emotet | 4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735

General

Target

4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe
Size

458KB
MD5

11d228fc8b33ab8123d67743f2ae8118
SHA1

5bb6089c557f3b7e5f000bfa895322f327734907
SHA256

4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735
SHA512

420e9a243c615d8d6a6c14b663fd5c5f9290ef0faa4684d3c9eb2c3985f8b71080bdf39f61057b96d816c9204c219de1bd7bd7dc1d142700a5197c9c82976efc

Score

10^/10

emotet epoch1 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch1

C2

211.229.116.97:80

190.38.14.52:80

201.184.65.229:80

152.46.8.148:8080

62.75.150.240:7080

207.180.208.175:8080

71.244.60.230:7080

119.59.124.163:8080

46.163.144.228:80

46.29.183.211:8080

77.245.101.134:8080

190.230.60.129:80

109.104.79.48:8080

190.19.42.131:80

5.196.35.138:7080

187.188.166.192:80

186.83.133.253:8080

123.168.4.66:22

181.81.143.108:80

119.92.51.40:8080

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 4 IoCs

Processes:

programwim.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	programwim.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	programwim.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	programwim.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	programwim.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exeprogramwim.exeprogramwim.exe

description	pid	process	target process
PID 1924 set thread context of 2260	1924	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe
PID 2656 set thread context of 3564	2656	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe
PID 3304 set thread context of 432	3304	programwim.exe	programwim.exe
PID 4092 set thread context of 4364	4092	programwim.exe	programwim.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

Processes:

programwim.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	programwim.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	programwim.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	programwim.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

programwim.exe

pid	process
4364	programwim.exe
4364	programwim.exe
4364	programwim.exe
4364	programwim.exe
4364	programwim.exe
4364	programwim.exe
4364	programwim.exe
4364	programwim.exe
4364	programwim.exe
4364	programwim.exe
4364	programwim.exe
4364	programwim.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exeprogramwim.exeprogramwim.exe

pid	process
1924	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe
2656	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe
3304	programwim.exe
4092	programwim.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe

pid process

3564 4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe

pid	process
3564	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exeprogramwim.exeprogramwim.exe

pid	process
1924	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe
2656	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe
3304	programwim.exe
4092	programwim.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exeprogramwim.exeprogramwim.exeprogramwim.exe

description	pid	process	target process
PID 1924 wrote to memory of 2260	1924	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe
PID 1924 wrote to memory of 2260	1924	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe
PID 1924 wrote to memory of 2260	1924	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe
PID 1924 wrote to memory of 2260	1924	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe
PID 2260 wrote to memory of 2656	2260	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe
PID 2260 wrote to memory of 2656	2260	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe
PID 2260 wrote to memory of 2656	2260	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe
PID 2656 wrote to memory of 3564	2656	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe
PID 2656 wrote to memory of 3564	2656	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe
PID 2656 wrote to memory of 3564	2656	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe
PID 2656 wrote to memory of 3564	2656	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe	4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe
PID 3304 wrote to memory of 432	3304	programwim.exe	programwim.exe
PID 3304 wrote to memory of 432	3304	programwim.exe	programwim.exe
PID 3304 wrote to memory of 432	3304	programwim.exe	programwim.exe
PID 3304 wrote to memory of 432	3304	programwim.exe	programwim.exe
PID 432 wrote to memory of 4092	432	programwim.exe	programwim.exe
PID 432 wrote to memory of 4092	432	programwim.exe	programwim.exe
PID 432 wrote to memory of 4092	432	programwim.exe	programwim.exe
PID 4092 wrote to memory of 4364	4092	programwim.exe	programwim.exe
PID 4092 wrote to memory of 4364	4092	programwim.exe	programwim.exe
PID 4092 wrote to memory of 4364	4092	programwim.exe	programwim.exe
PID 4092 wrote to memory of 4364	4092	programwim.exe	programwim.exe

C:\Users\Admin\AppData\Local\Temp\4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe
"C:\Users\Admin\AppData\Local\Temp\4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1924

C:\Users\Admin\AppData\Local\Temp\4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe
"C:\Users\Admin\AppData\Local\Temp\4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2260

C:\Users\Admin\AppData\Local\Temp\4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe
--ac4bad00
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2656

C:\Users\Admin\AppData\Local\Temp\4ea5a4593e5b34256e70d713898843f7a3b29c1659a0237cb1baca9ce7f41735.exe
--ac4bad00
4⤵
- Suspicious behavior: RenamesItself
PID:3564

C:\Windows\SysWOW64\programwim.exe
"C:\Windows\SysWOW64\programwim.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3304

C:\Windows\SysWOW64\programwim.exe
"C:\Windows\SysWOW64\programwim.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:432

C:\Windows\SysWOW64\programwim.exe
--dca0c1c9
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4092

C:\Windows\SysWOW64\programwim.exe
--dca0c1c9
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4364

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\41a9766167bb2621916e3aa8c5b7501d_6bc4f1a7-81b1-41ee-9ade-7ee4bdaf44c0
Filesize
1KB

MD5
875827af194fd98a92b241e050b81dbd

SHA1
bea52e5b8b32155b394dc0c34073ec4c17f8ad87

SHA256
eebf609ec46cabc7968bfb02c77fa5155c10dab51877b47e6ad5c48493432857

SHA512
e0cdade90b5ae33095d27e671626366a2d180202731695f420589ffa090a0e43009e655b3cdcf18151c5ed33541602840b8c58a3666da3ac4be6f133a51e7955

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2783062828-828903012-4218294845-1000\0f5007522459c86e95ffcc62f32308f1_6bc4f1a7-81b1-41ee-9ade-7ee4bdaf44c0
Filesize
1KB

MD5
a77ef9bd358438498a11c739cc18fb50

SHA1
f7d092bbe83ec978ae8ad23229eca0d9f7c567c6

SHA256
ab9443abc68a4ec954911abe6f52b1e0a4d63aa18b72fdd5e6dc0de236d44252

SHA512
aeb07b2c0b180db513de532383957d0745406dee318ad6f7956ab2b1d668d7db51f274c603ba954d35166ec0406f8e38f22a0cd5ad7c353e1eec21d76e2366ef

Download Submit
memory/432-146-0x0000000000000000-mapping.dmp

Download
memory/1924-130-0x00000000022E0000-0x00000000022F4000-memory.dmp

Filesize
80KB

Download
memory/2260-133-0x0000000000000000-mapping.dmp

Download
memory/2260-135-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2656-134-0x0000000000000000-mapping.dmp

Download
memory/2656-137-0x0000000002090000-0x00000000020A4000-memory.dmp

Filesize
80KB

Download
memory/2656-141-0x0000000002070000-0x0000000002083000-memory.dmp

Filesize
76KB

Download
memory/3304-143-0x00000000007E0000-0x00000000007F4000-memory.dmp

Filesize
80KB

Download
memory/3564-142-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3564-140-0x0000000000000000-mapping.dmp

Download
memory/3564-148-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4092-147-0x0000000000000000-mapping.dmp

Download
memory/4092-150-0x0000000000E40000-0x0000000000E54000-memory.dmp

Filesize
80KB

Download
memory/4364-153-0x0000000000000000-mapping.dmp

Download
memory/4364-154-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4364-155-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads