Resubmissions

15/02/2023, 09:52

230215-lv6d1aba3x 10

15/02/2023, 09:50

230215-ltxepsbc55 10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/02/2023, 09:52

General

  • Target

    2019-05-01-Emotet-binary-updated-after-initial-infection-1-of-2.exe

  • Size

    168KB

  • MD5

    1cc91941efd6d3da54a1054d9c9d870f

  • SHA1

    b6531c99b2fb0c51941ac3a636c5c3cf69073f65

  • SHA256

    6d7aff70a84d9237bde3b149ff04532cafb29b6f358886b5038a737af5934d1f

  • SHA512

    bade1e20f1a892e33d20535235f0ed45b625ef8cdd1ba9a391f074d3b77f971fb63f68f6d0f97e51fa48ef211fa7bea76a56da9deb88c85dbd0aa892ae78ed69

  • SSDEEP

    3072:5JYzFEhjHHIUjCgArLEZXApH3UHE360ESYUspf:r4FeHIU2Y9KEHE36FS2pf

Score
10/10

Malware Config

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies data under HKEY_USERS 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 22 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2019-05-01-Emotet-binary-updated-after-initial-infection-1-of-2.exe
    "C:\Users\Admin\AppData\Local\Temp\2019-05-01-Emotet-binary-updated-after-initial-infection-1-of-2.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4756
    • C:\Users\Admin\AppData\Local\Temp\2019-05-01-Emotet-binary-updated-after-initial-infection-1-of-2.exe
      --a1bda328
      2⤵
      • Suspicious behavior: RenamesItself
      PID:3800
  • C:\Windows\SysWOW64\nisboxes.exe
    "C:\Windows\SysWOW64\nisboxes.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4320
    • C:\Windows\SysWOW64\nisboxes.exe
      --f1c91253
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      PID:1960
  • C:\Windows\system32\mspaint.exe
    "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\ExpandRevoke.emf"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:3656
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
    1⤵
      PID:2188
    • C:\Windows\system32\mspaint.exe
      "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\ExpandRevoke.emf"
      1⤵
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4336
    • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\ConvertToSplit.xlsm"
      1⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:3580
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:888
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:208
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:208 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:4356

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Windows\Debug\WIA\wiatrace.log
    Filesize: 3KB
    MD5: 80ab2f22e320c95f387181e49b5632bb
    SHA1: 7647fb55e9380c4ea83a61186dd286806c38ef8b
    SHA256: f0cb3f935622e8d5a12595edcc7f06b4aaa964c4c56090ae2f76baa83d2b5fd4
    SHA512: c689c9eec42ab895bb3cd3d434412cd2198018c466eb25a73e2e626a7e8cfa6fec4c3735cc5ddaca7c4d7f745372b6860f0cb40eb19bb1b1651c3471c29ed7a2
  • memory/1960-141-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize: 176KB
  • memory/1960-140-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize: 176KB
  • memory/3580-147-0x00007FFB70CF0000-0x00007FFB70D00000-memory.dmp
    Filesize: 64KB
  • memory/3580-149-0x00007FFB6E6B0000-0x00007FFB6E6C0000-memory.dmp
    Filesize: 64KB
  • memory/3580-154-0x00007FFB70CF0000-0x00007FFB70D00000-memory.dmp
    Filesize: 64KB
  • memory/3580-152-0x00007FFB70CF0000-0x00007FFB70D00000-memory.dmp
    Filesize: 64KB
  • memory/3580-153-0x00007FFB70CF0000-0x00007FFB70D00000-memory.dmp
    Filesize: 64KB
  • memory/3580-151-0x00007FFB70CF0000-0x00007FFB70D00000-memory.dmp
    Filesize: 64KB
  • memory/3580-148-0x00007FFB6E6B0000-0x00007FFB6E6C0000-memory.dmp
    Filesize: 64KB
  • memory/3580-143-0x00007FFB70CF0000-0x00007FFB70D00000-memory.dmp
    Filesize: 64KB
  • memory/3580-145-0x00007FFB70CF0000-0x00007FFB70D00000-memory.dmp
    Filesize: 64KB
  • memory/3580-144-0x00007FFB70CF0000-0x00007FFB70D00000-memory.dmp
    Filesize: 64KB
  • memory/3580-146-0x00007FFB70CF0000-0x00007FFB70D00000-memory.dmp
    Filesize: 64KB
  • memory/3800-137-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize: 176KB
  • memory/3800-139-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize: 80KB
  • memory/4756-132-0x00000000005C0000-0x00000000005D1000-memory.dmp
    Filesize: 68KB
  • memory/4756-133-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize: 176KB
  • memory/4756-136-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize: 80KB
  • memory/4756-135-0x00000000005C0000-0x00000000005D1000-memory.dmp
    Filesize: 68KB