emotet | 5a89c0b4d52a8feb9b4bf7ebd49eb7a84b54b9cd94ced300b16202177926287f

General

Target

bad71.bin.exe
Size

752KB
MD5

b356ddc2348a102711ccd47a65b6cbcf
SHA1

9d72d0985e61dc81758e0afcb58375e6182e7d66
SHA256

5a89c0b4d52a8feb9b4bf7ebd49eb7a84b54b9cd94ced300b16202177926287f
SHA512

3eb612bdd8f01c3b182a980fe79d47980d16fd9d934e13bd5f2db06163b60e63e8054add2dcffedb0cb8a8e2d66d67838ab7cbf58c6125d35ea3f32edec73fc2

Score

10^/10

emotet epoch2 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

C2

217.160.19.232:8080

192.241.220.155:8080

167.99.105.223:7080

176.31.200.130:8080

91.205.215.66:8080

181.143.194.138:443

167.71.10.37:8080

133.167.80.63:7080

183.102.238.69:465

190.145.67.134:8090

169.239.182.217:8080

78.24.219.147:8080

92.222.216.44:8080

47.41.213.2:22

124.240.198.66:80

189.209.217.49:80

80.11.163.139:21

190.53.135.159:21

217.160.182.191:8080

87.230.19.21:8080

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 1 IoCs

Processes:

teapotcaching.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	teapotcaching.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 25 IoCs

Processes:

teapotcaching.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	teapotcaching.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0271AF7A-4677-4C25-BD6A-784087224B50}\WpadDecisionReason = "1"	teapotcaching.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0271AF7A-4677-4C25-BD6A-784087224B50}\WpadDecisionTime = a090358086ddd701	teapotcaching.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-99-3c-5b-5b-f8	teapotcaching.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	teapotcaching.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	teapotcaching.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	teapotcaching.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	teapotcaching.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0271AF7A-4677-4C25-BD6A-784087224B50}\e2-99-3c-5b-5b-f8	teapotcaching.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-99-3c-5b-5b-f8\WpadDecisionTime = a090358086ddd701	teapotcaching.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-99-3c-5b-5b-f8\WpadDetectedUrl	teapotcaching.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0271AF7A-4677-4C25-BD6A-784087224B50}\WpadDecisionTime = 20fdefba86ddd701	teapotcaching.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	teapotcaching.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	teapotcaching.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0271AF7A-4677-4C25-BD6A-784087224B50}	teapotcaching.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0271AF7A-4677-4C25-BD6A-784087224B50}\WpadDecision = "0"	teapotcaching.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-99-3c-5b-5b-f8\WpadDecisionReason = "1"	teapotcaching.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-99-3c-5b-5b-f8\WpadDecision = "0"	teapotcaching.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0043000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	teapotcaching.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-99-3c-5b-5b-f8\WpadDecisionTime = 20fdefba86ddd701	teapotcaching.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	teapotcaching.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0043000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	teapotcaching.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0271AF7A-4677-4C25-BD6A-784087224B50}\WpadNetworkName = "Network 3"	teapotcaching.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	teapotcaching.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	teapotcaching.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

teapotcaching.exe

pid process

1920 teapotcaching.exe
1920 teapotcaching.exe
1920 teapotcaching.exe
1920 teapotcaching.exe
1920 teapotcaching.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

bad71.bin.exe

pid process

1292 bad71.bin.exe

pid	process
1920	teapotcaching.exe
1920	teapotcaching.exe
1920	teapotcaching.exe
1920	teapotcaching.exe
1920	teapotcaching.exe

pid	process
1292	bad71.bin.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

bad71.bin.exebad71.bin.exeteapotcaching.exeteapotcaching.exe

pid	process
524	bad71.bin.exe
524	bad71.bin.exe
1292	bad71.bin.exe
1292	bad71.bin.exe
1984	teapotcaching.exe
1984	teapotcaching.exe
1920	teapotcaching.exe
1920	teapotcaching.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

bad71.bin.exeteapotcaching.exe

description	pid	process	target process
PID 524 wrote to memory of 1292	524	bad71.bin.exe	bad71.bin.exe
PID 524 wrote to memory of 1292	524	bad71.bin.exe	bad71.bin.exe
PID 524 wrote to memory of 1292	524	bad71.bin.exe	bad71.bin.exe
PID 524 wrote to memory of 1292	524	bad71.bin.exe	bad71.bin.exe
PID 1984 wrote to memory of 1920	1984	teapotcaching.exe	teapotcaching.exe
PID 1984 wrote to memory of 1920	1984	teapotcaching.exe	teapotcaching.exe
PID 1984 wrote to memory of 1920	1984	teapotcaching.exe	teapotcaching.exe
PID 1984 wrote to memory of 1920	1984	teapotcaching.exe	teapotcaching.exe

C:\Users\Admin\AppData\Local\Temp\bad71.bin.exe
"C:\Users\Admin\AppData\Local\Temp\bad71.bin.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:524

C:\Users\Admin\AppData\Local\Temp\bad71.bin.exe
--97c5adc
2⤵
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
PID:1292

C:\Windows\SysWOW64\teapotcaching.exe
"C:\Windows\SysWOW64\teapotcaching.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\SysWOW64\teapotcaching.exe
--73c72110
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1920

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/524-55-0x0000000075B71000-0x0000000075B73000-memory.dmp

Filesize
8KB

Download
memory/524-56-0x00000000003E0000-0x00000000003F7000-memory.dmp

Filesize
92KB

Download
memory/524-66-0x00000000003C0000-0x00000000003D1000-memory.dmp

Filesize
68KB

Download
memory/1292-60-0x0000000000000000-mapping.dmp

Download
memory/1292-62-0x0000000000260000-0x0000000000277000-memory.dmp

Filesize
92KB

Download
memory/1920-72-0x0000000000000000-mapping.dmp

Download
memory/1920-74-0x0000000000A90000-0x0000000000AA7000-memory.dmp

Filesize
92KB

Download
memory/1984-68-0x0000000000540000-0x0000000000557000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads