emotet | c9c9bc27f596eb25d234491aeb394d85bbba1a640bcf72f39e4b3c373fbe8eb9

General

Target

c9c9bc27f596eb25d234491aeb394d85bbba1a640bcf72f39e4b3c373fbe8eb9.exe
Size

143KB
MD5

28b6e7754847c8c90eed3c0d8b82819f
SHA1

e960661b7f2e2e2465dd4fe9eb1b69dd049b8e34
SHA256

c9c9bc27f596eb25d234491aeb394d85bbba1a640bcf72f39e4b3c373fbe8eb9
SHA512

84ff731622c8ac225da655c4f1c5859dae48c8a7d37318584b50820aabe948ac320faf04424e29ed8d88192ad97c19e79cfedb6d31114a18957cdfc43342cf48

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 5 IoCs

Processes:

unpackbulk.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	unpackbulk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	unpackbulk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	unpackbulk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	unpackbulk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	unpackbulk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

Processes:

unpackbulk.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	unpackbulk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	unpackbulk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	unpackbulk.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

unpackbulk.exe

pid	process
1908	unpackbulk.exe
1908	unpackbulk.exe
1908	unpackbulk.exe
1908	unpackbulk.exe
1908	unpackbulk.exe
1908	unpackbulk.exe
1908	unpackbulk.exe
1908	unpackbulk.exe
1908	unpackbulk.exe
1908	unpackbulk.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

c9c9bc27f596eb25d234491aeb394d85bbba1a640bcf72f39e4b3c373fbe8eb9.exe

pid process

3992 c9c9bc27f596eb25d234491aeb394d85bbba1a640bcf72f39e4b3c373fbe8eb9.exe

pid	process
3992	c9c9bc27f596eb25d234491aeb394d85bbba1a640bcf72f39e4b3c373fbe8eb9.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

c9c9bc27f596eb25d234491aeb394d85bbba1a640bcf72f39e4b3c373fbe8eb9.exeunpackbulk.exe

description	pid	process	target process
PID 3872 wrote to memory of 3992	3872	c9c9bc27f596eb25d234491aeb394d85bbba1a640bcf72f39e4b3c373fbe8eb9.exe	c9c9bc27f596eb25d234491aeb394d85bbba1a640bcf72f39e4b3c373fbe8eb9.exe
PID 3872 wrote to memory of 3992	3872	c9c9bc27f596eb25d234491aeb394d85bbba1a640bcf72f39e4b3c373fbe8eb9.exe	c9c9bc27f596eb25d234491aeb394d85bbba1a640bcf72f39e4b3c373fbe8eb9.exe
PID 3872 wrote to memory of 3992	3872	c9c9bc27f596eb25d234491aeb394d85bbba1a640bcf72f39e4b3c373fbe8eb9.exe	c9c9bc27f596eb25d234491aeb394d85bbba1a640bcf72f39e4b3c373fbe8eb9.exe
PID 1484 wrote to memory of 1908	1484	unpackbulk.exe	unpackbulk.exe
PID 1484 wrote to memory of 1908	1484	unpackbulk.exe	unpackbulk.exe
PID 1484 wrote to memory of 1908	1484	unpackbulk.exe	unpackbulk.exe

C:\Users\Admin\AppData\Local\Temp\c9c9bc27f596eb25d234491aeb394d85bbba1a640bcf72f39e4b3c373fbe8eb9.exe
"C:\Users\Admin\AppData\Local\Temp\c9c9bc27f596eb25d234491aeb394d85bbba1a640bcf72f39e4b3c373fbe8eb9.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3872

C:\Users\Admin\AppData\Local\Temp\c9c9bc27f596eb25d234491aeb394d85bbba1a640bcf72f39e4b3c373fbe8eb9.exe
--c48b4b28
2⤵
- Suspicious behavior: RenamesItself
PID:3992

C:\Windows\SysWOW64\unpackbulk.exe
"C:\Windows\SysWOW64\unpackbulk.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\SysWOW64\unpackbulk.exe
--7407af96
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1484-121-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1908-120-0x0000000000000000-mapping.dmp

Download
memory/3872-114-0x00000000001E0000-0x00000000001F1000-memory.dmp

Filesize
68KB

Download
memory/3872-116-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3992-115-0x0000000000000000-mapping.dmp

Download
memory/3992-117-0x0000000000570000-0x00000000006BA000-memory.dmp

Filesize
1.3MB

Download
memory/3992-118-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads