emotet | 9c33560693e80b82e246d75609e4e35c8d6d0f804df7a75a9e99fecdacc44002

General

Target

9c33560693e80b82e246d75609e4e35c8d6d0f804df7a75a9e99fecdacc44002.exe
Size

59KB
MD5

a2c47f6ffe53125d0dc415d5850ca2b8
SHA1

2fd768534db11f92fbd55b085652bf39a08a0bea
SHA256

9c33560693e80b82e246d75609e4e35c8d6d0f804df7a75a9e99fecdacc44002
SHA512

bbafc1c36217d1b7d52d8954118a4425752f87efd7d0cc4067c4338d86f19d54ab671ecdc42cec93d82d5612754e8797121e2f05b5bffe9899c7cf27ab9deba9

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 1 IoCs

Processes:

aposound.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	aposound.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 21 IoCs

Processes:

aposound.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	aposound.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0EEF80D3-138B-418F-AD92-0CB3E092E7FE}\WpadDecision = "0"	aposound.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0EEF80D3-138B-418F-AD92-0CB3E092E7FE}\1a-87-9c-f9-89-17	aposound.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	aposound.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	aposound.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00c6000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	aposound.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1a-87-9c-f9-89-17	aposound.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1a-87-9c-f9-89-17\WpadDecisionReason = "1"	aposound.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	aposound.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	aposound.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	aposound.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	aposound.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0EEF80D3-138B-418F-AD92-0CB3E092E7FE}\WpadNetworkName = "Network 3"	aposound.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1a-87-9c-f9-89-17\WpadDecision = "0"	aposound.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	aposound.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	aposound.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	aposound.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0EEF80D3-138B-418F-AD92-0CB3E092E7FE}	aposound.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0EEF80D3-138B-418F-AD92-0CB3E092E7FE}\WpadDecisionReason = "1"	aposound.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0EEF80D3-138B-418F-AD92-0CB3E092E7FE}\WpadDecisionTime = 80351ca293a0d801	aposound.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1a-87-9c-f9-89-17\WpadDecisionTime = 80351ca293a0d801	aposound.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

aposound.exe

pid process

1944 aposound.exe
1944 aposound.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

9c33560693e80b82e246d75609e4e35c8d6d0f804df7a75a9e99fecdacc44002.exe

pid process

1144 9c33560693e80b82e246d75609e4e35c8d6d0f804df7a75a9e99fecdacc44002.exe

pid	process
1944	aposound.exe
1944	aposound.exe

pid	process
1144	9c33560693e80b82e246d75609e4e35c8d6d0f804df7a75a9e99fecdacc44002.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

9c33560693e80b82e246d75609e4e35c8d6d0f804df7a75a9e99fecdacc44002.exeaposound.exe

description	pid	process	target process
PID 768 wrote to memory of 1144	768	9c33560693e80b82e246d75609e4e35c8d6d0f804df7a75a9e99fecdacc44002.exe	9c33560693e80b82e246d75609e4e35c8d6d0f804df7a75a9e99fecdacc44002.exe
PID 768 wrote to memory of 1144	768	9c33560693e80b82e246d75609e4e35c8d6d0f804df7a75a9e99fecdacc44002.exe	9c33560693e80b82e246d75609e4e35c8d6d0f804df7a75a9e99fecdacc44002.exe
PID 768 wrote to memory of 1144	768	9c33560693e80b82e246d75609e4e35c8d6d0f804df7a75a9e99fecdacc44002.exe	9c33560693e80b82e246d75609e4e35c8d6d0f804df7a75a9e99fecdacc44002.exe
PID 768 wrote to memory of 1144	768	9c33560693e80b82e246d75609e4e35c8d6d0f804df7a75a9e99fecdacc44002.exe	9c33560693e80b82e246d75609e4e35c8d6d0f804df7a75a9e99fecdacc44002.exe
PID 1756 wrote to memory of 1944	1756	aposound.exe	aposound.exe
PID 1756 wrote to memory of 1944	1756	aposound.exe	aposound.exe
PID 1756 wrote to memory of 1944	1756	aposound.exe	aposound.exe
PID 1756 wrote to memory of 1944	1756	aposound.exe	aposound.exe

C:\Users\Admin\AppData\Local\Temp\9c33560693e80b82e246d75609e4e35c8d6d0f804df7a75a9e99fecdacc44002.exe
"C:\Users\Admin\AppData\Local\Temp\9c33560693e80b82e246d75609e4e35c8d6d0f804df7a75a9e99fecdacc44002.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:768

C:\Users\Admin\AppData\Local\Temp\9c33560693e80b82e246d75609e4e35c8d6d0f804df7a75a9e99fecdacc44002.exe
--9f5ded2d
2⤵
- Suspicious behavior: RenamesItself
PID:1144

C:\Windows\SysWOW64\aposound.exe
"C:\Windows\SysWOW64\aposound.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\SysWOW64\aposound.exe
--9f1fe0e1
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1944

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1144-54-0x0000000000000000-mapping.dmp

Download
memory/1144-55-0x0000000076AE1000-0x0000000076AE3000-memory.dmp

Filesize
8KB

Download
memory/1944-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads