-Word-macro.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4264 -
C:\Users\Admin\AppData\Local\Temp\2019-05-01-Emotet-binary-retrieved-by-Word-macro.exe--6dea92982⤵
- Suspicious behavior: RenamesItself
PID:4440
-
-
C:\Windows\SysWOW64\bitnis.exe"C:\Windows\SysWOW64\bitnis.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:428 -
C:\Windows\SysWOW64\bitnis.exe--8c9449dd2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1828
-