emotet | d065af6e650d3f6228a1bbe5cae78e79f876e89c3a0cabafa100dd80f8426c88

General

Target

d065af6e650d3f6228a1bbe5cae78e79f876e89c3a0cabafa100dd80f8426c88.exe
Size

65KB
MD5

0cc17238884c9c6ce174237493e47d53
SHA1

e12b733dff4cb07b8944d861bf0fc006e092f5a2
SHA256

d065af6e650d3f6228a1bbe5cae78e79f876e89c3a0cabafa100dd80f8426c88
SHA512

f99fc1412b1b16896fde1c86a335abe9030ee06841d11539b8f49bfa4250bf4a255b55b248ac8246fee865dcb187e0719b56501363e7e3e8d028d4704ce8e05c

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 4 IoCs

Processes:

knowndevice.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	knowndevice.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	knowndevice.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	knowndevice.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	knowndevice.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

Processes:

knowndevice.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	knowndevice.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	knowndevice.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	knowndevice.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

knowndevice.exe

pid	process
4972	knowndevice.exe
4972	knowndevice.exe
4972	knowndevice.exe
4972	knowndevice.exe
4972	knowndevice.exe
4972	knowndevice.exe
4972	knowndevice.exe
4972	knowndevice.exe
4972	knowndevice.exe
4972	knowndevice.exe
4972	knowndevice.exe
4972	knowndevice.exe
4972	knowndevice.exe
4972	knowndevice.exe
4972	knowndevice.exe
4972	knowndevice.exe
4972	knowndevice.exe
4972	knowndevice.exe
4972	knowndevice.exe
4972	knowndevice.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

d065af6e650d3f6228a1bbe5cae78e79f876e89c3a0cabafa100dd80f8426c88.exe

pid process

2124 d065af6e650d3f6228a1bbe5cae78e79f876e89c3a0cabafa100dd80f8426c88.exe

pid	process
2124	d065af6e650d3f6228a1bbe5cae78e79f876e89c3a0cabafa100dd80f8426c88.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

d065af6e650d3f6228a1bbe5cae78e79f876e89c3a0cabafa100dd80f8426c88.exeknowndevice.exe

description	pid	process	target process
PID 2736 wrote to memory of 2124	2736	d065af6e650d3f6228a1bbe5cae78e79f876e89c3a0cabafa100dd80f8426c88.exe	d065af6e650d3f6228a1bbe5cae78e79f876e89c3a0cabafa100dd80f8426c88.exe
PID 2736 wrote to memory of 2124	2736	d065af6e650d3f6228a1bbe5cae78e79f876e89c3a0cabafa100dd80f8426c88.exe	d065af6e650d3f6228a1bbe5cae78e79f876e89c3a0cabafa100dd80f8426c88.exe
PID 2736 wrote to memory of 2124	2736	d065af6e650d3f6228a1bbe5cae78e79f876e89c3a0cabafa100dd80f8426c88.exe	d065af6e650d3f6228a1bbe5cae78e79f876e89c3a0cabafa100dd80f8426c88.exe
PID 4912 wrote to memory of 4972	4912	knowndevice.exe	knowndevice.exe
PID 4912 wrote to memory of 4972	4912	knowndevice.exe	knowndevice.exe
PID 4912 wrote to memory of 4972	4912	knowndevice.exe	knowndevice.exe

C:\Users\Admin\AppData\Local\Temp\d065af6e650d3f6228a1bbe5cae78e79f876e89c3a0cabafa100dd80f8426c88.exe
"C:\Users\Admin\AppData\Local\Temp\d065af6e650d3f6228a1bbe5cae78e79f876e89c3a0cabafa100dd80f8426c88.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Users\Admin\AppData\Local\Temp\d065af6e650d3f6228a1bbe5cae78e79f876e89c3a0cabafa100dd80f8426c88.exe
  --5aaaeb44
  2⤵
  - Suspicious behavior: RenamesItself
  PID:2124

C:\Windows\SysWOW64\knowndevice.exe
"C:\Windows\SysWOW64\knowndevice.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4912
- C:\Windows\SysWOW64\knowndevice.exe
  --70ba020f
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:4972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads