emotet | dae5bbe0ee7af55427e1e9dced24061dbcb701a53aff04217bdfa8cc260d6683

General

Target

dae5bbe0ee7af55427e1e9dced24061dbcb701a53aff04217bdfa8cc260d6683.exe
Size

88KB
MD5

5594fd3b929e2e30d3d70e4c0063085b
SHA1

90dc29422eef76512b554017c015ddfabd400784
SHA256

dae5bbe0ee7af55427e1e9dced24061dbcb701a53aff04217bdfa8cc260d6683
SHA512

48f152407cfeb71c86def1ed6ae84c1703649cfa5e2d2dfcf501bba17acfdfbc59f62c53a10d6e83bf17916a62115f658d0bd0f9ace68b1b2370cdd32c0df7dd

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 1 IoCs

Processes:

editionshlp.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	editionshlp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 25 IoCs

Processes:

editionshlp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5A164389-A707-4E71-9D14-319BCC4C401D}\WpadNetworkName = "Network 3"	editionshlp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\82-6d-3c-cc-f4-b1	editionshlp.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\82-6d-3c-cc-f4-b1\WpadDecisionTime = 40608ef56b31d801	editionshlp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	editionshlp.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	editionshlp.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	editionshlp.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f002a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	editionshlp.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5A164389-A707-4E71-9D14-319BCC4C401D}\WpadDecision = "0"	editionshlp.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5A164389-A707-4E71-9D14-319BCC4C401D}\WpadDecisionTime = 80c46c186c31d801	editionshlp.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\82-6d-3c-cc-f4-b1\WpadDecisionTime = 80c46c186c31d801	editionshlp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5A164389-A707-4E71-9D14-319BCC4C401D}\82-6d-3c-cc-f4-b1	editionshlp.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\82-6d-3c-cc-f4-b1\WpadDecision = "0"	editionshlp.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	editionshlp.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	editionshlp.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	editionshlp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	editionshlp.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5A164389-A707-4E71-9D14-319BCC4C401D}\WpadDecisionTime = 40608ef56b31d801	editionshlp.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\82-6d-3c-cc-f4-b1\WpadDetectedUrl	editionshlp.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	editionshlp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	editionshlp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5A164389-A707-4E71-9D14-319BCC4C401D}	editionshlp.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5A164389-A707-4E71-9D14-319BCC4C401D}\WpadDecisionReason = "1"	editionshlp.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\82-6d-3c-cc-f4-b1\WpadDecisionReason = "1"	editionshlp.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	editionshlp.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f002a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	editionshlp.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

editionshlp.exe

pid process

1164 editionshlp.exe
1164 editionshlp.exe
1164 editionshlp.exe
1164 editionshlp.exe
1164 editionshlp.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

dae5bbe0ee7af55427e1e9dced24061dbcb701a53aff04217bdfa8cc260d6683.exe

pid process

1600 dae5bbe0ee7af55427e1e9dced24061dbcb701a53aff04217bdfa8cc260d6683.exe

pid	process
1164	editionshlp.exe
1164	editionshlp.exe
1164	editionshlp.exe
1164	editionshlp.exe
1164	editionshlp.exe

pid	process
1600	dae5bbe0ee7af55427e1e9dced24061dbcb701a53aff04217bdfa8cc260d6683.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

dae5bbe0ee7af55427e1e9dced24061dbcb701a53aff04217bdfa8cc260d6683.exeeditionshlp.exe

description	pid	process	target process
PID 1616 wrote to memory of 1600	1616	dae5bbe0ee7af55427e1e9dced24061dbcb701a53aff04217bdfa8cc260d6683.exe	dae5bbe0ee7af55427e1e9dced24061dbcb701a53aff04217bdfa8cc260d6683.exe
PID 1616 wrote to memory of 1600	1616	dae5bbe0ee7af55427e1e9dced24061dbcb701a53aff04217bdfa8cc260d6683.exe	dae5bbe0ee7af55427e1e9dced24061dbcb701a53aff04217bdfa8cc260d6683.exe
PID 1616 wrote to memory of 1600	1616	dae5bbe0ee7af55427e1e9dced24061dbcb701a53aff04217bdfa8cc260d6683.exe	dae5bbe0ee7af55427e1e9dced24061dbcb701a53aff04217bdfa8cc260d6683.exe
PID 1616 wrote to memory of 1600	1616	dae5bbe0ee7af55427e1e9dced24061dbcb701a53aff04217bdfa8cc260d6683.exe	dae5bbe0ee7af55427e1e9dced24061dbcb701a53aff04217bdfa8cc260d6683.exe
PID 1160 wrote to memory of 1164	1160	editionshlp.exe	editionshlp.exe
PID 1160 wrote to memory of 1164	1160	editionshlp.exe	editionshlp.exe
PID 1160 wrote to memory of 1164	1160	editionshlp.exe	editionshlp.exe
PID 1160 wrote to memory of 1164	1160	editionshlp.exe	editionshlp.exe

C:\Users\Admin\AppData\Local\Temp\dae5bbe0ee7af55427e1e9dced24061dbcb701a53aff04217bdfa8cc260d6683.exe
"C:\Users\Admin\AppData\Local\Temp\dae5bbe0ee7af55427e1e9dced24061dbcb701a53aff04217bdfa8cc260d6683.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1616

C:\Users\Admin\AppData\Local\Temp\dae5bbe0ee7af55427e1e9dced24061dbcb701a53aff04217bdfa8cc260d6683.exe
--2e491d45
2⤵
- Suspicious behavior: RenamesItself
PID:1600

C:\Windows\SysWOW64\editionshlp.exe
"C:\Windows\SysWOW64\editionshlp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\SysWOW64\editionshlp.exe
--1d84b00d
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1164

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1600-54-0x0000000076731000-0x0000000076733000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads