emotet | 5d5ef6429494a7789f3a086c5aeafd825cb033e74507c1c03495ceb37c81bf98

General

Target

5d5ef6429494a7789f3a086c5aeafd825cb033e74507c1c03495ceb37c81bf98.exe
Size

372KB
MD5

ae7d41c270b9a835e387d6b3794d8db5
SHA1

afc7b1e9e5ab0c88038b0f6a021282b9eec549de
SHA256

5d5ef6429494a7789f3a086c5aeafd825cb033e74507c1c03495ceb37c81bf98
SHA512

c69fd3fb00270ea093f5fb7c28c841c8f31b0f6d930d0f42144e6c3bcee7040c80e6ba707eecf2f3a47b6262cc92114c387ae1f45bd4e1e7be7bf2d3ca820780

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 5 IoCs

Processes:

leelcompon.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	leelcompon.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	leelcompon.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	leelcompon.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	leelcompon.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	leelcompon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

Processes:

leelcompon.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	leelcompon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	leelcompon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	leelcompon.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

leelcompon.exe

pid	process
3332	leelcompon.exe
3332	leelcompon.exe
3332	leelcompon.exe
3332	leelcompon.exe
3332	leelcompon.exe
3332	leelcompon.exe
3332	leelcompon.exe
3332	leelcompon.exe
3332	leelcompon.exe
3332	leelcompon.exe
3332	leelcompon.exe
3332	leelcompon.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

5d5ef6429494a7789f3a086c5aeafd825cb033e74507c1c03495ceb37c81bf98.exe

pid process

1192 5d5ef6429494a7789f3a086c5aeafd825cb033e74507c1c03495ceb37c81bf98.exe

pid	process
1192	5d5ef6429494a7789f3a086c5aeafd825cb033e74507c1c03495ceb37c81bf98.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

5d5ef6429494a7789f3a086c5aeafd825cb033e74507c1c03495ceb37c81bf98.exeleelcompon.exe

description	pid	process	target process
PID 3652 wrote to memory of 1192	3652	5d5ef6429494a7789f3a086c5aeafd825cb033e74507c1c03495ceb37c81bf98.exe	5d5ef6429494a7789f3a086c5aeafd825cb033e74507c1c03495ceb37c81bf98.exe
PID 3652 wrote to memory of 1192	3652	5d5ef6429494a7789f3a086c5aeafd825cb033e74507c1c03495ceb37c81bf98.exe	5d5ef6429494a7789f3a086c5aeafd825cb033e74507c1c03495ceb37c81bf98.exe
PID 3652 wrote to memory of 1192	3652	5d5ef6429494a7789f3a086c5aeafd825cb033e74507c1c03495ceb37c81bf98.exe	5d5ef6429494a7789f3a086c5aeafd825cb033e74507c1c03495ceb37c81bf98.exe
PID 3956 wrote to memory of 3332	3956	leelcompon.exe	leelcompon.exe
PID 3956 wrote to memory of 3332	3956	leelcompon.exe	leelcompon.exe
PID 3956 wrote to memory of 3332	3956	leelcompon.exe	leelcompon.exe

C:\Users\Admin\AppData\Local\Temp\5d5ef6429494a7789f3a086c5aeafd825cb033e74507c1c03495ceb37c81bf98.exe
"C:\Users\Admin\AppData\Local\Temp\5d5ef6429494a7789f3a086c5aeafd825cb033e74507c1c03495ceb37c81bf98.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3652

C:\Users\Admin\AppData\Local\Temp\5d5ef6429494a7789f3a086c5aeafd825cb033e74507c1c03495ceb37c81bf98.exe
--744c99d7
2⤵
- Suspicious behavior: RenamesItself
PID:1192

C:\Windows\SysWOW64\leelcompon.exe
"C:\Windows\SysWOW64\leelcompon.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3956

C:\Windows\SysWOW64\leelcompon.exe
--42bc2720
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3332

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\4f7b12359ff0cd5362f9410c19b36a74_89bbad60-16d5-41c2-ad8d-716f4ac5f4c2
MD5
e4b53ea64ceb467b80ac8c2a2cdaebdf

SHA1
6ffec5f65ba74828f2c9e767624c075576546d41

SHA256
ee7615f799b8f2710a58f5b765a36ede97c281a1c5fc16044d89d8089e5f8658

SHA512
a462b615b016ea6432a0f4fced211a57448f7c19736e50cc020b1c70663ec58beeafeed3f42aa6affabfda11b936b19fc69ce0a102ca7ce92184c5e995e630fe

Download Submit
memory/1192-114-0x0000000000000000-mapping.dmp

Download
memory/1192-117-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/3332-118-0x0000000000000000-mapping.dmp

Download
memory/3332-122-0x0000000000460000-0x000000000050E000-memory.dmp

Filesize
696KB

Download
memory/3652-116-0x0000000000680000-0x0000000000690000-memory.dmp

Filesize
64KB

Download
memory/3956-119-0x00000000001D0000-0x00000000001F3000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads