emotet | f570f153b8e834fe30a3ba90aeb618a0e9e5926d0df533781f121dc784f9d3bc

General

Target

f570f153b8e834fe30a3ba90aeb618a0e9e5926d0df533781f121dc784f9d3bc.exe
Size

58KB
MD5

f70293d937d4cab1a4d5e7149be6e670
SHA1

79d2b78cb813dd6adf3fc24c05daeab403d15f3d
SHA256

f570f153b8e834fe30a3ba90aeb618a0e9e5926d0df533781f121dc784f9d3bc
SHA512

3f935b783ff3c146c2d5742d9567353144a9bc447d06d33fb612c9eb8fdfa6a7137996ee77c390476af42b84159e7f8e8ecb354a65d2e2858760aba42a642c09

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 4 IoCs

Processes:

fwdrfinish.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	fwdrfinish.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	fwdrfinish.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	fwdrfinish.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	fwdrfinish.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

Processes:

fwdrfinish.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	fwdrfinish.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	fwdrfinish.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	fwdrfinish.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

fwdrfinish.exe

pid	process
3204	fwdrfinish.exe
3204	fwdrfinish.exe
3204	fwdrfinish.exe
3204	fwdrfinish.exe
3204	fwdrfinish.exe
3204	fwdrfinish.exe
3204	fwdrfinish.exe
3204	fwdrfinish.exe
3204	fwdrfinish.exe
3204	fwdrfinish.exe
3204	fwdrfinish.exe
3204	fwdrfinish.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

f570f153b8e834fe30a3ba90aeb618a0e9e5926d0df533781f121dc784f9d3bc.exe

pid process

3352 f570f153b8e834fe30a3ba90aeb618a0e9e5926d0df533781f121dc784f9d3bc.exe

pid	process
3352	f570f153b8e834fe30a3ba90aeb618a0e9e5926d0df533781f121dc784f9d3bc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

f570f153b8e834fe30a3ba90aeb618a0e9e5926d0df533781f121dc784f9d3bc.exefwdrfinish.exe

description	pid	process	target process
PID 116 wrote to memory of 3352	116	f570f153b8e834fe30a3ba90aeb618a0e9e5926d0df533781f121dc784f9d3bc.exe	f570f153b8e834fe30a3ba90aeb618a0e9e5926d0df533781f121dc784f9d3bc.exe
PID 116 wrote to memory of 3352	116	f570f153b8e834fe30a3ba90aeb618a0e9e5926d0df533781f121dc784f9d3bc.exe	f570f153b8e834fe30a3ba90aeb618a0e9e5926d0df533781f121dc784f9d3bc.exe
PID 116 wrote to memory of 3352	116	f570f153b8e834fe30a3ba90aeb618a0e9e5926d0df533781f121dc784f9d3bc.exe	f570f153b8e834fe30a3ba90aeb618a0e9e5926d0df533781f121dc784f9d3bc.exe
PID 1636 wrote to memory of 3204	1636	fwdrfinish.exe	fwdrfinish.exe
PID 1636 wrote to memory of 3204	1636	fwdrfinish.exe	fwdrfinish.exe
PID 1636 wrote to memory of 3204	1636	fwdrfinish.exe	fwdrfinish.exe

C:\Users\Admin\AppData\Local\Temp\f570f153b8e834fe30a3ba90aeb618a0e9e5926d0df533781f121dc784f9d3bc.exe
"C:\Users\Admin\AppData\Local\Temp\f570f153b8e834fe30a3ba90aeb618a0e9e5926d0df533781f121dc784f9d3bc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:116

C:\Users\Admin\AppData\Local\Temp\f570f153b8e834fe30a3ba90aeb618a0e9e5926d0df533781f121dc784f9d3bc.exe
--854cc15c
2⤵
- Suspicious behavior: RenamesItself
PID:3352

C:\Windows\SysWOW64\fwdrfinish.exe
"C:\Windows\SysWOW64\fwdrfinish.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\SysWOW64\fwdrfinish.exe
--fa3ce5e4
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3204

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads