emotet | 34222f81e9d8bd85c6b6e66b94da2d1e118f29d206b12b323abc81ad94bd55a0

General

Target

34222f81e9d8bd85c6b6e66b94da2d1e118f29d206b12b323abc81ad94bd55a0.exe
Size

275KB
MD5

0edc1d0416e429be7b5622bbd8332737
SHA1

80f03cf8b4cd9a30259593ee906cf61701032c79
SHA256

34222f81e9d8bd85c6b6e66b94da2d1e118f29d206b12b323abc81ad94bd55a0
SHA512

73256722267499dbc8cffc43f8fbca6fd3f10a4b02f967455f215e830a944c70c78832a9d5f25b1cc31c1286c3adaf529b7923faccbe65f95001413b354a9948

Score

10^/10

emotet epoch1 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch1

C2

181.123.0.125:80

119.159.150.176:443

184.69.214.94:20

80.240.141.141:7080

185.187.198.10:8080

46.41.134.46:8080

178.249.187.151:8080

217.199.160.224:8080

186.83.133.253:8080

23.92.22.225:7080

212.71.237.140:8080

190.221.50.210:8080

187.199.158.226:443

185.86.148.222:8080

200.58.171.51:80

77.245.101.134:8080

201.163.74.202:443

203.25.159.3:8080

183.82.97.25:80

51.15.8.192:8080

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	windowinset.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	windowinset.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	windowinset.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	windowinset.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 816 set thread context of 4136	816	34222f81e9d8bd85c6b6e66b94da2d1e118f29d206b12b323abc81ad94bd55a0.exe	79
PID 4668 set thread context of 5080	4668	34222f81e9d8bd85c6b6e66b94da2d1e118f29d206b12b323abc81ad94bd55a0.exe	81
PID 1524 set thread context of 3024	1524	windowinset.exe	83
PID 4712 set thread context of 4184	4712	windowinset.exe	85

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	windowinset.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	windowinset.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	windowinset.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4184	windowinset.exe
4184	windowinset.exe
4184	windowinset.exe
4184	windowinset.exe
4184	windowinset.exe
4184	windowinset.exe
4184	windowinset.exe
4184	windowinset.exe
4184	windowinset.exe
4184	windowinset.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
816	34222f81e9d8bd85c6b6e66b94da2d1e118f29d206b12b323abc81ad94bd55a0.exe
4668	34222f81e9d8bd85c6b6e66b94da2d1e118f29d206b12b323abc81ad94bd55a0.exe
1524	windowinset.exe
4712	windowinset.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
5080	34222f81e9d8bd85c6b6e66b94da2d1e118f29d206b12b323abc81ad94bd55a0.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
816	34222f81e9d8bd85c6b6e66b94da2d1e118f29d206b12b323abc81ad94bd55a0.exe
4668	34222f81e9d8bd85c6b6e66b94da2d1e118f29d206b12b323abc81ad94bd55a0.exe
1524	windowinset.exe
4712	windowinset.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 816 wrote to memory of 4136	816	34222f81e9d8bd85c6b6e66b94da2d1e118f29d206b12b323abc81ad94bd55a0.exe	79
PID 816 wrote to memory of 4136	816	34222f81e9d8bd85c6b6e66b94da2d1e118f29d206b12b323abc81ad94bd55a0.exe	79
PID 816 wrote to memory of 4136	816	34222f81e9d8bd85c6b6e66b94da2d1e118f29d206b12b323abc81ad94bd55a0.exe	79
PID 816 wrote to memory of 4136	816	34222f81e9d8bd85c6b6e66b94da2d1e118f29d206b12b323abc81ad94bd55a0.exe	79
PID 4136 wrote to memory of 4668	4136	34222f81e9d8bd85c6b6e66b94da2d1e118f29d206b12b323abc81ad94bd55a0.exe	80
PID 4136 wrote to memory of 4668	4136	34222f81e9d8bd85c6b6e66b94da2d1e118f29d206b12b323abc81ad94bd55a0.exe	80
PID 4136 wrote to memory of 4668	4136	34222f81e9d8bd85c6b6e66b94da2d1e118f29d206b12b323abc81ad94bd55a0.exe	80
PID 4668 wrote to memory of 5080	4668	34222f81e9d8bd85c6b6e66b94da2d1e118f29d206b12b323abc81ad94bd55a0.exe	81
PID 4668 wrote to memory of 5080	4668	34222f81e9d8bd85c6b6e66b94da2d1e118f29d206b12b323abc81ad94bd55a0.exe	81
PID 4668 wrote to memory of 5080	4668	34222f81e9d8bd85c6b6e66b94da2d1e118f29d206b12b323abc81ad94bd55a0.exe	81
PID 4668 wrote to memory of 5080	4668	34222f81e9d8bd85c6b6e66b94da2d1e118f29d206b12b323abc81ad94bd55a0.exe	81
PID 1524 wrote to memory of 3024	1524	windowinset.exe	83
PID 1524 wrote to memory of 3024	1524	windowinset.exe	83
PID 1524 wrote to memory of 3024	1524	windowinset.exe	83
PID 1524 wrote to memory of 3024	1524	windowinset.exe	83
PID 3024 wrote to memory of 4712	3024	windowinset.exe	84
PID 3024 wrote to memory of 4712	3024	windowinset.exe	84
PID 3024 wrote to memory of 4712	3024	windowinset.exe	84
PID 4712 wrote to memory of 4184	4712	windowinset.exe	85
PID 4712 wrote to memory of 4184	4712	windowinset.exe	85
PID 4712 wrote to memory of 4184	4712	windowinset.exe	85
PID 4712 wrote to memory of 4184	4712	windowinset.exe	85

C:\Users\Admin\AppData\Local\Temp\34222f81e9d8bd85c6b6e66b94da2d1e118f29d206b12b323abc81ad94bd55a0.exe
"C:\Users\Admin\AppData\Local\Temp\34222f81e9d8bd85c6b6e66b94da2d1e118f29d206b12b323abc81ad94bd55a0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:816
- C:\Users\Admin\AppData\Local\Temp\34222f81e9d8bd85c6b6e66b94da2d1e118f29d206b12b323abc81ad94bd55a0.exe
  "C:\Users\Admin\AppData\Local\Temp\34222f81e9d8bd85c6b6e66b94da2d1e118f29d206b12b323abc81ad94bd55a0.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4136
- - C:\Users\Admin\AppData\Local\Temp\34222f81e9d8bd85c6b6e66b94da2d1e118f29d206b12b323abc81ad94bd55a0.exe
    --2c4a6959
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4668
  - - C:\Users\Admin\AppData\Local\Temp\34222f81e9d8bd85c6b6e66b94da2d1e118f29d206b12b323abc81ad94bd55a0.exe
      --2c4a6959
      4⤵
      Suspicious behavior: RenamesItself
      PID:5080

C:\Windows\SysWOW64\windowinset.exe
"C:\Windows\SysWOW64\windowinset.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Windows\SysWOW64\windowinset.exe
  "C:\Windows\SysWOW64\windowinset.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Windows\SysWOW64\windowinset.exe
    --80c3ad83
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4712
  - - C:\Windows\SysWOW64\windowinset.exe
      --80c3ad83
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      PID:4184

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/816-130-0x0000000002280000-0x0000000002294000-memory.dmp

Filesize
80KB

Download
memory/816-134-0x0000000002260000-0x0000000002273000-memory.dmp

Filesize
76KB

Download
memory/1524-142-0x0000000000DF0000-0x0000000000E04000-memory.dmp

Filesize
80KB

Download
memory/4136-136-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4184-152-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4184-153-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4668-137-0x0000000002040000-0x0000000002054000-memory.dmp

Filesize
80KB

Download
memory/4712-148-0x0000000000E10000-0x0000000000E24000-memory.dmp

Filesize
80KB

Download
memory/5080-141-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5080-147-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing