emotet | 766966e7290e6ec39da0b95478a619a00998669b79758a4cc72a41da5a932161

Analysis

max time kernel
152s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2022 13:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

766966e7290e6ec39da0b95478a619a00998669b79758a4cc72a41da5a932161.exe
Size

104KB
MD5

2d3423339177ee4c7312a227e223468a
SHA1

729752ad88a404f4a0eaffd44f9c3001bc1d436e
SHA256

766966e7290e6ec39da0b95478a619a00998669b79758a4cc72a41da5a932161
SHA512

904b7c08df327deb0bce723d0233ce47c3a455c669dfb6899ee82c3c0b03b13d5e83f9ccd53fdb95cc57d82a0af10531466c961049c2c4da7f22f9890e428ca8
SSDEEP

3072:teOu7+iAakCyv7kVJhtjqZeWsjIiq9Yn50VR:cKimD7kVJhMZeNNq9Ynw

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 4 IoCs

Processes:

licsmatrix.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	licsmatrix.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	licsmatrix.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	licsmatrix.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	licsmatrix.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

Processes:

licsmatrix.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	licsmatrix.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	licsmatrix.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	licsmatrix.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

licsmatrix.exe

pid	process
3976	licsmatrix.exe
3976	licsmatrix.exe
3976	licsmatrix.exe
3976	licsmatrix.exe
3976	licsmatrix.exe
3976	licsmatrix.exe
3976	licsmatrix.exe
3976	licsmatrix.exe
3976	licsmatrix.exe
3976	licsmatrix.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

766966e7290e6ec39da0b95478a619a00998669b79758a4cc72a41da5a932161.exe

pid process

5084 766966e7290e6ec39da0b95478a619a00998669b79758a4cc72a41da5a932161.exe

pid	process
5084	766966e7290e6ec39da0b95478a619a00998669b79758a4cc72a41da5a932161.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

766966e7290e6ec39da0b95478a619a00998669b79758a4cc72a41da5a932161.exelicsmatrix.exe

description	pid	process	target process
PID 2732 wrote to memory of 5084	2732	766966e7290e6ec39da0b95478a619a00998669b79758a4cc72a41da5a932161.exe	766966e7290e6ec39da0b95478a619a00998669b79758a4cc72a41da5a932161.exe
PID 2732 wrote to memory of 5084	2732	766966e7290e6ec39da0b95478a619a00998669b79758a4cc72a41da5a932161.exe	766966e7290e6ec39da0b95478a619a00998669b79758a4cc72a41da5a932161.exe
PID 2732 wrote to memory of 5084	2732	766966e7290e6ec39da0b95478a619a00998669b79758a4cc72a41da5a932161.exe	766966e7290e6ec39da0b95478a619a00998669b79758a4cc72a41da5a932161.exe
PID 3060 wrote to memory of 3976	3060	licsmatrix.exe	licsmatrix.exe
PID 3060 wrote to memory of 3976	3060	licsmatrix.exe	licsmatrix.exe
PID 3060 wrote to memory of 3976	3060	licsmatrix.exe	licsmatrix.exe

C:\Users\Admin\AppData\Local\Temp\766966e7290e6ec39da0b95478a619a00998669b79758a4cc72a41da5a932161.exe
"C:\Users\Admin\AppData\Local\Temp\766966e7290e6ec39da0b95478a619a00998669b79758a4cc72a41da5a932161.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Users\Admin\AppData\Local\Temp\766966e7290e6ec39da0b95478a619a00998669b79758a4cc72a41da5a932161.exe
  --9db3a936
  2⤵
  - Suspicious behavior: RenamesItself
  PID:5084

C:\Windows\SysWOW64\licsmatrix.exe
"C:\Windows\SysWOW64\licsmatrix.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Windows\SysWOW64\licsmatrix.exe
  --ced16e60
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:3976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2732-132-0x0000000002160000-0x0000000002171000-memory.dmp

Filesize
68KB

Download
memory/2732-134-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3976-138-0x0000000000000000-mapping.dmp

Download
memory/3976-140-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3976-141-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5084-133-0x0000000000000000-mapping.dmp

Download
memory/5084-135-0x0000000000590000-0x00000000005A1000-memory.dmp

Filesize
68KB

Download
memory/5084-136-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5084-137-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5084-139-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download