Analysis
max time kernel: 148s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/02/2023, 09:52
Static task: static1
Behavioral task: behavioral1
Sample: 2019-05-01-Emotet-binary-updated-after-initial-infection-1-of-2.exe
Resource: win7-20220812-en
(Note the discrepancy: the task list names win7-20220812-en as the behavioral resource, while the header above reports resource win10v2004-20220812-en on platform windows10-2004_x64.)
General
Target: 2019-05-01-Emotet-binary-updated-after-initial-infection-1-of-2.exe
Size: 168KB
MD5: 1cc91941efd6d3da54a1054d9c9d870f
SHA1: b6531c99b2fb0c51941ac3a636c5c3cf69073f65
SHA256: 6d7aff70a84d9237bde3b149ff04532cafb29b6f358886b5038a737af5934d1f
SHA512: bade1e20f1a892e33d20535235f0ed45b625ef8cdd1ba9a391f074d3b77f971fb63f68f6d0f97e51fa48ef211fa7bea76a56da9deb88c85dbd0aa892ae78ed69
SSDEEP: 3072:5JYzFEhjHHIUjCgArLEZXApH3UHE360ESYUspf:r4FeHIU2Y9KEHE36FS2pf
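Before spending time on this report, confirm that the file in hand is the one it describes. The Python below is an added example, not part of the sandbox output: it recomputes the four digests listed under General, compares them with the values above (copied into REPORTED), and also splits label-plus-hex lines of the kind the Downloads section at the bottom of this page renders (MD5 immediately followed by the hex digest, with no separator). The file path on the command line is the caller's own; SSDEEP is not checked because the standard library has no ssdeep implementation.

```python
"""Verify a file against the digests a sandbox report lists, and parse the
fused 'MD5<hex>' lines that the report's Downloads section renders.

Added example code. The values in REPORTED are copied from the General
section of this report; nothing else here comes from the sandbox."""
import hashlib
import re

# Digests of the submitted sample, copied from the General section.
REPORTED = {
    "MD5": "1cc91941efd6d3da54a1054d9c9d870f",
    "SHA1": "b6531c99b2fb0c51941ac3a636c5c3cf69073f65",
    "SHA256": "6d7aff70a84d9237bde3b149ff04532cafb29b6f358886b5038a737af5934d1f",
    "SHA512": "bade1e20f1a892e33d20535235f0ed45b625ef8cdd1ba9a391f074d3b77f971f"
              "b63f68f6d0f97e51fa48ef211fa7bea76a56da9deb88c85dbd0aa892ae78ed69",
}

# Expected hex length per algorithm: a digest of the wrong length is a
# truncated or mislabelled copy, which must not silently "match".
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
ALGO = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}
FUSED_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)([0-9a-fA-F]+)$")


def parse_fused(lines):
    """Turn lines such as 'SHA17647fb55...' into {label: lowercase hex}.
    Non-digest lines (e.g. 'Filesize', '3KB') are skipped; a digest whose
    length disagrees with its label raises ValueError."""
    out = {}
    for line in lines:
        m = FUSED_RE.match(line.strip())
        if not m:
            continue
        label, hexdigest = m.group(1), m.group(2).lower()
        if len(hexdigest) != HEX_LEN[label]:
            raise ValueError(f"{label} has {len(hexdigest)} hex chars, expected {HEX_LEN[label]}")
        out[label] = hexdigest
    return out


def digests_of(data):
    """All four digests of an in-memory byte string."""
    return {label: hashlib.new(name, data).hexdigest() for label, name in ALGO.items()}


def file_digests(path, chunk=1 << 20):
    """Same four digests, streamed from disk in 1 MiB chunks."""
    hashes = {label: hashlib.new(name) for label, name in ALGO.items()}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashes.values():
                h.update(block)
    return {label: h.hexdigest() for label, h in hashes.items()}


def check(actual, reported):
    """Compare computed digests with reported ones, case-insensitively.
    Returns (all_match, [labels that disagree]); labels absent from
    'actual' are skipped rather than counted as mismatches."""
    bad = [label for label, hexdigest in reported.items()
           if label in actual and actual[label] != hexdigest.lower()]
    return (not bad, bad)


if __name__ == "__main__":
    import sys
    ok, bad = check(file_digests(sys.argv[1]), REPORTED)
    print("matches the report" if ok else "differs in: " + ", ".join(bad))
```

A mismatch in only some algorithms is itself informative: it usually means a digest was copied from a different report or truncated, which the length check in parse_fused is there to catch early.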
Malware Config
Signatures
Drops file in System32 directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | nisboxes.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | nisboxes.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | nisboxes.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | nisboxes.exe
Drops file in Windows directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | mspaint.exe
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | mspaint.exe
Both rows come from the two mspaint.exe instances (PIDs 3656 and 4336) that appear in the process tree as top-level processes opening C:\Users\Admin\Desktop\ExpandRevoke.emf; neither is a child of the sample, so this is not sample activity.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox attaches its generic note "Likely ransomware behaviour" to this signature; nothing else in this report (no mass file writes, no encryption artefacts) supports that reading for this sample, and drive enumeration is just as consistent with a loader profiling the host. The report lists no IoC rows for this signature, so it does not say which process triggered it.
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Both signatures fire on EXCEL.EXE only. The process tree shows EXCEL.EXE as a top-level process opening C:\Users\Admin\Desktop\ConvertToSplit.xlsm, not as a child of the sample, and reading CPU and BIOS keys at start-up is common for large applications, so these rows say nothing about sandbox evasion by the sample itself.
Modifies Internet Explorer settings 31 IoCs
description | ioc | Process
Set value (data) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 801091e12b41d901 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31015211" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3736571715" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\IESettingSync | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31015211" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fc1cb26e42627543897680db7b55642000000000020000000000106600000001000020000000c5cc01b38dbdd703f00c5818dff8b2bee7d477a809f6304980f7cada04825f20000000000e8000000002000020000000e7dc25f4049eee9bca4591c71b2671103f69fc2b1bce430e6e4e189d627f4dcc200000008233164a4a18ffded9711fa9bc4e41802490f75c1f61bfe475c1b80a2269fbbd400000003d3c0f5e75e4da3fbc80a6b0e8581e4fa7c49d1a734d00b6dfc0fcbbc79b5d33944d3e921600f9bc6d6d4fdfff8377148acbf8d59fa2c18ed432114aa0239249 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\MINIE | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fc1cb26e42627543897680db7b55642000000000020000000000106600000001000020000000a038928be3d7afdc1b2cc68dc73a3cfaa4a79095665186601a612464224061c6000000000e80000000020000200000008097064dd64b2bf2705517883abe48858556eed900a1b5ac73710925866d354e20000000d6727fcfd9b9b6e09c3f46adf7cad9f199bfe8643e3999ba312479a45bafc28a4000000072ed0efdb73e99b5709eaae54d2e8fef6627b3ee3fb14c7605daa666e1b120dd4f9605b09d91dce47c9b078f70a1146c84ebd388cf5daec789e22f1449244866 | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60f79ce12b41d901 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3736571715" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{09BDA4E9-AD1F-11ED-B696-CA2A13AD51D0} = "0" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
All 31 rows are written by iexplore.exe (PID 208, the 64-bit frame process from C:\Program Files\Internet Explorer) and IEXPLORE.EXE (PID 4356, its 32-bit content process from C:\Program Files (x86)\Internet Explorer), which the process tree shows as a top-level chain unrelated to the sample. The VersionManager, TabbedBrowsing, Recovery and IESettingSync keys are first-run housekeeping, and both DecayDateQueue values begin with 01000000d08c9ddf0115d1118c7a00c04fc297eb, the header of a DPAPI-protected blob that Internet Explorer encrypts for its own use; none of this should be credited to the sample.
Modifies data under HKEY_USERS 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | nisboxes.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | nisboxes.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | nisboxes.exe
The first row's value is shown blank in the report. HKEY_USERS\.DEFAULT is the registry hive of the LocalSystem account, and the folders the same process opened under "Drops file in System32 directory" sit in C:\Windows\SysWOW64\config\systemprofile, the LocalSystem profile: nisboxes.exe (PID 1960) was therefore running as SYSTEM, which is what a service would do. The three CachePrefix values and the INetCache, INetCookies and History containers are what WinINet initialises the first time it is used from a profile, so the process was also loading WinINet, presumably for network access; the report's Network section lists nothing, so the destination is not evidenced here.
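The file and registry rows above are rendered as one run-together line per signature. The Python below is an added example, not sandbox code: it parses rows of that shape and then classifies each path by the account context it implies, which is how the LocalSystem conclusion about nisboxes.exe can be reached mechanically over a whole report rather than by eye. ROWS holds a subset of this report's rows copied verbatim, one or two per path kind; the context labels and the parsing rules are my own.

```python
"""Parse 'description ioc Process' rows from a sandbox report and infer the
account context each process was operating in from the paths it touched.

Added example code. ROWS is copied from this report (a subset); the parser
and the context inference are illustration, not sandbox output."""
import re
from collections import defaultdict

ROWS = r'''
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 nisboxes.exe
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies nisboxes.exe
File opened for modification C:\Windows\Debug\WIA\wiatrace.log mspaint.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix nisboxes.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" nisboxes.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE
'''

# Row prefixes used by the signature tables, longest first so that a longer
# description is never mistaken for a shorter one with the same start.
DESCRIPTIONS = sorted((
    "File opened for modification", "Key value queried", "Key created",
    "Key opened", "Set value (str)", "Set value (int)", "Set value (data)",
), key=len, reverse=True)

USER_SID_RE = re.compile(r"^\\registry\\user\\(s-1-5-21-[\d-]+)\\")


def parse_rows(text):
    """Split each row into description, ioc and process; 'Set value' rows
    additionally get key and value. The process is the last whitespace-
    delimited token, which holds for every row in this report. A 'Set value'
    row whose value was blank in the report gets value=None."""
    records = []
    for row in text.strip().splitlines():
        desc = next((d for d in DESCRIPTIONS if row.startswith(d)), None)
        if desc is None:
            raise ValueError(f"unknown row shape: {row!r}")
        ioc, process = row[len(desc):].strip().rsplit(maxsplit=1)
        rec = {"description": desc, "ioc": ioc, "process": process}
        if desc.startswith("Set value"):
            key, sep, value = ioc.partition(" = ")
            rec["key"], rec["value"] = key, (value if sep else None)
        records.append(rec)
    return records


def context_of(ioc):
    """Account context implied by a path. HKU\\.DEFAULT and the
    config\\systemprofile directory belong to the LocalSystem account, not
    to any interactive user; S-1-5-21-... hives belong to a specific user."""
    low = ioc.lower()
    if "\\config\\systemprofile\\" in low or low.startswith("\\registry\\user\\.default\\"):
        return "LocalSystem"
    m = USER_SID_RE.match(low)
    if m:
        return f"user {m.group(1).upper()}"
    if low.startswith("\\registry\\machine\\"):
        return "HKLM"
    if low.startswith("c:\\users\\"):
        return "user profile"
    return "other"


def contexts_by_process(records):
    """{process: set of contexts} over all of that process's rows."""
    out = defaultdict(set)
    for rec in records:
        out[rec["process"]].add(context_of(rec["ioc"]))
    return dict(out)


if __name__ == "__main__":
    for proc, ctx in sorted(contexts_by_process(parse_rows(ROWS)).items()):
        print(f"{proc:14} {', '.join(sorted(ctx))}")
```

On this input nisboxes.exe resolves to LocalSystem alone, EXCEL.EXE to HKLM reads, and both spellings of the Internet Explorer process to the interactive user's SID; mspaint.exe lands in "other" because C:\Windows\Debug belongs to no account profile. A process that shows up in both LocalSystem and a user SID is worth a second look, since it implies either impersonation or two differently privileged instances sharing a name.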
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
3580 | EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs
pid | Process | hits
1960 | nisboxes.exe | 12
3656 | mspaint.exe | 2
4336 | mspaint.exe | 2

Suspicious behavior: RenamesItself 1 IoCs
pid | Process
3800 | 2019-05-01-Emotet-binary-updated-after-initial-infection-1-of-2.exe

Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
208 | iexplore.exe

Suspicious use of SetWindowsHookEx 22 IoCs
pid | Process | hits
3656 | mspaint.exe | 4
4336 | mspaint.exe | 4
3580 | EXCEL.EXE | 9
208 | iexplore.exe | 2
4356 | IEXPLORE.EXE | 3

Suspicious use of WriteProcessMemory 9 IoCs
description | pid | Process | procid_target | hits
PID 4756 wrote to memory of 3800 | 4756 | 2019-05-01-Emotet-binary-updated-after-initial-infection-1-of-2.exe | 80 | 3
PID 4320 wrote to memory of 1960 | 4320 | nisboxes.exe | 82 | 3
PID 208 wrote to memory of 4356 | 208 | iexplore.exe | 105 | 3
(The report lists one identical row per hit; the hits column collapses those repeats.)
Processes
[1] marks a top-level process and [2] a child of the [1] entry above it.

[1] C:\Users\Admin\AppData\Local\Temp\2019-05-01-Emotet-binary-updated-after-initial-infection-1-of-2.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\2019-05-01-Emotet-binary-updated-after-initial-infection-1-of-2.exe"
    PID: 4756
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\2019-05-01-Emotet-binary-updated-after-initial-infection-1-of-2.exe
        command line: --a1bda328
        PID: 3800
        - Suspicious behavior: RenamesItself

[1] C:\Windows\SysWOW64\nisboxes.exe
    command line: "C:\Windows\SysWOW64\nisboxes.exe"
    PID: 4320
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\nisboxes.exe
        command line: --f1c91253
        PID: 1960
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses

[1] C:\Windows\system32\mspaint.exe
    command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\ExpandRevoke.emf"
    PID: 3656
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx

[1] C:\Windows\system32\svchost.exe
    command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
    PID: 2188

[1] C:\Windows\system32\mspaint.exe
    command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\ExpandRevoke.emf"
    PID: 4336
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx

[1] C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\ConvertToSplit.xlsm"
    PID: 3580
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

[1] C:\Windows\System32\rundll32.exe
    command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID: 888

[1] C:\Program Files\Internet Explorer\iexplore.exe
    command line: "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
    PID: 208
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [2] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:208 CREDAT:17410 /prefetch:2
        PID: 4356
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx

Reading the tree. The submitted binary (PID 4756) launches a second copy of itself (PID 3800) whose entire command line is the token --a1bda328, and that copy renames itself. C:\Windows\SysWOW64\nisboxes.exe shows the same shape (PID 4320 launches PID 1960 with --f1c91253) and is the process behind the System32 file drops and the HKEY_USERS writes, but the report records neither which process wrote nisboxes.exe to disk nor which process started PID 4320, so the link between the sample and nisboxes.exe is not evidenced on this page. Emotet is known to copy itself into the system directory under a generated name and run from there; treat that as the working hypothesis, not as something this report demonstrates. The remaining top-level processes (mspaint.exe, svchost.exe, EXCEL.EXE, rundll32.exe, iexplore.exe and its child IEXPLORE.EXE) are children of neither chain; they open documents from C:\Users\Admin\Desktop or run with ordinary system arguments, which is consistent with the sandbox's own user-activity simulation, and the signatures raised on them (SetWindowsHookEx, AddClipboardFormatListener, EnumeratesProcesses, the Internet Explorer registry writes) should not be credited to the sample.
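The process tree is rendered one fused line per process (image path, command line, depth marker, sometimes the PID). The Python below is an added example rather than anything from the sandbox: it parses that rendering, recovers parentage from the depth markers, and applies a hunt heuristic derived from the two launches in this tree whose whole command line is a single --<8 hex digits> token (--a1bda328 and --f1c91253), scoring a hit higher when the image lives under the Windows system directory or the parent runs the same image. TREE is this report's tree copied verbatim; the heuristic is mine, tied to what this report shows, and is not a published Emotet signature. On real telemetry the same records would come from process-creation events (image, command line, parent image) rather than from a report.

```python
"""Parse a sandbox report's process tree as rendered above and hunt for
processes launched with a bare '--<8 hex>' argument.

Added example code. TREE is copied from the Processes section of this
report; the parser and the heuristic are illustration, not sandbox output."""
import re

TREE = r'''
C:\Users\Admin\AppData\Local\Temp\2019-05-01-Emotet-binary-updated-after-initial-infection-1-of-2.exe"C:\Users\Admin\AppData\Local\Temp\2019-05-01-Emotet-binary-updated-after-initial-infection-1-of-2.exe"1⤵
PID:4756
C:\Users\Admin\AppData\Local\Temp\2019-05-01-Emotet-binary-updated-after-initial-infection-1-of-2.exe--a1bda3282⤵
PID:3800
C:\Windows\SysWOW64\nisboxes.exe"C:\Windows\SysWOW64\nisboxes.exe"1⤵
PID:4320
C:\Windows\SysWOW64\nisboxes.exe--f1c912532⤵
PID:1960
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\ExpandRevoke.emf"1⤵
PID:3656
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService1⤵PID:2188
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\ExpandRevoke.emf"1⤵
PID:4336
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\ConvertToSplit.xlsm"1⤵
PID:3580
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:888
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -nohome1⤵
PID:208
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:208 CREDAT:17410 /prefetch:22⤵
PID:4356
'''

# One fused line: image path (up to the first .exe), the command line, the
# depth digit before the arrow, and an optional PID fused onto the same line.
LINE_RE = re.compile(
    r'^(?P<image>[A-Za-z]:\\[^"]*?\.exe)(?P<cmd>.*?)(?P<depth>\d)⤵(?:PID:(?P<pid>\d+))?$',
    re.IGNORECASE)
TOKEN_RE = re.compile(r"^--[0-9a-f]{8}$")
SYSTEM_DIRS = ("\\windows\\syswow64\\", "\\windows\\system32\\")


def parse_tree(text):
    """Process records in document order, each with image, cmd, pid and a
    reference to its parent record (None for a top-level process). A
    depth-n entry is the child of the most recent depth-(n-1) entry."""
    procs, last_at_depth = [], {}
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if m:
            depth = int(m["depth"])
            proc = {"image": m["image"], "cmd": m["cmd"],
                    "pid": int(m["pid"]) if m["pid"] else None,
                    "parent": last_at_depth.get(depth - 1)}
            last_at_depth[depth] = proc
            procs.append(proc)
        elif line.startswith("PID:"):
            procs[-1]["pid"] = int(line[4:])
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    return procs


def args_of(image, cmd):
    """The argument string with the executable token removed. Handles the
    quoted form '"C:\\x.exe" args', the bare form 'C:\\x.exe args', and a
    command line that carries only the arguments (as the two --<hex>
    launches in this tree do)."""
    if cmd.startswith('"'):
        return cmd[cmd.find('"', 1) + 1:].strip()
    if cmd.lower().startswith(image.lower()):
        return cmd[len(image):].strip()
    return cmd.strip()


def assess(proc):
    """Reasons this process matches the pattern; an empty list if it does not."""
    if not TOKEN_RE.match(args_of(proc["image"], proc["cmd"])):
        return []
    reasons = ["command line is a single --<8 hex> token"]
    image = proc["image"].lower()
    if any(d in image for d in SYSTEM_DIRS):
        reasons.append("image under the Windows system directory")
    parent = proc["parent"]
    if parent and parent["image"].lower() == image:
        reasons.append("parent runs the same image (self-relaunch)")
    return reasons


def hunt(procs):
    """{pid: reasons} for every process that matches."""
    hits = {}
    for proc in procs:
        reasons = assess(proc)
        if reasons:
            hits[proc["pid"]] = reasons
    return hits


if __name__ == "__main__":
    for pid, reasons in hunt(parse_tree(TREE)).items():
        print(pid, "->", "; ".join(reasons))
```

Run as is, it reports PID 3800 (token plus self-relaunch) and PID 1960 (token, system directory, self-relaunch); nothing else in the tree matches, including the sandbox-launched Office and Internet Explorer processes. A bare --<hex> argument is not unique to this family, so treat a match as a lead to pivot on the parent and image path, not as a verdict.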
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 3KB
MD5: 80ab2f22e320c95f387181e49b5632bb
SHA1: 7647fb55e9380c4ea83a61186dd286806c38ef8b
SHA256: f0cb3f935622e8d5a12595edcc7f06b4aaa964c4c56090ae2f76baa83d2b5fd4
SHA512: c689c9eec42ab895bb3cd3d434412cd2198018c466eb25a73e2e626a7e8cfa6fec4c3735cc5ddaca7c4d7f745372b6860f0cb40eb19bb1b1651c3471c29ed7a2
(The report gives no file name, path or source URL for this download.)