emotet | 5d4c36b4986c34336f188e1782f1ac8f650d30de84578e78fbaa8b2e6d479cb6

General

Target

5d4c36b4986c34336f188e1782f1ac8f650d30de84578e78fbaa8b2e6d479cb6.exe
Size

78KB
MD5

04f8bea5c6d6bb8336e85afb32804945
SHA1

5181f6572f0a810b2e8a0d5ab5005b35c044c0c0
SHA256

5d4c36b4986c34336f188e1782f1ac8f650d30de84578e78fbaa8b2e6d479cb6
SHA512

e50a12fc6ead5b4627a8b301254ab4ea629b055eed0e7a20a38e6fd8a284b1461ae8e3da09e7b6f9bcaca019b977ce5dc6a86d6be32cd68fa6a0dfc320b888f2

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 4 IoCs

Processes:

lclcpl.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	lclcpl.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	lclcpl.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	lclcpl.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	lclcpl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

Processes:

lclcpl.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	lclcpl.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	lclcpl.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	lclcpl.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

lclcpl.exe

pid	process
4032	lclcpl.exe
4032	lclcpl.exe
4032	lclcpl.exe
4032	lclcpl.exe
4032	lclcpl.exe
4032	lclcpl.exe
4032	lclcpl.exe
4032	lclcpl.exe
4032	lclcpl.exe
4032	lclcpl.exe
4032	lclcpl.exe
4032	lclcpl.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

5d4c36b4986c34336f188e1782f1ac8f650d30de84578e78fbaa8b2e6d479cb6.exe

pid process

988 5d4c36b4986c34336f188e1782f1ac8f650d30de84578e78fbaa8b2e6d479cb6.exe

pid	process
988	5d4c36b4986c34336f188e1782f1ac8f650d30de84578e78fbaa8b2e6d479cb6.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

5d4c36b4986c34336f188e1782f1ac8f650d30de84578e78fbaa8b2e6d479cb6.exelclcpl.exe

description	pid	process	target process
PID 624 wrote to memory of 988	624	5d4c36b4986c34336f188e1782f1ac8f650d30de84578e78fbaa8b2e6d479cb6.exe	5d4c36b4986c34336f188e1782f1ac8f650d30de84578e78fbaa8b2e6d479cb6.exe
PID 624 wrote to memory of 988	624	5d4c36b4986c34336f188e1782f1ac8f650d30de84578e78fbaa8b2e6d479cb6.exe	5d4c36b4986c34336f188e1782f1ac8f650d30de84578e78fbaa8b2e6d479cb6.exe
PID 624 wrote to memory of 988	624	5d4c36b4986c34336f188e1782f1ac8f650d30de84578e78fbaa8b2e6d479cb6.exe	5d4c36b4986c34336f188e1782f1ac8f650d30de84578e78fbaa8b2e6d479cb6.exe
PID 2996 wrote to memory of 4032	2996	lclcpl.exe	lclcpl.exe
PID 2996 wrote to memory of 4032	2996	lclcpl.exe	lclcpl.exe
PID 2996 wrote to memory of 4032	2996	lclcpl.exe	lclcpl.exe

C:\Users\Admin\AppData\Local\Temp\5d4c36b4986c34336f188e1782f1ac8f650d30de84578e78fbaa8b2e6d479cb6.exe
"C:\Users\Admin\AppData\Local\Temp\5d4c36b4986c34336f188e1782f1ac8f650d30de84578e78fbaa8b2e6d479cb6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:624
- C:\Users\Admin\AppData\Local\Temp\5d4c36b4986c34336f188e1782f1ac8f650d30de84578e78fbaa8b2e6d479cb6.exe
  --15e45428
  2⤵
  - Suspicious behavior: RenamesItself
  PID:988

C:\Windows\SysWOW64\lclcpl.exe
"C:\Windows\SysWOW64\lclcpl.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Windows\SysWOW64\lclcpl.exe
  --fab7ae7c
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:4032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads