emotet | 55a80b03ee90e27367da501b1c944d33bbaa8d602a02ea827aca646a40381eaf

General

Target

55a80b03ee90e27367da501b1c944d33bbaa8d602a02ea827aca646a40381eaf.exe
Size

474KB
MD5

1caf518700f8a969fe59ea7c35d13995
SHA1

7f6133ad68ba50920d5d353d346ec7ee7393b883
SHA256

55a80b03ee90e27367da501b1c944d33bbaa8d602a02ea827aca646a40381eaf
SHA512

f6e3e6c93a3afe7b8ce2b8b84e71c61527795728c8ab7121bc875d1731b9b4f97f56defcdba6109fcbc7d353dc4a555f87a42a75944242e79941144614e84bf5
SSDEEP

6144:ieFrEMus74tW3HvPgADDnz/HXnr/vYitorLFDPMTJYhr64Fg0:ntEMus70imrLFPMdV4Fg0

Score

10^/10

emotet epoch3 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch3

C2

110.36.234.146:80

197.211.244.6:443

125.99.61.162:7080

115.88.70.226:7080

162.241.232.82:8080

194.50.163.106:8080

162.214.27.219:7080

203.150.19.63:443

179.62.18.56:443

93.78.205.196:443

176.58.93.123:80

138.197.140.163:8080

181.113.229.139:990

201.244.125.210:995

186.10.16.244:53

83.169.33.157:8080

45.33.1.161:8080

186.117.174.26:80

186.93.167.147:443

148.240.52.172:80

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 1 IoCs

Processes:

tlbmira.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	tlbmira.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 21 IoCs

Processes:

tlbmira.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-99-72-cf-ac-0a\WpadDecisionTime = 401f36726706d901	tlbmira.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	tlbmira.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	tlbmira.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	tlbmira.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	tlbmira.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0080000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	tlbmira.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{75538D86-5D3D-416F-AD75-E96D1A96F6C3}\WpadDecision = "0"	tlbmira.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-99-72-cf-ac-0a\WpadDecisionReason = "1"	tlbmira.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	tlbmira.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	tlbmira.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-99-72-cf-ac-0a	tlbmira.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	tlbmira.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	tlbmira.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	tlbmira.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{75538D86-5D3D-416F-AD75-E96D1A96F6C3}	tlbmira.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{75538D86-5D3D-416F-AD75-E96D1A96F6C3}\WpadDecisionReason = "1"	tlbmira.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{75538D86-5D3D-416F-AD75-E96D1A96F6C3}\1e-99-72-cf-ac-0a	tlbmira.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-99-72-cf-ac-0a\WpadDecision = "0"	tlbmira.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	tlbmira.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{75538D86-5D3D-416F-AD75-E96D1A96F6C3}\WpadDecisionTime = 401f36726706d901	tlbmira.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{75538D86-5D3D-416F-AD75-E96D1A96F6C3}\WpadNetworkName = "Network 3"	tlbmira.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

tlbmira.exe

pid process

1052 tlbmira.exe
1052 tlbmira.exe
1052 tlbmira.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

55a80b03ee90e27367da501b1c944d33bbaa8d602a02ea827aca646a40381eaf.exe

pid process

1112 55a80b03ee90e27367da501b1c944d33bbaa8d602a02ea827aca646a40381eaf.exe

pid	process
1052	tlbmira.exe
1052	tlbmira.exe
1052	tlbmira.exe

pid	process
1112	55a80b03ee90e27367da501b1c944d33bbaa8d602a02ea827aca646a40381eaf.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXE

description	pid	process
Token: 33	1484	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1484	AUDIODG.EXE
Token: 33	1484	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1484	AUDIODG.EXE

Suspicious use of UnmapMainImage 4 IoCs

Processes:

55a80b03ee90e27367da501b1c944d33bbaa8d602a02ea827aca646a40381eaf.exe55a80b03ee90e27367da501b1c944d33bbaa8d602a02ea827aca646a40381eaf.exetlbmira.exetlbmira.exe

pid	process
1668	55a80b03ee90e27367da501b1c944d33bbaa8d602a02ea827aca646a40381eaf.exe
1112	55a80b03ee90e27367da501b1c944d33bbaa8d602a02ea827aca646a40381eaf.exe
1992	tlbmira.exe
1052	tlbmira.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

55a80b03ee90e27367da501b1c944d33bbaa8d602a02ea827aca646a40381eaf.exetlbmira.exe

description	pid	process	target process
PID 1668 wrote to memory of 1112	1668	55a80b03ee90e27367da501b1c944d33bbaa8d602a02ea827aca646a40381eaf.exe	55a80b03ee90e27367da501b1c944d33bbaa8d602a02ea827aca646a40381eaf.exe
PID 1668 wrote to memory of 1112	1668	55a80b03ee90e27367da501b1c944d33bbaa8d602a02ea827aca646a40381eaf.exe	55a80b03ee90e27367da501b1c944d33bbaa8d602a02ea827aca646a40381eaf.exe
PID 1668 wrote to memory of 1112	1668	55a80b03ee90e27367da501b1c944d33bbaa8d602a02ea827aca646a40381eaf.exe	55a80b03ee90e27367da501b1c944d33bbaa8d602a02ea827aca646a40381eaf.exe
PID 1668 wrote to memory of 1112	1668	55a80b03ee90e27367da501b1c944d33bbaa8d602a02ea827aca646a40381eaf.exe	55a80b03ee90e27367da501b1c944d33bbaa8d602a02ea827aca646a40381eaf.exe
PID 1992 wrote to memory of 1052	1992	tlbmira.exe	tlbmira.exe
PID 1992 wrote to memory of 1052	1992	tlbmira.exe	tlbmira.exe
PID 1992 wrote to memory of 1052	1992	tlbmira.exe	tlbmira.exe
PID 1992 wrote to memory of 1052	1992	tlbmira.exe	tlbmira.exe

C:\Users\Admin\AppData\Local\Temp\55a80b03ee90e27367da501b1c944d33bbaa8d602a02ea827aca646a40381eaf.exe
"C:\Users\Admin\AppData\Local\Temp\55a80b03ee90e27367da501b1c944d33bbaa8d602a02ea827aca646a40381eaf.exe"
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1668

C:\Users\Admin\AppData\Local\Temp\55a80b03ee90e27367da501b1c944d33bbaa8d602a02ea827aca646a40381eaf.exe
--7a82e46f
2⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
PID:1112

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x560
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Windows\SysWOW64\tlbmira.exe
"C:\Windows\SysWOW64\tlbmira.exe"
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\SysWOW64\tlbmira.exe
--1be86acb
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
PID:1052

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1052-62-0x0000000000000000-mapping.dmp

Download
memory/1112-56-0x0000000000000000-mapping.dmp

Download
memory/1112-60-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1112-63-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1668-54-0x0000000075241000-0x0000000075243000-memory.dmp

Filesize
8KB

Download
memory/1668-55-0x00000000002C0000-0x00000000002D5000-memory.dmp

Filesize
84KB

Download
memory/1668-59-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1668-57-0x00000000002C0000-0x00000000002D5000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads