emotet | fe67208312a732b43e261eae866db9d0387728033863fc10bf84ddfee49ccdab

General

Target

fe67208312a732b43e261eae866db9d0387728033863fc10bf84ddfee49ccdab.exe
Size

149KB
MD5

4e8a94ca8cdadfe9c269907a1565deff
SHA1

95c0bb6b8b7790f29d0d7290cbd3201772a8d866
SHA256

fe67208312a732b43e261eae866db9d0387728033863fc10bf84ddfee49ccdab
SHA512

2c05aee7485339e00152717873b581a7e0ed35acf61de97fac3d813cfb5072bf4354cfff486dd02040cfa5bedadbdc7fe6263ae891900d9c5b3794c6631ea585

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 1 IoCs

Processes:

phoenixiprop.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	phoenixiprop.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 21 IoCs

Processes:

phoenixiprop.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}\WpadDecisionTime = d0aedd9f6e4ad701	phoenixiprop.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-63-5e-29-41-08\WpadDecisionReason = "1"	phoenixiprop.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	phoenixiprop.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	phoenixiprop.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	phoenixiprop.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a07001a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	phoenixiprop.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}	phoenixiprop.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	phoenixiprop.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	phoenixiprop.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	phoenixiprop.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}\86-63-5e-29-41-08	phoenixiprop.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}\WpadDecisionReason = "1"	phoenixiprop.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}\WpadDecision = "0"	phoenixiprop.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-63-5e-29-41-08	phoenixiprop.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-63-5e-29-41-08\WpadDecisionTime = d0aedd9f6e4ad701	phoenixiprop.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-63-5e-29-41-08\WpadDecision = "0"	phoenixiprop.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	phoenixiprop.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	phoenixiprop.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	phoenixiprop.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	phoenixiprop.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}\WpadNetworkName = "Network"	phoenixiprop.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

phoenixiprop.exe

pid process

1800 phoenixiprop.exe
1800 phoenixiprop.exe
1800 phoenixiprop.exe
1800 phoenixiprop.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

fe67208312a732b43e261eae866db9d0387728033863fc10bf84ddfee49ccdab.exe

pid process

1196 fe67208312a732b43e261eae866db9d0387728033863fc10bf84ddfee49ccdab.exe

pid	process
1800	phoenixiprop.exe
1800	phoenixiprop.exe
1800	phoenixiprop.exe
1800	phoenixiprop.exe

pid	process
1196	fe67208312a732b43e261eae866db9d0387728033863fc10bf84ddfee49ccdab.exe

Suspicious use of UnmapMainImage 4 IoCs

Processes:

fe67208312a732b43e261eae866db9d0387728033863fc10bf84ddfee49ccdab.exefe67208312a732b43e261eae866db9d0387728033863fc10bf84ddfee49ccdab.exephoenixiprop.exephoenixiprop.exe

pid	process
320	fe67208312a732b43e261eae866db9d0387728033863fc10bf84ddfee49ccdab.exe
1196	fe67208312a732b43e261eae866db9d0387728033863fc10bf84ddfee49ccdab.exe
1604	phoenixiprop.exe
1800	phoenixiprop.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

fe67208312a732b43e261eae866db9d0387728033863fc10bf84ddfee49ccdab.exephoenixiprop.exe

description	pid	process	target process
PID 320 wrote to memory of 1196	320	fe67208312a732b43e261eae866db9d0387728033863fc10bf84ddfee49ccdab.exe	fe67208312a732b43e261eae866db9d0387728033863fc10bf84ddfee49ccdab.exe
PID 320 wrote to memory of 1196	320	fe67208312a732b43e261eae866db9d0387728033863fc10bf84ddfee49ccdab.exe	fe67208312a732b43e261eae866db9d0387728033863fc10bf84ddfee49ccdab.exe
PID 320 wrote to memory of 1196	320	fe67208312a732b43e261eae866db9d0387728033863fc10bf84ddfee49ccdab.exe	fe67208312a732b43e261eae866db9d0387728033863fc10bf84ddfee49ccdab.exe
PID 320 wrote to memory of 1196	320	fe67208312a732b43e261eae866db9d0387728033863fc10bf84ddfee49ccdab.exe	fe67208312a732b43e261eae866db9d0387728033863fc10bf84ddfee49ccdab.exe
PID 1604 wrote to memory of 1800	1604	phoenixiprop.exe	phoenixiprop.exe
PID 1604 wrote to memory of 1800	1604	phoenixiprop.exe	phoenixiprop.exe
PID 1604 wrote to memory of 1800	1604	phoenixiprop.exe	phoenixiprop.exe
PID 1604 wrote to memory of 1800	1604	phoenixiprop.exe	phoenixiprop.exe

C:\Users\Admin\AppData\Local\Temp\fe67208312a732b43e261eae866db9d0387728033863fc10bf84ddfee49ccdab.exe
"C:\Users\Admin\AppData\Local\Temp\fe67208312a732b43e261eae866db9d0387728033863fc10bf84ddfee49ccdab.exe"
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:320

C:\Users\Admin\AppData\Local\Temp\fe67208312a732b43e261eae866db9d0387728033863fc10bf84ddfee49ccdab.exe
--ca51e628
2⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
PID:1196

C:\Windows\SysWOW64\phoenixiprop.exe
"C:\Windows\SysWOW64\phoenixiprop.exe"
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1604

C:\Windows\SysWOW64\phoenixiprop.exe
--a569d6f
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
PID:1800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/320-59-0x0000000000220000-0x0000000000231000-memory.dmp

Filesize
68KB

Download
memory/320-61-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1196-60-0x0000000000000000-mapping.dmp

Download
memory/1196-63-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1196-64-0x0000000075051000-0x0000000075053000-memory.dmp

Filesize
8KB

Download
memory/1800-66-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads