emotet | 991733473e2f2cd9f1e28f11d9429a27751a85ed1b805929aa2ad71b8e1b6152

General

Target

991733473e2f2cd9f1e28f11d9429a27751a85ed1b805929aa2ad71b8e1b6152.exe
Size

201KB
MD5

30193e56b6b89ebb74635f72d4e6a854
SHA1

63022da3e2aae7fbb2a79a1269c991e372c0c1c0
SHA256

991733473e2f2cd9f1e28f11d9429a27751a85ed1b805929aa2ad71b8e1b6152
SHA512

7539ba938f69ac67b0fa043d6b7a9f4ec76f07c10c3dc8e7b59874ff562c2545e287a1c0457c7d74f8d449951143a439c3859ff54f38ff9a9b975512363726af
SSDEEP

3072:EDSXf2ro/JcXsFptLu3GIPkqu8J27A76NY36EZukoXVW4wFGmjZqMNeNV:EDef2roRc+1uFP9/J27A76OZZZvEV

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 1 IoCs

Processes:

mfidlwordpad.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mfidlwordpad.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 21 IoCs

Processes:

mfidlwordpad.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{41DC94A8-3232-42FE-B62E-4F0001F395FC}\5a-60-4c-ec-88-89	mfidlwordpad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mfidlwordpad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mfidlwordpad.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mfidlwordpad.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{41DC94A8-3232-42FE-B62E-4F0001F395FC}\WpadDecisionReason = "1"	mfidlwordpad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{41DC94A8-3232-42FE-B62E-4F0001F395FC}\WpadNetworkName = "Network 2"	mfidlwordpad.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-60-4c-ec-88-89	mfidlwordpad.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mfidlwordpad.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0037000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mfidlwordpad.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{41DC94A8-3232-42FE-B62E-4F0001F395FC}\WpadDecision = "0"	mfidlwordpad.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-60-4c-ec-88-89\WpadDecision = "0"	mfidlwordpad.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mfidlwordpad.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{41DC94A8-3232-42FE-B62E-4F0001F395FC}	mfidlwordpad.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-60-4c-ec-88-89\WpadDecisionTime = 808730e85d06d901	mfidlwordpad.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-60-4c-ec-88-89\WpadDecisionReason = "1"	mfidlwordpad.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mfidlwordpad.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mfidlwordpad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mfidlwordpad.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mfidlwordpad.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mfidlwordpad.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{41DC94A8-3232-42FE-B62E-4F0001F395FC}\WpadDecisionTime = 808730e85d06d901	mfidlwordpad.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

mfidlwordpad.exe

pid process

588 mfidlwordpad.exe
588 mfidlwordpad.exe
588 mfidlwordpad.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

991733473e2f2cd9f1e28f11d9429a27751a85ed1b805929aa2ad71b8e1b6152.exe

pid process

1340 991733473e2f2cd9f1e28f11d9429a27751a85ed1b805929aa2ad71b8e1b6152.exe

pid	process
588	mfidlwordpad.exe
588	mfidlwordpad.exe
588	mfidlwordpad.exe

pid	process
1340	991733473e2f2cd9f1e28f11d9429a27751a85ed1b805929aa2ad71b8e1b6152.exe

Suspicious use of UnmapMainImage 4 IoCs

Processes:

991733473e2f2cd9f1e28f11d9429a27751a85ed1b805929aa2ad71b8e1b6152.exe991733473e2f2cd9f1e28f11d9429a27751a85ed1b805929aa2ad71b8e1b6152.exemfidlwordpad.exemfidlwordpad.exe

pid	process
1736	991733473e2f2cd9f1e28f11d9429a27751a85ed1b805929aa2ad71b8e1b6152.exe
1340	991733473e2f2cd9f1e28f11d9429a27751a85ed1b805929aa2ad71b8e1b6152.exe
1872	mfidlwordpad.exe
588	mfidlwordpad.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

991733473e2f2cd9f1e28f11d9429a27751a85ed1b805929aa2ad71b8e1b6152.exemfidlwordpad.exe

description	pid	process	target process
PID 1736 wrote to memory of 1340	1736	991733473e2f2cd9f1e28f11d9429a27751a85ed1b805929aa2ad71b8e1b6152.exe	991733473e2f2cd9f1e28f11d9429a27751a85ed1b805929aa2ad71b8e1b6152.exe
PID 1736 wrote to memory of 1340	1736	991733473e2f2cd9f1e28f11d9429a27751a85ed1b805929aa2ad71b8e1b6152.exe	991733473e2f2cd9f1e28f11d9429a27751a85ed1b805929aa2ad71b8e1b6152.exe
PID 1736 wrote to memory of 1340	1736	991733473e2f2cd9f1e28f11d9429a27751a85ed1b805929aa2ad71b8e1b6152.exe	991733473e2f2cd9f1e28f11d9429a27751a85ed1b805929aa2ad71b8e1b6152.exe
PID 1736 wrote to memory of 1340	1736	991733473e2f2cd9f1e28f11d9429a27751a85ed1b805929aa2ad71b8e1b6152.exe	991733473e2f2cd9f1e28f11d9429a27751a85ed1b805929aa2ad71b8e1b6152.exe
PID 1872 wrote to memory of 588	1872	mfidlwordpad.exe	mfidlwordpad.exe
PID 1872 wrote to memory of 588	1872	mfidlwordpad.exe	mfidlwordpad.exe
PID 1872 wrote to memory of 588	1872	mfidlwordpad.exe	mfidlwordpad.exe
PID 1872 wrote to memory of 588	1872	mfidlwordpad.exe	mfidlwordpad.exe

C:\Users\Admin\AppData\Local\Temp\991733473e2f2cd9f1e28f11d9429a27751a85ed1b805929aa2ad71b8e1b6152.exe
"C:\Users\Admin\AppData\Local\Temp\991733473e2f2cd9f1e28f11d9429a27751a85ed1b805929aa2ad71b8e1b6152.exe"
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1736

C:\Users\Admin\AppData\Local\Temp\991733473e2f2cd9f1e28f11d9429a27751a85ed1b805929aa2ad71b8e1b6152.exe
--cd2aec66
2⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
PID:1340

C:\Windows\SysWOW64\mfidlwordpad.exe
"C:\Windows\SysWOW64\mfidlwordpad.exe"
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1872

C:\Windows\SysWOW64\mfidlwordpad.exe
--3fa3f2a3
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
PID:588

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/588-61-0x0000000000000000-mapping.dmp

Download
memory/588-63-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/588-65-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1340-54-0x0000000000000000-mapping.dmp

Download
memory/1340-57-0x0000000000220000-0x000000000023B000-memory.dmp

Filesize
108KB

Download
memory/1340-58-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1340-59-0x00000000759C1000-0x00000000759C3000-memory.dmp

Filesize
8KB

Download
memory/1340-60-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1340-62-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1736-55-0x0000000000220000-0x000000000023B000-memory.dmp

Filesize
108KB

Download
memory/1736-56-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads