ae90a26f50161558cba0cc3a4e8e5d58b5cbb25cd73b2e433ec8117206981d9c

General

Target

ae90a26f50161558cba0cc3a4e8e5d58b5cbb25cd73b2e433ec8117206981d9c.exe
Size

61KB
MD5

b6b3b7ab04cab7927e043a3a1fe795a6
SHA1

c7e23a585698078df1dcc734a78044b04541495c
SHA256

ae90a26f50161558cba0cc3a4e8e5d58b5cbb25cd73b2e433ec8117206981d9c
SHA512

7d851bf0c9503b64525e5294abda713655169cec57cadc282275c1851cdb253d0fc7968551fb2c0c42f9d70efeb3960ff225328a805f94a83045fe0ed641483f

Score

10^/10

suricata

Malware Config

Signatures

suricata: ET MALWARE Win32/Emotet CnC Activity (POST) M3
suricata: ET MALWARE Win32/Emotet CnC Activity (POST) M3
suricata
suricata: ET MALWARE Win32/Emotet CnC Activity (POST) M4
suricata: ET MALWARE Win32/Emotet CnC Activity (POST) M4
suricata

Drops file in System32 directory 1 IoCs

Processes:

backupedition.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	backupedition.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 25 IoCs

Processes:

backupedition.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0E3374F0-2B66-4E89-B939-F3C51C980197}	backupedition.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-58-1e-83-6e-6a\WpadDecisionReason = "1"	backupedition.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-58-1e-83-6e-6a\WpadDetectedUrl	backupedition.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	backupedition.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	backupedition.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0E3374F0-2B66-4E89-B939-F3C51C980197}\WpadDecision = "0"	backupedition.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0E3374F0-2B66-4E89-B939-F3C51C980197}\WpadNetworkName = "Network 3"	backupedition.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-58-1e-83-6e-6a\WpadDecisionTime = 90127550be9fd801	backupedition.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-58-1e-83-6e-6a\WpadDecisionTime = 70bfe264be9fd801	backupedition.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	backupedition.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	backupedition.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00c8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	backupedition.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0E3374F0-2B66-4E89-B939-F3C51C980197}\WpadDecisionReason = "1"	backupedition.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0E3374F0-2B66-4E89-B939-F3C51C980197}\WpadDecisionTime = 90127550be9fd801	backupedition.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0E3374F0-2B66-4E89-B939-F3C51C980197}\be-58-1e-83-6e-6a	backupedition.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-58-1e-83-6e-6a\WpadDecision = "0"	backupedition.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0E3374F0-2B66-4E89-B939-F3C51C980197}\WpadDecisionTime = 70bfe264be9fd801	backupedition.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	backupedition.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	backupedition.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	backupedition.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	backupedition.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-58-1e-83-6e-6a	backupedition.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00c8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	backupedition.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	backupedition.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	backupedition.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

backupedition.exe

pid process

2008 backupedition.exe
2008 backupedition.exe
2008 backupedition.exe
2008 backupedition.exe
2008 backupedition.exe
2008 backupedition.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

ae90a26f50161558cba0cc3a4e8e5d58b5cbb25cd73b2e433ec8117206981d9c.exe

pid process

1732 ae90a26f50161558cba0cc3a4e8e5d58b5cbb25cd73b2e433ec8117206981d9c.exe

pid	process
2008	backupedition.exe
2008	backupedition.exe
2008	backupedition.exe
2008	backupedition.exe
2008	backupedition.exe
2008	backupedition.exe

pid	process
1732	ae90a26f50161558cba0cc3a4e8e5d58b5cbb25cd73b2e433ec8117206981d9c.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

ae90a26f50161558cba0cc3a4e8e5d58b5cbb25cd73b2e433ec8117206981d9c.exebackupedition.exe

description	pid	process	target process
PID 1964 wrote to memory of 1732	1964	ae90a26f50161558cba0cc3a4e8e5d58b5cbb25cd73b2e433ec8117206981d9c.exe	ae90a26f50161558cba0cc3a4e8e5d58b5cbb25cd73b2e433ec8117206981d9c.exe
PID 1964 wrote to memory of 1732	1964	ae90a26f50161558cba0cc3a4e8e5d58b5cbb25cd73b2e433ec8117206981d9c.exe	ae90a26f50161558cba0cc3a4e8e5d58b5cbb25cd73b2e433ec8117206981d9c.exe
PID 1964 wrote to memory of 1732	1964	ae90a26f50161558cba0cc3a4e8e5d58b5cbb25cd73b2e433ec8117206981d9c.exe	ae90a26f50161558cba0cc3a4e8e5d58b5cbb25cd73b2e433ec8117206981d9c.exe
PID 1964 wrote to memory of 1732	1964	ae90a26f50161558cba0cc3a4e8e5d58b5cbb25cd73b2e433ec8117206981d9c.exe	ae90a26f50161558cba0cc3a4e8e5d58b5cbb25cd73b2e433ec8117206981d9c.exe
PID 1908 wrote to memory of 2008	1908	backupedition.exe	backupedition.exe
PID 1908 wrote to memory of 2008	1908	backupedition.exe	backupedition.exe
PID 1908 wrote to memory of 2008	1908	backupedition.exe	backupedition.exe
PID 1908 wrote to memory of 2008	1908	backupedition.exe	backupedition.exe

C:\Users\Admin\AppData\Local\Temp\ae90a26f50161558cba0cc3a4e8e5d58b5cbb25cd73b2e433ec8117206981d9c.exe
"C:\Users\Admin\AppData\Local\Temp\ae90a26f50161558cba0cc3a4e8e5d58b5cbb25cd73b2e433ec8117206981d9c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Users\Admin\AppData\Local\Temp\ae90a26f50161558cba0cc3a4e8e5d58b5cbb25cd73b2e433ec8117206981d9c.exe
  --addfee7b
  2⤵
  - Suspicious behavior: RenamesItself
  PID:1732

C:\Windows\SysWOW64\backupedition.exe
"C:\Windows\SysWOW64\backupedition.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Windows\SysWOW64\backupedition.exe
  --11674ad2
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1732-54-0x0000000000000000-mapping.dmp

Download
memory/1732-55-0x0000000075271000-0x0000000075273000-memory.dmp

Filesize
8KB

Download
memory/2008-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads