emotet | 88b6e1df8dd5d0f3345948e81df1f70315927e949e875bdda440002b0c1d16b2

General

Target

88b6e1df8dd5d0f3345948e81df1f70315927e949e875bdda440002b0c1d16b2.exe
Size

212KB
MD5

b32e26f8c8d982d8b1ad942b3e0d32cb
SHA1

bd0343fa996118f9f060908579299ebff7980700
SHA256

88b6e1df8dd5d0f3345948e81df1f70315927e949e875bdda440002b0c1d16b2
SHA512

58f09caabac2331f23d7fadfb15d85add2d52b4af5fb383888a444f19e3821fc45b00aa50aa130a7e2bcfef7d81e18694fd924d4fbb8dc532dba0715666bdeb2

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 1 IoCs

Processes:

wrapspeed.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	wrapspeed.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 21 IoCs

Processes:

wrapspeed.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	wrapspeed.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	wrapspeed.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	wrapspeed.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionReason = "1"	wrapspeed.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = 1017af640a4cd701	wrapspeed.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecision = "0"	wrapspeed.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}	wrapspeed.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecision = "0"	wrapspeed.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadNetworkName = "Network"	wrapspeed.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77	wrapspeed.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	wrapspeed.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	wrapspeed.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	wrapspeed.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a070010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	wrapspeed.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\32-e2-17-db-d2-77	wrapspeed.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecisionReason = "1"	wrapspeed.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecisionTime = 1017af640a4cd701	wrapspeed.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	wrapspeed.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	wrapspeed.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	wrapspeed.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	wrapspeed.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

wrapspeed.exe

pid process

1288 wrapspeed.exe
1288 wrapspeed.exe
1288 wrapspeed.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

88b6e1df8dd5d0f3345948e81df1f70315927e949e875bdda440002b0c1d16b2.exe

pid process

1752 88b6e1df8dd5d0f3345948e81df1f70315927e949e875bdda440002b0c1d16b2.exe

pid	process
1288	wrapspeed.exe
1288	wrapspeed.exe
1288	wrapspeed.exe

pid	process
1752	88b6e1df8dd5d0f3345948e81df1f70315927e949e875bdda440002b0c1d16b2.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

88b6e1df8dd5d0f3345948e81df1f70315927e949e875bdda440002b0c1d16b2.exe88b6e1df8dd5d0f3345948e81df1f70315927e949e875bdda440002b0c1d16b2.exewrapspeed.exewrapspeed.exe

pid	process
296	88b6e1df8dd5d0f3345948e81df1f70315927e949e875bdda440002b0c1d16b2.exe
1752	88b6e1df8dd5d0f3345948e81df1f70315927e949e875bdda440002b0c1d16b2.exe
1428	wrapspeed.exe
1288	wrapspeed.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

88b6e1df8dd5d0f3345948e81df1f70315927e949e875bdda440002b0c1d16b2.exewrapspeed.exe

description	pid	process	target process
PID 296 wrote to memory of 1752	296	88b6e1df8dd5d0f3345948e81df1f70315927e949e875bdda440002b0c1d16b2.exe	88b6e1df8dd5d0f3345948e81df1f70315927e949e875bdda440002b0c1d16b2.exe
PID 296 wrote to memory of 1752	296	88b6e1df8dd5d0f3345948e81df1f70315927e949e875bdda440002b0c1d16b2.exe	88b6e1df8dd5d0f3345948e81df1f70315927e949e875bdda440002b0c1d16b2.exe
PID 296 wrote to memory of 1752	296	88b6e1df8dd5d0f3345948e81df1f70315927e949e875bdda440002b0c1d16b2.exe	88b6e1df8dd5d0f3345948e81df1f70315927e949e875bdda440002b0c1d16b2.exe
PID 296 wrote to memory of 1752	296	88b6e1df8dd5d0f3345948e81df1f70315927e949e875bdda440002b0c1d16b2.exe	88b6e1df8dd5d0f3345948e81df1f70315927e949e875bdda440002b0c1d16b2.exe
PID 1428 wrote to memory of 1288	1428	wrapspeed.exe	wrapspeed.exe
PID 1428 wrote to memory of 1288	1428	wrapspeed.exe	wrapspeed.exe
PID 1428 wrote to memory of 1288	1428	wrapspeed.exe	wrapspeed.exe
PID 1428 wrote to memory of 1288	1428	wrapspeed.exe	wrapspeed.exe

C:\Users\Admin\AppData\Local\Temp\88b6e1df8dd5d0f3345948e81df1f70315927e949e875bdda440002b0c1d16b2.exe
"C:\Users\Admin\AppData\Local\Temp\88b6e1df8dd5d0f3345948e81df1f70315927e949e875bdda440002b0c1d16b2.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:296

C:\Users\Admin\AppData\Local\Temp\88b6e1df8dd5d0f3345948e81df1f70315927e949e875bdda440002b0c1d16b2.exe
--379743e2
2⤵
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
PID:1752

C:\Windows\SysWOW64\wrapspeed.exe
"C:\Windows\SysWOW64\wrapspeed.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1428

C:\Windows\SysWOW64\wrapspeed.exe
--fe9904d3
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1288

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/296-60-0x00000000002D0000-0x00000000002E1000-memory.dmp

Filesize
68KB

Download
memory/1288-63-0x0000000000000000-mapping.dmp

Download
memory/1428-62-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download
memory/1752-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads