emotet | cf0fd5544c94b0b45d7168ad5c2fcc28502eaeb0a7f89656eb726e9fa89e32e4

General

Target

cf0fd5544c94b0b45d7168ad5c2fcc28502eaeb0a7f89656eb726e9fa89e32e4.exe
Size

306KB
MD5

cb9428c8965c8d48f5f3ca0236fcc28c
SHA1

e222e2ac35dec32973c554b1502a1719460d68a2
SHA256

cf0fd5544c94b0b45d7168ad5c2fcc28502eaeb0a7f89656eb726e9fa89e32e4
SHA512

80264af772509c1ce7aa2c6954c53b230c318f9a51a6f399ccd5ac45fdab6bedce4063aeefdd404c3fe2109051faace528b870fe0a77873bbbc8ce7f1468576d
SSDEEP

6144:63LEppKQUTtvh2VuL6g8+fGKrQ3+toJFihLt3A++:+EpITVAuL6gvfGBdJFihLt3A++

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 1 IoCs

Processes:

menussingle.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	menussingle.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 18 IoCs

Processes:

menussingle.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	menussingle.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9F92260A-DB82-4639-A36B-503464505589}	menussingle.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-c3-53-ee-bd-57	menussingle.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-c3-53-ee-bd-57\WpadDecision = "0"	menussingle.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	menussingle.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9F92260A-DB82-4639-A36B-503464505589}\WpadDecisionReason = "1"	menussingle.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9F92260A-DB82-4639-A36B-503464505589}\WpadDecision = "0"	menussingle.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	menussingle.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	menussingle.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	menussingle.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f001f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	menussingle.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9F92260A-DB82-4639-A36B-503464505589}\WpadNetworkName = "Network 2"	menussingle.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9F92260A-DB82-4639-A36B-503464505589}\62-c3-53-ee-bd-57	menussingle.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-c3-53-ee-bd-57\WpadDecisionReason = "1"	menussingle.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	menussingle.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	menussingle.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9F92260A-DB82-4639-A36B-503464505589}\WpadDecisionTime = b0cf31308806d901	menussingle.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-c3-53-ee-bd-57\WpadDecisionTime = b0cf31308806d901	menussingle.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

cf0fd5544c94b0b45d7168ad5c2fcc28502eaeb0a7f89656eb726e9fa89e32e4.execf0fd5544c94b0b45d7168ad5c2fcc28502eaeb0a7f89656eb726e9fa89e32e4.exemenussingle.exemenussingle.exe

pid	process
1756	cf0fd5544c94b0b45d7168ad5c2fcc28502eaeb0a7f89656eb726e9fa89e32e4.exe
948	cf0fd5544c94b0b45d7168ad5c2fcc28502eaeb0a7f89656eb726e9fa89e32e4.exe
1212	menussingle.exe
1768	menussingle.exe
1768	menussingle.exe
1768	menussingle.exe
1768	menussingle.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

cf0fd5544c94b0b45d7168ad5c2fcc28502eaeb0a7f89656eb726e9fa89e32e4.exe

pid process

948 cf0fd5544c94b0b45d7168ad5c2fcc28502eaeb0a7f89656eb726e9fa89e32e4.exe

pid	process
948	cf0fd5544c94b0b45d7168ad5c2fcc28502eaeb0a7f89656eb726e9fa89e32e4.exe

Suspicious use of UnmapMainImage 4 IoCs

Processes:

cf0fd5544c94b0b45d7168ad5c2fcc28502eaeb0a7f89656eb726e9fa89e32e4.execf0fd5544c94b0b45d7168ad5c2fcc28502eaeb0a7f89656eb726e9fa89e32e4.exemenussingle.exemenussingle.exe

pid	process
1756	cf0fd5544c94b0b45d7168ad5c2fcc28502eaeb0a7f89656eb726e9fa89e32e4.exe
948	cf0fd5544c94b0b45d7168ad5c2fcc28502eaeb0a7f89656eb726e9fa89e32e4.exe
1212	menussingle.exe
1768	menussingle.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

cf0fd5544c94b0b45d7168ad5c2fcc28502eaeb0a7f89656eb726e9fa89e32e4.exemenussingle.exe

description	pid	process	target process
PID 1756 wrote to memory of 948	1756	cf0fd5544c94b0b45d7168ad5c2fcc28502eaeb0a7f89656eb726e9fa89e32e4.exe	cf0fd5544c94b0b45d7168ad5c2fcc28502eaeb0a7f89656eb726e9fa89e32e4.exe
PID 1756 wrote to memory of 948	1756	cf0fd5544c94b0b45d7168ad5c2fcc28502eaeb0a7f89656eb726e9fa89e32e4.exe	cf0fd5544c94b0b45d7168ad5c2fcc28502eaeb0a7f89656eb726e9fa89e32e4.exe
PID 1756 wrote to memory of 948	1756	cf0fd5544c94b0b45d7168ad5c2fcc28502eaeb0a7f89656eb726e9fa89e32e4.exe	cf0fd5544c94b0b45d7168ad5c2fcc28502eaeb0a7f89656eb726e9fa89e32e4.exe
PID 1756 wrote to memory of 948	1756	cf0fd5544c94b0b45d7168ad5c2fcc28502eaeb0a7f89656eb726e9fa89e32e4.exe	cf0fd5544c94b0b45d7168ad5c2fcc28502eaeb0a7f89656eb726e9fa89e32e4.exe
PID 1212 wrote to memory of 1768	1212	menussingle.exe	menussingle.exe
PID 1212 wrote to memory of 1768	1212	menussingle.exe	menussingle.exe
PID 1212 wrote to memory of 1768	1212	menussingle.exe	menussingle.exe
PID 1212 wrote to memory of 1768	1212	menussingle.exe	menussingle.exe

C:\Users\Admin\AppData\Local\Temp\cf0fd5544c94b0b45d7168ad5c2fcc28502eaeb0a7f89656eb726e9fa89e32e4.exe
"C:\Users\Admin\AppData\Local\Temp\cf0fd5544c94b0b45d7168ad5c2fcc28502eaeb0a7f89656eb726e9fa89e32e4.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1756

C:\Users\Admin\AppData\Local\Temp\cf0fd5544c94b0b45d7168ad5c2fcc28502eaeb0a7f89656eb726e9fa89e32e4.exe
"C:\Users\Admin\AppData\Local\Temp\cf0fd5544c94b0b45d7168ad5c2fcc28502eaeb0a7f89656eb726e9fa89e32e4.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
PID:948

C:\Windows\SysWOW64\menussingle.exe
"C:\Windows\SysWOW64\menussingle.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\SysWOW64\menussingle.exe
"C:\Windows\SysWOW64\menussingle.exe"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
PID:1768

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/948-55-0x0000000000000000-mapping.dmp

Download
memory/948-59-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/948-64-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1756-54-0x0000000076171000-0x0000000076173000-memory.dmp

Filesize
8KB

Download
memory/1756-57-0x0000000000220000-0x0000000000235000-memory.dmp

Filesize
84KB

Download
memory/1756-58-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1768-61-0x0000000000000000-mapping.dmp

Download
memory/1768-63-0x00000000002E0000-0x00000000002F5000-memory.dmp

Filesize
84KB

Download
memory/1768-65-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1768-66-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads