emotet | b82f2c21851dbbc28c4140767828fbd0744dd78edf663972a445f16e746e3f73

General

Target

b82f2c21851dbbc28c4140767828fbd0744dd78edf663972a445f16e746e3f73.exe
Size

179KB
MD5

c8b3199437ab28f48df03778f37902a6
SHA1

cc77a38470b68e893d04e249dace3821cb6474d5
SHA256

b82f2c21851dbbc28c4140767828fbd0744dd78edf663972a445f16e746e3f73
SHA512

031bf40a1f91baf53665e1d102f37bc820dd47f63e18e0a88bb5b6a13ec76866fd0563cc7664efd53e0bb78f33c7e12fb26fb23fb4255ed2eebe7606c8c85570

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 5 IoCs

Processes:

relredist.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	relredist.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	relredist.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	relredist.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	relredist.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	relredist.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

Processes:

relredist.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	relredist.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	relredist.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	relredist.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

relredist.exe

pid	process
3356	relredist.exe
3356	relredist.exe
3356	relredist.exe
3356	relredist.exe
3356	relredist.exe
3356	relredist.exe
3356	relredist.exe
3356	relredist.exe
3356	relredist.exe
3356	relredist.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

b82f2c21851dbbc28c4140767828fbd0744dd78edf663972a445f16e746e3f73.exe

pid process

2056 b82f2c21851dbbc28c4140767828fbd0744dd78edf663972a445f16e746e3f73.exe

pid	process
2056	b82f2c21851dbbc28c4140767828fbd0744dd78edf663972a445f16e746e3f73.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

b82f2c21851dbbc28c4140767828fbd0744dd78edf663972a445f16e746e3f73.exerelredist.exe

description	pid	process	target process
PID 1908 wrote to memory of 2056	1908	b82f2c21851dbbc28c4140767828fbd0744dd78edf663972a445f16e746e3f73.exe	b82f2c21851dbbc28c4140767828fbd0744dd78edf663972a445f16e746e3f73.exe
PID 1908 wrote to memory of 2056	1908	b82f2c21851dbbc28c4140767828fbd0744dd78edf663972a445f16e746e3f73.exe	b82f2c21851dbbc28c4140767828fbd0744dd78edf663972a445f16e746e3f73.exe
PID 1908 wrote to memory of 2056	1908	b82f2c21851dbbc28c4140767828fbd0744dd78edf663972a445f16e746e3f73.exe	b82f2c21851dbbc28c4140767828fbd0744dd78edf663972a445f16e746e3f73.exe
PID 2764 wrote to memory of 3356	2764	relredist.exe	relredist.exe
PID 2764 wrote to memory of 3356	2764	relredist.exe	relredist.exe
PID 2764 wrote to memory of 3356	2764	relredist.exe	relredist.exe

C:\Users\Admin\AppData\Local\Temp\b82f2c21851dbbc28c4140767828fbd0744dd78edf663972a445f16e746e3f73.exe
"C:\Users\Admin\AppData\Local\Temp\b82f2c21851dbbc28c4140767828fbd0744dd78edf663972a445f16e746e3f73.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Users\Admin\AppData\Local\Temp\b82f2c21851dbbc28c4140767828fbd0744dd78edf663972a445f16e746e3f73.exe
  --4d10b388
  2⤵
  - Suspicious behavior: RenamesItself
  PID:2056

C:\Windows\SysWOW64\relredist.exe
"C:\Windows\SysWOW64\relredist.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Windows\SysWOW64\relredist.exe
  --be6a9ba8
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:3356

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1908-114-0x00000000005C0000-0x00000000005D1000-memory.dmp

Filesize
68KB

Download
memory/1908-116-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2056-115-0x0000000000000000-mapping.dmp

Download
memory/2056-117-0x0000000000430000-0x000000000057A000-memory.dmp

Filesize
1.3MB

Download
memory/2056-118-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2764-121-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3356-120-0x0000000000000000-mapping.dmp

Download
memory/3356-122-0x0000000000560000-0x00000000006AA000-memory.dmp

Filesize
1.3MB

Download
memory/3356-123-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads