emotet | 4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29

General

Target

4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29.exe
Size

516KB
MD5

f7a31719c91770d2f7f945c5acba4116
SHA1

ac2162d2ae066bf9067ad7f8bf3697a78154ea68
SHA256

4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29
SHA512

1375dced5b7a646461d632d7069d40d69aaca2e008f16f6bbcb22ea8304ebaaa6f8d26d05da45dbe3c79b89fea9e3c048da5bd3c8823eafe7bb7376182b6a38d

Score

10^/10

emotet epoch2 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

C2

190.18.146.70:80

187.147.50.167:8080

80.11.163.139:21

178.254.6.27:7080

92.222.125.16:7080

142.44.162.209:8080

31.12.67.62:7080

45.123.3.54:443

201.250.11.236:50000

41.220.119.246:80

86.98.25.30:53

37.157.194.134:443

187.144.189.58:50000

189.209.217.49:80

31.172.240.91:8080

104.131.11.150:8080

59.152.93.46:443

190.53.135.159:21

222.214.218.192:8080

162.243.125.212:8080

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 4 IoCs

Processes:

foldersshell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	foldersshell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	foldersshell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	foldersshell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	foldersshell.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29.exe4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29.exefoldersshell.exefoldersshell.exe

description	pid	process	target process
PID 3364 set thread context of 880	3364	4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29.exe	4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29.exe
PID 1992 set thread context of 4856	1992	4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29.exe	4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29.exe
PID 4492 set thread context of 3176	4492	foldersshell.exe	foldersshell.exe
PID 4624 set thread context of 4360	4624	foldersshell.exe	foldersshell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

Processes:

foldersshell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	foldersshell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	foldersshell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	foldersshell.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

foldersshell.exe

pid	process
4360	foldersshell.exe
4360	foldersshell.exe
4360	foldersshell.exe
4360	foldersshell.exe
4360	foldersshell.exe
4360	foldersshell.exe
4360	foldersshell.exe
4360	foldersshell.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29.exe4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29.exefoldersshell.exefoldersshell.exe

pid	process
3364	4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29.exe
1992	4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29.exe
4492	foldersshell.exe
4624	foldersshell.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29.exe

pid process

4856 4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29.exe

pid	process
4856	4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29.exe4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29.exefoldersshell.exefoldersshell.exe

pid	process
3364	4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29.exe
1992	4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29.exe
4492	foldersshell.exe
4624	foldersshell.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29.exe4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29.exe4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29.exefoldersshell.exefoldersshell.exefoldersshell.exe

description	pid	process	target process
PID 3364 wrote to memory of 880	3364	4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29.exe	4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29.exe
PID 3364 wrote to memory of 880	3364	4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29.exe	4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29.exe
PID 3364 wrote to memory of 880	3364	4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29.exe	4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29.exe
PID 3364 wrote to memory of 880	3364	4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29.exe	4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29.exe
PID 880 wrote to memory of 1992	880	4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29.exe	4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29.exe
PID 880 wrote to memory of 1992	880	4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29.exe	4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29.exe
PID 880 wrote to memory of 1992	880	4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29.exe	4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29.exe
PID 1992 wrote to memory of 4856	1992	4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29.exe	4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29.exe
PID 1992 wrote to memory of 4856	1992	4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29.exe	4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29.exe
PID 1992 wrote to memory of 4856	1992	4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29.exe	4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29.exe
PID 1992 wrote to memory of 4856	1992	4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29.exe	4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29.exe
PID 4492 wrote to memory of 3176	4492	foldersshell.exe	foldersshell.exe
PID 4492 wrote to memory of 3176	4492	foldersshell.exe	foldersshell.exe
PID 4492 wrote to memory of 3176	4492	foldersshell.exe	foldersshell.exe
PID 4492 wrote to memory of 3176	4492	foldersshell.exe	foldersshell.exe
PID 3176 wrote to memory of 4624	3176	foldersshell.exe	foldersshell.exe
PID 3176 wrote to memory of 4624	3176	foldersshell.exe	foldersshell.exe
PID 3176 wrote to memory of 4624	3176	foldersshell.exe	foldersshell.exe
PID 4624 wrote to memory of 4360	4624	foldersshell.exe	foldersshell.exe
PID 4624 wrote to memory of 4360	4624	foldersshell.exe	foldersshell.exe
PID 4624 wrote to memory of 4360	4624	foldersshell.exe	foldersshell.exe
PID 4624 wrote to memory of 4360	4624	foldersshell.exe	foldersshell.exe

C:\Users\Admin\AppData\Local\Temp\4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29.exe
"C:\Users\Admin\AppData\Local\Temp\4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3364

C:\Users\Admin\AppData\Local\Temp\4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29.exe
"C:\Users\Admin\AppData\Local\Temp\4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:880

C:\Users\Admin\AppData\Local\Temp\4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29.exe
--2a94fb31
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1992

C:\Users\Admin\AppData\Local\Temp\4d8acd99b8e8b1e40b64b35dcee753a3f9073847ec1e8957e793dab849140c29.exe
--2a94fb31
4⤵
- Suspicious behavior: RenamesItself
PID:4856

C:\Windows\SysWOW64\foldersshell.exe
"C:\Windows\SysWOW64\foldersshell.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4492

C:\Windows\SysWOW64\foldersshell.exe
"C:\Windows\SysWOW64\foldersshell.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3176

C:\Windows\SysWOW64\foldersshell.exe
--361bb01d
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4624

C:\Windows\SysWOW64\foldersshell.exe
--361bb01d
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4360

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\16b5a57564fb3212f29adc807d77f3df_6bb404a8-25bc-4cef-a831-797f8d1e89c0
Filesize
1KB

MD5
06c1701ec44e58b14926f29e9eee7b2f

SHA1
b7b4715ec4c533a1fe681757e72b051368a87278

SHA256
08ff71234a710116a6fddb20d74381f26a0a7b2653e4aaf5f6b1ba54aa30403b

SHA512
5fe88a90154ff5b274cccfd18d1a30f2e3bffd510fe1ccf82192507bdbe5ae090e638d28fd7ee7107cb5113b4e38b5f9fcaa9eb1721dfc6ad0b6e1e71876e8a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3751123196-3323558407-1869646069-1000\0f5007522459c86e95ffcc62f32308f1_6bb404a8-25bc-4cef-a831-797f8d1e89c0
Filesize
1KB

MD5
9e8ffc74b30230ce8b62ae18cfc940a9

SHA1
56239ea9fe4d5ce8da204ee7f4eb44738567b357

SHA256
aed1767226cb3e6f839d34a5a813ddfa6a026d17ff5422dc4698a5f114f8befc

SHA512
af621c102291028dd50fa8dee1794f3968f8196b19f6164816c209793ba615b81d28419c6a62cefa943b4d28075fc79f28f0aa842512112c27f8ce4c96c2fcea

Download Submit
memory/880-133-0x0000000000000000-mapping.dmp

Download
memory/880-136-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1992-135-0x0000000000000000-mapping.dmp

Download
memory/1992-138-0x0000000002180000-0x0000000002196000-memory.dmp

Filesize
88KB

Download
memory/3176-146-0x0000000000000000-mapping.dmp

Download
memory/3364-130-0x00000000022C0000-0x00000000022D6000-memory.dmp

Filesize
88KB

Download
memory/3364-134-0x0000000002280000-0x0000000002295000-memory.dmp

Filesize
84KB

Download
memory/4360-155-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4360-154-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4360-153-0x0000000000000000-mapping.dmp

Download
memory/4492-143-0x0000000000E30000-0x0000000000E46000-memory.dmp

Filesize
88KB

Download
memory/4624-150-0x0000000000E40000-0x0000000000E56000-memory.dmp

Filesize
88KB

Download
memory/4624-147-0x0000000000000000-mapping.dmp

Download
memory/4856-148-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4856-142-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4856-141-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads