emotet | 7f3e486aa756ead0ab26785b70608e6bd601abc3187e3364d7399d879654fd77

General

Target

7f3e486aa756ead0ab26785b70608e6bd601abc3187e3364d7399d879654fd77.exe
Size

58KB
MD5

8e7208eb64c1d0081c7f1fb31be0f82a
SHA1

9ef1d16d997e656a24cc34e0aa4121521166d63f
SHA256

7f3e486aa756ead0ab26785b70608e6bd601abc3187e3364d7399d879654fd77
SHA512

765289eeddde4a43ae9c870aadb901a01564f6552415d5c2bfbb8e18792b3b0db2ecedd826fbce8cf0925a5dc276756eb3d58f1862455f732fe994dcda7d1528

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 1 IoCs

Processes:

sddlstarted.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	sddlstarted.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 25 IoCs

Processes:

sddlstarted.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	sddlstarted.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	sddlstarted.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8BDB93CF-3A3E-41C4-B703-730F6AC49D02}	sddlstarted.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8BDB93CF-3A3E-41C4-B703-730F6AC49D02}\WpadDecisionTime = 90d244d09f31d801	sddlstarted.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	sddlstarted.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	sddlstarted.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0093000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sddlstarted.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\16-63-c6-f9-a1-fd\WpadDecisionReason = "1"	sddlstarted.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\16-63-c6-f9-a1-fd\WpadDecisionTime = f0af41969f31d801	sddlstarted.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\16-63-c6-f9-a1-fd\WpadDecisionTime = 90d244d09f31d801	sddlstarted.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	sddlstarted.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	sddlstarted.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8BDB93CF-3A3E-41C4-B703-730F6AC49D02}\WpadDecision = "0"	sddlstarted.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8BDB93CF-3A3E-41C4-B703-730F6AC49D02}\WpadNetworkName = "Network 3"	sddlstarted.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\16-63-c6-f9-a1-fd	sddlstarted.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\16-63-c6-f9-a1-fd\WpadDecision = "0"	sddlstarted.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\16-63-c6-f9-a1-fd\WpadDetectedUrl	sddlstarted.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0093000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sddlstarted.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sddlstarted.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	sddlstarted.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sddlstarted.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	sddlstarted.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8BDB93CF-3A3E-41C4-B703-730F6AC49D02}\WpadDecisionReason = "1"	sddlstarted.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8BDB93CF-3A3E-41C4-B703-730F6AC49D02}\WpadDecisionTime = f0af41969f31d801	sddlstarted.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8BDB93CF-3A3E-41C4-B703-730F6AC49D02}\16-63-c6-f9-a1-fd	sddlstarted.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

sddlstarted.exe

pid process

752 sddlstarted.exe
752 sddlstarted.exe
752 sddlstarted.exe
752 sddlstarted.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

7f3e486aa756ead0ab26785b70608e6bd601abc3187e3364d7399d879654fd77.exe

pid process

964 7f3e486aa756ead0ab26785b70608e6bd601abc3187e3364d7399d879654fd77.exe

pid	process
752	sddlstarted.exe
752	sddlstarted.exe
752	sddlstarted.exe
752	sddlstarted.exe

pid	process
964	7f3e486aa756ead0ab26785b70608e6bd601abc3187e3364d7399d879654fd77.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

7f3e486aa756ead0ab26785b70608e6bd601abc3187e3364d7399d879654fd77.exesddlstarted.exe

description	pid	process	target process
PID 944 wrote to memory of 964	944	7f3e486aa756ead0ab26785b70608e6bd601abc3187e3364d7399d879654fd77.exe	7f3e486aa756ead0ab26785b70608e6bd601abc3187e3364d7399d879654fd77.exe
PID 944 wrote to memory of 964	944	7f3e486aa756ead0ab26785b70608e6bd601abc3187e3364d7399d879654fd77.exe	7f3e486aa756ead0ab26785b70608e6bd601abc3187e3364d7399d879654fd77.exe
PID 944 wrote to memory of 964	944	7f3e486aa756ead0ab26785b70608e6bd601abc3187e3364d7399d879654fd77.exe	7f3e486aa756ead0ab26785b70608e6bd601abc3187e3364d7399d879654fd77.exe
PID 944 wrote to memory of 964	944	7f3e486aa756ead0ab26785b70608e6bd601abc3187e3364d7399d879654fd77.exe	7f3e486aa756ead0ab26785b70608e6bd601abc3187e3364d7399d879654fd77.exe
PID 528 wrote to memory of 752	528	sddlstarted.exe	sddlstarted.exe
PID 528 wrote to memory of 752	528	sddlstarted.exe	sddlstarted.exe
PID 528 wrote to memory of 752	528	sddlstarted.exe	sddlstarted.exe
PID 528 wrote to memory of 752	528	sddlstarted.exe	sddlstarted.exe

C:\Users\Admin\AppData\Local\Temp\7f3e486aa756ead0ab26785b70608e6bd601abc3187e3364d7399d879654fd77.exe
"C:\Users\Admin\AppData\Local\Temp\7f3e486aa756ead0ab26785b70608e6bd601abc3187e3364d7399d879654fd77.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:944
- C:\Users\Admin\AppData\Local\Temp\7f3e486aa756ead0ab26785b70608e6bd601abc3187e3364d7399d879654fd77.exe
  --eaf6d906
  2⤵
  - Suspicious behavior: RenamesItself
  PID:964

C:\Windows\SysWOW64\sddlstarted.exe
"C:\Windows\SysWOW64\sddlstarted.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:528
- C:\Windows\SysWOW64\sddlstarted.exe
  --7dec83de
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:752

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/964-55-0x0000000074EC1000-0x0000000074EC3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads