emotet | f706952df88e270262ad1acf11b8a99fe76bb623305b893b46cd9d86ac95e4c4

General

Target

a8845b072587903ed165f4932e5290fb.exe
Size

672KB
MD5

ed0cf028613656a71d52680aaba1af57
SHA1

b902528d8f919396164113ebe20020a73a28c751
SHA256

f706952df88e270262ad1acf11b8a99fe76bb623305b893b46cd9d86ac95e4c4
SHA512

3dc0b7ceda4d3b0b4f3499162de7b52fa73822b4a3cb29c9af27ece2f4cb3998e5250fcc706e79e8c02f48feb696ef7838809466a8ecf35e4c0e2dc28b5169b4

Score

10^/10

emotet banker trojan

Malware Config

Extracted

Family

emotet

C2

186.84.173.153:80

181.36.42.205:443

190.166.25.99:80

131.0.103.200:8080

78.46.103.90:7080

94.177.253.126:80

120.138.101.250:80

200.55.168.82:20

75.154.163.1:8090

95.216.207.86:7080

190.96.118.15:443

144.76.62.10:8080

212.112.113.235:80

184.82.233.15:80

157.7.164.178:8081

113.52.135.33:7080

176.58.93.123:80

51.38.134.203:8080

190.228.212.165:50000

203.99.188.11:443

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 1 IoCs

Processes:

partnermodern.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	partnermodern.exe

Modifies data under HKEY_USERS 21 IoCs

Processes:

partnermodern.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77	partnermodern.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionReason = "1"	partnermodern.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = 302552cd06bdd601	partnermodern.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	partnermodern.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}	partnermodern.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	partnermodern.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadDecision = "0"	partnermodern.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	partnermodern.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	partnermodern.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	partnermodern.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	partnermodern.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	partnermodern.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	partnermodern.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a07005c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	partnermodern.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadDecisionReason = "1"	partnermodern.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadDecisionTime = 302552cd06bdd601	partnermodern.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadNetworkName = "Network"	partnermodern.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\32-e2-17-db-d2-77	partnermodern.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecision = "0"	partnermodern.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	partnermodern.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	partnermodern.exe

Suspicious behavior: EmotetMutantsSpam 2 IoCs

Processes:

a8845b072587903ed165f4932e5290fb.exepartnermodern.exe

pid process

2040 a8845b072587903ed165f4932e5290fb.exe
1720 partnermodern.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

partnermodern.exe

pid process

1720 partnermodern.exe
1720 partnermodern.exe
1720 partnermodern.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

a8845b072587903ed165f4932e5290fb.exe

pid process

2040 a8845b072587903ed165f4932e5290fb.exe

pid	process
2040	a8845b072587903ed165f4932e5290fb.exe
1720	partnermodern.exe

pid	process
1720	partnermodern.exe
1720	partnermodern.exe
1720	partnermodern.exe

pid	process
2040	a8845b072587903ed165f4932e5290fb.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

a8845b072587903ed165f4932e5290fb.exea8845b072587903ed165f4932e5290fb.exepartnermodern.exepartnermodern.exe

pid	process
1644	a8845b072587903ed165f4932e5290fb.exe
1644	a8845b072587903ed165f4932e5290fb.exe
2040	a8845b072587903ed165f4932e5290fb.exe
2040	a8845b072587903ed165f4932e5290fb.exe
1628	partnermodern.exe
1628	partnermodern.exe
1720	partnermodern.exe
1720	partnermodern.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

a8845b072587903ed165f4932e5290fb.exepartnermodern.exe

description	pid	process	target process
PID 1644 wrote to memory of 2040	1644	a8845b072587903ed165f4932e5290fb.exe	a8845b072587903ed165f4932e5290fb.exe
PID 1644 wrote to memory of 2040	1644	a8845b072587903ed165f4932e5290fb.exe	a8845b072587903ed165f4932e5290fb.exe
PID 1644 wrote to memory of 2040	1644	a8845b072587903ed165f4932e5290fb.exe	a8845b072587903ed165f4932e5290fb.exe
PID 1644 wrote to memory of 2040	1644	a8845b072587903ed165f4932e5290fb.exe	a8845b072587903ed165f4932e5290fb.exe
PID 1628 wrote to memory of 1720	1628	partnermodern.exe	partnermodern.exe
PID 1628 wrote to memory of 1720	1628	partnermodern.exe	partnermodern.exe
PID 1628 wrote to memory of 1720	1628	partnermodern.exe	partnermodern.exe
PID 1628 wrote to memory of 1720	1628	partnermodern.exe	partnermodern.exe

C:\Users\Admin\AppData\Local\Temp\a8845b072587903ed165f4932e5290fb.exe
"C:\Users\Admin\AppData\Local\Temp\a8845b072587903ed165f4932e5290fb.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1644

C:\Users\Admin\AppData\Local\Temp\a8845b072587903ed165f4932e5290fb.exe
--dd7f4c6d
2⤵
- Suspicious behavior: EmotetMutantsSpam
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
PID:2040

C:\Windows\SysWOW64\partnermodern.exe
"C:\Windows\SysWOW64\partnermodern.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\SysWOW64\partnermodern.exe
--1de457fd
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EmotetMutantsSpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1720

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1628-4-0x00000000003E0000-0x00000000003F7000-memory.dmp

Filesize
92KB

Download
memory/1644-0-0x0000000000370000-0x0000000000387000-memory.dmp

Filesize
92KB

Download
memory/1720-5-0x0000000000000000-mapping.dmp

Download
memory/1720-6-0x00000000003D0000-0x00000000003E7000-memory.dmp

Filesize
92KB

Download
memory/1720-7-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/2040-1-0x0000000000000000-mapping.dmp

Download
memory/2040-2-0x00000000003A0000-0x00000000003B7000-memory.dmp

Filesize
92KB

Download
memory/2040-3-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads