emotet | 4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735

General

Target

4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe
Size

458KB
MD5

11d228fc8b33ab8123d67743f2ae8118
SHA1

5bb6089c557f3b7e5f000bfa895322f327734907
SHA256

4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735
SHA512

420e9a243c615d8d6a6c14b663fd5c5f9290ef0faa4684d3c9eb2c3985f8b71080bdf39f61057b96d816c9204c219de1bd7bd7dc1d142700a5197c9c82976efc

Score

10^/10

emotet epoch1 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch1

C2

211.229.116.97:80

190.38.14.52:80

201.184.65.229:80

152.46.8.148:8080

62.75.150.240:7080

207.180.208.175:8080

71.244.60.230:7080

119.59.124.163:8080

46.163.144.228:80

46.29.183.211:8080

77.245.101.134:8080

190.230.60.129:80

109.104.79.48:8080

190.19.42.131:80

5.196.35.138:7080

187.188.166.192:80

186.83.133.253:8080

123.168.4.66:22

181.81.143.108:80

119.92.51.40:8080

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 1 IoCs

Processes:

gesturetrc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	gesturetrc.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exegesturetrc.exegesturetrc.exe

description	pid	process	target process
PID 2024 set thread context of 1992	2024	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe
PID 1388 set thread context of 796	1388	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe
PID 1440 set thread context of 1504	1440	gesturetrc.exe	gesturetrc.exe
PID 1780 set thread context of 1684	1780	gesturetrc.exe	gesturetrc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 21 IoCs

Processes:

gesturetrc.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C7A15239-4A47-4C67-A768-39B2D80D2CED}\WpadDecisionTime = 90bb9586679cd801	gesturetrc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C7A15239-4A47-4C67-A768-39B2D80D2CED}\WpadDecision = "0"	gesturetrc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-75-1b-2d-33-8d\WpadDecisionTime = 90bb9586679cd801	gesturetrc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	gesturetrc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	gesturetrc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	gesturetrc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	gesturetrc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C7A15239-4A47-4C67-A768-39B2D80D2CED}\WpadDecisionReason = "1"	gesturetrc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0101000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	gesturetrc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-75-1b-2d-33-8d	gesturetrc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C7A15239-4A47-4C67-A768-39B2D80D2CED}\6a-75-1b-2d-33-8d	gesturetrc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-75-1b-2d-33-8d\WpadDecision = "0"	gesturetrc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	gesturetrc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	gesturetrc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	gesturetrc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C7A15239-4A47-4C67-A768-39B2D80D2CED}	gesturetrc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C7A15239-4A47-4C67-A768-39B2D80D2CED}\WpadNetworkName = "Network 3"	gesturetrc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-75-1b-2d-33-8d\WpadDecisionReason = "1"	gesturetrc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	gesturetrc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	gesturetrc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	gesturetrc.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

gesturetrc.exe

pid process

1684 gesturetrc.exe
1684 gesturetrc.exe
1684 gesturetrc.exe

pid	process
1684	gesturetrc.exe
1684	gesturetrc.exe
1684	gesturetrc.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exegesturetrc.exegesturetrc.exe

pid	process
2024	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe
1388	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe
1440	gesturetrc.exe
1780	gesturetrc.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe

pid process

796 4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe

pid	process
796	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exegesturetrc.exegesturetrc.exe

pid	process
2024	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe
1388	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe
1440	gesturetrc.exe
1780	gesturetrc.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exegesturetrc.exegesturetrc.exegesturetrc.exe

description	pid	process	target process
PID 2024 wrote to memory of 1992	2024	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe
PID 2024 wrote to memory of 1992	2024	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe
PID 2024 wrote to memory of 1992	2024	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe
PID 2024 wrote to memory of 1992	2024	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe
PID 2024 wrote to memory of 1992	2024	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe
PID 1992 wrote to memory of 1388	1992	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe
PID 1992 wrote to memory of 1388	1992	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe
PID 1992 wrote to memory of 1388	1992	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe
PID 1992 wrote to memory of 1388	1992	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe
PID 1388 wrote to memory of 796	1388	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe
PID 1388 wrote to memory of 796	1388	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe
PID 1388 wrote to memory of 796	1388	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe
PID 1388 wrote to memory of 796	1388	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe
PID 1388 wrote to memory of 796	1388	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe
PID 1440 wrote to memory of 1504	1440	gesturetrc.exe	gesturetrc.exe
PID 1440 wrote to memory of 1504	1440	gesturetrc.exe	gesturetrc.exe
PID 1440 wrote to memory of 1504	1440	gesturetrc.exe	gesturetrc.exe
PID 1440 wrote to memory of 1504	1440	gesturetrc.exe	gesturetrc.exe
PID 1440 wrote to memory of 1504	1440	gesturetrc.exe	gesturetrc.exe
PID 1504 wrote to memory of 1780	1504	gesturetrc.exe	gesturetrc.exe
PID 1504 wrote to memory of 1780	1504	gesturetrc.exe	gesturetrc.exe
PID 1504 wrote to memory of 1780	1504	gesturetrc.exe	gesturetrc.exe
PID 1504 wrote to memory of 1780	1504	gesturetrc.exe	gesturetrc.exe
PID 1780 wrote to memory of 1684	1780	gesturetrc.exe	gesturetrc.exe
PID 1780 wrote to memory of 1684	1780	gesturetrc.exe	gesturetrc.exe
PID 1780 wrote to memory of 1684	1780	gesturetrc.exe	gesturetrc.exe
PID 1780 wrote to memory of 1684	1780	gesturetrc.exe	gesturetrc.exe
PID 1780 wrote to memory of 1684	1780	gesturetrc.exe	gesturetrc.exe

C:\Users\Admin\AppData\Local\Temp\4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe
"C:\Users\Admin\AppData\Local\Temp\4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2024

C:\Users\Admin\AppData\Local\Temp\4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe
"C:\Users\Admin\AppData\Local\Temp\4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1992

C:\Users\Admin\AppData\Local\Temp\4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe
--ac4bad00
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1388

C:\Users\Admin\AppData\Local\Temp\4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe
--ac4bad00
4⤵
- Suspicious behavior: RenamesItself
PID:796

C:\Windows\SysWOW64\gesturetrc.exe
"C:\Windows\SysWOW64\gesturetrc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1440

C:\Windows\SysWOW64\gesturetrc.exe
"C:\Windows\SysWOW64\gesturetrc.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\SysWOW64\gesturetrc.exe
--7b66068e
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\SysWOW64\gesturetrc.exe
--7b66068e
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1684

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_7c53fe69-5b94-496b-96b7-9f57c3c2be05
Filesize
1KB

MD5
faabf51548ebae78f406ae9a611c8e1a

SHA1
c5c12333a3d577c96b4318ca25d42e4b43ee2a74

SHA256
c75a704257261c9fba8844e3273e93614cfc7b6c6614b0562b1dfcd8edb5fd1b

SHA512
27c92ba58d673b9919a5a0d68a1c628dbd3787f1ea1fe2e84a66bcab29549d8ad30858a43c6a2b0d5c1b2cdd3076e74a510a881a57c175409771fff81ed356c0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3440072777-2118400376-1759599358-1000\0f5007522459c86e95ffcc62f32308f1_7c53fe69-5b94-496b-96b7-9f57c3c2be05
Filesize
1KB

MD5
af6ae9fe1cd78c2c7c1ce2fdf1583287

SHA1
1c5b1f481bb5ad8cf554f33c6101000f0a6912f3

SHA256
7dac7c4c218137042325f64af8297d7993880940dbda0246689f0d4550092183

SHA512
622d7a47ab7e4c4fb4558fa7ccf4c8c0161bb21ac984e57b28250a837de9e7ce3f8a5786f6bc4ecf2b1b42e3d72b2cac7c6ea11622d00703ac55e50bc8524d4d

Download Submit
memory/796-76-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/796-67-0x000000000040D977-mapping.dmp

Download
memory/796-68-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1388-60-0x0000000000000000-mapping.dmp

Download
memory/1388-64-0x0000000000860000-0x0000000000874000-memory.dmp

Filesize
80KB

Download
memory/1440-71-0x0000000000940000-0x0000000000954000-memory.dmp

Filesize
80KB

Download
memory/1504-74-0x000000000040D977-mapping.dmp

Download
memory/1684-82-0x000000000040D977-mapping.dmp

Download
memory/1684-83-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1684-85-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1780-75-0x0000000000000000-mapping.dmp

Download
memory/1780-79-0x00000000003E0000-0x00000000003F4000-memory.dmp

Filesize
80KB

Download
memory/1992-58-0x000000000040D977-mapping.dmp

Download
memory/1992-61-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2024-59-0x00000000002D0000-0x00000000002E3000-memory.dmp

Filesize
76KB

Download
memory/2024-54-0x0000000074E11000-0x0000000074E13000-memory.dmp

Filesize
8KB

Download
memory/2024-55-0x0000000000480000-0x0000000000494000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads