emotet | 42441876b8d0db0a3ea49640bb989b269801ed6d48fa895eb544bb9a56eb24de

General

Target

42441876b8d0db0a3ea49640bb989b269801ed6d48fa895eb544bb9a56eb24de.exe
Size

149KB
MD5

0ce8dd46919a2dc2476a9bfadf88aee5
SHA1

24ce36c4808046d2a82e082f4d419c6d25533d2f
SHA256

42441876b8d0db0a3ea49640bb989b269801ed6d48fa895eb544bb9a56eb24de
SHA512

603c979e7cce3535c56e6fcfd12c3580f90a9dc866ad2d982bb3131f144723b15f32e8d8b53f4cc431582c83fd2f42de31ddef4fe3f95dcc8032318b83a9514a

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 5 IoCs

Processes:

soundtyp.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	soundtyp.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	soundtyp.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	soundtyp.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	soundtyp.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	soundtyp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

Processes:

soundtyp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	soundtyp.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	soundtyp.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	soundtyp.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

soundtyp.exe

pid	process
3396	soundtyp.exe
3396	soundtyp.exe
3396	soundtyp.exe
3396	soundtyp.exe
3396	soundtyp.exe
3396	soundtyp.exe
3396	soundtyp.exe
3396	soundtyp.exe
3396	soundtyp.exe
3396	soundtyp.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

42441876b8d0db0a3ea49640bb989b269801ed6d48fa895eb544bb9a56eb24de.exe

pid process

2712 42441876b8d0db0a3ea49640bb989b269801ed6d48fa895eb544bb9a56eb24de.exe

pid	process
2712	42441876b8d0db0a3ea49640bb989b269801ed6d48fa895eb544bb9a56eb24de.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

42441876b8d0db0a3ea49640bb989b269801ed6d48fa895eb544bb9a56eb24de.exesoundtyp.exe

description	pid	process	target process
PID 4008 wrote to memory of 2712	4008	42441876b8d0db0a3ea49640bb989b269801ed6d48fa895eb544bb9a56eb24de.exe	42441876b8d0db0a3ea49640bb989b269801ed6d48fa895eb544bb9a56eb24de.exe
PID 4008 wrote to memory of 2712	4008	42441876b8d0db0a3ea49640bb989b269801ed6d48fa895eb544bb9a56eb24de.exe	42441876b8d0db0a3ea49640bb989b269801ed6d48fa895eb544bb9a56eb24de.exe
PID 4008 wrote to memory of 2712	4008	42441876b8d0db0a3ea49640bb989b269801ed6d48fa895eb544bb9a56eb24de.exe	42441876b8d0db0a3ea49640bb989b269801ed6d48fa895eb544bb9a56eb24de.exe
PID 3516 wrote to memory of 3396	3516	soundtyp.exe	soundtyp.exe
PID 3516 wrote to memory of 3396	3516	soundtyp.exe	soundtyp.exe
PID 3516 wrote to memory of 3396	3516	soundtyp.exe	soundtyp.exe

C:\Users\Admin\AppData\Local\Temp\42441876b8d0db0a3ea49640bb989b269801ed6d48fa895eb544bb9a56eb24de.exe
"C:\Users\Admin\AppData\Local\Temp\42441876b8d0db0a3ea49640bb989b269801ed6d48fa895eb544bb9a56eb24de.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4008

C:\Users\Admin\AppData\Local\Temp\42441876b8d0db0a3ea49640bb989b269801ed6d48fa895eb544bb9a56eb24de.exe
--528073dc
2⤵
- Suspicious behavior: RenamesItself
PID:2712

C:\Windows\SysWOW64\soundtyp.exe
"C:\Windows\SysWOW64\soundtyp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3516

C:\Windows\SysWOW64\soundtyp.exe
--780e4c4e
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2712-115-0x0000000000000000-mapping.dmp

Download
memory/2712-117-0x0000000000570000-0x00000000006BA000-memory.dmp

Filesize
1.3MB

Download
memory/2712-118-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3396-120-0x0000000000000000-mapping.dmp

Download
memory/3396-122-0x0000000000430000-0x00000000004DE000-memory.dmp

Filesize
696KB

Download
memory/3396-123-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3516-119-0x0000000000430000-0x00000000004DE000-memory.dmp

Filesize
696KB

Download
memory/3516-121-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4008-114-0x0000000000590000-0x00000000005A1000-memory.dmp

Filesize
68KB

Download
memory/4008-116-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads