emotet | 18800172b307039b3c4450e9deb66b6890de64a077d37dab4228c621cfa47163

General

Target

18800172b307039b3c4450e9deb66b6890de64a077d37dab4228c621cfa47163.exe
Size

140KB
MD5

db298d024b82bba33c2744fe5472f217
SHA1

3960999598f3e7a42b31357b2b0ea2677d7a81a2
SHA256

18800172b307039b3c4450e9deb66b6890de64a077d37dab4228c621cfa47163
SHA512

75b3916d0ad21386630e375b0cf4fda4f794dd9b59c2e7ed4869522842650ef2a520682c43c7730d0a45d4dd5015cd797f19d316da0f78fc67a425dd2d14b0d8

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 4 IoCs

Processes:

waitals.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	waitals.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	waitals.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	waitals.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	waitals.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

Processes:

waitals.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	waitals.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	waitals.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	waitals.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

18800172b307039b3c4450e9deb66b6890de64a077d37dab4228c621cfa47163.exe18800172b307039b3c4450e9deb66b6890de64a077d37dab4228c621cfa47163.exewaitals.exewaitals.exe

pid	process
904	18800172b307039b3c4450e9deb66b6890de64a077d37dab4228c621cfa47163.exe
904	18800172b307039b3c4450e9deb66b6890de64a077d37dab4228c621cfa47163.exe
4644	18800172b307039b3c4450e9deb66b6890de64a077d37dab4228c621cfa47163.exe
4644	18800172b307039b3c4450e9deb66b6890de64a077d37dab4228c621cfa47163.exe
3620	waitals.exe
3620	waitals.exe
3916	waitals.exe
3916	waitals.exe
3916	waitals.exe
3916	waitals.exe
3916	waitals.exe
3916	waitals.exe
3916	waitals.exe
3916	waitals.exe
3916	waitals.exe
3916	waitals.exe
3916	waitals.exe
3916	waitals.exe
3916	waitals.exe
3916	waitals.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

18800172b307039b3c4450e9deb66b6890de64a077d37dab4228c621cfa47163.exe

pid process

4644 18800172b307039b3c4450e9deb66b6890de64a077d37dab4228c621cfa47163.exe

pid	process
4644	18800172b307039b3c4450e9deb66b6890de64a077d37dab4228c621cfa47163.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

18800172b307039b3c4450e9deb66b6890de64a077d37dab4228c621cfa47163.exewaitals.exe

description	pid	process	target process
PID 904 wrote to memory of 4644	904	18800172b307039b3c4450e9deb66b6890de64a077d37dab4228c621cfa47163.exe	18800172b307039b3c4450e9deb66b6890de64a077d37dab4228c621cfa47163.exe
PID 904 wrote to memory of 4644	904	18800172b307039b3c4450e9deb66b6890de64a077d37dab4228c621cfa47163.exe	18800172b307039b3c4450e9deb66b6890de64a077d37dab4228c621cfa47163.exe
PID 904 wrote to memory of 4644	904	18800172b307039b3c4450e9deb66b6890de64a077d37dab4228c621cfa47163.exe	18800172b307039b3c4450e9deb66b6890de64a077d37dab4228c621cfa47163.exe
PID 3620 wrote to memory of 3916	3620	waitals.exe	waitals.exe
PID 3620 wrote to memory of 3916	3620	waitals.exe	waitals.exe
PID 3620 wrote to memory of 3916	3620	waitals.exe	waitals.exe

C:\Users\Admin\AppData\Local\Temp\18800172b307039b3c4450e9deb66b6890de64a077d37dab4228c621cfa47163.exe
"C:\Users\Admin\AppData\Local\Temp\18800172b307039b3c4450e9deb66b6890de64a077d37dab4228c621cfa47163.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:904
- C:\Users\Admin\AppData\Local\Temp\18800172b307039b3c4450e9deb66b6890de64a077d37dab4228c621cfa47163.exe
  "C:\Users\Admin\AppData\Local\Temp\18800172b307039b3c4450e9deb66b6890de64a077d37dab4228c621cfa47163.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  PID:4644

C:\Windows\SysWOW64\waitals.exe
"C:\Windows\SysWOW64\waitals.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3620
- C:\Windows\SysWOW64\waitals.exe
  "C:\Windows\SysWOW64\waitals.exe"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:3916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/904-143-0x00000000005E0000-0x00000000005ED000-memory.dmp

Filesize
52KB

Download
memory/904-134-0x00000000005F0000-0x00000000005FD000-memory.dmp

Filesize
52KB

Download
memory/904-135-0x00000000005E0000-0x00000000005ED000-memory.dmp

Filesize
52KB

Download
memory/904-136-0x0000000000710000-0x0000000000720000-memory.dmp

Filesize
64KB

Download
memory/904-130-0x00000000005F0000-0x00000000005FD000-memory.dmp

Filesize
52KB

Download
memory/3620-157-0x0000000000590000-0x000000000059D000-memory.dmp

Filesize
52KB

Download
memory/3620-158-0x00000000009A0000-0x00000000009B0000-memory.dmp

Filesize
64KB

Download
memory/3620-146-0x0000000000990000-0x000000000099D000-memory.dmp

Filesize
52KB

Download
memory/3620-150-0x0000000000990000-0x000000000099D000-memory.dmp

Filesize
52KB

Download
memory/3916-162-0x0000000000500000-0x000000000050D000-memory.dmp

Filesize
52KB

Download
memory/3916-161-0x00000000009A0000-0x00000000009B0000-memory.dmp

Filesize
64KB

Download
memory/3916-160-0x0000000000500000-0x000000000050D000-memory.dmp

Filesize
52KB

Download
memory/3916-151-0x0000000000000000-mapping.dmp

Download
memory/3916-152-0x00000000006C0000-0x00000000006CD000-memory.dmp

Filesize
52KB

Download
memory/3916-156-0x00000000006C0000-0x00000000006CD000-memory.dmp

Filesize
52KB

Download
memory/4644-145-0x00000000005D0000-0x00000000005E0000-memory.dmp

Filesize
64KB

Download
memory/4644-137-0x0000000000000000-mapping.dmp

Download
memory/4644-159-0x00000000004D0000-0x00000000004DD000-memory.dmp

Filesize
52KB

Download
memory/4644-142-0x00000000004E0000-0x00000000004ED000-memory.dmp

Filesize
52KB

Download
memory/4644-144-0x00000000004D0000-0x00000000004DD000-memory.dmp

Filesize
52KB

Download
memory/4644-138-0x00000000004E0000-0x00000000004ED000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads