emotet | 18800172b307039b3c4450e9deb66b6890de64a077d37dab4228c621cfa47163

General

Target

18800172b307039b3c4450e9deb66b6890de64a077d37dab4228c621cfa47163.exe
Size

140KB
MD5

db298d024b82bba33c2744fe5472f217
SHA1

3960999598f3e7a42b31357b2b0ea2677d7a81a2
SHA256

18800172b307039b3c4450e9deb66b6890de64a077d37dab4228c621cfa47163
SHA512

75b3916d0ad21386630e375b0cf4fda4f794dd9b59c2e7ed4869522842650ef2a520682c43c7730d0a45d4dd5015cd797f19d316da0f78fc67a425dd2d14b0d8

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 1 IoCs

Processes:

wscapimarkers.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	wscapimarkers.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 21 IoCs

Processes:

wscapimarkers.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	wscapimarkers.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	wscapimarkers.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	wscapimarkers.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F89AED28-36C9-44BA-B75A-D975843AC504}	wscapimarkers.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F89AED28-36C9-44BA-B75A-D975843AC504}\WpadDecision = "0"	wscapimarkers.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	wscapimarkers.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	wscapimarkers.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F89AED28-36C9-44BA-B75A-D975843AC504}\WpadNetworkName = "Network"	wscapimarkers.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\26-51-70-1a-3f-ec	wscapimarkers.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\26-51-70-1a-3f-ec\WpadDecisionTime = 10c7612f797bd801	wscapimarkers.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\26-51-70-1a-3f-ec\WpadDecision = "0"	wscapimarkers.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	wscapimarkers.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	wscapimarkers.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0092000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	wscapimarkers.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F89AED28-36C9-44BA-B75A-D975843AC504}\WpadDecisionReason = "1"	wscapimarkers.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F89AED28-36C9-44BA-B75A-D975843AC504}\WpadDecisionTime = 10c7612f797bd801	wscapimarkers.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	wscapimarkers.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	wscapimarkers.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	wscapimarkers.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F89AED28-36C9-44BA-B75A-D975843AC504}\26-51-70-1a-3f-ec	wscapimarkers.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\26-51-70-1a-3f-ec\WpadDecisionReason = "1"	wscapimarkers.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

18800172b307039b3c4450e9deb66b6890de64a077d37dab4228c621cfa47163.exe18800172b307039b3c4450e9deb66b6890de64a077d37dab4228c621cfa47163.exewscapimarkers.exewscapimarkers.exe

pid	process
1764	18800172b307039b3c4450e9deb66b6890de64a077d37dab4228c621cfa47163.exe
908	18800172b307039b3c4450e9deb66b6890de64a077d37dab4228c621cfa47163.exe
1288	wscapimarkers.exe
1380	wscapimarkers.exe
1380	wscapimarkers.exe
1380	wscapimarkers.exe
1380	wscapimarkers.exe
1380	wscapimarkers.exe
1380	wscapimarkers.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

18800172b307039b3c4450e9deb66b6890de64a077d37dab4228c621cfa47163.exe

pid process

908 18800172b307039b3c4450e9deb66b6890de64a077d37dab4228c621cfa47163.exe

pid	process
908	18800172b307039b3c4450e9deb66b6890de64a077d37dab4228c621cfa47163.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

18800172b307039b3c4450e9deb66b6890de64a077d37dab4228c621cfa47163.exewscapimarkers.exe

description	pid	process	target process
PID 1764 wrote to memory of 908	1764	18800172b307039b3c4450e9deb66b6890de64a077d37dab4228c621cfa47163.exe	18800172b307039b3c4450e9deb66b6890de64a077d37dab4228c621cfa47163.exe
PID 1764 wrote to memory of 908	1764	18800172b307039b3c4450e9deb66b6890de64a077d37dab4228c621cfa47163.exe	18800172b307039b3c4450e9deb66b6890de64a077d37dab4228c621cfa47163.exe
PID 1764 wrote to memory of 908	1764	18800172b307039b3c4450e9deb66b6890de64a077d37dab4228c621cfa47163.exe	18800172b307039b3c4450e9deb66b6890de64a077d37dab4228c621cfa47163.exe
PID 1764 wrote to memory of 908	1764	18800172b307039b3c4450e9deb66b6890de64a077d37dab4228c621cfa47163.exe	18800172b307039b3c4450e9deb66b6890de64a077d37dab4228c621cfa47163.exe
PID 1288 wrote to memory of 1380	1288	wscapimarkers.exe	wscapimarkers.exe
PID 1288 wrote to memory of 1380	1288	wscapimarkers.exe	wscapimarkers.exe
PID 1288 wrote to memory of 1380	1288	wscapimarkers.exe	wscapimarkers.exe
PID 1288 wrote to memory of 1380	1288	wscapimarkers.exe	wscapimarkers.exe

C:\Users\Admin\AppData\Local\Temp\18800172b307039b3c4450e9deb66b6890de64a077d37dab4228c621cfa47163.exe
"C:\Users\Admin\AppData\Local\Temp\18800172b307039b3c4450e9deb66b6890de64a077d37dab4228c621cfa47163.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Users\Admin\AppData\Local\Temp\18800172b307039b3c4450e9deb66b6890de64a077d37dab4228c621cfa47163.exe
  "C:\Users\Admin\AppData\Local\Temp\18800172b307039b3c4450e9deb66b6890de64a077d37dab4228c621cfa47163.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  PID:908

C:\Windows\SysWOW64\wscapimarkers.exe
"C:\Windows\SysWOW64\wscapimarkers.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Windows\SysWOW64\wscapimarkers.exe
  "C:\Windows\SysWOW64\wscapimarkers.exe"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:1380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/908-68-0x0000000000300000-0x0000000000310000-memory.dmp

Filesize
64KB

Download
memory/908-67-0x0000000000240000-0x000000000024D000-memory.dmp

Filesize
52KB

Download
memory/908-69-0x0000000074F91000-0x0000000074F93000-memory.dmp

Filesize
8KB

Download
memory/908-83-0x0000000000240000-0x000000000024D000-memory.dmp

Filesize
52KB

Download
memory/908-64-0x00000000002F0000-0x00000000002FD000-memory.dmp

Filesize
52KB

Download
memory/908-60-0x00000000002F0000-0x00000000002FD000-memory.dmp

Filesize
52KB

Download
memory/908-59-0x0000000000000000-mapping.dmp

Download
memory/1288-81-0x00000000001C0000-0x00000000001CD000-memory.dmp

Filesize
52KB

Download
memory/1288-74-0x0000000000250000-0x000000000025D000-memory.dmp

Filesize
52KB

Download
memory/1288-82-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/1288-70-0x0000000000250000-0x000000000025D000-memory.dmp

Filesize
52KB

Download
memory/1380-86-0x0000000000250000-0x000000000025D000-memory.dmp

Filesize
52KB

Download
memory/1380-75-0x0000000000000000-mapping.dmp

Download
memory/1380-85-0x0000000000250000-0x000000000025D000-memory.dmp

Filesize
52KB

Download
memory/1764-66-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download
memory/1764-65-0x0000000000250000-0x000000000025D000-memory.dmp

Filesize
52KB

Download
memory/1764-58-0x0000000000260000-0x000000000026D000-memory.dmp

Filesize
52KB

Download
memory/1764-54-0x0000000000260000-0x000000000026D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads