emotet | 1c329a3284737d400b6d2ae5f926ba51640cf8c60e5ca888d8352ada5d77aad1

General

Target

1c329a3284737d400b6d2ae5f926ba51640cf8c60e5ca888d8352ada5d77aad1.exe
Size

150KB
MD5

49d1ea956c9865f9356e14c145ef652e
SHA1

c046935baf11e19bebecc5cf3998ef3d60f52067
SHA256

1c329a3284737d400b6d2ae5f926ba51640cf8c60e5ca888d8352ada5d77aad1
SHA512

18743a61bf325df3ca45416a70e8a4e6fda751de92e2cb65550223e77be0bcbc24e6cf92ac3d1b61025e7c69b4825fb2f57abd5aadbe232fb5bc272dbfde9bd0
SSDEEP

3072:Bx9PrNoQSsdBb74jipqV7SDRRb79X1yGZYDpZ:BXpoHMnAVuDRRbx0GiZ

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 1 IoCs

Processes:

classicnumber.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	classicnumber.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 21 IoCs

Processes:

classicnumber.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	classicnumber.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	classicnumber.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-f5-ce-c5-05-0a\WpadDecisionReason = "1"	classicnumber.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-f5-ce-c5-05-0a\WpadDecision = "0"	classicnumber.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	classicnumber.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	classicnumber.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6C58B634-D8CB-4FCE-AE26-89192FEFC5BB}\WpadDecisionTime = 80c359527f06d901	classicnumber.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6C58B634-D8CB-4FCE-AE26-89192FEFC5BB}\ee-f5-ce-c5-05-0a	classicnumber.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	classicnumber.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	classicnumber.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0093000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	classicnumber.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6C58B634-D8CB-4FCE-AE26-89192FEFC5BB}\WpadNetworkName = "Network 3"	classicnumber.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-f5-ce-c5-05-0a	classicnumber.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	classicnumber.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	classicnumber.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	classicnumber.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	classicnumber.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6C58B634-D8CB-4FCE-AE26-89192FEFC5BB}	classicnumber.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6C58B634-D8CB-4FCE-AE26-89192FEFC5BB}\WpadDecisionReason = "1"	classicnumber.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6C58B634-D8CB-4FCE-AE26-89192FEFC5BB}\WpadDecision = "0"	classicnumber.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-f5-ce-c5-05-0a\WpadDecisionTime = 80c359527f06d901	classicnumber.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

classicnumber.exe

pid process

1984 classicnumber.exe
1984 classicnumber.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

1c329a3284737d400b6d2ae5f926ba51640cf8c60e5ca888d8352ada5d77aad1.exe

pid process

1892 1c329a3284737d400b6d2ae5f926ba51640cf8c60e5ca888d8352ada5d77aad1.exe

pid	process
1984	classicnumber.exe
1984	classicnumber.exe

pid	process
1892	1c329a3284737d400b6d2ae5f926ba51640cf8c60e5ca888d8352ada5d77aad1.exe

Suspicious use of UnmapMainImage 4 IoCs

Processes:

1c329a3284737d400b6d2ae5f926ba51640cf8c60e5ca888d8352ada5d77aad1.exe1c329a3284737d400b6d2ae5f926ba51640cf8c60e5ca888d8352ada5d77aad1.execlassicnumber.execlassicnumber.exe

pid	process
1640	1c329a3284737d400b6d2ae5f926ba51640cf8c60e5ca888d8352ada5d77aad1.exe
1892	1c329a3284737d400b6d2ae5f926ba51640cf8c60e5ca888d8352ada5d77aad1.exe
1972	classicnumber.exe
1984	classicnumber.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

1c329a3284737d400b6d2ae5f926ba51640cf8c60e5ca888d8352ada5d77aad1.execlassicnumber.exe

description	pid	process	target process
PID 1640 wrote to memory of 1892	1640	1c329a3284737d400b6d2ae5f926ba51640cf8c60e5ca888d8352ada5d77aad1.exe	1c329a3284737d400b6d2ae5f926ba51640cf8c60e5ca888d8352ada5d77aad1.exe
PID 1640 wrote to memory of 1892	1640	1c329a3284737d400b6d2ae5f926ba51640cf8c60e5ca888d8352ada5d77aad1.exe	1c329a3284737d400b6d2ae5f926ba51640cf8c60e5ca888d8352ada5d77aad1.exe
PID 1640 wrote to memory of 1892	1640	1c329a3284737d400b6d2ae5f926ba51640cf8c60e5ca888d8352ada5d77aad1.exe	1c329a3284737d400b6d2ae5f926ba51640cf8c60e5ca888d8352ada5d77aad1.exe
PID 1640 wrote to memory of 1892	1640	1c329a3284737d400b6d2ae5f926ba51640cf8c60e5ca888d8352ada5d77aad1.exe	1c329a3284737d400b6d2ae5f926ba51640cf8c60e5ca888d8352ada5d77aad1.exe
PID 1972 wrote to memory of 1984	1972	classicnumber.exe	classicnumber.exe
PID 1972 wrote to memory of 1984	1972	classicnumber.exe	classicnumber.exe
PID 1972 wrote to memory of 1984	1972	classicnumber.exe	classicnumber.exe
PID 1972 wrote to memory of 1984	1972	classicnumber.exe	classicnumber.exe

C:\Users\Admin\AppData\Local\Temp\1c329a3284737d400b6d2ae5f926ba51640cf8c60e5ca888d8352ada5d77aad1.exe
"C:\Users\Admin\AppData\Local\Temp\1c329a3284737d400b6d2ae5f926ba51640cf8c60e5ca888d8352ada5d77aad1.exe"
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1640

C:\Users\Admin\AppData\Local\Temp\1c329a3284737d400b6d2ae5f926ba51640cf8c60e5ca888d8352ada5d77aad1.exe
--d256853c
2⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
PID:1892

C:\Windows\SysWOW64\classicnumber.exe
"C:\Windows\SysWOW64\classicnumber.exe"
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\SysWOW64\classicnumber.exe
--5b047511
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
PID:1984

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1640-55-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1640-56-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1892-54-0x0000000000000000-mapping.dmp

Download
memory/1892-57-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1892-58-0x0000000075921000-0x0000000075923000-memory.dmp

Filesize
8KB

Download
memory/1892-61-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1972-59-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1984-60-0x0000000000000000-mapping.dmp

Download
memory/1984-62-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads