emotet | c4479969d5fd10775ce145611010172e406b9626c37b1f7c75f722366711050c

General

Target

c4479969d5fd10775ce145611010172e406b9626c37b1f7c75f722366711050c
Sample

200114-1dxkc4d4mn
SHA256

c4479969d5fd10775ce145611010172e406b9626c37b1f7c75f722366711050c

Score

10^/10

trojan banker emotet

Malware Config

Extracted

Family

emotet

C2

66.7.242.50:8080

72.186.137.156:80

197.89.27.26:8080

91.250.96.22:8080

37.187.72.193:8080

104.131.44.150:8080

167.71.10.37:8080

78.24.219.147:8080

159.65.25.128:8080

95.128.43.213:8080

179.13.185.19:80

186.86.247.171:443

110.142.38.16:80

201.173.217.124:443

169.239.182.217:8080

211.63.71.72:8080

104.131.11.150:8080

190.55.181.54:443

209.146.22.34:443

64.53.242.181:8080

rsa_pubkey.plain

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

moredispid.exe

pid process

60 moredispid.exe
Emotet
Emotet is a trojan that is primarily spread through spam emails
trojan banker emotet

pid	process
60	moredispid.exe

Drops file in System32 directory 6 IoCs

Processes:

moredispid.exec4479969d5fd10775ce145611010172e406b9626c37b1f7c75f722366711050c.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	moredispid.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	moredispid.exe
File renamed	C:\Users\Admin\AppData\Local\Temp\c4479969d5fd10775ce145611010172e406b9626c37b1f7c75f722366711050c.exe => C:\Windows\SysWOW64\moredispid.exe	c4479969d5fd10775ce145611010172e406b9626c37b1f7c75f722366711050c.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	moredispid.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	moredispid.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	moredispid.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

c4479969d5fd10775ce145611010172e406b9626c37b1f7c75f722366711050c.exec4479969d5fd10775ce145611010172e406b9626c37b1f7c75f722366711050c.exemoredispid.exemoredispid.exe

pid	process
4964	c4479969d5fd10775ce145611010172e406b9626c37b1f7c75f722366711050c.exe
4988	c4479969d5fd10775ce145611010172e406b9626c37b1f7c75f722366711050c.exe
992	moredispid.exe
60	moredispid.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

c4479969d5fd10775ce145611010172e406b9626c37b1f7c75f722366711050c.exemoredispid.exe

description	pid	process	target process
PID 4964 wrote to memory of 4988	4964	c4479969d5fd10775ce145611010172e406b9626c37b1f7c75f722366711050c.exe	c4479969d5fd10775ce145611010172e406b9626c37b1f7c75f722366711050c.exe
PID 992 wrote to memory of 60	992	moredispid.exe	moredispid.exe

Suspicious behavior: EmotetMutantsSpam 2 IoCs

Processes:

c4479969d5fd10775ce145611010172e406b9626c37b1f7c75f722366711050c.exemoredispid.exe

pid process

4988 c4479969d5fd10775ce145611010172e406b9626c37b1f7c75f722366711050c.exe
60 moredispid.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

c4479969d5fd10775ce145611010172e406b9626c37b1f7c75f722366711050c.exe

pid process

4988 c4479969d5fd10775ce145611010172e406b9626c37b1f7c75f722366711050c.exe

pid	process
4988	c4479969d5fd10775ce145611010172e406b9626c37b1f7c75f722366711050c.exe
60	moredispid.exe

pid	process
4988	c4479969d5fd10775ce145611010172e406b9626c37b1f7c75f722366711050c.exe

C:\Users\Admin\AppData\Local\Temp\c4479969d5fd10775ce145611010172e406b9626c37b1f7c75f722366711050c.exe
"C:\Users\Admin\AppData\Local\Temp\c4479969d5fd10775ce145611010172e406b9626c37b1f7c75f722366711050c.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4964

C:\Users\Admin\AppData\Local\Temp\c4479969d5fd10775ce145611010172e406b9626c37b1f7c75f722366711050c.exe
--26c2e666
2⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EmotetMutantsSpam
- Suspicious behavior: RenamesItself
PID:4988

C:\Windows\SysWOW64\moredispid.exe
"C:\Windows\SysWOW64\moredispid.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:992

C:\Windows\SysWOW64\moredispid.exe
--f3a6bcc4
2⤵
- Suspicious behavior: EnumeratesProcesses
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EmotetMutantsSpam
PID:60

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\403f0cc78adafaecdb503a6c6424923d_293fa5bd-edfb-4bba-800e-a7dce3ea3438

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-634046074-2673730973-2644684987-1000\0f5007522459c86e95ffcc62f32308f1_293fa5bd-edfb-4bba-800e-a7dce3ea3438

Download Submit
memory/60-6-0x0000000000600000-0x0000000000617000-memory.dmp

Filesize
92KB

Download
memory/60-7-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/992-4-0x0000000000DE0000-0x0000000000DF7000-memory.dmp

Filesize
92KB

Download
memory/4964-0-0x00000000021F0000-0x0000000002207000-memory.dmp

Filesize
92KB

Download
memory/4988-2-0x0000000002130000-0x0000000002147000-memory.dmp

Filesize
92KB

Download
memory/4988-3-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads