emotet | 766966e7290e6ec39da0b95478a619a00998669b79758a4cc72a41da5a932161

General

Target

766966e7290e6ec39da0b95478a619a00998669b79758a4cc72a41da5a932161.exe
Size

104KB
MD5

2d3423339177ee4c7312a227e223468a
SHA1

729752ad88a404f4a0eaffd44f9c3001bc1d436e
SHA256

766966e7290e6ec39da0b95478a619a00998669b79758a4cc72a41da5a932161
SHA512

904b7c08df327deb0bce723d0233ce47c3a455c669dfb6899ee82c3c0b03b13d5e83f9ccd53fdb95cc57d82a0af10531466c961049c2c4da7f22f9890e428ca8
SSDEEP

3072:teOu7+iAakCyv7kVJhtjqZeWsjIiq9Yn50VR:cKimD7kVJhMZeNNq9Ynw

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 1 IoCs

Processes:

ipropboxes.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	ipropboxes.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 21 IoCs

Processes:

ipropboxes.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	ipropboxes.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	ipropboxes.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{008F2908-CE95-4B61-8E93-47EA8C10AE65}\WpadDecisionReason = "1"	ipropboxes.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{008F2908-CE95-4B61-8E93-47EA8C10AE65}\WpadDecisionTime = 60e400804006d901	ipropboxes.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{008F2908-CE95-4B61-8E93-47EA8C10AE65}\WpadDecision = "0"	ipropboxes.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-e2-cf-3a-b1-91	ipropboxes.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	ipropboxes.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	ipropboxes.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-e2-cf-3a-b1-91\WpadDecisionTime = 60e400804006d901	ipropboxes.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-e2-cf-3a-b1-91\WpadDecisionReason = "1"	ipropboxes.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	ipropboxes.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	ipropboxes.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	ipropboxes.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{008F2908-CE95-4B61-8E93-47EA8C10AE65}	ipropboxes.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{008F2908-CE95-4B61-8E93-47EA8C10AE65}\WpadNetworkName = "Network 3"	ipropboxes.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	ipropboxes.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	ipropboxes.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{008F2908-CE95-4B61-8E93-47EA8C10AE65}\be-e2-cf-3a-b1-91	ipropboxes.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-e2-cf-3a-b1-91\WpadDecision = "0"	ipropboxes.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	ipropboxes.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0086000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	ipropboxes.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ipropboxes.exe

pid process

1988 ipropboxes.exe
1988 ipropboxes.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

766966e7290e6ec39da0b95478a619a00998669b79758a4cc72a41da5a932161.exe

pid process

1908 766966e7290e6ec39da0b95478a619a00998669b79758a4cc72a41da5a932161.exe

pid	process
1988	ipropboxes.exe
1988	ipropboxes.exe

pid	process
1908	766966e7290e6ec39da0b95478a619a00998669b79758a4cc72a41da5a932161.exe

Suspicious use of UnmapMainImage 4 IoCs

Processes:

766966e7290e6ec39da0b95478a619a00998669b79758a4cc72a41da5a932161.exe766966e7290e6ec39da0b95478a619a00998669b79758a4cc72a41da5a932161.exeipropboxes.exeipropboxes.exe

pid	process
1500	766966e7290e6ec39da0b95478a619a00998669b79758a4cc72a41da5a932161.exe
1908	766966e7290e6ec39da0b95478a619a00998669b79758a4cc72a41da5a932161.exe
1136	ipropboxes.exe
1988	ipropboxes.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

766966e7290e6ec39da0b95478a619a00998669b79758a4cc72a41da5a932161.exeipropboxes.exe

description	pid	process	target process
PID 1500 wrote to memory of 1908	1500	766966e7290e6ec39da0b95478a619a00998669b79758a4cc72a41da5a932161.exe	766966e7290e6ec39da0b95478a619a00998669b79758a4cc72a41da5a932161.exe
PID 1500 wrote to memory of 1908	1500	766966e7290e6ec39da0b95478a619a00998669b79758a4cc72a41da5a932161.exe	766966e7290e6ec39da0b95478a619a00998669b79758a4cc72a41da5a932161.exe
PID 1500 wrote to memory of 1908	1500	766966e7290e6ec39da0b95478a619a00998669b79758a4cc72a41da5a932161.exe	766966e7290e6ec39da0b95478a619a00998669b79758a4cc72a41da5a932161.exe
PID 1500 wrote to memory of 1908	1500	766966e7290e6ec39da0b95478a619a00998669b79758a4cc72a41da5a932161.exe	766966e7290e6ec39da0b95478a619a00998669b79758a4cc72a41da5a932161.exe
PID 1136 wrote to memory of 1988	1136	ipropboxes.exe	ipropboxes.exe
PID 1136 wrote to memory of 1988	1136	ipropboxes.exe	ipropboxes.exe
PID 1136 wrote to memory of 1988	1136	ipropboxes.exe	ipropboxes.exe
PID 1136 wrote to memory of 1988	1136	ipropboxes.exe	ipropboxes.exe

C:\Users\Admin\AppData\Local\Temp\766966e7290e6ec39da0b95478a619a00998669b79758a4cc72a41da5a932161.exe
"C:\Users\Admin\AppData\Local\Temp\766966e7290e6ec39da0b95478a619a00998669b79758a4cc72a41da5a932161.exe"
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Users\Admin\AppData\Local\Temp\766966e7290e6ec39da0b95478a619a00998669b79758a4cc72a41da5a932161.exe
  --9db3a936
  2⤵
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  PID:1908

C:\Windows\SysWOW64\ipropboxes.exe
"C:\Windows\SysWOW64\ipropboxes.exe"
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1136
- C:\Windows\SysWOW64\ipropboxes.exe
  --49bbf5df
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:1988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1500-54-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download
memory/1500-56-0x0000000000230000-0x0000000000241000-memory.dmp

Filesize
68KB

Download
memory/1500-58-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1908-55-0x0000000000000000-mapping.dmp

Download
memory/1908-59-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1908-62-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1988-61-0x0000000000000000-mapping.dmp

Download
memory/1988-64-0x0000000000220000-0x0000000000231000-memory.dmp

Filesize
68KB

Download
memory/1988-65-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1988-66-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads