emotet | e50f8fd47455de0dbb75b38d0302ca736d03d3cc8f4a51b4620e55fe3466012c

General

Target

e50f8fd47455de0dbb75b38d0302ca736d03d3cc8f4a51b4620e55fe3466012c.exe
Size

58KB
MD5

776687c64bb358e34d0b162aac81b6e3
SHA1

3cf5269c81fed40ec8bf3eede5eeccc315d8b40e
SHA256

e50f8fd47455de0dbb75b38d0302ca736d03d3cc8f4a51b4620e55fe3466012c
SHA512

4c56f650cf3b70326d84e37b9630880c633f61c5d49e782ce228cf07329f153671d5663362ae819c41bd5838b2ed46095e78fc3ac323ef675fd464915430245b

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 4 IoCs

Processes:

routercpls.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	routercpls.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	routercpls.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	routercpls.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	routercpls.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

Processes:

routercpls.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	routercpls.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	routercpls.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	routercpls.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

routercpls.exe

pid	process
2800	routercpls.exe
2800	routercpls.exe
2800	routercpls.exe
2800	routercpls.exe
2800	routercpls.exe
2800	routercpls.exe
2800	routercpls.exe
2800	routercpls.exe
2800	routercpls.exe
2800	routercpls.exe
2800	routercpls.exe
2800	routercpls.exe
2800	routercpls.exe
2800	routercpls.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

e50f8fd47455de0dbb75b38d0302ca736d03d3cc8f4a51b4620e55fe3466012c.exe

pid process

1712 e50f8fd47455de0dbb75b38d0302ca736d03d3cc8f4a51b4620e55fe3466012c.exe

pid	process
1712	e50f8fd47455de0dbb75b38d0302ca736d03d3cc8f4a51b4620e55fe3466012c.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

e50f8fd47455de0dbb75b38d0302ca736d03d3cc8f4a51b4620e55fe3466012c.exeroutercpls.exe

description	pid	process	target process
PID 1516 wrote to memory of 1712	1516	e50f8fd47455de0dbb75b38d0302ca736d03d3cc8f4a51b4620e55fe3466012c.exe	e50f8fd47455de0dbb75b38d0302ca736d03d3cc8f4a51b4620e55fe3466012c.exe
PID 1516 wrote to memory of 1712	1516	e50f8fd47455de0dbb75b38d0302ca736d03d3cc8f4a51b4620e55fe3466012c.exe	e50f8fd47455de0dbb75b38d0302ca736d03d3cc8f4a51b4620e55fe3466012c.exe
PID 1516 wrote to memory of 1712	1516	e50f8fd47455de0dbb75b38d0302ca736d03d3cc8f4a51b4620e55fe3466012c.exe	e50f8fd47455de0dbb75b38d0302ca736d03d3cc8f4a51b4620e55fe3466012c.exe
PID 2700 wrote to memory of 2800	2700	routercpls.exe	routercpls.exe
PID 2700 wrote to memory of 2800	2700	routercpls.exe	routercpls.exe
PID 2700 wrote to memory of 2800	2700	routercpls.exe	routercpls.exe

C:\Users\Admin\AppData\Local\Temp\e50f8fd47455de0dbb75b38d0302ca736d03d3cc8f4a51b4620e55fe3466012c.exe
"C:\Users\Admin\AppData\Local\Temp\e50f8fd47455de0dbb75b38d0302ca736d03d3cc8f4a51b4620e55fe3466012c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1516

C:\Users\Admin\AppData\Local\Temp\e50f8fd47455de0dbb75b38d0302ca736d03d3cc8f4a51b4620e55fe3466012c.exe
--ff4ea500
2⤵
- Suspicious behavior: RenamesItself
PID:1712

C:\Windows\SysWOW64\routercpls.exe
"C:\Windows\SysWOW64\routercpls.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2700

C:\Windows\SysWOW64\routercpls.exe
--83f038ef
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2800

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads