emotet | 767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c

General

Target

767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe
Size

330KB
MD5

f9a727fbbc6daa67c7588a1b0e324f24
SHA1

1a11e9bfda0b8a800ee802d65dd14706eaa2a3d3
SHA256

767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c
SHA512

fa8b820d6c264a5720a3297af8366801af35e5863ba4e9c1ada5a6e8ba78ac71cb366c0147119e1ed2302abb4b5e89a7918f16466f5174211643b05ae7e1960d
SSDEEP

3072:xd40HStXd+Yy7XCQW4rKMXxgT1uyIdxOnvluXMp3cKAArDZz4N9GhbkUNEkol:xd2dhAKCxgA3o9ucpxyN90vEf

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 4 IoCs

Processes:

enrolldaf.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	enrolldaf.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	enrolldaf.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	enrolldaf.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	enrolldaf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

Processes:

enrolldaf.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	enrolldaf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	enrolldaf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	enrolldaf.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exeenrolldaf.exeenrolldaf.exe

pid	process
1868	767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe
1868	767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe
1668	767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe
1668	767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe
4028	enrolldaf.exe
4028	enrolldaf.exe
4292	enrolldaf.exe
4292	enrolldaf.exe
4292	enrolldaf.exe
4292	enrolldaf.exe
4292	enrolldaf.exe
4292	enrolldaf.exe
4292	enrolldaf.exe
4292	enrolldaf.exe
4292	enrolldaf.exe
4292	enrolldaf.exe
4292	enrolldaf.exe
4292	enrolldaf.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe

pid process

1668 767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe

pid	process
1668	767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exeenrolldaf.exe

description	pid	process	target process
PID 1868 wrote to memory of 1668	1868	767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe	767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe
PID 1868 wrote to memory of 1668	1868	767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe	767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe
PID 1868 wrote to memory of 1668	1868	767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe	767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe
PID 4028 wrote to memory of 4292	4028	enrolldaf.exe	enrolldaf.exe
PID 4028 wrote to memory of 4292	4028	enrolldaf.exe	enrolldaf.exe
PID 4028 wrote to memory of 4292	4028	enrolldaf.exe	enrolldaf.exe

C:\Users\Admin\AppData\Local\Temp\767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe
"C:\Users\Admin\AppData\Local\Temp\767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1868

C:\Users\Admin\AppData\Local\Temp\767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe
"C:\Users\Admin\AppData\Local\Temp\767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
PID:1668

C:\Windows\SysWOW64\enrolldaf.exe
"C:\Windows\SysWOW64\enrolldaf.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4028

C:\Windows\SysWOW64\enrolldaf.exe
"C:\Windows\SysWOW64\enrolldaf.exe"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4292

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1668-133-0x0000000000000000-mapping.dmp

Download
memory/1668-136-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1668-137-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1668-141-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1868-132-0x00000000005F0000-0x0000000000602000-memory.dmp

Filesize
72KB

Download
memory/1868-135-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1868-134-0x00000000005F0000-0x0000000000602000-memory.dmp

Filesize
72KB

Download
memory/4028-139-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4292-138-0x0000000000000000-mapping.dmp

Download
memory/4292-140-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4292-142-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads