emotet | 54dba7de43a2863d3a091d312d987915622068a027bd07ce63288083352902a4

General

Target

54dba7de43a2863d3a091d312d987915622068a027bd07ce63288083352902a4.exe
Size

159KB
MD5

ff51be7345fd3ec5cc78e733239335a8
SHA1

8903d63999d01fcb3f9ea42493324af669ae6a04
SHA256

54dba7de43a2863d3a091d312d987915622068a027bd07ce63288083352902a4
SHA512

d15823b254aced0325516188f33b6564d43d5e8331fbf08a6da034738d32bc114da44049dad66a4d44289e8791fb69d73e71471768b756f42df3a6b069826ee4

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 5 IoCs

Processes:

phoenixbit.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	phoenixbit.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	phoenixbit.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	phoenixbit.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	phoenixbit.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	phoenixbit.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

Processes:

phoenixbit.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	phoenixbit.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	phoenixbit.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	phoenixbit.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

phoenixbit.exe

pid	process
2584	phoenixbit.exe
2584	phoenixbit.exe
2584	phoenixbit.exe
2584	phoenixbit.exe
2584	phoenixbit.exe
2584	phoenixbit.exe
2584	phoenixbit.exe
2584	phoenixbit.exe
2584	phoenixbit.exe
2584	phoenixbit.exe
2584	phoenixbit.exe
2584	phoenixbit.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

54dba7de43a2863d3a091d312d987915622068a027bd07ce63288083352902a4.exe

pid process

3860 54dba7de43a2863d3a091d312d987915622068a027bd07ce63288083352902a4.exe

pid	process
3860	54dba7de43a2863d3a091d312d987915622068a027bd07ce63288083352902a4.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

54dba7de43a2863d3a091d312d987915622068a027bd07ce63288083352902a4.exephoenixbit.exe

description	pid	process	target process
PID 644 wrote to memory of 3860	644	54dba7de43a2863d3a091d312d987915622068a027bd07ce63288083352902a4.exe	54dba7de43a2863d3a091d312d987915622068a027bd07ce63288083352902a4.exe
PID 644 wrote to memory of 3860	644	54dba7de43a2863d3a091d312d987915622068a027bd07ce63288083352902a4.exe	54dba7de43a2863d3a091d312d987915622068a027bd07ce63288083352902a4.exe
PID 644 wrote to memory of 3860	644	54dba7de43a2863d3a091d312d987915622068a027bd07ce63288083352902a4.exe	54dba7de43a2863d3a091d312d987915622068a027bd07ce63288083352902a4.exe
PID 1252 wrote to memory of 2584	1252	phoenixbit.exe	phoenixbit.exe
PID 1252 wrote to memory of 2584	1252	phoenixbit.exe	phoenixbit.exe
PID 1252 wrote to memory of 2584	1252	phoenixbit.exe	phoenixbit.exe

C:\Users\Admin\AppData\Local\Temp\54dba7de43a2863d3a091d312d987915622068a027bd07ce63288083352902a4.exe
"C:\Users\Admin\AppData\Local\Temp\54dba7de43a2863d3a091d312d987915622068a027bd07ce63288083352902a4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:644
- C:\Users\Admin\AppData\Local\Temp\54dba7de43a2863d3a091d312d987915622068a027bd07ce63288083352902a4.exe
  --e3dcd265
  2⤵
  - Suspicious behavior: RenamesItself
  PID:3860

C:\Windows\SysWOW64\phoenixbit.exe
"C:\Windows\SysWOW64\phoenixbit.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Windows\SysWOW64\phoenixbit.exe
  --31449770
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/644-114-0x0000000000590000-0x00000000005A1000-memory.dmp

Filesize
68KB

Download
memory/644-116-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1252-121-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2584-120-0x0000000000000000-mapping.dmp

Download
memory/2584-123-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3860-115-0x0000000000000000-mapping.dmp

Download
memory/3860-118-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads