emotet | 55073efe1efc561f5355ef68cbe011074ab198c5e4e52fb30e48ac62f64b1a57

Analysis

max time kernel
152s
max time network
196s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2022 19:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55073efe1efc561f5355ef68cbe011074ab198c5e4e52fb30e48ac62f64b1a57.exe
Size

134KB
MD5

ac4988df4640960f91201063930b8e9a
SHA1

f9b037e8744390170cb0aba551890662711af928
SHA256

55073efe1efc561f5355ef68cbe011074ab198c5e4e52fb30e48ac62f64b1a57
SHA512

f43e2a33418a74a6668aecf6020aaaa9eed7cea470fc6ad872faad489b323cf4d037f7b7d20d0590a0ec5a8f7af2e870fe459ccb5b332f70fa33a33590c438fe
SSDEEP

3072:pAAxt4uylSM0zijiK6Y4wQ1oP3i9AFPdXdZ47AhmXYb0g:9v4uylSkjiKV4w9P3i9A3Xj/hl

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 4 IoCs

Processes:

cbssource.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	cbssource.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	cbssource.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	cbssource.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	cbssource.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

Processes:

cbssource.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	cbssource.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	cbssource.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	cbssource.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

cbssource.exe

pid process

3480 cbssource.exe
3480 cbssource.exe
3480 cbssource.exe
3480 cbssource.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

55073efe1efc561f5355ef68cbe011074ab198c5e4e52fb30e48ac62f64b1a57.exe

pid process

1532 55073efe1efc561f5355ef68cbe011074ab198c5e4e52fb30e48ac62f64b1a57.exe

pid	process
3480	cbssource.exe
3480	cbssource.exe
3480	cbssource.exe
3480	cbssource.exe

pid	process
1532	55073efe1efc561f5355ef68cbe011074ab198c5e4e52fb30e48ac62f64b1a57.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

55073efe1efc561f5355ef68cbe011074ab198c5e4e52fb30e48ac62f64b1a57.execbssource.exe

description	pid	process	target process
PID 2292 wrote to memory of 1532	2292	55073efe1efc561f5355ef68cbe011074ab198c5e4e52fb30e48ac62f64b1a57.exe	55073efe1efc561f5355ef68cbe011074ab198c5e4e52fb30e48ac62f64b1a57.exe
PID 2292 wrote to memory of 1532	2292	55073efe1efc561f5355ef68cbe011074ab198c5e4e52fb30e48ac62f64b1a57.exe	55073efe1efc561f5355ef68cbe011074ab198c5e4e52fb30e48ac62f64b1a57.exe
PID 2292 wrote to memory of 1532	2292	55073efe1efc561f5355ef68cbe011074ab198c5e4e52fb30e48ac62f64b1a57.exe	55073efe1efc561f5355ef68cbe011074ab198c5e4e52fb30e48ac62f64b1a57.exe
PID 3436 wrote to memory of 3480	3436	cbssource.exe	cbssource.exe
PID 3436 wrote to memory of 3480	3436	cbssource.exe	cbssource.exe
PID 3436 wrote to memory of 3480	3436	cbssource.exe	cbssource.exe

C:\Users\Admin\AppData\Local\Temp\55073efe1efc561f5355ef68cbe011074ab198c5e4e52fb30e48ac62f64b1a57.exe
"C:\Users\Admin\AppData\Local\Temp\55073efe1efc561f5355ef68cbe011074ab198c5e4e52fb30e48ac62f64b1a57.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2292

C:\Users\Admin\AppData\Local\Temp\55073efe1efc561f5355ef68cbe011074ab198c5e4e52fb30e48ac62f64b1a57.exe
--a90dac0d
2⤵
- Suspicious behavior: RenamesItself
PID:1532

C:\Windows\SysWOW64\cbssource.exe
"C:\Windows\SysWOW64\cbssource.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3436

C:\Windows\SysWOW64\cbssource.exe
--57b38865
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3480

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1532-134-0x0000000000000000-mapping.dmp

Download
memory/1532-136-0x00000000004A0000-0x00000000004BB000-memory.dmp

Filesize
108KB

Download
memory/1532-137-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1532-138-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1532-141-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2292-132-0x00000000005D0000-0x00000000005EB000-memory.dmp

Filesize
108KB

Download
memory/2292-133-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2292-135-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3436-139-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3480-140-0x0000000000000000-mapping.dmp

Download
memory/3480-142-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3480-143-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download