emotet | ea65aabffb33b122be980c2ea7a66f9ce8b3f81c83a94fff962bbc7725d8e7b7

General

Target

ea65aabffb33b122be980c2ea7a66f9ce8b3f81c83a94fff962bbc7725d8e7b7.exe
Size

170KB
MD5

5b5b849bbb349fea02d69a076302ddab
SHA1

3ddb25d728b7cce43d1948433c27a67cbb6c0ff7
SHA256

ea65aabffb33b122be980c2ea7a66f9ce8b3f81c83a94fff962bbc7725d8e7b7
SHA512

30dd4c08c617cff339b4d235ff0cd72568bd77eeba85a37dd360d2283f56814b0d7088ed810cff8d09e005025aef802e50f4960b780c0be98ca62b43576dbeb8

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 5 IoCs

Processes:

scrnstarta.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	scrnstarta.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	scrnstarta.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	scrnstarta.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	scrnstarta.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	scrnstarta.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

Processes:

scrnstarta.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	scrnstarta.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	scrnstarta.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	scrnstarta.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

scrnstarta.exe

pid	process
3548	scrnstarta.exe
3548	scrnstarta.exe
3548	scrnstarta.exe
3548	scrnstarta.exe
3548	scrnstarta.exe
3548	scrnstarta.exe
3548	scrnstarta.exe
3548	scrnstarta.exe
3548	scrnstarta.exe
3548	scrnstarta.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

ea65aabffb33b122be980c2ea7a66f9ce8b3f81c83a94fff962bbc7725d8e7b7.exe

pid process

3536 ea65aabffb33b122be980c2ea7a66f9ce8b3f81c83a94fff962bbc7725d8e7b7.exe

pid	process
3536	ea65aabffb33b122be980c2ea7a66f9ce8b3f81c83a94fff962bbc7725d8e7b7.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

ea65aabffb33b122be980c2ea7a66f9ce8b3f81c83a94fff962bbc7725d8e7b7.exescrnstarta.exe

description	pid	process	target process
PID 3724 wrote to memory of 3536	3724	ea65aabffb33b122be980c2ea7a66f9ce8b3f81c83a94fff962bbc7725d8e7b7.exe	ea65aabffb33b122be980c2ea7a66f9ce8b3f81c83a94fff962bbc7725d8e7b7.exe
PID 3724 wrote to memory of 3536	3724	ea65aabffb33b122be980c2ea7a66f9ce8b3f81c83a94fff962bbc7725d8e7b7.exe	ea65aabffb33b122be980c2ea7a66f9ce8b3f81c83a94fff962bbc7725d8e7b7.exe
PID 3724 wrote to memory of 3536	3724	ea65aabffb33b122be980c2ea7a66f9ce8b3f81c83a94fff962bbc7725d8e7b7.exe	ea65aabffb33b122be980c2ea7a66f9ce8b3f81c83a94fff962bbc7725d8e7b7.exe
PID 2648 wrote to memory of 3548	2648	scrnstarta.exe	scrnstarta.exe
PID 2648 wrote to memory of 3548	2648	scrnstarta.exe	scrnstarta.exe
PID 2648 wrote to memory of 3548	2648	scrnstarta.exe	scrnstarta.exe

C:\Users\Admin\AppData\Local\Temp\ea65aabffb33b122be980c2ea7a66f9ce8b3f81c83a94fff962bbc7725d8e7b7.exe
"C:\Users\Admin\AppData\Local\Temp\ea65aabffb33b122be980c2ea7a66f9ce8b3f81c83a94fff962bbc7725d8e7b7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3724

C:\Users\Admin\AppData\Local\Temp\ea65aabffb33b122be980c2ea7a66f9ce8b3f81c83a94fff962bbc7725d8e7b7.exe
--42502a94
2⤵
- Suspicious behavior: RenamesItself
PID:3536

C:\Windows\SysWOW64\scrnstarta.exe
"C:\Windows\SysWOW64\scrnstarta.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2648

C:\Windows\SysWOW64\scrnstarta.exe
--7b1067bd
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2648-121-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3536-115-0x0000000000000000-mapping.dmp

Download
memory/3536-117-0x0000000002020000-0x0000000002031000-memory.dmp

Filesize
68KB

Download
memory/3536-118-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3548-120-0x0000000000000000-mapping.dmp

Download
memory/3548-123-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3724-114-0x0000000000560000-0x00000000006AA000-memory.dmp

Filesize
1.3MB

Download
memory/3724-116-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads