Resubmissions

15/02/2023, 16:39

230215-t55jfscg64 10

Analysis

  • max time kernel
    158s
  • max time network
    164s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    15/02/2023, 16:39

General

  • Target

    2019-05-01-Emotet-binary-updated-after-initial-infection-1-of-2.exe

  • Size

    168KB

  • MD5

    1cc91941efd6d3da54a1054d9c9d870f

  • SHA1

    b6531c99b2fb0c51941ac3a636c5c3cf69073f65

  • SHA256

    6d7aff70a84d9237bde3b149ff04532cafb29b6f358886b5038a737af5934d1f

  • SHA512

    bade1e20f1a892e33d20535235f0ed45b625ef8cdd1ba9a391f074d3b77f971fb63f68f6d0f97e51fa48ef211fa7bea76a56da9deb88c85dbd0aa892ae78ed69

  • SSDEEP

    3072:5JYzFEhjHHIUjCgArLEZXApH3UHE360ESYUspf:r4FeHIU2Y9KEHE36FS2pf

Score
10/10

Malware Config

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 21 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 4 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2019-05-01-Emotet-binary-updated-after-initial-infection-1-of-2.exe
    "C:\Users\Admin\AppData\Local\Temp\2019-05-01-Emotet-binary-updated-after-initial-infection-1-of-2.exe"
    1⤵
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1104
    • C:\Users\Admin\AppData\Local\Temp\2019-05-01-Emotet-binary-updated-after-initial-infection-1-of-2.exe
      --a1bda328
      2⤵
      • Suspicious behavior: RenamesItself
      • Suspicious use of UnmapMainImage
      PID:2036
  • C:\Windows\SysWOW64\redistbit.exe
    "C:\Windows\SysWOW64\redistbit.exe"
    1⤵
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:564
    • C:\Windows\SysWOW64\redistbit.exe
      --5132896a
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of UnmapMainImage
      PID:1456

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/564-62-0x00000000002E0000-0x00000000002F1000-memory.dmp

          Filesize

          68KB

        • memory/1104-54-0x0000000075631000-0x0000000075633000-memory.dmp

          Filesize

          8KB

        • memory/1104-56-0x0000000000230000-0x000000000023D000-memory.dmp

          Filesize

          52KB

        • memory/1104-58-0x0000000000400000-0x0000000000414000-memory.dmp

          Filesize

          80KB

        • memory/1456-64-0x0000000000400000-0x000000000042C000-memory.dmp

          Filesize

          176KB

        • memory/1456-66-0x0000000000400000-0x000000000042C000-memory.dmp

          Filesize

          176KB

        • memory/2036-59-0x0000000000430000-0x0000000000441000-memory.dmp

          Filesize

          68KB

        • memory/2036-60-0x0000000000400000-0x000000000042C000-memory.dmp

          Filesize

          176KB

        • memory/2036-63-0x0000000000400000-0x0000000000414000-memory.dmp

          Filesize

          80KB