emotet | ee278c851fed3fd602477bf50b295a2acc665352ad6dd12e8e636c59e140db96

General

Target

ee278c851fed3fd602477bf50b295a2acc665352ad6dd12e8e636c59e140db96.exe
Size

201KB
MD5

372c6e99901e78019f5cd84e3eb9c09f
SHA1

5968f46eb4786422d6e4236dfbfc777244140f95
SHA256

ee278c851fed3fd602477bf50b295a2acc665352ad6dd12e8e636c59e140db96
SHA512

df05d5799b8faa8c3f008da8b3c2022cee3f6fae2bc64d7ca99e9b0a2a546adad13ef2c36ff0cfad53c122e3d42728a6bc43a6906428cb3c96807c7070751847

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 1 IoCs

Processes:

avgstarted.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	avgstarted.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 25 IoCs

Processes:

avgstarted.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	avgstarted.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	avgstarted.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1D27265D-0CDC-4A42-BB31-5A9FF37D60EB}\WpadDecisionTime = f05996fb1e17d801	avgstarted.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4e-ac-78-2d-b8-15	avgstarted.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1D27265D-0CDC-4A42-BB31-5A9FF37D60EB}\4e-ac-78-2d-b8-15	avgstarted.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4e-ac-78-2d-b8-15\WpadDecisionReason = "1"	avgstarted.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	avgstarted.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	avgstarted.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	avgstarted.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	avgstarted.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1D27265D-0CDC-4A42-BB31-5A9FF37D60EB}\WpadDecision = "0"	avgstarted.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4e-ac-78-2d-b8-15\WpadDetectedUrl	avgstarted.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	avgstarted.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	avgstarted.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	avgstarted.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1D27265D-0CDC-4A42-BB31-5A9FF37D60EB}	avgstarted.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4e-ac-78-2d-b8-15\WpadDecisionTime = f05996fb1e17d801	avgstarted.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4e-ac-78-2d-b8-15\WpadDecision = "0"	avgstarted.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1D27265D-0CDC-4A42-BB31-5A9FF37D60EB}\WpadDecisionTime = 10475f341f17d801	avgstarted.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	avgstarted.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0081000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	avgstarted.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1D27265D-0CDC-4A42-BB31-5A9FF37D60EB}\WpadDecisionReason = "1"	avgstarted.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1D27265D-0CDC-4A42-BB31-5A9FF37D60EB}\WpadNetworkName = "Network 3"	avgstarted.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0081000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	avgstarted.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4e-ac-78-2d-b8-15\WpadDecisionTime = 10475f341f17d801	avgstarted.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

avgstarted.exe

pid process

616 avgstarted.exe
616 avgstarted.exe
616 avgstarted.exe
616 avgstarted.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

ee278c851fed3fd602477bf50b295a2acc665352ad6dd12e8e636c59e140db96.exe

pid process

1592 ee278c851fed3fd602477bf50b295a2acc665352ad6dd12e8e636c59e140db96.exe

pid	process
616	avgstarted.exe
616	avgstarted.exe
616	avgstarted.exe
616	avgstarted.exe

pid	process
1592	ee278c851fed3fd602477bf50b295a2acc665352ad6dd12e8e636c59e140db96.exe

Suspicious use of UnmapMainImage 4 IoCs

Processes:

ee278c851fed3fd602477bf50b295a2acc665352ad6dd12e8e636c59e140db96.exeee278c851fed3fd602477bf50b295a2acc665352ad6dd12e8e636c59e140db96.exeavgstarted.exeavgstarted.exe

pid	process
792	ee278c851fed3fd602477bf50b295a2acc665352ad6dd12e8e636c59e140db96.exe
1592	ee278c851fed3fd602477bf50b295a2acc665352ad6dd12e8e636c59e140db96.exe
776	avgstarted.exe
616	avgstarted.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

ee278c851fed3fd602477bf50b295a2acc665352ad6dd12e8e636c59e140db96.exeavgstarted.exe

description	pid	process	target process
PID 792 wrote to memory of 1592	792	ee278c851fed3fd602477bf50b295a2acc665352ad6dd12e8e636c59e140db96.exe	ee278c851fed3fd602477bf50b295a2acc665352ad6dd12e8e636c59e140db96.exe
PID 792 wrote to memory of 1592	792	ee278c851fed3fd602477bf50b295a2acc665352ad6dd12e8e636c59e140db96.exe	ee278c851fed3fd602477bf50b295a2acc665352ad6dd12e8e636c59e140db96.exe
PID 792 wrote to memory of 1592	792	ee278c851fed3fd602477bf50b295a2acc665352ad6dd12e8e636c59e140db96.exe	ee278c851fed3fd602477bf50b295a2acc665352ad6dd12e8e636c59e140db96.exe
PID 792 wrote to memory of 1592	792	ee278c851fed3fd602477bf50b295a2acc665352ad6dd12e8e636c59e140db96.exe	ee278c851fed3fd602477bf50b295a2acc665352ad6dd12e8e636c59e140db96.exe
PID 776 wrote to memory of 616	776	avgstarted.exe	avgstarted.exe
PID 776 wrote to memory of 616	776	avgstarted.exe	avgstarted.exe
PID 776 wrote to memory of 616	776	avgstarted.exe	avgstarted.exe
PID 776 wrote to memory of 616	776	avgstarted.exe	avgstarted.exe

C:\Users\Admin\AppData\Local\Temp\ee278c851fed3fd602477bf50b295a2acc665352ad6dd12e8e636c59e140db96.exe
"C:\Users\Admin\AppData\Local\Temp\ee278c851fed3fd602477bf50b295a2acc665352ad6dd12e8e636c59e140db96.exe"
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:792

C:\Users\Admin\AppData\Local\Temp\ee278c851fed3fd602477bf50b295a2acc665352ad6dd12e8e636c59e140db96.exe
--40dac8c7
2⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
PID:1592

C:\Windows\SysWOW64\avgstarted.exe
"C:\Windows\SysWOW64\avgstarted.exe"
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:776

C:\Windows\SysWOW64\avgstarted.exe
--131086e1
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
PID:616

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/792-55-0x00000000001B0000-0x00000000001CB000-memory.dmp

Filesize
108KB

Download
memory/792-56-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1592-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1592-58-0x0000000075321000-0x0000000075323000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads