emotet | d065af6e650d3f6228a1bbe5cae78e79f876e89c3a0cabafa100dd80f8426c88

General

Target

d065af6e650d3f6228a1bbe5cae78e79f876e89c3a0cabafa100dd80f8426c88.exe
Size

65KB
MD5

0cc17238884c9c6ce174237493e47d53
SHA1

e12b733dff4cb07b8944d861bf0fc006e092f5a2
SHA256

d065af6e650d3f6228a1bbe5cae78e79f876e89c3a0cabafa100dd80f8426c88
SHA512

f99fc1412b1b16896fde1c86a335abe9030ee06841d11539b8f49bfa4250bf4a255b55b248ac8246fee865dcb187e0719b56501363e7e3e8d028d4704ce8e05c

Score

10^/10

emotet banker suricata trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
suricata: ET MALWARE Win32/Emotet CnC Activity (POST) M2
suricata: ET MALWARE Win32/Emotet CnC Activity (POST) M2
suricata
suricata: ET MALWARE Win32/Emotet CnC Activity (POST) M3
suricata: ET MALWARE Win32/Emotet CnC Activity (POST) M3
suricata
suricata: ET MALWARE Win32/Emotet CnC Activity (POST) M4
suricata: ET MALWARE Win32/Emotet CnC Activity (POST) M4
suricata

Drops file in System32 directory 1 IoCs

Processes:

engnnetwork.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	engnnetwork.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 25 IoCs

Processes:

engnnetwork.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	engnnetwork.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f008c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	engnnetwork.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-22-40-c6-2c-24\WpadDecision = "0"	engnnetwork.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f008c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	engnnetwork.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-22-40-c6-2c-24\WpadDecisionTime = 60540f1e7731d801	engnnetwork.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{05644405-E691-4C78-967B-CC79A7304C58}\WpadNetworkName = "Network 3"	engnnetwork.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-22-40-c6-2c-24	engnnetwork.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-22-40-c6-2c-24\WpadDecisionTime = 0007dddf7631d801	engnnetwork.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	engnnetwork.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	engnnetwork.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	engnnetwork.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	engnnetwork.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{05644405-E691-4C78-967B-CC79A7304C58}\WpadDecision = "0"	engnnetwork.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-22-40-c6-2c-24\WpadDetectedUrl	engnnetwork.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	engnnetwork.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	engnnetwork.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{05644405-E691-4C78-967B-CC79A7304C58}\WpadDecisionTime = 0007dddf7631d801	engnnetwork.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{05644405-E691-4C78-967B-CC79A7304C58}\8a-22-40-c6-2c-24	engnnetwork.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-22-40-c6-2c-24\WpadDecisionReason = "1"	engnnetwork.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	engnnetwork.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	engnnetwork.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	engnnetwork.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{05644405-E691-4C78-967B-CC79A7304C58}	engnnetwork.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{05644405-E691-4C78-967B-CC79A7304C58}\WpadDecisionReason = "1"	engnnetwork.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{05644405-E691-4C78-967B-CC79A7304C58}\WpadDecisionTime = 60540f1e7731d801	engnnetwork.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

engnnetwork.exe

pid process

872 engnnetwork.exe
872 engnnetwork.exe
872 engnnetwork.exe
872 engnnetwork.exe
872 engnnetwork.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

d065af6e650d3f6228a1bbe5cae78e79f876e89c3a0cabafa100dd80f8426c88.exe

pid process

1668 d065af6e650d3f6228a1bbe5cae78e79f876e89c3a0cabafa100dd80f8426c88.exe

pid	process
872	engnnetwork.exe
872	engnnetwork.exe
872	engnnetwork.exe
872	engnnetwork.exe
872	engnnetwork.exe

pid	process
1668	d065af6e650d3f6228a1bbe5cae78e79f876e89c3a0cabafa100dd80f8426c88.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

d065af6e650d3f6228a1bbe5cae78e79f876e89c3a0cabafa100dd80f8426c88.exeengnnetwork.exe

description	pid	process	target process
PID 1512 wrote to memory of 1668	1512	d065af6e650d3f6228a1bbe5cae78e79f876e89c3a0cabafa100dd80f8426c88.exe	d065af6e650d3f6228a1bbe5cae78e79f876e89c3a0cabafa100dd80f8426c88.exe
PID 1512 wrote to memory of 1668	1512	d065af6e650d3f6228a1bbe5cae78e79f876e89c3a0cabafa100dd80f8426c88.exe	d065af6e650d3f6228a1bbe5cae78e79f876e89c3a0cabafa100dd80f8426c88.exe
PID 1512 wrote to memory of 1668	1512	d065af6e650d3f6228a1bbe5cae78e79f876e89c3a0cabafa100dd80f8426c88.exe	d065af6e650d3f6228a1bbe5cae78e79f876e89c3a0cabafa100dd80f8426c88.exe
PID 1512 wrote to memory of 1668	1512	d065af6e650d3f6228a1bbe5cae78e79f876e89c3a0cabafa100dd80f8426c88.exe	d065af6e650d3f6228a1bbe5cae78e79f876e89c3a0cabafa100dd80f8426c88.exe
PID 1252 wrote to memory of 872	1252	engnnetwork.exe	engnnetwork.exe
PID 1252 wrote to memory of 872	1252	engnnetwork.exe	engnnetwork.exe
PID 1252 wrote to memory of 872	1252	engnnetwork.exe	engnnetwork.exe
PID 1252 wrote to memory of 872	1252	engnnetwork.exe	engnnetwork.exe

C:\Users\Admin\AppData\Local\Temp\d065af6e650d3f6228a1bbe5cae78e79f876e89c3a0cabafa100dd80f8426c88.exe
"C:\Users\Admin\AppData\Local\Temp\d065af6e650d3f6228a1bbe5cae78e79f876e89c3a0cabafa100dd80f8426c88.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Users\Admin\AppData\Local\Temp\d065af6e650d3f6228a1bbe5cae78e79f876e89c3a0cabafa100dd80f8426c88.exe
  --5aaaeb44
  2⤵
  - Suspicious behavior: RenamesItself
  PID:1668

C:\Windows\SysWOW64\engnnetwork.exe
"C:\Windows\SysWOW64\engnnetwork.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Windows\SysWOW64\engnnetwork.exe
  --4de30014
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1668-55-0x0000000075191000-0x0000000075193000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads