emotet | 6e8c0a21a723bf61fe5fd90005b4f38b61e8390341d34c51154d4861e4043905

General

Target

6e8c0a21a723bf61fe5fd90005b4f38b61e8390341d34c51154d4861e4043905.exe
Size

65KB
MD5

91e8195bd71c046a45f994b786e257a7
SHA1

6b9f8e04de0a349a65773c19c15a727eaa5b5244
SHA256

6e8c0a21a723bf61fe5fd90005b4f38b61e8390341d34c51154d4861e4043905
SHA512

98ea3dad053159b2a01de9724a55bfa58b5d844a9e8e1484e7eaa492a13c05ebf6824f184c988b3a52180a912d34685a418ec7a05efa81739c7941d63c677cb1

Score

10^/10

emotet banker suricata trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
suricata: ET MALWARE Win32/Emotet CnC Activity (POST) M5
suricata: ET MALWARE Win32/Emotet CnC Activity (POST) M5
suricata
suricata: ET MALWARE Win32/Emotet CnC Activity (POST) M6
suricata: ET MALWARE Win32/Emotet CnC Activity (POST) M6
suricata

Drops file in System32 directory 3 IoCs

Processes:

manualsmo.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	manualsmo.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	manualsmo.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	manualsmo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

Processes:

manualsmo.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-77-b3-a3-16-f3\WpadDecisionTime = 5064af98e89fd801	manualsmo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	manualsmo.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	manualsmo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	manualsmo.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	manualsmo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	manualsmo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	manualsmo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	manualsmo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	manualsmo.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	manualsmo.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-77-b3-a3-16-f3\WpadDecisionReason = "1"	manualsmo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	manualsmo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	manualsmo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	manualsmo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	manualsmo.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	manualsmo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	manualsmo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	manualsmo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	manualsmo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	manualsmo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	manualsmo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	manualsmo.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00c5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	manualsmo.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{68A262D9-8B48-4BA6-846B-FB4217E138F5}\WpadDecisionReason = "1"	manualsmo.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{68A262D9-8B48-4BA6-846B-FB4217E138F5}\WpadDecisionTime = 5064af98e89fd801	manualsmo.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	manualsmo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	manualsmo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	manualsmo.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{68A262D9-8B48-4BA6-846B-FB4217E138F5}\WpadDecision = "0"	manualsmo.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-77-b3-a3-16-f3\WpadDecision = "0"	manualsmo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	manualsmo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	manualsmo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	manualsmo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	manualsmo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	manualsmo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	manualsmo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	manualsmo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	manualsmo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	manualsmo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	manualsmo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	manualsmo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	manualsmo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	manualsmo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	manualsmo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	manualsmo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	manualsmo.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	manualsmo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	manualsmo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	manualsmo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	manualsmo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	manualsmo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	manualsmo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	manualsmo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-77-b3-a3-16-f3	manualsmo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	manualsmo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	manualsmo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	manualsmo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	manualsmo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	manualsmo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	manualsmo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{68A262D9-8B48-4BA6-846B-FB4217E138F5}\WpadNetworkName = "Network 3"	manualsmo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{68A262D9-8B48-4BA6-846B-FB4217E138F5}\76-77-b3-a3-16-f3	manualsmo.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	manualsmo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	manualsmo.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

manualsmo.exe

pid process

1552 manualsmo.exe
1552 manualsmo.exe
1552 manualsmo.exe
1552 manualsmo.exe
1552 manualsmo.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

6e8c0a21a723bf61fe5fd90005b4f38b61e8390341d34c51154d4861e4043905.exe

pid process

964 6e8c0a21a723bf61fe5fd90005b4f38b61e8390341d34c51154d4861e4043905.exe

pid	process
1552	manualsmo.exe
1552	manualsmo.exe
1552	manualsmo.exe
1552	manualsmo.exe
1552	manualsmo.exe

pid	process
964	6e8c0a21a723bf61fe5fd90005b4f38b61e8390341d34c51154d4861e4043905.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

6e8c0a21a723bf61fe5fd90005b4f38b61e8390341d34c51154d4861e4043905.exemanualsmo.exe

description	pid	process	target process
PID 1768 wrote to memory of 964	1768	6e8c0a21a723bf61fe5fd90005b4f38b61e8390341d34c51154d4861e4043905.exe	6e8c0a21a723bf61fe5fd90005b4f38b61e8390341d34c51154d4861e4043905.exe
PID 1768 wrote to memory of 964	1768	6e8c0a21a723bf61fe5fd90005b4f38b61e8390341d34c51154d4861e4043905.exe	6e8c0a21a723bf61fe5fd90005b4f38b61e8390341d34c51154d4861e4043905.exe
PID 1768 wrote to memory of 964	1768	6e8c0a21a723bf61fe5fd90005b4f38b61e8390341d34c51154d4861e4043905.exe	6e8c0a21a723bf61fe5fd90005b4f38b61e8390341d34c51154d4861e4043905.exe
PID 1768 wrote to memory of 964	1768	6e8c0a21a723bf61fe5fd90005b4f38b61e8390341d34c51154d4861e4043905.exe	6e8c0a21a723bf61fe5fd90005b4f38b61e8390341d34c51154d4861e4043905.exe
PID 1728 wrote to memory of 1552	1728	manualsmo.exe	manualsmo.exe
PID 1728 wrote to memory of 1552	1728	manualsmo.exe	manualsmo.exe
PID 1728 wrote to memory of 1552	1728	manualsmo.exe	manualsmo.exe
PID 1728 wrote to memory of 1552	1728	manualsmo.exe	manualsmo.exe

C:\Users\Admin\AppData\Local\Temp\6e8c0a21a723bf61fe5fd90005b4f38b61e8390341d34c51154d4861e4043905.exe
"C:\Users\Admin\AppData\Local\Temp\6e8c0a21a723bf61fe5fd90005b4f38b61e8390341d34c51154d4861e4043905.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1768

C:\Users\Admin\AppData\Local\Temp\6e8c0a21a723bf61fe5fd90005b4f38b61e8390341d34c51154d4861e4043905.exe
--e56fb756
2⤵
- Suspicious behavior: RenamesItself
PID:964

C:\Windows\SysWOW64\manualsmo.exe
"C:\Windows\SysWOW64\manualsmo.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\SysWOW64\manualsmo.exe
--bdb565e5
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1552

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/964-54-0x0000000000000000-mapping.dmp

Download
memory/964-55-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download
memory/1552-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads