emotet | 1f4259e2b808cd00fc825f0e39a2b22ff4aea6caa5175f1e4567dba0bf296dca

General

Target

1f4259e2b808cd00fc825f0e39a2b22ff4aea6caa5175f1e4567dba0bf296dca.exe
Size

132KB
MD5

9987adb305c3e989d368b913ea35c978
SHA1

f3c2d096888b20e8e9000bf5eb0738d96462693a
SHA256

1f4259e2b808cd00fc825f0e39a2b22ff4aea6caa5175f1e4567dba0bf296dca
SHA512

c3cab64f6f676972b81d54a243500caa12602a397a9dd4deb56e310bc0cfccefeca87b392ad19c5c249259f9d3d0e08f34df1dfe63642e61bce7c25d72dc2de7

Score

10^/10

emotet epoch2 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

C2

81.109.227.123:80

82.15.36.209:443

142.4.198.249:7080

162.144.119.216:8080

142.93.88.16:443

31.12.67.62:7080

91.83.93.103:7080

178.152.78.149:20

104.131.208.175:8080

136.243.177.26:8080

206.189.98.125:8080

178.79.161.166:443

195.242.117.231:8080

187.163.222.244:465

186.144.64.31:53

104.236.99.225:8080

71.244.60.230:8080

91.205.215.66:8080

212.71.234.16:8080

190.25.255.98:443

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 1 IoCs

Processes:

waspower.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	waspower.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 21 IoCs

Processes:

waspower.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-ae-2f-66-53-42	waspower.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	waspower.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	waspower.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AD5BD91F-A825-4690-AF65-6FEECC9D53BD}\WpadNetworkName = "Network 3"	waspower.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AD5BD91F-A825-4690-AF65-6FEECC9D53BD}\WpadDecisionTime = f05e6e7a4a17d801	waspower.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	waspower.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	waspower.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AD5BD91F-A825-4690-AF65-6FEECC9D53BD}	waspower.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AD5BD91F-A825-4690-AF65-6FEECC9D53BD}\WpadDecisionReason = "1"	waspower.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AD5BD91F-A825-4690-AF65-6FEECC9D53BD}\WpadDecision = "0"	waspower.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AD5BD91F-A825-4690-AF65-6FEECC9D53BD}\f6-ae-2f-66-53-42	waspower.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-ae-2f-66-53-42\WpadDecisionTime = f05e6e7a4a17d801	waspower.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-ae-2f-66-53-42\WpadDecision = "0"	waspower.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	waspower.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	waspower.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f007f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	waspower.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	waspower.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-ae-2f-66-53-42\WpadDecisionReason = "1"	waspower.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	waspower.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	waspower.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	waspower.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

waspower.exe

pid process

1396 waspower.exe
1396 waspower.exe
1396 waspower.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

1f4259e2b808cd00fc825f0e39a2b22ff4aea6caa5175f1e4567dba0bf296dca.exe

pid process

1680 1f4259e2b808cd00fc825f0e39a2b22ff4aea6caa5175f1e4567dba0bf296dca.exe

pid	process
1396	waspower.exe
1396	waspower.exe
1396	waspower.exe

pid	process
1680	1f4259e2b808cd00fc825f0e39a2b22ff4aea6caa5175f1e4567dba0bf296dca.exe

Suspicious use of UnmapMainImage 4 IoCs

Processes:

1f4259e2b808cd00fc825f0e39a2b22ff4aea6caa5175f1e4567dba0bf296dca.exe1f4259e2b808cd00fc825f0e39a2b22ff4aea6caa5175f1e4567dba0bf296dca.exewaspower.exewaspower.exe

pid	process
836	1f4259e2b808cd00fc825f0e39a2b22ff4aea6caa5175f1e4567dba0bf296dca.exe
1680	1f4259e2b808cd00fc825f0e39a2b22ff4aea6caa5175f1e4567dba0bf296dca.exe
380	waspower.exe
1396	waspower.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

1f4259e2b808cd00fc825f0e39a2b22ff4aea6caa5175f1e4567dba0bf296dca.exewaspower.exe

description	pid	process	target process
PID 836 wrote to memory of 1680	836	1f4259e2b808cd00fc825f0e39a2b22ff4aea6caa5175f1e4567dba0bf296dca.exe	1f4259e2b808cd00fc825f0e39a2b22ff4aea6caa5175f1e4567dba0bf296dca.exe
PID 836 wrote to memory of 1680	836	1f4259e2b808cd00fc825f0e39a2b22ff4aea6caa5175f1e4567dba0bf296dca.exe	1f4259e2b808cd00fc825f0e39a2b22ff4aea6caa5175f1e4567dba0bf296dca.exe
PID 836 wrote to memory of 1680	836	1f4259e2b808cd00fc825f0e39a2b22ff4aea6caa5175f1e4567dba0bf296dca.exe	1f4259e2b808cd00fc825f0e39a2b22ff4aea6caa5175f1e4567dba0bf296dca.exe
PID 836 wrote to memory of 1680	836	1f4259e2b808cd00fc825f0e39a2b22ff4aea6caa5175f1e4567dba0bf296dca.exe	1f4259e2b808cd00fc825f0e39a2b22ff4aea6caa5175f1e4567dba0bf296dca.exe
PID 380 wrote to memory of 1396	380	waspower.exe	waspower.exe
PID 380 wrote to memory of 1396	380	waspower.exe	waspower.exe
PID 380 wrote to memory of 1396	380	waspower.exe	waspower.exe
PID 380 wrote to memory of 1396	380	waspower.exe	waspower.exe

C:\Users\Admin\AppData\Local\Temp\1f4259e2b808cd00fc825f0e39a2b22ff4aea6caa5175f1e4567dba0bf296dca.exe
"C:\Users\Admin\AppData\Local\Temp\1f4259e2b808cd00fc825f0e39a2b22ff4aea6caa5175f1e4567dba0bf296dca.exe"
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:836

C:\Users\Admin\AppData\Local\Temp\1f4259e2b808cd00fc825f0e39a2b22ff4aea6caa5175f1e4567dba0bf296dca.exe
--d090bb49
2⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
PID:1680

C:\Windows\SysWOW64\waspower.exe
"C:\Windows\SysWOW64\waspower.exe"
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:380

C:\Windows\SysWOW64\waspower.exe
--a44be58e
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
PID:1396

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/836-55-0x0000000076641000-0x0000000076643000-memory.dmp

Filesize
8KB

Download
memory/836-56-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/836-57-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1396-62-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1680-59-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads