Analysis
-
max time kernel
134s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
15/02/2023, 16:42
Static task
static1
Behavioral task
behavioral1
Sample
2019-05-01-Emotet-binary-updated-after-initial-infection-2-of-2.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
2019-05-01-Emotet-binary-updated-after-initial-infection-2-of-2.exe
Resource
win10v2004-20220812-en
General
-
Target
2019-05-01-Emotet-binary-updated-after-initial-infection-2-of-2.exe
-
Size
157KB
-
MD5
d05d59b36d76a2d919d73e5383f0b35b
-
SHA1
bdd29b90d93e3bd85b2e0291e3601a45b0c8e33c
-
SHA256
486ede4ecff9a951261af3d267072bf75a37e7812afd91dc4c30bf5535dede8b
-
SHA512
74efa7b921beda7eff6c56ccd43eef44d4e1ec19e6bb76ccb08e879b2e491a7fffbf176b095244a73181098583d925d56f44fc9cb41c73b67c43a85224f04fc2
-
SSDEEP
3072:paROF9HwBJa2vMjrmok3XxK6T9f5pNF/NB+GQIiqGgyVcU4TZP8eIn:l9wBJa2EmvXxKy9FJjQIi1gyR/
Malware Config
Signatures
-
Drops file in System32 directory 4 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 randomboxes.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE randomboxes.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies randomboxes.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 randomboxes.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix randomboxes.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" randomboxes.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" randomboxes.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 4992 randomboxes.exe 4992 randomboxes.exe 4992 randomboxes.exe 4992 randomboxes.exe 4992 randomboxes.exe 4992 randomboxes.exe 4992 randomboxes.exe 4992 randomboxes.exe 4992 randomboxes.exe 4992 randomboxes.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 1800 2019-05-01-Emotet-binary-updated-after-initial-infection-2-of-2.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 444 wrote to memory of 1800 444 2019-05-01-Emotet-binary-updated-after-initial-infection-2-of-2.exe 80 PID 444 wrote to memory of 1800 444 2019-05-01-Emotet-binary-updated-after-initial-infection-2-of-2.exe 80 PID 444 wrote to memory of 1800 444 2019-05-01-Emotet-binary-updated-after-initial-infection-2-of-2.exe 80 PID 448 wrote to memory of 4992 448 randomboxes.exe 86 PID 448 wrote to memory of 4992 448 randomboxes.exe 86 PID 448 wrote to memory of 4992 448 randomboxes.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\2019-05-01-Emotet-binary-updated-after-initial-infection-2-of-2.exe"C:\Users\Admin\AppData\Local\Temp\2019-05-01-Emotet-binary-updated-after-initial-infection-2-of-2.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:444 -
C:\Users\Admin\AppData\Local\Temp\2019-05-01-Emotet-binary-updated-after-initial-infection-2-of-2.exe--531465672⤵
- Suspicious behavior: RenamesItself
PID:1800
-
-
C:\Windows\SysWOW64\randomboxes.exe"C:\Windows\SysWOW64\randomboxes.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:448 -
C:\Windows\SysWOW64\randomboxes.exe--33c067cc2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4992
-