emotet | 8deb508a95178d159b43da93160ff6d64c5ad468f1f91e222021eba9292954a1

General

Target

8deb508a95178d159b43da93160ff6d64c5ad468f1f91e222021eba9292954a1.exe
Size

400KB
MD5

7332e39a8d45ca37ee9a767fa00ec90f
SHA1

026064006b987ed951ffce4f03c4394f557bf588
SHA256

8deb508a95178d159b43da93160ff6d64c5ad468f1f91e222021eba9292954a1
SHA512

443270e1050bf8beb5898455ebd5ad5605f870315c3a3fa3768629681c0c8891d754ca9a2a83ed4c61eec331aeb0ff69153f081b2d1c36ad7f38d5af515f3478

Score

10^/10

emotet epoch1 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch1

C2

189.129.4.186:80

189.244.245.238:80

79.127.57.42:80

207.180.208.175:8080

71.244.60.230:7080

119.59.124.163:8080

71.244.60.231:7080

104.236.243.129:8080

190.117.206.153:443

80.85.87.122:8080

77.245.101.134:8080

138.68.106.4:7080

187.155.233.46:443

190.230.60.129:80

200.21.90.6:8080

159.203.204.126:8080

181.188.149.134:80

62.75.143.100:7080

23.92.22.225:7080

183.87.87.73:80

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 4 IoCs

Processes:

drawatoner.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	drawatoner.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	drawatoner.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	drawatoner.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	drawatoner.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

8deb508a95178d159b43da93160ff6d64c5ad468f1f91e222021eba9292954a1.exe8deb508a95178d159b43da93160ff6d64c5ad468f1f91e222021eba9292954a1.exedrawatoner.exedrawatoner.exe

description	pid	process	target process
PID 8 set thread context of 3764	8	8deb508a95178d159b43da93160ff6d64c5ad468f1f91e222021eba9292954a1.exe	8deb508a95178d159b43da93160ff6d64c5ad468f1f91e222021eba9292954a1.exe
PID 2260 set thread context of 1504	2260	8deb508a95178d159b43da93160ff6d64c5ad468f1f91e222021eba9292954a1.exe	8deb508a95178d159b43da93160ff6d64c5ad468f1f91e222021eba9292954a1.exe
PID 3184 set thread context of 1176	3184	drawatoner.exe	drawatoner.exe
PID 4824 set thread context of 5108	4824	drawatoner.exe	drawatoner.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

Processes:

drawatoner.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	drawatoner.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	drawatoner.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	drawatoner.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

drawatoner.exe

pid	process
5108	drawatoner.exe
5108	drawatoner.exe
5108	drawatoner.exe
5108	drawatoner.exe
5108	drawatoner.exe
5108	drawatoner.exe
5108	drawatoner.exe
5108	drawatoner.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

8deb508a95178d159b43da93160ff6d64c5ad468f1f91e222021eba9292954a1.exe8deb508a95178d159b43da93160ff6d64c5ad468f1f91e222021eba9292954a1.exedrawatoner.exedrawatoner.exe

pid	process
8	8deb508a95178d159b43da93160ff6d64c5ad468f1f91e222021eba9292954a1.exe
2260	8deb508a95178d159b43da93160ff6d64c5ad468f1f91e222021eba9292954a1.exe
3184	drawatoner.exe
4824	drawatoner.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

8deb508a95178d159b43da93160ff6d64c5ad468f1f91e222021eba9292954a1.exe

pid process

1504 8deb508a95178d159b43da93160ff6d64c5ad468f1f91e222021eba9292954a1.exe

pid	process
1504	8deb508a95178d159b43da93160ff6d64c5ad468f1f91e222021eba9292954a1.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

8deb508a95178d159b43da93160ff6d64c5ad468f1f91e222021eba9292954a1.exe8deb508a95178d159b43da93160ff6d64c5ad468f1f91e222021eba9292954a1.exedrawatoner.exedrawatoner.exe

pid	process
8	8deb508a95178d159b43da93160ff6d64c5ad468f1f91e222021eba9292954a1.exe
2260	8deb508a95178d159b43da93160ff6d64c5ad468f1f91e222021eba9292954a1.exe
3184	drawatoner.exe
4824	drawatoner.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

8deb508a95178d159b43da93160ff6d64c5ad468f1f91e222021eba9292954a1.exe8deb508a95178d159b43da93160ff6d64c5ad468f1f91e222021eba9292954a1.exe8deb508a95178d159b43da93160ff6d64c5ad468f1f91e222021eba9292954a1.exedrawatoner.exedrawatoner.exedrawatoner.exe

description	pid	process	target process
PID 8 wrote to memory of 3764	8	8deb508a95178d159b43da93160ff6d64c5ad468f1f91e222021eba9292954a1.exe	8deb508a95178d159b43da93160ff6d64c5ad468f1f91e222021eba9292954a1.exe
PID 8 wrote to memory of 3764	8	8deb508a95178d159b43da93160ff6d64c5ad468f1f91e222021eba9292954a1.exe	8deb508a95178d159b43da93160ff6d64c5ad468f1f91e222021eba9292954a1.exe
PID 8 wrote to memory of 3764	8	8deb508a95178d159b43da93160ff6d64c5ad468f1f91e222021eba9292954a1.exe	8deb508a95178d159b43da93160ff6d64c5ad468f1f91e222021eba9292954a1.exe
PID 8 wrote to memory of 3764	8	8deb508a95178d159b43da93160ff6d64c5ad468f1f91e222021eba9292954a1.exe	8deb508a95178d159b43da93160ff6d64c5ad468f1f91e222021eba9292954a1.exe
PID 3764 wrote to memory of 2260	3764	8deb508a95178d159b43da93160ff6d64c5ad468f1f91e222021eba9292954a1.exe	8deb508a95178d159b43da93160ff6d64c5ad468f1f91e222021eba9292954a1.exe
PID 3764 wrote to memory of 2260	3764	8deb508a95178d159b43da93160ff6d64c5ad468f1f91e222021eba9292954a1.exe	8deb508a95178d159b43da93160ff6d64c5ad468f1f91e222021eba9292954a1.exe
PID 3764 wrote to memory of 2260	3764	8deb508a95178d159b43da93160ff6d64c5ad468f1f91e222021eba9292954a1.exe	8deb508a95178d159b43da93160ff6d64c5ad468f1f91e222021eba9292954a1.exe
PID 2260 wrote to memory of 1504	2260	8deb508a95178d159b43da93160ff6d64c5ad468f1f91e222021eba9292954a1.exe	8deb508a95178d159b43da93160ff6d64c5ad468f1f91e222021eba9292954a1.exe
PID 2260 wrote to memory of 1504	2260	8deb508a95178d159b43da93160ff6d64c5ad468f1f91e222021eba9292954a1.exe	8deb508a95178d159b43da93160ff6d64c5ad468f1f91e222021eba9292954a1.exe
PID 2260 wrote to memory of 1504	2260	8deb508a95178d159b43da93160ff6d64c5ad468f1f91e222021eba9292954a1.exe	8deb508a95178d159b43da93160ff6d64c5ad468f1f91e222021eba9292954a1.exe
PID 2260 wrote to memory of 1504	2260	8deb508a95178d159b43da93160ff6d64c5ad468f1f91e222021eba9292954a1.exe	8deb508a95178d159b43da93160ff6d64c5ad468f1f91e222021eba9292954a1.exe
PID 3184 wrote to memory of 1176	3184	drawatoner.exe	drawatoner.exe
PID 3184 wrote to memory of 1176	3184	drawatoner.exe	drawatoner.exe
PID 3184 wrote to memory of 1176	3184	drawatoner.exe	drawatoner.exe
PID 3184 wrote to memory of 1176	3184	drawatoner.exe	drawatoner.exe
PID 1176 wrote to memory of 4824	1176	drawatoner.exe	drawatoner.exe
PID 1176 wrote to memory of 4824	1176	drawatoner.exe	drawatoner.exe
PID 1176 wrote to memory of 4824	1176	drawatoner.exe	drawatoner.exe
PID 4824 wrote to memory of 5108	4824	drawatoner.exe	drawatoner.exe
PID 4824 wrote to memory of 5108	4824	drawatoner.exe	drawatoner.exe
PID 4824 wrote to memory of 5108	4824	drawatoner.exe	drawatoner.exe
PID 4824 wrote to memory of 5108	4824	drawatoner.exe	drawatoner.exe

C:\Users\Admin\AppData\Local\Temp\8deb508a95178d159b43da93160ff6d64c5ad468f1f91e222021eba9292954a1.exe
"C:\Users\Admin\AppData\Local\Temp\8deb508a95178d159b43da93160ff6d64c5ad468f1f91e222021eba9292954a1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:8

C:\Users\Admin\AppData\Local\Temp\8deb508a95178d159b43da93160ff6d64c5ad468f1f91e222021eba9292954a1.exe
"C:\Users\Admin\AppData\Local\Temp\8deb508a95178d159b43da93160ff6d64c5ad468f1f91e222021eba9292954a1.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3764

C:\Users\Admin\AppData\Local\Temp\8deb508a95178d159b43da93160ff6d64c5ad468f1f91e222021eba9292954a1.exe
--1f35d5ed
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2260

C:\Users\Admin\AppData\Local\Temp\8deb508a95178d159b43da93160ff6d64c5ad468f1f91e222021eba9292954a1.exe
--1f35d5ed
4⤵
- Suspicious behavior: RenamesItself
PID:1504

C:\Windows\SysWOW64\drawatoner.exe
"C:\Windows\SysWOW64\drawatoner.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3184

C:\Windows\SysWOW64\drawatoner.exe
"C:\Windows\SysWOW64\drawatoner.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1176

C:\Windows\SysWOW64\drawatoner.exe
--ce5d7755
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4824

C:\Windows\SysWOW64\drawatoner.exe
--ce5d7755
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:5108

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\2586c361c08b9f9af8674ef9a6c9f2d7_e2a67401-6492-4cbf-87ab-b664c084dada
Filesize
1KB

MD5
f77c474ac607e3f4937875d2cc3baa59

SHA1
fbb230e37579aba29875a3f4b34e4f9a1fe744a7

SHA256
8b7ad0cf4b3ae161497d03ffb603cb9a7efd73afa76cad810a6e48909b31d6f0

SHA512
3d6946437f7f4db8978f51e619e5c29eb1703aa5587f88fbb7d34579b5f10901057a20a638ec8598096d62f7fe96fa8a24ee26fd9700b3c4c40f4d18f9cc6748

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2372564722-193526734-2636556182-1000\0f5007522459c86e95ffcc62f32308f1_e2a67401-6492-4cbf-87ab-b664c084dada
Filesize
1KB

MD5
92ed80f0662dd5ae39bdc76b37aab6cf

SHA1
b6515a49efd08d008b0cfd23f4fe6be822fbd2e8

SHA256
4883d27eb706118515bffbeea43544ac5cab001196574f9b4884a3e7b6938376

SHA512
162fafba54f3cb18d1ccdc487771d3ad5a2800402ae925989eba3c3a5d5b2cc429c925aa78e23e62a5808b383973e7afc3b6cc8a26b5d08ac5ed95ead3df5dcb

Download Submit
memory/8-134-0x0000000002270000-0x0000000002283000-memory.dmp

Filesize
76KB

Download
memory/8-130-0x00000000022B0000-0x00000000022C4000-memory.dmp

Filesize
80KB

Download
memory/1176-147-0x0000000000000000-mapping.dmp

Download
memory/1504-149-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1504-141-0x0000000000000000-mapping.dmp

Download
memory/1504-142-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1504-143-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2260-135-0x0000000000000000-mapping.dmp

Download
memory/2260-138-0x00000000025D0000-0x00000000025E4000-memory.dmp

Filesize
80KB

Download
memory/3184-144-0x0000000000E20000-0x0000000000E34000-memory.dmp

Filesize
80KB

Download
memory/3764-136-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3764-133-0x0000000000000000-mapping.dmp

Download
memory/4824-148-0x0000000000000000-mapping.dmp

Download
memory/4824-151-0x0000000000DE0000-0x0000000000DF4000-memory.dmp

Filesize
80KB

Download
memory/5108-154-0x0000000000000000-mapping.dmp

Download
memory/5108-155-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5108-156-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads