emotet | 9fc295b4046b38f0020b30dab546c31d1b4464c0494ee8d1cbf0d6c7d58b35f3

General

Target

9fc295b4046b38f0020b30dab546c31d1b4464c0494ee8d1cbf0d6c7d58b35f3.exe
Size

59KB
MD5

7bb08b410ea79f92cbe93691e591126a
SHA1

fe847199a6b0b2dc6edff5b6044c767108755b40
SHA256

9fc295b4046b38f0020b30dab546c31d1b4464c0494ee8d1cbf0d6c7d58b35f3
SHA512

1a9027de68edcfc73d567b669720521c60f8a27a98c52053d24cd5e3ae982a3e43ac5d33c77617b1d78f92801c16694cc8ac2cebab12e8dab303bf27a29dca46

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 4 IoCs

Processes:

sinephotos.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	sinephotos.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	sinephotos.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	sinephotos.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	sinephotos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

Processes:

sinephotos.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	sinephotos.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	sinephotos.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	sinephotos.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

sinephotos.exe

pid	process
2252	sinephotos.exe
2252	sinephotos.exe
2252	sinephotos.exe
2252	sinephotos.exe
2252	sinephotos.exe
2252	sinephotos.exe
2252	sinephotos.exe
2252	sinephotos.exe
2252	sinephotos.exe
2252	sinephotos.exe
2252	sinephotos.exe
2252	sinephotos.exe
2252	sinephotos.exe
2252	sinephotos.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

9fc295b4046b38f0020b30dab546c31d1b4464c0494ee8d1cbf0d6c7d58b35f3.exe

pid process

3764 9fc295b4046b38f0020b30dab546c31d1b4464c0494ee8d1cbf0d6c7d58b35f3.exe

pid	process
3764	9fc295b4046b38f0020b30dab546c31d1b4464c0494ee8d1cbf0d6c7d58b35f3.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

9fc295b4046b38f0020b30dab546c31d1b4464c0494ee8d1cbf0d6c7d58b35f3.exesinephotos.exe

description	pid	process	target process
PID 3736 wrote to memory of 3764	3736	9fc295b4046b38f0020b30dab546c31d1b4464c0494ee8d1cbf0d6c7d58b35f3.exe	9fc295b4046b38f0020b30dab546c31d1b4464c0494ee8d1cbf0d6c7d58b35f3.exe
PID 3736 wrote to memory of 3764	3736	9fc295b4046b38f0020b30dab546c31d1b4464c0494ee8d1cbf0d6c7d58b35f3.exe	9fc295b4046b38f0020b30dab546c31d1b4464c0494ee8d1cbf0d6c7d58b35f3.exe
PID 3736 wrote to memory of 3764	3736	9fc295b4046b38f0020b30dab546c31d1b4464c0494ee8d1cbf0d6c7d58b35f3.exe	9fc295b4046b38f0020b30dab546c31d1b4464c0494ee8d1cbf0d6c7d58b35f3.exe
PID 1716 wrote to memory of 2252	1716	sinephotos.exe	sinephotos.exe
PID 1716 wrote to memory of 2252	1716	sinephotos.exe	sinephotos.exe
PID 1716 wrote to memory of 2252	1716	sinephotos.exe	sinephotos.exe

C:\Users\Admin\AppData\Local\Temp\9fc295b4046b38f0020b30dab546c31d1b4464c0494ee8d1cbf0d6c7d58b35f3.exe
"C:\Users\Admin\AppData\Local\Temp\9fc295b4046b38f0020b30dab546c31d1b4464c0494ee8d1cbf0d6c7d58b35f3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3736
- C:\Users\Admin\AppData\Local\Temp\9fc295b4046b38f0020b30dab546c31d1b4464c0494ee8d1cbf0d6c7d58b35f3.exe
  --2ef02f5e
  2⤵
  - Suspicious behavior: RenamesItself
  PID:3764

C:\Windows\SysWOW64\sinephotos.exe
"C:\Windows\SysWOW64\sinephotos.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Windows\SysWOW64\sinephotos.exe
  --6c48bfc0
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2252

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads