emotet | e6c5fcde6492ba4a79eb9c8fac2edd28a4691a0bc434cf53b92618f1967bd1fa

General

Target

e6c5fcde6492ba4a79eb9c8fac2edd28a4691a0bc434cf53b92618f1967bd1fa.exe
Size

160KB
MD5

976d5fe15f687f907f22c1f709204dbd
SHA1

861ce7f421a60e4c0c6c03027be4c2bfa5fd9a6b
SHA256

e6c5fcde6492ba4a79eb9c8fac2edd28a4691a0bc434cf53b92618f1967bd1fa
SHA512

06459f5dc47942f45c195a10b0251744487ff40f0a81fa0c55258cd71fc08e7c332ad1582c9b5fca19c94a564cb3c3587cb098318aaf4dcab799f3a148182cf3

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	mnushims.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
1016	e6c5fcde6492ba4a79eb9c8fac2edd28a4691a0bc434cf53b92618f1967bd1fa.exe
1016	e6c5fcde6492ba4a79eb9c8fac2edd28a4691a0bc434cf53b92618f1967bd1fa.exe
516	e6c5fcde6492ba4a79eb9c8fac2edd28a4691a0bc434cf53b92618f1967bd1fa.exe
516	e6c5fcde6492ba4a79eb9c8fac2edd28a4691a0bc434cf53b92618f1967bd1fa.exe
1756	mnushims.exe
1756	mnushims.exe
3188	mnushims.exe
3188	mnushims.exe
3188	mnushims.exe
3188	mnushims.exe
3188	mnushims.exe
3188	mnushims.exe
3188	mnushims.exe
3188	mnushims.exe
3188	mnushims.exe
3188	mnushims.exe
3188	mnushims.exe
3188	mnushims.exe
3188	mnushims.exe
3188	mnushims.exe
3188	mnushims.exe
3188	mnushims.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
516	e6c5fcde6492ba4a79eb9c8fac2edd28a4691a0bc434cf53b92618f1967bd1fa.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1016 wrote to memory of 516	1016	e6c5fcde6492ba4a79eb9c8fac2edd28a4691a0bc434cf53b92618f1967bd1fa.exe	73
PID 1016 wrote to memory of 516	1016	e6c5fcde6492ba4a79eb9c8fac2edd28a4691a0bc434cf53b92618f1967bd1fa.exe	73
PID 1016 wrote to memory of 516	1016	e6c5fcde6492ba4a79eb9c8fac2edd28a4691a0bc434cf53b92618f1967bd1fa.exe	73
PID 1756 wrote to memory of 3188	1756	mnushims.exe	81
PID 1756 wrote to memory of 3188	1756	mnushims.exe	81
PID 1756 wrote to memory of 3188	1756	mnushims.exe	81

C:\Users\Admin\AppData\Local\Temp\e6c5fcde6492ba4a79eb9c8fac2edd28a4691a0bc434cf53b92618f1967bd1fa.exe
"C:\Users\Admin\AppData\Local\Temp\e6c5fcde6492ba4a79eb9c8fac2edd28a4691a0bc434cf53b92618f1967bd1fa.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Users\Admin\AppData\Local\Temp\e6c5fcde6492ba4a79eb9c8fac2edd28a4691a0bc434cf53b92618f1967bd1fa.exe
  "C:\Users\Admin\AppData\Local\Temp\e6c5fcde6492ba4a79eb9c8fac2edd28a4691a0bc434cf53b92618f1967bd1fa.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  PID:516

C:\Windows\SysWOW64\mnushims.exe
"C:\Windows\SysWOW64\mnushims.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Windows\SysWOW64\mnushims.exe
  "C:\Windows\SysWOW64\mnushims.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3188

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/516-126-0x00000000005B0000-0x00000000005C0000-memory.dmp

Filesize
64KB

Download
memory/516-125-0x0000000000430000-0x000000000057A000-memory.dmp

Filesize
1.3MB

Download
memory/516-119-0x0000000000590000-0x00000000005A7000-memory.dmp

Filesize
92KB

Download
memory/516-122-0x0000000000590000-0x00000000005A7000-memory.dmp

Filesize
92KB

Download
memory/1016-123-0x0000000000540000-0x000000000068A000-memory.dmp

Filesize
1.3MB

Download
memory/1016-124-0x00000000005C0000-0x00000000005D0000-memory.dmp

Filesize
64KB

Download
memory/1016-117-0x00000000005A0000-0x00000000005B7000-memory.dmp

Filesize
92KB

Download
memory/1016-115-0x00000000005A0000-0x00000000005B7000-memory.dmp

Filesize
92KB

Download
memory/1756-130-0x0000000000D20000-0x0000000000D37000-memory.dmp

Filesize
92KB

Download
memory/1756-127-0x0000000000D20000-0x0000000000D37000-memory.dmp

Filesize
92KB

Download
memory/1756-137-0x0000000000940000-0x0000000000950000-memory.dmp

Filesize
64KB

Download
memory/1756-136-0x0000000000D00000-0x0000000000D17000-memory.dmp

Filesize
92KB

Download
memory/3188-132-0x0000000000B80000-0x0000000000B97000-memory.dmp

Filesize
92KB

Download
memory/3188-135-0x0000000000B80000-0x0000000000B97000-memory.dmp

Filesize
92KB

Download
memory/3188-139-0x0000000000600000-0x0000000000610000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing