emotet | 4d041cb67dd05b71c2da8c2b85ab6972e7fd097f3268295f4679480273bf1647

General

Target

4d041cb67dd05b71c2da8c2b85ab6972e7fd097f3268295f4679480273bf1647.exe
Size

104KB
MD5

1934fa4786eaf1339b4f808154f3f9c3
SHA1

eccfb04816095ae59d196295b9713773717a65cc
SHA256

4d041cb67dd05b71c2da8c2b85ab6972e7fd097f3268295f4679480273bf1647
SHA512

47e99dfae7deb0a5310c8cdcb28c744b6a7c02f5d72167904b85506bb7c62ce8b7daa5ad68dfdf5e64ea58867a3358ed72f45035ecbc97a53d9bb0a289a6eafa

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 1 IoCs

Processes:

sercloud.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	sercloud.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 21 IoCs

Processes:

sercloud.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	sercloud.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7EBA8BB8-F9AE-4316-A3A1-26FD02B6CD27}	sercloud.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\16-8c-ca-49-e1-52	sercloud.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7EBA8BB8-F9AE-4316-A3A1-26FD02B6CD27}\16-8c-ca-49-e1-52	sercloud.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	sercloud.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	sercloud.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7EBA8BB8-F9AE-4316-A3A1-26FD02B6CD27}\WpadDecisionTime = 40b58249a69fd801	sercloud.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7EBA8BB8-F9AE-4316-A3A1-26FD02B6CD27}\WpadNetworkName = "Network 3"	sercloud.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\16-8c-ca-49-e1-52\WpadDecision = "0"	sercloud.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sercloud.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	sercloud.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	sercloud.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	sercloud.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sercloud.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sercloud.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\16-8c-ca-49-e1-52\WpadDecisionReason = "1"	sercloud.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\16-8c-ca-49-e1-52\WpadDecisionTime = 40b58249a69fd801	sercloud.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	sercloud.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7EBA8BB8-F9AE-4316-A3A1-26FD02B6CD27}\WpadDecisionReason = "1"	sercloud.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7EBA8BB8-F9AE-4316-A3A1-26FD02B6CD27}\WpadDecision = "0"	sercloud.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	sercloud.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

sercloud.exe

pid process

984 sercloud.exe
984 sercloud.exe
984 sercloud.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

4d041cb67dd05b71c2da8c2b85ab6972e7fd097f3268295f4679480273bf1647.exe

pid process

872 4d041cb67dd05b71c2da8c2b85ab6972e7fd097f3268295f4679480273bf1647.exe

pid	process
984	sercloud.exe
984	sercloud.exe
984	sercloud.exe

pid	process
872	4d041cb67dd05b71c2da8c2b85ab6972e7fd097f3268295f4679480273bf1647.exe

Suspicious use of UnmapMainImage 4 IoCs

Processes:

4d041cb67dd05b71c2da8c2b85ab6972e7fd097f3268295f4679480273bf1647.exe4d041cb67dd05b71c2da8c2b85ab6972e7fd097f3268295f4679480273bf1647.exesercloud.exesercloud.exe

pid	process
1592	4d041cb67dd05b71c2da8c2b85ab6972e7fd097f3268295f4679480273bf1647.exe
872	4d041cb67dd05b71c2da8c2b85ab6972e7fd097f3268295f4679480273bf1647.exe
956	sercloud.exe
984	sercloud.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

4d041cb67dd05b71c2da8c2b85ab6972e7fd097f3268295f4679480273bf1647.exesercloud.exe

description	pid	process	target process
PID 1592 wrote to memory of 872	1592	4d041cb67dd05b71c2da8c2b85ab6972e7fd097f3268295f4679480273bf1647.exe	4d041cb67dd05b71c2da8c2b85ab6972e7fd097f3268295f4679480273bf1647.exe
PID 1592 wrote to memory of 872	1592	4d041cb67dd05b71c2da8c2b85ab6972e7fd097f3268295f4679480273bf1647.exe	4d041cb67dd05b71c2da8c2b85ab6972e7fd097f3268295f4679480273bf1647.exe
PID 1592 wrote to memory of 872	1592	4d041cb67dd05b71c2da8c2b85ab6972e7fd097f3268295f4679480273bf1647.exe	4d041cb67dd05b71c2da8c2b85ab6972e7fd097f3268295f4679480273bf1647.exe
PID 1592 wrote to memory of 872	1592	4d041cb67dd05b71c2da8c2b85ab6972e7fd097f3268295f4679480273bf1647.exe	4d041cb67dd05b71c2da8c2b85ab6972e7fd097f3268295f4679480273bf1647.exe
PID 956 wrote to memory of 984	956	sercloud.exe	sercloud.exe
PID 956 wrote to memory of 984	956	sercloud.exe	sercloud.exe
PID 956 wrote to memory of 984	956	sercloud.exe	sercloud.exe
PID 956 wrote to memory of 984	956	sercloud.exe	sercloud.exe

C:\Users\Admin\AppData\Local\Temp\4d041cb67dd05b71c2da8c2b85ab6972e7fd097f3268295f4679480273bf1647.exe
"C:\Users\Admin\AppData\Local\Temp\4d041cb67dd05b71c2da8c2b85ab6972e7fd097f3268295f4679480273bf1647.exe"
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1592

C:\Users\Admin\AppData\Local\Temp\4d041cb67dd05b71c2da8c2b85ab6972e7fd097f3268295f4679480273bf1647.exe
--86a46e14
2⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
PID:872

C:\Windows\SysWOW64\sercloud.exe
"C:\Windows\SysWOW64\sercloud.exe"
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\SysWOW64\sercloud.exe
--b1e7c0e7
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
PID:984

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/872-55-0x0000000000000000-mapping.dmp

Download
memory/872-59-0x0000000000220000-0x0000000000231000-memory.dmp

Filesize
68KB

Download
memory/872-60-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/872-64-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/984-62-0x0000000000000000-mapping.dmp

Download
memory/984-65-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/984-66-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1592-54-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download
memory/1592-56-0x00000000003A0000-0x00000000003B1000-memory.dmp

Filesize
68KB

Download
memory/1592-58-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads