emotet | 47ce4a3551cfd77c69cb0615b6e3a40f78a57f8321477654dd6b06512070f1ae

General

Target

emotet.exe
Size

213KB
MD5

3135be2c48f42ef0f3540f7434eb9f39
SHA1

6c8773fd797cad0e05ee4c27658d484576bca4f4
SHA256

47ce4a3551cfd77c69cb0615b6e3a40f78a57f8321477654dd6b06512070f1ae
SHA512

03d6fc239d9f47975592f78e4a31ec8d30a414768f017dded7c5ca7f1fc877bf8561f85b1ed8ed1335177e5cb6300b3359032370e325aaa508e1be9989f370e7

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 1 IoCs

Processes:

tabbtndeep.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	tabbtndeep.exe

Modifies data under HKEY_USERS 22 IoCs

Processes:

tabbtndeep.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	tabbtndeep.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77	tabbtndeep.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\32-e2-17-db-d2-77	tabbtndeep.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecision = "0"	tabbtndeep.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDetectedUrl	tabbtndeep.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = 9033f39af5bdd601	tabbtndeep.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	tabbtndeep.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	tabbtndeep.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a07005f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	tabbtndeep.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}	tabbtndeep.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadDecisionTime = d099cf63f5bdd601	tabbtndeep.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadDecision = "0"	tabbtndeep.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadNetworkName = "Network"	tabbtndeep.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionReason = "1"	tabbtndeep.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	tabbtndeep.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadDecisionReason = "1"	tabbtndeep.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	tabbtndeep.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	tabbtndeep.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = d099cf63f5bdd601	tabbtndeep.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a07005f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	tabbtndeep.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadDecisionTime = 9033f39af5bdd601	tabbtndeep.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	tabbtndeep.exe

Suspicious behavior: EmotetMutantsSpam 2 IoCs

Processes:

emotet.exetabbtndeep.exe

pid process

1924 emotet.exe
1408 tabbtndeep.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

emotet.exeemotet.exetabbtndeep.exetabbtndeep.exe

pid process

1704 emotet.exe
1924 emotet.exe
1272 tabbtndeep.exe
1408 tabbtndeep.exe
1408 tabbtndeep.exe
1408 tabbtndeep.exe
1408 tabbtndeep.exe
1408 tabbtndeep.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

emotet.exe

pid process

1924 emotet.exe

pid	process
1924	emotet.exe
1408	tabbtndeep.exe

pid	process
1704	emotet.exe
1924	emotet.exe
1272	tabbtndeep.exe
1408	tabbtndeep.exe
1408	tabbtndeep.exe
1408	tabbtndeep.exe
1408	tabbtndeep.exe
1408	tabbtndeep.exe

pid	process
1924	emotet.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

emotet.exetabbtndeep.exe

description	pid	process	target process
PID 1704 wrote to memory of 1924	1704	emotet.exe	emotet.exe
PID 1704 wrote to memory of 1924	1704	emotet.exe	emotet.exe
PID 1704 wrote to memory of 1924	1704	emotet.exe	emotet.exe
PID 1704 wrote to memory of 1924	1704	emotet.exe	emotet.exe
PID 1272 wrote to memory of 1408	1272	tabbtndeep.exe	tabbtndeep.exe
PID 1272 wrote to memory of 1408	1272	tabbtndeep.exe	tabbtndeep.exe
PID 1272 wrote to memory of 1408	1272	tabbtndeep.exe	tabbtndeep.exe
PID 1272 wrote to memory of 1408	1272	tabbtndeep.exe	tabbtndeep.exe

C:\Users\Admin\AppData\Local\Temp\emotet.exe
"C:\Users\Admin\AppData\Local\Temp\emotet.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1704

C:\Users\Admin\AppData\Local\Temp\emotet.exe
"C:\Users\Admin\AppData\Local\Temp\emotet.exe"
2⤵
- Suspicious behavior: EmotetMutantsSpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
PID:1924

C:\Windows\SysWOW64\tabbtndeep.exe
"C:\Windows\SysWOW64\tabbtndeep.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1272

C:\Windows\SysWOW64\tabbtndeep.exe
"C:\Windows\SysWOW64\tabbtndeep.exe"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EmotetMutantsSpam
- Suspicious behavior: EnumeratesProcesses
PID:1408

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1272-4-0x0000000000290000-0x00000000002A7000-memory.dmp

Filesize
92KB

Download
memory/1408-5-0x0000000000000000-mapping.dmp

Download
memory/1408-6-0x0000000000260000-0x0000000000277000-memory.dmp

Filesize
92KB

Download
memory/1408-7-0x0000000000B80000-0x0000000000BB9000-memory.dmp

Filesize
228KB

Download
memory/1704-0-0x00000000001D0000-0x00000000001E7000-memory.dmp

Filesize
92KB

Download
memory/1924-1-0x0000000000000000-mapping.dmp

Download
memory/1924-2-0x00000000001D0000-0x00000000001E7000-memory.dmp

Filesize
92KB

Download
memory/1924-3-0x0000000000B80000-0x0000000000BB9000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads