emotet | 46492e74843cad3c1737eb6574a23860f6d06bb6ded87cfa60813f6a2733651b

General

Target

46492e74843cad3c1737eb6574a23860f6d06bb6ded87cfa60813f6a2733651b.exe
Size

107KB
MD5

2713803ed23c454fa465882d919de3a3
SHA1

9e143c0e0fb22c132aec6dffeac137bee7bf8008
SHA256

46492e74843cad3c1737eb6574a23860f6d06bb6ded87cfa60813f6a2733651b
SHA512

ed35ef97a281736228e65de3967f95fa00fa8598bd7c77175e93d7f77cc7039afd170f310d8b3108219716349bbe39a54d7ef6f0573a8f6c1999bff51e7eb078

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	certapp.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	certapp.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	certapp.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	certapp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	certapp.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	certapp.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	certapp.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
100	certapp.exe
100	certapp.exe
100	certapp.exe
100	certapp.exe
100	certapp.exe
100	certapp.exe
100	certapp.exe
100	certapp.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1352	46492e74843cad3c1737eb6574a23860f6d06bb6ded87cfa60813f6a2733651b.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3316 wrote to memory of 1352	3316	46492e74843cad3c1737eb6574a23860f6d06bb6ded87cfa60813f6a2733651b.exe	82
PID 3316 wrote to memory of 1352	3316	46492e74843cad3c1737eb6574a23860f6d06bb6ded87cfa60813f6a2733651b.exe	82
PID 3316 wrote to memory of 1352	3316	46492e74843cad3c1737eb6574a23860f6d06bb6ded87cfa60813f6a2733651b.exe	82
PID 232 wrote to memory of 100	232	certapp.exe	86
PID 232 wrote to memory of 100	232	certapp.exe	86
PID 232 wrote to memory of 100	232	certapp.exe	86

C:\Users\Admin\AppData\Local\Temp\46492e74843cad3c1737eb6574a23860f6d06bb6ded87cfa60813f6a2733651b.exe
"C:\Users\Admin\AppData\Local\Temp\46492e74843cad3c1737eb6574a23860f6d06bb6ded87cfa60813f6a2733651b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3316
- C:\Users\Admin\AppData\Local\Temp\46492e74843cad3c1737eb6574a23860f6d06bb6ded87cfa60813f6a2733651b.exe
  "C:\Users\Admin\AppData\Local\Temp\46492e74843cad3c1737eb6574a23860f6d06bb6ded87cfa60813f6a2733651b.exe"
  2⤵
  - Suspicious behavior: RenamesItself
  PID:1352

C:\Windows\SysWOW64\certapp.exe
C:\Windows\SysWOW64\certapp.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:232
- C:\Windows\SysWOW64\certapp.exe
  "C:\Windows\SysWOW64\certapp.exe"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/100-161-0x00000000005A0000-0x00000000005AE000-memory.dmp

Filesize
56KB

Download
memory/100-160-0x0000000000E30000-0x0000000000E40000-memory.dmp

Filesize
64KB

Download
memory/100-159-0x00000000005A0000-0x00000000005AE000-memory.dmp

Filesize
56KB

Download
memory/100-155-0x00000000005C0000-0x00000000005CE000-memory.dmp

Filesize
56KB

Download
memory/100-151-0x00000000005C0000-0x00000000005CE000-memory.dmp

Filesize
56KB

Download
memory/232-157-0x00000000006D0000-0x00000000006E0000-memory.dmp

Filesize
64KB

Download
memory/232-149-0x00000000006C0000-0x00000000006CE000-memory.dmp

Filesize
56KB

Download
memory/232-156-0x00000000006A0000-0x00000000006AE000-memory.dmp

Filesize
56KB

Download
memory/232-145-0x00000000006C0000-0x00000000006CE000-memory.dmp

Filesize
56KB

Download
memory/1352-140-0x0000000002160000-0x000000000216E000-memory.dmp

Filesize
56KB

Download
memory/1352-143-0x00000000005C0000-0x00000000005CE000-memory.dmp

Filesize
56KB

Download
memory/1352-144-0x0000000002170000-0x0000000002180000-memory.dmp

Filesize
64KB

Download
memory/1352-158-0x00000000005C0000-0x00000000005CE000-memory.dmp

Filesize
56KB

Download
memory/1352-136-0x0000000002160000-0x000000000216E000-memory.dmp

Filesize
56KB

Download
memory/3316-142-0x00000000021B0000-0x00000000021C0000-memory.dmp

Filesize
64KB

Download
memory/3316-141-0x0000000000600000-0x000000000060E000-memory.dmp

Filesize
56KB

Download
memory/3316-130-0x00000000021A0000-0x00000000021AE000-memory.dmp

Filesize
56KB

Download
memory/3316-134-0x00000000021A0000-0x00000000021AE000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing