emotet | d7a745533209956b23fafe533d54e93193c7cda43457924693dbe60ec77ef8f2

Analysis

max time kernel
177s
max time network
207s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2022 14:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7a745533209956b23fafe533d54e93193c7cda43457924693dbe60ec77ef8f2.exe
Size

100KB
MD5

8dc2977abe0b363aca606378bf7fd385
SHA1

82fd6c30ebb2b3b5bb5911a3b57fd29142ce6fa8
SHA256

d7a745533209956b23fafe533d54e93193c7cda43457924693dbe60ec77ef8f2
SHA512

59f33d6707902aaa8704420a213541cfb758fe2cdfa49fce82d0c29f941d855d77799ef6cde5e5db6d307b8c620f4ba8eb2466dbb87d798c37757212e5786325
SSDEEP

1536:S9XM2K4Y3kK5MNq5cktsVPkRcT5nEYJyuXtg/7rSLh50Uj7z3nYxV:S98xkK5h5xwPDTZrKrqh50Uj7z3nYxV

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 4 IoCs

Processes:

targetsiell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	targetsiell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	targetsiell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	targetsiell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	targetsiell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

Processes:

targetsiell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	targetsiell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	targetsiell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	targetsiell.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

targetsiell.exe

pid	process
2492	targetsiell.exe
2492	targetsiell.exe
2492	targetsiell.exe
2492	targetsiell.exe
2492	targetsiell.exe
2492	targetsiell.exe
2492	targetsiell.exe
2492	targetsiell.exe
2492	targetsiell.exe
2492	targetsiell.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

d7a745533209956b23fafe533d54e93193c7cda43457924693dbe60ec77ef8f2.exe

pid process

2260 d7a745533209956b23fafe533d54e93193c7cda43457924693dbe60ec77ef8f2.exe

pid	process
2260	d7a745533209956b23fafe533d54e93193c7cda43457924693dbe60ec77ef8f2.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

d7a745533209956b23fafe533d54e93193c7cda43457924693dbe60ec77ef8f2.exetargetsiell.exe

description	pid	process	target process
PID 2452 wrote to memory of 2260	2452	d7a745533209956b23fafe533d54e93193c7cda43457924693dbe60ec77ef8f2.exe	d7a745533209956b23fafe533d54e93193c7cda43457924693dbe60ec77ef8f2.exe
PID 2452 wrote to memory of 2260	2452	d7a745533209956b23fafe533d54e93193c7cda43457924693dbe60ec77ef8f2.exe	d7a745533209956b23fafe533d54e93193c7cda43457924693dbe60ec77ef8f2.exe
PID 2452 wrote to memory of 2260	2452	d7a745533209956b23fafe533d54e93193c7cda43457924693dbe60ec77ef8f2.exe	d7a745533209956b23fafe533d54e93193c7cda43457924693dbe60ec77ef8f2.exe
PID 4600 wrote to memory of 2492	4600	targetsiell.exe	targetsiell.exe
PID 4600 wrote to memory of 2492	4600	targetsiell.exe	targetsiell.exe
PID 4600 wrote to memory of 2492	4600	targetsiell.exe	targetsiell.exe

C:\Users\Admin\AppData\Local\Temp\d7a745533209956b23fafe533d54e93193c7cda43457924693dbe60ec77ef8f2.exe
"C:\Users\Admin\AppData\Local\Temp\d7a745533209956b23fafe533d54e93193c7cda43457924693dbe60ec77ef8f2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2452

C:\Users\Admin\AppData\Local\Temp\d7a745533209956b23fafe533d54e93193c7cda43457924693dbe60ec77ef8f2.exe
--c5edc055
2⤵
- Suspicious behavior: RenamesItself
PID:2260

C:\Windows\SysWOW64\targetsiell.exe
"C:\Windows\SysWOW64\targetsiell.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4600

C:\Windows\SysWOW64\targetsiell.exe
--13060574
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2492

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2260-134-0x0000000000000000-mapping.dmp

Download
memory/2260-137-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2260-138-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2260-140-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2452-133-0x0000000002030000-0x0000000002041000-memory.dmp

Filesize
68KB

Download
memory/2452-135-0x0000000002030000-0x0000000002041000-memory.dmp

Filesize
68KB

Download
memory/2452-136-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2492-139-0x0000000000000000-mapping.dmp

Download
memory/2492-141-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2492-142-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download