emotet | 6133c66304706806d04fe3938b85d901de0b06fe9b43b313f1fa95c6f280eb48

General

Target

6133c66304706806d04fe3938b85d901de0b06fe9b43b313f1fa95c6f280eb48.exe
Size

300KB
MD5

0f80dc57270ad210a4bd8ebfcbe7dca7
SHA1

b50009947c87c0f0a3b95a8bd27bc5952446c912
SHA256

6133c66304706806d04fe3938b85d901de0b06fe9b43b313f1fa95c6f280eb48
SHA512

ac938ea57812730a25e4ac5cb53e46b08095305dc66660cb7fc9cfcfb9f64efaaa066403c3d8d90d959520fbb1886607004bc04ded2aa5f8190eb35365e91d26

Score

10^/10

emotet epoch1 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch1

C2

190.158.19.141:80

139.5.237.27:443

201.214.74.71:80

80.240.141.141:7080

185.187.198.10:8080

46.41.134.46:8080

178.249.187.151:8080

217.199.160.224:8080

123.168.4.66:22

201.184.65.229:80

190.221.50.210:8080

119.59.124.163:8080

212.71.237.140:8080

109.169.86.13:8080

190.19.42.131:80

190.230.60.129:80

190.1.37.125:443

62.75.143.100:7080

203.25.159.3:8080

87.106.77.40:7080

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 1 IoCs

Processes:

tonercounter.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	tonercounter.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

6133c66304706806d04fe3938b85d901de0b06fe9b43b313f1fa95c6f280eb48.exe6133c66304706806d04fe3938b85d901de0b06fe9b43b313f1fa95c6f280eb48.exetonercounter.exetonercounter.exe

description	pid	process	target process
PID 1396 set thread context of 1052	1396	6133c66304706806d04fe3938b85d901de0b06fe9b43b313f1fa95c6f280eb48.exe	6133c66304706806d04fe3938b85d901de0b06fe9b43b313f1fa95c6f280eb48.exe
PID 1140 set thread context of 984	1140	6133c66304706806d04fe3938b85d901de0b06fe9b43b313f1fa95c6f280eb48.exe	6133c66304706806d04fe3938b85d901de0b06fe9b43b313f1fa95c6f280eb48.exe
PID 1624 set thread context of 1744	1624	tonercounter.exe	tonercounter.exe
PID 1684 set thread context of 1784	1684	tonercounter.exe	tonercounter.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 21 IoCs

Processes:

tonercounter.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9a-1c-cc-b9-2d-33\WpadDecisionReason = "1"	tonercounter.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9a-1c-cc-b9-2d-33\WpadDecision = "0"	tonercounter.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	tonercounter.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	tonercounter.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	tonercounter.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	tonercounter.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	tonercounter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{90F9924E-44DB-40B7-B42A-F0591A8850BD}\WpadNetworkName = "Network 3"	tonercounter.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{90F9924E-44DB-40B7-B42A-F0591A8850BD}\9a-1c-cc-b9-2d-33	tonercounter.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9a-1c-cc-b9-2d-33	tonercounter.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9a-1c-cc-b9-2d-33\WpadDecisionTime = c0ee913c63a4d801	tonercounter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	tonercounter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	tonercounter.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{90F9924E-44DB-40B7-B42A-F0591A8850BD}\WpadDecisionReason = "1"	tonercounter.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{90F9924E-44DB-40B7-B42A-F0591A8850BD}\WpadDecisionTime = c0ee913c63a4d801	tonercounter.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{90F9924E-44DB-40B7-B42A-F0591A8850BD}	tonercounter.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{90F9924E-44DB-40B7-B42A-F0591A8850BD}\WpadDecision = "0"	tonercounter.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	tonercounter.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	tonercounter.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	tonercounter.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ea000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	tonercounter.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

tonercounter.exe

pid process

1784 tonercounter.exe
1784 tonercounter.exe
1784 tonercounter.exe

pid	process
1784	tonercounter.exe
1784	tonercounter.exe
1784	tonercounter.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

6133c66304706806d04fe3938b85d901de0b06fe9b43b313f1fa95c6f280eb48.exe6133c66304706806d04fe3938b85d901de0b06fe9b43b313f1fa95c6f280eb48.exetonercounter.exetonercounter.exe

pid	process
1396	6133c66304706806d04fe3938b85d901de0b06fe9b43b313f1fa95c6f280eb48.exe
1140	6133c66304706806d04fe3938b85d901de0b06fe9b43b313f1fa95c6f280eb48.exe
1624	tonercounter.exe
1684	tonercounter.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

6133c66304706806d04fe3938b85d901de0b06fe9b43b313f1fa95c6f280eb48.exe

pid process

984 6133c66304706806d04fe3938b85d901de0b06fe9b43b313f1fa95c6f280eb48.exe

pid	process
984	6133c66304706806d04fe3938b85d901de0b06fe9b43b313f1fa95c6f280eb48.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

6133c66304706806d04fe3938b85d901de0b06fe9b43b313f1fa95c6f280eb48.exe6133c66304706806d04fe3938b85d901de0b06fe9b43b313f1fa95c6f280eb48.exetonercounter.exetonercounter.exe

pid	process
1396	6133c66304706806d04fe3938b85d901de0b06fe9b43b313f1fa95c6f280eb48.exe
1140	6133c66304706806d04fe3938b85d901de0b06fe9b43b313f1fa95c6f280eb48.exe
1624	tonercounter.exe
1684	tonercounter.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

6133c66304706806d04fe3938b85d901de0b06fe9b43b313f1fa95c6f280eb48.exe6133c66304706806d04fe3938b85d901de0b06fe9b43b313f1fa95c6f280eb48.exe6133c66304706806d04fe3938b85d901de0b06fe9b43b313f1fa95c6f280eb48.exetonercounter.exetonercounter.exetonercounter.exe

description	pid	process	target process
PID 1396 wrote to memory of 1052	1396	6133c66304706806d04fe3938b85d901de0b06fe9b43b313f1fa95c6f280eb48.exe	6133c66304706806d04fe3938b85d901de0b06fe9b43b313f1fa95c6f280eb48.exe
PID 1396 wrote to memory of 1052	1396	6133c66304706806d04fe3938b85d901de0b06fe9b43b313f1fa95c6f280eb48.exe	6133c66304706806d04fe3938b85d901de0b06fe9b43b313f1fa95c6f280eb48.exe
PID 1396 wrote to memory of 1052	1396	6133c66304706806d04fe3938b85d901de0b06fe9b43b313f1fa95c6f280eb48.exe	6133c66304706806d04fe3938b85d901de0b06fe9b43b313f1fa95c6f280eb48.exe
PID 1396 wrote to memory of 1052	1396	6133c66304706806d04fe3938b85d901de0b06fe9b43b313f1fa95c6f280eb48.exe	6133c66304706806d04fe3938b85d901de0b06fe9b43b313f1fa95c6f280eb48.exe
PID 1396 wrote to memory of 1052	1396	6133c66304706806d04fe3938b85d901de0b06fe9b43b313f1fa95c6f280eb48.exe	6133c66304706806d04fe3938b85d901de0b06fe9b43b313f1fa95c6f280eb48.exe
PID 1052 wrote to memory of 1140	1052	6133c66304706806d04fe3938b85d901de0b06fe9b43b313f1fa95c6f280eb48.exe	6133c66304706806d04fe3938b85d901de0b06fe9b43b313f1fa95c6f280eb48.exe
PID 1052 wrote to memory of 1140	1052	6133c66304706806d04fe3938b85d901de0b06fe9b43b313f1fa95c6f280eb48.exe	6133c66304706806d04fe3938b85d901de0b06fe9b43b313f1fa95c6f280eb48.exe
PID 1052 wrote to memory of 1140	1052	6133c66304706806d04fe3938b85d901de0b06fe9b43b313f1fa95c6f280eb48.exe	6133c66304706806d04fe3938b85d901de0b06fe9b43b313f1fa95c6f280eb48.exe
PID 1052 wrote to memory of 1140	1052	6133c66304706806d04fe3938b85d901de0b06fe9b43b313f1fa95c6f280eb48.exe	6133c66304706806d04fe3938b85d901de0b06fe9b43b313f1fa95c6f280eb48.exe
PID 1140 wrote to memory of 984	1140	6133c66304706806d04fe3938b85d901de0b06fe9b43b313f1fa95c6f280eb48.exe	6133c66304706806d04fe3938b85d901de0b06fe9b43b313f1fa95c6f280eb48.exe
PID 1140 wrote to memory of 984	1140	6133c66304706806d04fe3938b85d901de0b06fe9b43b313f1fa95c6f280eb48.exe	6133c66304706806d04fe3938b85d901de0b06fe9b43b313f1fa95c6f280eb48.exe
PID 1140 wrote to memory of 984	1140	6133c66304706806d04fe3938b85d901de0b06fe9b43b313f1fa95c6f280eb48.exe	6133c66304706806d04fe3938b85d901de0b06fe9b43b313f1fa95c6f280eb48.exe
PID 1140 wrote to memory of 984	1140	6133c66304706806d04fe3938b85d901de0b06fe9b43b313f1fa95c6f280eb48.exe	6133c66304706806d04fe3938b85d901de0b06fe9b43b313f1fa95c6f280eb48.exe
PID 1140 wrote to memory of 984	1140	6133c66304706806d04fe3938b85d901de0b06fe9b43b313f1fa95c6f280eb48.exe	6133c66304706806d04fe3938b85d901de0b06fe9b43b313f1fa95c6f280eb48.exe
PID 1624 wrote to memory of 1744	1624	tonercounter.exe	tonercounter.exe
PID 1624 wrote to memory of 1744	1624	tonercounter.exe	tonercounter.exe
PID 1624 wrote to memory of 1744	1624	tonercounter.exe	tonercounter.exe
PID 1624 wrote to memory of 1744	1624	tonercounter.exe	tonercounter.exe
PID 1624 wrote to memory of 1744	1624	tonercounter.exe	tonercounter.exe
PID 1744 wrote to memory of 1684	1744	tonercounter.exe	tonercounter.exe
PID 1744 wrote to memory of 1684	1744	tonercounter.exe	tonercounter.exe
PID 1744 wrote to memory of 1684	1744	tonercounter.exe	tonercounter.exe
PID 1744 wrote to memory of 1684	1744	tonercounter.exe	tonercounter.exe
PID 1684 wrote to memory of 1784	1684	tonercounter.exe	tonercounter.exe
PID 1684 wrote to memory of 1784	1684	tonercounter.exe	tonercounter.exe
PID 1684 wrote to memory of 1784	1684	tonercounter.exe	tonercounter.exe
PID 1684 wrote to memory of 1784	1684	tonercounter.exe	tonercounter.exe
PID 1684 wrote to memory of 1784	1684	tonercounter.exe	tonercounter.exe

C:\Users\Admin\AppData\Local\Temp\6133c66304706806d04fe3938b85d901de0b06fe9b43b313f1fa95c6f280eb48.exe
"C:\Users\Admin\AppData\Local\Temp\6133c66304706806d04fe3938b85d901de0b06fe9b43b313f1fa95c6f280eb48.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1396

C:\Users\Admin\AppData\Local\Temp\6133c66304706806d04fe3938b85d901de0b06fe9b43b313f1fa95c6f280eb48.exe
"C:\Users\Admin\AppData\Local\Temp\6133c66304706806d04fe3938b85d901de0b06fe9b43b313f1fa95c6f280eb48.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1052

C:\Users\Admin\AppData\Local\Temp\6133c66304706806d04fe3938b85d901de0b06fe9b43b313f1fa95c6f280eb48.exe
--2cbb23e4
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1140

C:\Users\Admin\AppData\Local\Temp\6133c66304706806d04fe3938b85d901de0b06fe9b43b313f1fa95c6f280eb48.exe
--2cbb23e4
4⤵
- Suspicious behavior: RenamesItself
PID:984

C:\Windows\SysWOW64\tonercounter.exe
"C:\Windows\SysWOW64\tonercounter.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\SysWOW64\tonercounter.exe
"C:\Windows\SysWOW64\tonercounter.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\SysWOW64\tonercounter.exe
--8a2ef98e
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\SysWOW64\tonercounter.exe
--8a2ef98e
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1784

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/984-75-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/984-67-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/984-66-0x000000000040D977-mapping.dmp

Download
memory/1052-58-0x000000000040D977-mapping.dmp

Download
memory/1052-61-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1140-60-0x0000000000000000-mapping.dmp

Download
memory/1140-63-0x00000000002F0000-0x0000000000304000-memory.dmp

Filesize
80KB

Download
memory/1396-59-0x00000000001E0000-0x00000000001F3000-memory.dmp

Filesize
76KB

Download
memory/1396-55-0x0000000000280000-0x0000000000294000-memory.dmp

Filesize
80KB

Download
memory/1396-54-0x0000000076091000-0x0000000076093000-memory.dmp

Filesize
8KB

Download
memory/1624-70-0x0000000000760000-0x0000000000774000-memory.dmp

Filesize
80KB

Download
memory/1684-74-0x0000000000000000-mapping.dmp

Download
memory/1684-77-0x0000000000910000-0x0000000000924000-memory.dmp

Filesize
80KB

Download
memory/1744-73-0x000000000040D977-mapping.dmp

Download
memory/1784-80-0x000000000040D977-mapping.dmp

Download
memory/1784-81-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1784-83-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads