emotet | 47159abdd9c8dc0962a3d9173002f47ff5438a27a24c3fcc21ba35550ba5923b

General

Target

47159abdd9c8dc0962a3d9173002f47ff5438a27a24c3fcc21ba35550ba5923b.exe
Size

364KB
MD5

dd5952eae75f3ec5e2803b42c1bba39f
SHA1

973963adee52a041d04bf3334b82222bfd5bc3de
SHA256

47159abdd9c8dc0962a3d9173002f47ff5438a27a24c3fcc21ba35550ba5923b
SHA512

7b2bd1ee29fd1ec19e457df6764a0b74692840c2b7949313960a4a36c56d1ccfd77aa26f30c876ccf43e869841892ba403e25a6ea2bebb5dc7ca7bd6096857a4

Score

10^/10

emotet epoch2 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

C2

190.106.97.230:443

24.51.106.145:21

186.4.172.5:443

77.237.248.136:8080

185.142.236.163:443

63.142.253.122:8080

178.254.6.27:7080

92.222.125.16:7080

182.176.106.43:995

31.12.67.62:7080

37.157.194.134:443

85.106.1.166:50000

201.251.43.69:8080

136.243.177.26:8080

104.131.11.150:8080

190.201.164.223:53

103.97.95.218:143

190.53.135.159:21

138.201.140.110:8080

80.11.163.139:21

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 1 IoCs

Processes:

cursorreadand.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	cursorreadand.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

47159abdd9c8dc0962a3d9173002f47ff5438a27a24c3fcc21ba35550ba5923b.exe47159abdd9c8dc0962a3d9173002f47ff5438a27a24c3fcc21ba35550ba5923b.execursorreadand.execursorreadand.exe

description	pid	process	target process
PID 1884 set thread context of 1456	1884	47159abdd9c8dc0962a3d9173002f47ff5438a27a24c3fcc21ba35550ba5923b.exe	47159abdd9c8dc0962a3d9173002f47ff5438a27a24c3fcc21ba35550ba5923b.exe
PID 1536 set thread context of 996	1536	47159abdd9c8dc0962a3d9173002f47ff5438a27a24c3fcc21ba35550ba5923b.exe	47159abdd9c8dc0962a3d9173002f47ff5438a27a24c3fcc21ba35550ba5923b.exe
PID 616 set thread context of 804	616	cursorreadand.exe	cursorreadand.exe
PID 820 set thread context of 928	820	cursorreadand.exe	cursorreadand.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 21 IoCs

Processes:

cursorreadand.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	cursorreadand.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	cursorreadand.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	cursorreadand.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	cursorreadand.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	cursorreadand.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE5278E7-484A-43BE-AD34-800727674E01}\WpadDecisionReason = "1"	cursorreadand.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-f7-5e-a1-ae-5f\WpadDecisionTime = f0a1287c9397d801	cursorreadand.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE5278E7-484A-43BE-AD34-800727674E01}	cursorreadand.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE5278E7-484A-43BE-AD34-800727674E01}\WpadDecision = "0"	cursorreadand.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-f7-5e-a1-ae-5f	cursorreadand.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	cursorreadand.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cursorreadand.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	cursorreadand.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0079000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cursorreadand.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cursorreadand.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	cursorreadand.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE5278E7-484A-43BE-AD34-800727674E01}\WpadDecisionTime = f0a1287c9397d801	cursorreadand.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE5278E7-484A-43BE-AD34-800727674E01}\WpadNetworkName = "Network 3"	cursorreadand.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE5278E7-484A-43BE-AD34-800727674E01}\ea-f7-5e-a1-ae-5f	cursorreadand.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-f7-5e-a1-ae-5f\WpadDecisionReason = "1"	cursorreadand.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-f7-5e-a1-ae-5f\WpadDecision = "0"	cursorreadand.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

cursorreadand.exe

pid process

928 cursorreadand.exe
928 cursorreadand.exe
928 cursorreadand.exe

pid	process
928	cursorreadand.exe
928	cursorreadand.exe
928	cursorreadand.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

47159abdd9c8dc0962a3d9173002f47ff5438a27a24c3fcc21ba35550ba5923b.exe47159abdd9c8dc0962a3d9173002f47ff5438a27a24c3fcc21ba35550ba5923b.execursorreadand.execursorreadand.exe

pid	process
1884	47159abdd9c8dc0962a3d9173002f47ff5438a27a24c3fcc21ba35550ba5923b.exe
1536	47159abdd9c8dc0962a3d9173002f47ff5438a27a24c3fcc21ba35550ba5923b.exe
616	cursorreadand.exe
820	cursorreadand.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

47159abdd9c8dc0962a3d9173002f47ff5438a27a24c3fcc21ba35550ba5923b.exe

pid process

996 47159abdd9c8dc0962a3d9173002f47ff5438a27a24c3fcc21ba35550ba5923b.exe

pid	process
996	47159abdd9c8dc0962a3d9173002f47ff5438a27a24c3fcc21ba35550ba5923b.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

47159abdd9c8dc0962a3d9173002f47ff5438a27a24c3fcc21ba35550ba5923b.exe47159abdd9c8dc0962a3d9173002f47ff5438a27a24c3fcc21ba35550ba5923b.exe47159abdd9c8dc0962a3d9173002f47ff5438a27a24c3fcc21ba35550ba5923b.execursorreadand.execursorreadand.execursorreadand.exe

description	pid	process	target process
PID 1884 wrote to memory of 1456	1884	47159abdd9c8dc0962a3d9173002f47ff5438a27a24c3fcc21ba35550ba5923b.exe	47159abdd9c8dc0962a3d9173002f47ff5438a27a24c3fcc21ba35550ba5923b.exe
PID 1884 wrote to memory of 1456	1884	47159abdd9c8dc0962a3d9173002f47ff5438a27a24c3fcc21ba35550ba5923b.exe	47159abdd9c8dc0962a3d9173002f47ff5438a27a24c3fcc21ba35550ba5923b.exe
PID 1884 wrote to memory of 1456	1884	47159abdd9c8dc0962a3d9173002f47ff5438a27a24c3fcc21ba35550ba5923b.exe	47159abdd9c8dc0962a3d9173002f47ff5438a27a24c3fcc21ba35550ba5923b.exe
PID 1884 wrote to memory of 1456	1884	47159abdd9c8dc0962a3d9173002f47ff5438a27a24c3fcc21ba35550ba5923b.exe	47159abdd9c8dc0962a3d9173002f47ff5438a27a24c3fcc21ba35550ba5923b.exe
PID 1884 wrote to memory of 1456	1884	47159abdd9c8dc0962a3d9173002f47ff5438a27a24c3fcc21ba35550ba5923b.exe	47159abdd9c8dc0962a3d9173002f47ff5438a27a24c3fcc21ba35550ba5923b.exe
PID 1456 wrote to memory of 1536	1456	47159abdd9c8dc0962a3d9173002f47ff5438a27a24c3fcc21ba35550ba5923b.exe	47159abdd9c8dc0962a3d9173002f47ff5438a27a24c3fcc21ba35550ba5923b.exe
PID 1456 wrote to memory of 1536	1456	47159abdd9c8dc0962a3d9173002f47ff5438a27a24c3fcc21ba35550ba5923b.exe	47159abdd9c8dc0962a3d9173002f47ff5438a27a24c3fcc21ba35550ba5923b.exe
PID 1456 wrote to memory of 1536	1456	47159abdd9c8dc0962a3d9173002f47ff5438a27a24c3fcc21ba35550ba5923b.exe	47159abdd9c8dc0962a3d9173002f47ff5438a27a24c3fcc21ba35550ba5923b.exe
PID 1456 wrote to memory of 1536	1456	47159abdd9c8dc0962a3d9173002f47ff5438a27a24c3fcc21ba35550ba5923b.exe	47159abdd9c8dc0962a3d9173002f47ff5438a27a24c3fcc21ba35550ba5923b.exe
PID 1536 wrote to memory of 996	1536	47159abdd9c8dc0962a3d9173002f47ff5438a27a24c3fcc21ba35550ba5923b.exe	47159abdd9c8dc0962a3d9173002f47ff5438a27a24c3fcc21ba35550ba5923b.exe
PID 1536 wrote to memory of 996	1536	47159abdd9c8dc0962a3d9173002f47ff5438a27a24c3fcc21ba35550ba5923b.exe	47159abdd9c8dc0962a3d9173002f47ff5438a27a24c3fcc21ba35550ba5923b.exe
PID 1536 wrote to memory of 996	1536	47159abdd9c8dc0962a3d9173002f47ff5438a27a24c3fcc21ba35550ba5923b.exe	47159abdd9c8dc0962a3d9173002f47ff5438a27a24c3fcc21ba35550ba5923b.exe
PID 1536 wrote to memory of 996	1536	47159abdd9c8dc0962a3d9173002f47ff5438a27a24c3fcc21ba35550ba5923b.exe	47159abdd9c8dc0962a3d9173002f47ff5438a27a24c3fcc21ba35550ba5923b.exe
PID 1536 wrote to memory of 996	1536	47159abdd9c8dc0962a3d9173002f47ff5438a27a24c3fcc21ba35550ba5923b.exe	47159abdd9c8dc0962a3d9173002f47ff5438a27a24c3fcc21ba35550ba5923b.exe
PID 616 wrote to memory of 804	616	cursorreadand.exe	cursorreadand.exe
PID 616 wrote to memory of 804	616	cursorreadand.exe	cursorreadand.exe
PID 616 wrote to memory of 804	616	cursorreadand.exe	cursorreadand.exe
PID 616 wrote to memory of 804	616	cursorreadand.exe	cursorreadand.exe
PID 616 wrote to memory of 804	616	cursorreadand.exe	cursorreadand.exe
PID 804 wrote to memory of 820	804	cursorreadand.exe	cursorreadand.exe
PID 804 wrote to memory of 820	804	cursorreadand.exe	cursorreadand.exe
PID 804 wrote to memory of 820	804	cursorreadand.exe	cursorreadand.exe
PID 804 wrote to memory of 820	804	cursorreadand.exe	cursorreadand.exe
PID 820 wrote to memory of 928	820	cursorreadand.exe	cursorreadand.exe
PID 820 wrote to memory of 928	820	cursorreadand.exe	cursorreadand.exe
PID 820 wrote to memory of 928	820	cursorreadand.exe	cursorreadand.exe
PID 820 wrote to memory of 928	820	cursorreadand.exe	cursorreadand.exe
PID 820 wrote to memory of 928	820	cursorreadand.exe	cursorreadand.exe

C:\Users\Admin\AppData\Local\Temp\47159abdd9c8dc0962a3d9173002f47ff5438a27a24c3fcc21ba35550ba5923b.exe
"C:\Users\Admin\AppData\Local\Temp\47159abdd9c8dc0962a3d9173002f47ff5438a27a24c3fcc21ba35550ba5923b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1884

C:\Users\Admin\AppData\Local\Temp\47159abdd9c8dc0962a3d9173002f47ff5438a27a24c3fcc21ba35550ba5923b.exe
"C:\Users\Admin\AppData\Local\Temp\47159abdd9c8dc0962a3d9173002f47ff5438a27a24c3fcc21ba35550ba5923b.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1456

C:\Users\Admin\AppData\Local\Temp\47159abdd9c8dc0962a3d9173002f47ff5438a27a24c3fcc21ba35550ba5923b.exe
--bf30e269
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1536

C:\Users\Admin\AppData\Local\Temp\47159abdd9c8dc0962a3d9173002f47ff5438a27a24c3fcc21ba35550ba5923b.exe
--bf30e269
4⤵
- Suspicious behavior: RenamesItself
PID:996

C:\Windows\SysWOW64\cursorreadand.exe
"C:\Windows\SysWOW64\cursorreadand.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:616

C:\Windows\SysWOW64\cursorreadand.exe
"C:\Windows\SysWOW64\cursorreadand.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:804

C:\Windows\SysWOW64\cursorreadand.exe
--bea31941
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:820

C:\Windows\SysWOW64\cursorreadand.exe
--bea31941
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:928

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/616-70-0x00000000005A0000-0x00000000005B6000-memory.dmp

Filesize
88KB

Download
memory/804-73-0x000000000040F072-mapping.dmp

Download
memory/820-77-0x00000000008D0000-0x00000000008E6000-memory.dmp

Filesize
88KB

Download
memory/820-74-0x0000000000000000-mapping.dmp

Download
memory/928-83-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/928-81-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/928-80-0x000000000040F072-mapping.dmp

Download
memory/996-67-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/996-66-0x000000000040F072-mapping.dmp

Download
memory/996-75-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1456-60-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1456-58-0x000000000040F072-mapping.dmp

Download
memory/1536-63-0x00000000002B0000-0x00000000002C6000-memory.dmp

Filesize
88KB

Download
memory/1536-59-0x0000000000000000-mapping.dmp

Download
memory/1884-54-0x00000000759E1000-0x00000000759E3000-memory.dmp

Filesize
8KB

Download
memory/1884-62-0x0000000000290000-0x00000000002AB000-memory.dmp

Filesize
108KB

Download
memory/1884-55-0x0000000000340000-0x0000000000356000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads