emotet | 0d83f49d4074d4e69c725725eb1f64d12b5dc28554ff320b4c5164fc35da2dbd

General

Target

0d83f49d4074d4e69c725725eb1f64d12b5dc28554ff320b4c5164fc35da2dbd.exe
Size

70KB
MD5

04d2faf1ebd3cd7702da40bcdffb3a68
SHA1

92eba2805cb13e85a5bd8cdec0c64920a7f9cd8f
SHA256

0d83f49d4074d4e69c725725eb1f64d12b5dc28554ff320b4c5164fc35da2dbd
SHA512

1d5c4caf1c0347ba8bbc114cb4fd9cd5daf7fd430c7d5feb527cc57853da03b8f63e598587ddd6cc3b2b330412403a6315ad45c677eb1a131735697de1d93601

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 1 IoCs

Processes:

gestureshell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	gestureshell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 25 IoCs

Processes:

gestureshell.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	gestureshell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E7FF2A58-236C-4CF9-B9AC-A01D26ADE321}	gestureshell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0163000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	gestureshell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-b3-27-43-75-e5\WpadDecisionTime = f00c62862728d801	gestureshell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-b3-27-43-75-e5\WpadDecision = "0"	gestureshell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E7FF2A58-236C-4CF9-B9AC-A01D26ADE321}\WpadDecisionTime = f00c62862728d801	gestureshell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	gestureshell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0163000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	gestureshell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E7FF2A58-236C-4CF9-B9AC-A01D26ADE321}\6e-b3-27-43-75-e5	gestureshell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-b3-27-43-75-e5\WpadDecisionReason = "1"	gestureshell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E7FF2A58-236C-4CF9-B9AC-A01D26ADE321}\WpadNetworkName = "Network 3"	gestureshell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-b3-27-43-75-e5	gestureshell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	gestureshell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	gestureshell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	gestureshell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	gestureshell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E7FF2A58-236C-4CF9-B9AC-A01D26ADE321}\WpadDecisionReason = "1"	gestureshell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E7FF2A58-236C-4CF9-B9AC-A01D26ADE321}\WpadDecisionTime = 10be0a492728d801	gestureshell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E7FF2A58-236C-4CF9-B9AC-A01D26ADE321}\WpadDecision = "0"	gestureshell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-b3-27-43-75-e5\WpadDecisionTime = 10be0a492728d801	gestureshell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	gestureshell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	gestureshell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	gestureshell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	gestureshell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-b3-27-43-75-e5\WpadDetectedUrl	gestureshell.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

gestureshell.exe

pid process

1212 gestureshell.exe
1212 gestureshell.exe
1212 gestureshell.exe
1212 gestureshell.exe
1212 gestureshell.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

0d83f49d4074d4e69c725725eb1f64d12b5dc28554ff320b4c5164fc35da2dbd.exe

pid process

848 0d83f49d4074d4e69c725725eb1f64d12b5dc28554ff320b4c5164fc35da2dbd.exe

pid	process
1212	gestureshell.exe
1212	gestureshell.exe
1212	gestureshell.exe
1212	gestureshell.exe
1212	gestureshell.exe

pid	process
848	0d83f49d4074d4e69c725725eb1f64d12b5dc28554ff320b4c5164fc35da2dbd.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

0d83f49d4074d4e69c725725eb1f64d12b5dc28554ff320b4c5164fc35da2dbd.exegestureshell.exe

description	pid	process	target process
PID 1452 wrote to memory of 848	1452	0d83f49d4074d4e69c725725eb1f64d12b5dc28554ff320b4c5164fc35da2dbd.exe	0d83f49d4074d4e69c725725eb1f64d12b5dc28554ff320b4c5164fc35da2dbd.exe
PID 1452 wrote to memory of 848	1452	0d83f49d4074d4e69c725725eb1f64d12b5dc28554ff320b4c5164fc35da2dbd.exe	0d83f49d4074d4e69c725725eb1f64d12b5dc28554ff320b4c5164fc35da2dbd.exe
PID 1452 wrote to memory of 848	1452	0d83f49d4074d4e69c725725eb1f64d12b5dc28554ff320b4c5164fc35da2dbd.exe	0d83f49d4074d4e69c725725eb1f64d12b5dc28554ff320b4c5164fc35da2dbd.exe
PID 1452 wrote to memory of 848	1452	0d83f49d4074d4e69c725725eb1f64d12b5dc28554ff320b4c5164fc35da2dbd.exe	0d83f49d4074d4e69c725725eb1f64d12b5dc28554ff320b4c5164fc35da2dbd.exe
PID 624 wrote to memory of 1212	624	gestureshell.exe	gestureshell.exe
PID 624 wrote to memory of 1212	624	gestureshell.exe	gestureshell.exe
PID 624 wrote to memory of 1212	624	gestureshell.exe	gestureshell.exe
PID 624 wrote to memory of 1212	624	gestureshell.exe	gestureshell.exe

C:\Users\Admin\AppData\Local\Temp\0d83f49d4074d4e69c725725eb1f64d12b5dc28554ff320b4c5164fc35da2dbd.exe
"C:\Users\Admin\AppData\Local\Temp\0d83f49d4074d4e69c725725eb1f64d12b5dc28554ff320b4c5164fc35da2dbd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Users\Admin\AppData\Local\Temp\0d83f49d4074d4e69c725725eb1f64d12b5dc28554ff320b4c5164fc35da2dbd.exe
  --f561cee1
  2⤵
  - Suspicious behavior: RenamesItself
  PID:848

C:\Windows\SysWOW64\gestureshell.exe
"C:\Windows\SysWOW64\gestureshell.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:624
- C:\Windows\SysWOW64\gestureshell.exe
  --a4f0ba19
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:1212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/848-54-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads