emotet | 767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c

General

Target

767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe
Size

330KB
MD5

f9a727fbbc6daa67c7588a1b0e324f24
SHA1

1a11e9bfda0b8a800ee802d65dd14706eaa2a3d3
SHA256

767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c
SHA512

fa8b820d6c264a5720a3297af8366801af35e5863ba4e9c1ada5a6e8ba78ac71cb366c0147119e1ed2302abb4b5e89a7918f16466f5174211643b05ae7e1960d
SSDEEP

3072:xd40HStXd+Yy7XCQW4rKMXxgT1uyIdxOnvluXMp3cKAArDZz4N9GhbkUNEkol:xd2dhAKCxgA3o9ucpxyN90vEf

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 1 IoCs

Processes:

indexermini.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	indexermini.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 21 IoCs

Processes:

indexermini.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	indexermini.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	indexermini.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F771D068-E3DA-48B9-B1A8-BE2A35849FE6}\WpadDecision = "0"	indexermini.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\72-bb-a2-2a-60-c1\WpadDecisionTime = 705ae8ad8106d901	indexermini.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	indexermini.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	indexermini.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	indexermini.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F771D068-E3DA-48B9-B1A8-BE2A35849FE6}\WpadDecisionReason = "1"	indexermini.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\72-bb-a2-2a-60-c1	indexermini.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\72-bb-a2-2a-60-c1\WpadDecisionReason = "1"	indexermini.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	indexermini.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	indexermini.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F771D068-E3DA-48B9-B1A8-BE2A35849FE6}\WpadNetworkName = "Network 2"	indexermini.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F771D068-E3DA-48B9-B1A8-BE2A35849FE6}\72-bb-a2-2a-60-c1	indexermini.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	indexermini.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F771D068-E3DA-48B9-B1A8-BE2A35849FE6}\WpadDecisionTime = 705ae8ad8106d901	indexermini.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0036000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	indexermini.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F771D068-E3DA-48B9-B1A8-BE2A35849FE6}	indexermini.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\72-bb-a2-2a-60-c1\WpadDecision = "0"	indexermini.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	indexermini.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	indexermini.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exeindexermini.exeindexermini.exe

pid	process
2040	767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe
2044	767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe
268	indexermini.exe
560	indexermini.exe
560	indexermini.exe
560	indexermini.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe

pid process

2044 767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe

pid	process
2044	767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe

Suspicious use of UnmapMainImage 4 IoCs

Processes:

767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exeindexermini.exeindexermini.exe

pid	process
2040	767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe
2044	767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe
268	indexermini.exe
560	indexermini.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exeindexermini.exe

description	pid	process	target process
PID 2040 wrote to memory of 2044	2040	767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe	767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe
PID 2040 wrote to memory of 2044	2040	767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe	767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe
PID 2040 wrote to memory of 2044	2040	767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe	767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe
PID 2040 wrote to memory of 2044	2040	767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe	767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe
PID 268 wrote to memory of 560	268	indexermini.exe	indexermini.exe
PID 268 wrote to memory of 560	268	indexermini.exe	indexermini.exe
PID 268 wrote to memory of 560	268	indexermini.exe	indexermini.exe
PID 268 wrote to memory of 560	268	indexermini.exe	indexermini.exe

C:\Users\Admin\AppData\Local\Temp\767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe
"C:\Users\Admin\AppData\Local\Temp\767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\Admin\AppData\Local\Temp\767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe
"C:\Users\Admin\AppData\Local\Temp\767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
PID:2044

C:\Windows\SysWOW64\indexermini.exe
"C:\Windows\SysWOW64\indexermini.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\SysWOW64\indexermini.exe
"C:\Windows\SysWOW64\indexermini.exe"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
PID:560

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/560-61-0x0000000000000000-mapping.dmp

Download
memory/560-63-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2040-54-0x0000000000220000-0x0000000000232000-memory.dmp

Filesize
72KB

Download
memory/2040-56-0x0000000000220000-0x0000000000232000-memory.dmp

Filesize
72KB

Download
memory/2040-57-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2044-55-0x0000000000000000-mapping.dmp

Download
memory/2044-58-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2044-59-0x00000000761E1000-0x00000000761E3000-memory.dmp

Filesize
8KB

Download
memory/2044-60-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2044-62-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads