Overview

overview

10

Static

static

3

ff95dab004...eN.exe

windows7-x64

10

ff95dab004...eN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    97s
  • max time network
    101s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2024 17:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ff95dab004cf42ec1a6864afa6220bf946d6807741455f567e3af747f5502e6eN.exe

  • Size

    219KB

  • MD5

    06b92478cb19fde2665038cbdd0b1420

  • SHA1

    1e025bd647fb544e140b5d1922f9967166e76ecb

  • SHA256

    ff95dab004cf42ec1a6864afa6220bf946d6807741455f567e3af747f5502e6e

  • SHA512

    95e342a0a79985dfe2557837ecce6b9b9523233c4a1335295fbe78e7bf8645990d763686c381a627dcf3e62acdc846cb48c4514cef304e4693216a8539251974

  • SSDEEP

    3072:3RlzaDXLsnDvTuPuoD2UKaxwExELFuWpWN71AC4WSttt1ka3OuRXdHQIZ:3XzC43GdPHj447raLL

Score
10/10
emotetbankerdiscoverytrojan

Malware Config

Signatures

  • Detect Emotet payload 5 IoCs
  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Emotet family
    emotet
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1180
      • C:\Users\Admin\AppData\Local\Temp\ff95dab004cf42ec1a6864afa6220bf946d6807741455f567e3af747f5502e6eN.exe
        "C:\Users\Admin\AppData\Local\Temp\ff95dab004cf42ec1a6864afa6220bf946d6807741455f567e3af747f5502e6eN.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2580
        • C:\Users\Admin\AppData\Local\Temp\ff95dab004cf42ec1a6864afa6220bf946d6807741455f567e3af747f5502e6eN.exe
          "C:\Users\Admin\AppData\Local\Temp\ff95dab004cf42ec1a6864afa6220bf946d6807741455f567e3af747f5502e6eN.exe"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1612

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1180-8-0x0000000077B81000-0x0000000077B82000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1180-9-0x0000000073B30000-0x0000000073B43000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1180-13-0x0000000077B81000-0x0000000077B82000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1180-14-0x0000000073B30000-0x0000000073B43000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1612-2-0x0000000000400000-0x0000000000410000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1612-4-0x0000000000400000-0x0000000000410000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1612-5-0x0000000000400000-0x0000000000410000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1612-3-0x0000000000400000-0x0000000000410000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1612-7-0x0000000000400000-0x0000000000410000-memory.dmp

      Filesize

      64KB

      Download