emotet | 361531ae945f36019323f6047778a7b9f70093f3d41aa0507452b4c51a30d694

General

Target

361531ae945f36019323f6047778a7b9f70093f3d41aa0507452b4c51a30d694.exe
Size

292KB
MD5

244374204971acc756b7ef1c1616e4a0
SHA1

50a3ca99a3e8009ebc70671ae6df4e84e67c9a2f
SHA256

361531ae945f36019323f6047778a7b9f70093f3d41aa0507452b4c51a30d694
SHA512

8c99f3d5c71b078b58932c764b9585c12dd7cc449b7509639d592a026aec69e630753f9008eff7c353f2eac27694978abb9980f7d9b67815f2d9b508e3ef1669

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 5 IoCs

Processes:

angledef.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	angledef.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	angledef.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	angledef.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	angledef.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	angledef.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

Processes:

angledef.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	angledef.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	angledef.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	angledef.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

angledef.exe

pid	process
3976	angledef.exe
3976	angledef.exe
3976	angledef.exe
3976	angledef.exe
3976	angledef.exe
3976	angledef.exe
3976	angledef.exe
3976	angledef.exe
3976	angledef.exe
3976	angledef.exe
3976	angledef.exe
3976	angledef.exe
3976	angledef.exe
3976	angledef.exe
3976	angledef.exe
3976	angledef.exe
3976	angledef.exe
3976	angledef.exe
3976	angledef.exe
3976	angledef.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

361531ae945f36019323f6047778a7b9f70093f3d41aa0507452b4c51a30d694.exe

pid process

1668 361531ae945f36019323f6047778a7b9f70093f3d41aa0507452b4c51a30d694.exe

pid	process
1668	361531ae945f36019323f6047778a7b9f70093f3d41aa0507452b4c51a30d694.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

361531ae945f36019323f6047778a7b9f70093f3d41aa0507452b4c51a30d694.exeangledef.exe

description	pid	process	target process
PID 1832 wrote to memory of 1668	1832	361531ae945f36019323f6047778a7b9f70093f3d41aa0507452b4c51a30d694.exe	361531ae945f36019323f6047778a7b9f70093f3d41aa0507452b4c51a30d694.exe
PID 1832 wrote to memory of 1668	1832	361531ae945f36019323f6047778a7b9f70093f3d41aa0507452b4c51a30d694.exe	361531ae945f36019323f6047778a7b9f70093f3d41aa0507452b4c51a30d694.exe
PID 1832 wrote to memory of 1668	1832	361531ae945f36019323f6047778a7b9f70093f3d41aa0507452b4c51a30d694.exe	361531ae945f36019323f6047778a7b9f70093f3d41aa0507452b4c51a30d694.exe
PID 3368 wrote to memory of 3976	3368	angledef.exe	angledef.exe
PID 3368 wrote to memory of 3976	3368	angledef.exe	angledef.exe
PID 3368 wrote to memory of 3976	3368	angledef.exe	angledef.exe

C:\Users\Admin\AppData\Local\Temp\361531ae945f36019323f6047778a7b9f70093f3d41aa0507452b4c51a30d694.exe
"C:\Users\Admin\AppData\Local\Temp\361531ae945f36019323f6047778a7b9f70093f3d41aa0507452b4c51a30d694.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1832

C:\Users\Admin\AppData\Local\Temp\361531ae945f36019323f6047778a7b9f70093f3d41aa0507452b4c51a30d694.exe
--355c7734
2⤵
- Suspicious behavior: RenamesItself
PID:1668

C:\Windows\SysWOW64\angledef.exe
"C:\Windows\SysWOW64\angledef.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3368

C:\Windows\SysWOW64\angledef.exe
--aa428ca4
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\4f7b12359ff0cd5362f9410c19b36a74_89bbad60-16d5-41c2-ad8d-716f4ac5f4c2
MD5
e4b53ea64ceb467b80ac8c2a2cdaebdf

SHA1
6ffec5f65ba74828f2c9e767624c075576546d41

SHA256
ee7615f799b8f2710a58f5b765a36ede97c281a1c5fc16044d89d8089e5f8658

SHA512
a462b615b016ea6432a0f4fced211a57448f7c19736e50cc020b1c70663ec58beeafeed3f42aa6affabfda11b936b19fc69ce0a102ca7ce92184c5e995e630fe

Download Submit
memory/1668-116-0x0000000000000000-mapping.dmp

Download
memory/1668-117-0x0000000000450000-0x000000000059A000-memory.dmp

Filesize
1.3MB

Download
memory/1832-115-0x0000000000560000-0x00000000006AA000-memory.dmp

Filesize
1.3MB

Download
memory/3368-120-0x0000000000450000-0x00000000004FE000-memory.dmp

Filesize
696KB

Download
memory/3976-119-0x0000000000000000-mapping.dmp

Download
memory/3976-123-0x00000000001F0000-0x00000000001FF000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads