emotet | e50f8fd47455de0dbb75b38d0302ca736d03d3cc8f4a51b4620e55fe3466012c

General

Target

e50f8fd47455de0dbb75b38d0302ca736d03d3cc8f4a51b4620e55fe3466012c.exe
Size

58KB
MD5

776687c64bb358e34d0b162aac81b6e3
SHA1

3cf5269c81fed40ec8bf3eede5eeccc315d8b40e
SHA256

e50f8fd47455de0dbb75b38d0302ca736d03d3cc8f4a51b4620e55fe3466012c
SHA512

4c56f650cf3b70326d84e37b9630880c633f61c5d49e782ce228cf07329f153671d5663362ae819c41bd5838b2ed46095e78fc3ac323ef675fd464915430245b

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 1 IoCs

Processes:

resapiquery.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	resapiquery.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 25 IoCs

Processes:

resapiquery.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	resapiquery.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0028000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	resapiquery.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-38-f9-08-85-5a	resapiquery.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C519771-F741-46F0-841C-6201BB1ADDCC}\36-38-f9-08-85-5a	resapiquery.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-38-f9-08-85-5a\WpadDecisionReason = "1"	resapiquery.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	resapiquery.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	resapiquery.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	resapiquery.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	resapiquery.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	resapiquery.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C519771-F741-46F0-841C-6201BB1ADDCC}	resapiquery.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C519771-F741-46F0-841C-6201BB1ADDCC}\WpadDecisionTime = d0f8a5b06631d801	resapiquery.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	resapiquery.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C519771-F741-46F0-841C-6201BB1ADDCC}\WpadDecisionReason = "1"	resapiquery.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C519771-F741-46F0-841C-6201BB1ADDCC}\WpadNetworkName = "Network 3"	resapiquery.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-38-f9-08-85-5a\WpadDecisionTime = d0f8a5b06631d801	resapiquery.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-38-f9-08-85-5a\WpadDetectedUrl	resapiquery.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C519771-F741-46F0-841C-6201BB1ADDCC}\WpadDecisionTime = b0290eec6631d801	resapiquery.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-38-f9-08-85-5a\WpadDecisionTime = b0290eec6631d801	resapiquery.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	resapiquery.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	resapiquery.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	resapiquery.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C519771-F741-46F0-841C-6201BB1ADDCC}\WpadDecision = "0"	resapiquery.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-38-f9-08-85-5a\WpadDecision = "0"	resapiquery.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0028000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	resapiquery.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

resapiquery.exe

pid process

332 resapiquery.exe
332 resapiquery.exe
332 resapiquery.exe
332 resapiquery.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

e50f8fd47455de0dbb75b38d0302ca736d03d3cc8f4a51b4620e55fe3466012c.exe

pid process

1104 e50f8fd47455de0dbb75b38d0302ca736d03d3cc8f4a51b4620e55fe3466012c.exe

pid	process
332	resapiquery.exe
332	resapiquery.exe
332	resapiquery.exe
332	resapiquery.exe

pid	process
1104	e50f8fd47455de0dbb75b38d0302ca736d03d3cc8f4a51b4620e55fe3466012c.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

e50f8fd47455de0dbb75b38d0302ca736d03d3cc8f4a51b4620e55fe3466012c.exeresapiquery.exe

description	pid	process	target process
PID 956 wrote to memory of 1104	956	e50f8fd47455de0dbb75b38d0302ca736d03d3cc8f4a51b4620e55fe3466012c.exe	e50f8fd47455de0dbb75b38d0302ca736d03d3cc8f4a51b4620e55fe3466012c.exe
PID 956 wrote to memory of 1104	956	e50f8fd47455de0dbb75b38d0302ca736d03d3cc8f4a51b4620e55fe3466012c.exe	e50f8fd47455de0dbb75b38d0302ca736d03d3cc8f4a51b4620e55fe3466012c.exe
PID 956 wrote to memory of 1104	956	e50f8fd47455de0dbb75b38d0302ca736d03d3cc8f4a51b4620e55fe3466012c.exe	e50f8fd47455de0dbb75b38d0302ca736d03d3cc8f4a51b4620e55fe3466012c.exe
PID 956 wrote to memory of 1104	956	e50f8fd47455de0dbb75b38d0302ca736d03d3cc8f4a51b4620e55fe3466012c.exe	e50f8fd47455de0dbb75b38d0302ca736d03d3cc8f4a51b4620e55fe3466012c.exe
PID 1676 wrote to memory of 332	1676	resapiquery.exe	resapiquery.exe
PID 1676 wrote to memory of 332	1676	resapiquery.exe	resapiquery.exe
PID 1676 wrote to memory of 332	1676	resapiquery.exe	resapiquery.exe
PID 1676 wrote to memory of 332	1676	resapiquery.exe	resapiquery.exe

C:\Users\Admin\AppData\Local\Temp\e50f8fd47455de0dbb75b38d0302ca736d03d3cc8f4a51b4620e55fe3466012c.exe
"C:\Users\Admin\AppData\Local\Temp\e50f8fd47455de0dbb75b38d0302ca736d03d3cc8f4a51b4620e55fe3466012c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:956
- C:\Users\Admin\AppData\Local\Temp\e50f8fd47455de0dbb75b38d0302ca736d03d3cc8f4a51b4620e55fe3466012c.exe
  --ff4ea500
  2⤵
  - Suspicious behavior: RenamesItself
  PID:1104

C:\Windows\SysWOW64\resapiquery.exe
"C:\Windows\SysWOW64\resapiquery.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Windows\SysWOW64\resapiquery.exe
  --79dc5544
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:332

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1104-54-0x0000000076771000-0x0000000076773000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads