emotet | e845e5c7d95b80e85fe3c3c1875ca165b2f033221b4255b313c40d4ff82d832f

Analysis

max time kernel
206s
max time network
212s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2022 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e845e5c7d95b80e85fe3c3c1875ca165b2f033221b4255b313c40d4ff82d832f.exe
Size

108KB
MD5

98daa70ab692915a467779877727cf39
SHA1

dafb5dfb3eac517c342958404f99852e670b0fca
SHA256

e845e5c7d95b80e85fe3c3c1875ca165b2f033221b4255b313c40d4ff82d832f
SHA512

4bdc419df084ffa1366c05a14610f5ca210c0d42feb0e8318012bb263cf23202c10075258e8217ff3da1452942016651d2ca0df6d7e53df7d25fa78d13bd9e9b
SSDEEP

3072:W4x9Pri16G04TQhl7Z2382rlkTUbzsasOk8ljrxeFFEK4:W4XO1F01hlA8YlJAa5k8ljtL

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 4 IoCs

Processes:

drawcntl.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	drawcntl.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	drawcntl.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	drawcntl.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	drawcntl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

Processes:

drawcntl.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	drawcntl.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	drawcntl.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	drawcntl.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

drawcntl.exe

pid process

4964 drawcntl.exe
4964 drawcntl.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

e845e5c7d95b80e85fe3c3c1875ca165b2f033221b4255b313c40d4ff82d832f.exe

pid process

4264 e845e5c7d95b80e85fe3c3c1875ca165b2f033221b4255b313c40d4ff82d832f.exe

pid	process
4964	drawcntl.exe
4964	drawcntl.exe

pid	process
4264	e845e5c7d95b80e85fe3c3c1875ca165b2f033221b4255b313c40d4ff82d832f.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

e845e5c7d95b80e85fe3c3c1875ca165b2f033221b4255b313c40d4ff82d832f.exedrawcntl.exe

description	pid	process	target process
PID 4848 wrote to memory of 4264	4848	e845e5c7d95b80e85fe3c3c1875ca165b2f033221b4255b313c40d4ff82d832f.exe	e845e5c7d95b80e85fe3c3c1875ca165b2f033221b4255b313c40d4ff82d832f.exe
PID 4848 wrote to memory of 4264	4848	e845e5c7d95b80e85fe3c3c1875ca165b2f033221b4255b313c40d4ff82d832f.exe	e845e5c7d95b80e85fe3c3c1875ca165b2f033221b4255b313c40d4ff82d832f.exe
PID 4848 wrote to memory of 4264	4848	e845e5c7d95b80e85fe3c3c1875ca165b2f033221b4255b313c40d4ff82d832f.exe	e845e5c7d95b80e85fe3c3c1875ca165b2f033221b4255b313c40d4ff82d832f.exe
PID 3088 wrote to memory of 4964	3088	drawcntl.exe	drawcntl.exe
PID 3088 wrote to memory of 4964	3088	drawcntl.exe	drawcntl.exe
PID 3088 wrote to memory of 4964	3088	drawcntl.exe	drawcntl.exe

C:\Users\Admin\AppData\Local\Temp\e845e5c7d95b80e85fe3c3c1875ca165b2f033221b4255b313c40d4ff82d832f.exe
"C:\Users\Admin\AppData\Local\Temp\e845e5c7d95b80e85fe3c3c1875ca165b2f033221b4255b313c40d4ff82d832f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4848

C:\Users\Admin\AppData\Local\Temp\e845e5c7d95b80e85fe3c3c1875ca165b2f033221b4255b313c40d4ff82d832f.exe
--a9ad73a8
2⤵
- Suspicious behavior: RenamesItself
PID:4264

C:\Windows\SysWOW64\drawcntl.exe
"C:\Windows\SysWOW64\drawcntl.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3088

C:\Windows\SysWOW64\drawcntl.exe
--51b8f1b9
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4964

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3088-138-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4264-133-0x0000000000000000-mapping.dmp

Download
memory/4264-136-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4264-137-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4264-142-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4848-132-0x0000000000530000-0x0000000000540000-memory.dmp

Filesize
64KB

Download
memory/4848-134-0x0000000000530000-0x0000000000540000-memory.dmp

Filesize
64KB

Download
memory/4848-135-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4964-139-0x0000000000000000-mapping.dmp

Download
memory/4964-140-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4964-141-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download