emotet | 9635c10648c4dccb9c9de1260429441a6936fcbd0f7eb16c4c149adc5888a32f

Analysis

max time kernel
215s
max time network
223s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2022 15:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9635c10648c4dccb9c9de1260429441a6936fcbd0f7eb16c4c149adc5888a32f.exe
Size

108KB
MD5

c8bd995346f61308e200199c7e041b3c
SHA1

46a39c9425bff794916493459f8bffd9e6915af4
SHA256

9635c10648c4dccb9c9de1260429441a6936fcbd0f7eb16c4c149adc5888a32f
SHA512

9f820d527a5b05d8003d3350ef2428f6d956ec63b42f3d9097df9989f1d1a219841ebe4959eb75c7cc3ab9e36dbebab0e32d9cfc49c114bfc2d7a30373124755
SSDEEP

3072:FCrRG9LgWHyMp6awrpEoNLna7TpP7N5LtgxH:FCrskJaYvn+PdgB

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 4 IoCs

Processes:

portalbears.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	portalbears.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	portalbears.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	portalbears.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	portalbears.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

Processes:

portalbears.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	portalbears.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	portalbears.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	portalbears.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

portalbears.exe

pid	process
4624	portalbears.exe
4624	portalbears.exe
4624	portalbears.exe
4624	portalbears.exe
4624	portalbears.exe
4624	portalbears.exe
4624	portalbears.exe
4624	portalbears.exe
4624	portalbears.exe
4624	portalbears.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

9635c10648c4dccb9c9de1260429441a6936fcbd0f7eb16c4c149adc5888a32f.exe

pid process

4792 9635c10648c4dccb9c9de1260429441a6936fcbd0f7eb16c4c149adc5888a32f.exe

pid	process
4792	9635c10648c4dccb9c9de1260429441a6936fcbd0f7eb16c4c149adc5888a32f.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

9635c10648c4dccb9c9de1260429441a6936fcbd0f7eb16c4c149adc5888a32f.exeportalbears.exe

description	pid	process	target process
PID 4864 wrote to memory of 4792	4864	9635c10648c4dccb9c9de1260429441a6936fcbd0f7eb16c4c149adc5888a32f.exe	9635c10648c4dccb9c9de1260429441a6936fcbd0f7eb16c4c149adc5888a32f.exe
PID 4864 wrote to memory of 4792	4864	9635c10648c4dccb9c9de1260429441a6936fcbd0f7eb16c4c149adc5888a32f.exe	9635c10648c4dccb9c9de1260429441a6936fcbd0f7eb16c4c149adc5888a32f.exe
PID 4864 wrote to memory of 4792	4864	9635c10648c4dccb9c9de1260429441a6936fcbd0f7eb16c4c149adc5888a32f.exe	9635c10648c4dccb9c9de1260429441a6936fcbd0f7eb16c4c149adc5888a32f.exe
PID 1712 wrote to memory of 4624	1712	portalbears.exe	portalbears.exe
PID 1712 wrote to memory of 4624	1712	portalbears.exe	portalbears.exe
PID 1712 wrote to memory of 4624	1712	portalbears.exe	portalbears.exe

C:\Users\Admin\AppData\Local\Temp\9635c10648c4dccb9c9de1260429441a6936fcbd0f7eb16c4c149adc5888a32f.exe
"C:\Users\Admin\AppData\Local\Temp\9635c10648c4dccb9c9de1260429441a6936fcbd0f7eb16c4c149adc5888a32f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4864

C:\Users\Admin\AppData\Local\Temp\9635c10648c4dccb9c9de1260429441a6936fcbd0f7eb16c4c149adc5888a32f.exe
--167b5551
2⤵
- Suspicious behavior: RenamesItself
PID:4792

C:\Windows\SysWOW64\portalbears.exe
"C:\Windows\SysWOW64\portalbears.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\SysWOW64\portalbears.exe
--f0f2e09
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4624

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1712-138-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4624-139-0x0000000000000000-mapping.dmp

Download
memory/4624-141-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4624-142-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4792-133-0x0000000000000000-mapping.dmp

Download
memory/4792-136-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4792-137-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4792-140-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4864-132-0x00000000004E0000-0x00000000004F1000-memory.dmp

Filesize
68KB

Download
memory/4864-134-0x00000000004E0000-0x00000000004F1000-memory.dmp

Filesize
68KB

Download
memory/4864-135-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download