emotet | bf6f9f8f38399302917fd8d4b2db61ac34fc61bb72c049506c602ac3542db636

General

Target

bf6f9f8f38399302917fd8d4b2db61ac34fc61bb72c049506c602ac3542db636.exe
Size

136KB
MD5

e9d2d3e643fe767bce1cfeada14b0fd4
SHA1

f1a1048ba8b93de2f5c9c91801fa9003a896c20e
SHA256

bf6f9f8f38399302917fd8d4b2db61ac34fc61bb72c049506c602ac3542db636
SHA512

b1296468dcbc6fcd95b647eaa3a98dab3b244027b1769be7cba6931dba2c8b5fa8abee68ef21ef6bd16d5d49a0e90aea89ab744bdb69220789f12c9d0615c745

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 5 IoCs

Processes:

relredist.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	relredist.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	relredist.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	relredist.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	relredist.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	relredist.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

Processes:

relredist.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	relredist.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	relredist.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	relredist.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

relredist.exe

pid	process
3416	relredist.exe
3416	relredist.exe
3416	relredist.exe
3416	relredist.exe
3416	relredist.exe
3416	relredist.exe
3416	relredist.exe
3416	relredist.exe
3416	relredist.exe
3416	relredist.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

bf6f9f8f38399302917fd8d4b2db61ac34fc61bb72c049506c602ac3542db636.exe

pid process

1892 bf6f9f8f38399302917fd8d4b2db61ac34fc61bb72c049506c602ac3542db636.exe

pid	process
1892	bf6f9f8f38399302917fd8d4b2db61ac34fc61bb72c049506c602ac3542db636.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

bf6f9f8f38399302917fd8d4b2db61ac34fc61bb72c049506c602ac3542db636.exerelredist.exe

description	pid	process	target process
PID 4060 wrote to memory of 1892	4060	bf6f9f8f38399302917fd8d4b2db61ac34fc61bb72c049506c602ac3542db636.exe	bf6f9f8f38399302917fd8d4b2db61ac34fc61bb72c049506c602ac3542db636.exe
PID 4060 wrote to memory of 1892	4060	bf6f9f8f38399302917fd8d4b2db61ac34fc61bb72c049506c602ac3542db636.exe	bf6f9f8f38399302917fd8d4b2db61ac34fc61bb72c049506c602ac3542db636.exe
PID 4060 wrote to memory of 1892	4060	bf6f9f8f38399302917fd8d4b2db61ac34fc61bb72c049506c602ac3542db636.exe	bf6f9f8f38399302917fd8d4b2db61ac34fc61bb72c049506c602ac3542db636.exe
PID 3844 wrote to memory of 3416	3844	relredist.exe	relredist.exe
PID 3844 wrote to memory of 3416	3844	relredist.exe	relredist.exe
PID 3844 wrote to memory of 3416	3844	relredist.exe	relredist.exe

C:\Users\Admin\AppData\Local\Temp\bf6f9f8f38399302917fd8d4b2db61ac34fc61bb72c049506c602ac3542db636.exe
"C:\Users\Admin\AppData\Local\Temp\bf6f9f8f38399302917fd8d4b2db61ac34fc61bb72c049506c602ac3542db636.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4060

C:\Users\Admin\AppData\Local\Temp\bf6f9f8f38399302917fd8d4b2db61ac34fc61bb72c049506c602ac3542db636.exe
--3b78a4df
2⤵
- Suspicious behavior: RenamesItself
PID:1892

C:\Windows\SysWOW64\relredist.exe
"C:\Windows\SysWOW64\relredist.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3844

C:\Windows\SysWOW64\relredist.exe
--be6a9ba8
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3416

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1892-115-0x0000000000000000-mapping.dmp

Download
memory/1892-117-0x0000000000510000-0x000000000065A000-memory.dmp

Filesize
1.3MB

Download
memory/1892-118-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3416-120-0x0000000000000000-mapping.dmp

Download
memory/3416-122-0x0000000000CE0000-0x0000000000CF1000-memory.dmp

Filesize
68KB

Download
memory/3844-119-0x0000000000430000-0x00000000004DE000-memory.dmp

Filesize
696KB

Download
memory/3844-121-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4060-114-0x0000000000480000-0x00000000005CA000-memory.dmp

Filesize
1.3MB

Download
memory/4060-116-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads