emotet | cf677969114fa5594fcdbf3de9d41776037d7396c99bd704b7d50a00dbfa65fa

General

Target

cf677969114fa5594fcdbf3de9d41776037d7396c99bd704b7d50a00dbfa65fa.exe
Size

148KB
MD5

59eed63f3d5a1f50016c55ebc9936fbf
SHA1

92c3c32a397c39b5e2ef0b6489ec8cd750065620
SHA256

cf677969114fa5594fcdbf3de9d41776037d7396c99bd704b7d50a00dbfa65fa
SHA512

cdb6d47d0c0aaf66a69f7e17f9edde052b7080b9e94bfe388821d7fa19547cb85955dba2ab322c4c65d55ddf5118308d44f72b6320b6d0cec8e2c303fcfb7423

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 1 IoCs

Processes:

allowmig.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	allowmig.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 18 IoCs

Processes:

allowmig.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	allowmig.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecision = "0"	allowmig.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	allowmig.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	allowmig.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}	allowmig.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecisionTime = 0086965b564ad701	allowmig.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\32-e2-17-db-d2-77	allowmig.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	allowmig.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	allowmig.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a070028000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	allowmig.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadNetworkName = "Network"	allowmig.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77	allowmig.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	allowmig.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	allowmig.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecisionReason = "1"	allowmig.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecision = "0"	allowmig.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionReason = "1"	allowmig.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = 0086965b564ad701	allowmig.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

cf677969114fa5594fcdbf3de9d41776037d7396c99bd704b7d50a00dbfa65fa.execf677969114fa5594fcdbf3de9d41776037d7396c99bd704b7d50a00dbfa65fa.exeallowmig.exeallowmig.exe

pid	process
1084	cf677969114fa5594fcdbf3de9d41776037d7396c99bd704b7d50a00dbfa65fa.exe
1992	cf677969114fa5594fcdbf3de9d41776037d7396c99bd704b7d50a00dbfa65fa.exe
288	allowmig.exe
396	allowmig.exe
396	allowmig.exe
396	allowmig.exe
396	allowmig.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

cf677969114fa5594fcdbf3de9d41776037d7396c99bd704b7d50a00dbfa65fa.exe

pid process

1992 cf677969114fa5594fcdbf3de9d41776037d7396c99bd704b7d50a00dbfa65fa.exe

pid	process
1992	cf677969114fa5594fcdbf3de9d41776037d7396c99bd704b7d50a00dbfa65fa.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

cf677969114fa5594fcdbf3de9d41776037d7396c99bd704b7d50a00dbfa65fa.exeallowmig.exe

description	pid	process	target process
PID 1084 wrote to memory of 1992	1084	cf677969114fa5594fcdbf3de9d41776037d7396c99bd704b7d50a00dbfa65fa.exe	cf677969114fa5594fcdbf3de9d41776037d7396c99bd704b7d50a00dbfa65fa.exe
PID 1084 wrote to memory of 1992	1084	cf677969114fa5594fcdbf3de9d41776037d7396c99bd704b7d50a00dbfa65fa.exe	cf677969114fa5594fcdbf3de9d41776037d7396c99bd704b7d50a00dbfa65fa.exe
PID 1084 wrote to memory of 1992	1084	cf677969114fa5594fcdbf3de9d41776037d7396c99bd704b7d50a00dbfa65fa.exe	cf677969114fa5594fcdbf3de9d41776037d7396c99bd704b7d50a00dbfa65fa.exe
PID 1084 wrote to memory of 1992	1084	cf677969114fa5594fcdbf3de9d41776037d7396c99bd704b7d50a00dbfa65fa.exe	cf677969114fa5594fcdbf3de9d41776037d7396c99bd704b7d50a00dbfa65fa.exe
PID 288 wrote to memory of 396	288	allowmig.exe	allowmig.exe
PID 288 wrote to memory of 396	288	allowmig.exe	allowmig.exe
PID 288 wrote to memory of 396	288	allowmig.exe	allowmig.exe
PID 288 wrote to memory of 396	288	allowmig.exe	allowmig.exe

C:\Users\Admin\AppData\Local\Temp\cf677969114fa5594fcdbf3de9d41776037d7396c99bd704b7d50a00dbfa65fa.exe
"C:\Users\Admin\AppData\Local\Temp\cf677969114fa5594fcdbf3de9d41776037d7396c99bd704b7d50a00dbfa65fa.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Users\Admin\AppData\Local\Temp\cf677969114fa5594fcdbf3de9d41776037d7396c99bd704b7d50a00dbfa65fa.exe
  "C:\Users\Admin\AppData\Local\Temp\cf677969114fa5594fcdbf3de9d41776037d7396c99bd704b7d50a00dbfa65fa.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  PID:1992

C:\Windows\SysWOW64\allowmig.exe
"C:\Windows\SysWOW64\allowmig.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:288
- C:\Windows\SysWOW64\allowmig.exe
  "C:\Windows\SysWOW64\allowmig.exe"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/288-79-0x0000000000120000-0x0000000000139000-memory.dmp

Filesize
100KB

Download
memory/288-87-0x0000000000140000-0x0000000000160000-memory.dmp

Filesize
128KB

Download
memory/288-76-0x0000000000120000-0x0000000000139000-memory.dmp

Filesize
100KB

Download
memory/396-89-0x0000000000150000-0x0000000000170000-memory.dmp

Filesize
128KB

Download
memory/396-85-0x0000000000130000-0x0000000000149000-memory.dmp

Filesize
100KB

Download
memory/396-82-0x0000000000130000-0x0000000000149000-memory.dmp

Filesize
100KB

Download
memory/396-80-0x0000000000000000-mapping.dmp

Download
memory/1084-71-0x0000000000100000-0x0000000000119000-memory.dmp

Filesize
100KB

Download
memory/1084-60-0x00000000752F1000-0x00000000752F3000-memory.dmp

Filesize
8KB

Download
memory/1084-72-0x0000000000190000-0x00000000001B0000-memory.dmp

Filesize
128KB

Download
memory/1084-64-0x0000000000120000-0x0000000000139000-memory.dmp

Filesize
100KB

Download
memory/1084-61-0x0000000000120000-0x0000000000139000-memory.dmp

Filesize
100KB

Download
memory/1992-74-0x00000000001B0000-0x00000000001D0000-memory.dmp

Filesize
128KB

Download
memory/1992-67-0x0000000000170000-0x0000000000189000-memory.dmp

Filesize
100KB

Download
memory/1992-70-0x0000000000170000-0x0000000000189000-memory.dmp

Filesize
100KB

Download
memory/1992-65-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads