emotet | 9501cbec7456d6eeb1eba3dfa925d920b142aac168a072ed178c09c26ffeb893

General

Target

9501cbec7456d6eeb1eba3dfa925d920b142aac168a072ed178c09c26ffeb893.exe
Size

102KB
MD5

c9586c4fec83638e4d28cfe03fbbcfe1
SHA1

a220ff6038547246063983aa7fa99869c153f645
SHA256

9501cbec7456d6eeb1eba3dfa925d920b142aac168a072ed178c09c26ffeb893
SHA512

977246a75503c9df6d2f806a5640213e1e5aad8f03798f85d3d60a3f0f212bef802981e54d81305238593ea549bad7af769468a9ac453098f57f6fc82a57e75f
SSDEEP

3072:8CTQd2Z+si/QWOPxLinBY21Nl8mD7+QS9LPv6GLRWrX:1Ed2NFcHOkaQS9Lvfor

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 1 IoCs

Processes:

earconturned.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	earconturned.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 22 IoCs

Processes:

earconturned.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	earconturned.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	earconturned.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{48D02447-14AB-4AD0-9BE1-015BA179B906}	earconturned.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-39-70-46-89-35\WpadDetectedUrl	earconturned.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-39-70-46-89-35\WpadDecision = "0"	earconturned.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	earconturned.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	earconturned.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0082000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	earconturned.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{48D02447-14AB-4AD0-9BE1-015BA179B906}\12-39-70-46-89-35	earconturned.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	earconturned.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{48D02447-14AB-4AD0-9BE1-015BA179B906}\WpadDecisionReason = "1"	earconturned.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-39-70-46-89-35\WpadDecisionReason = "1"	earconturned.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	earconturned.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	earconturned.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	earconturned.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	earconturned.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-39-70-46-89-35	earconturned.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-39-70-46-89-35\WpadDecisionTime = f0bfcffa7205d901	earconturned.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	earconturned.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{48D02447-14AB-4AD0-9BE1-015BA179B906}\WpadDecisionTime = f0bfcffa7205d901	earconturned.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{48D02447-14AB-4AD0-9BE1-015BA179B906}\WpadDecision = "0"	earconturned.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{48D02447-14AB-4AD0-9BE1-015BA179B906}\WpadNetworkName = "Network 3"	earconturned.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

earconturned.exe

pid process

2040 earconturned.exe
2040 earconturned.exe
2040 earconturned.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

9501cbec7456d6eeb1eba3dfa925d920b142aac168a072ed178c09c26ffeb893.exe

pid process

544 9501cbec7456d6eeb1eba3dfa925d920b142aac168a072ed178c09c26ffeb893.exe

pid	process
2040	earconturned.exe
2040	earconturned.exe
2040	earconturned.exe

pid	process
544	9501cbec7456d6eeb1eba3dfa925d920b142aac168a072ed178c09c26ffeb893.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

9501cbec7456d6eeb1eba3dfa925d920b142aac168a072ed178c09c26ffeb893.exeearconturned.exe

description	pid	process	target process
PID 2036 wrote to memory of 544	2036	9501cbec7456d6eeb1eba3dfa925d920b142aac168a072ed178c09c26ffeb893.exe	9501cbec7456d6eeb1eba3dfa925d920b142aac168a072ed178c09c26ffeb893.exe
PID 2036 wrote to memory of 544	2036	9501cbec7456d6eeb1eba3dfa925d920b142aac168a072ed178c09c26ffeb893.exe	9501cbec7456d6eeb1eba3dfa925d920b142aac168a072ed178c09c26ffeb893.exe
PID 2036 wrote to memory of 544	2036	9501cbec7456d6eeb1eba3dfa925d920b142aac168a072ed178c09c26ffeb893.exe	9501cbec7456d6eeb1eba3dfa925d920b142aac168a072ed178c09c26ffeb893.exe
PID 2036 wrote to memory of 544	2036	9501cbec7456d6eeb1eba3dfa925d920b142aac168a072ed178c09c26ffeb893.exe	9501cbec7456d6eeb1eba3dfa925d920b142aac168a072ed178c09c26ffeb893.exe
PID 1992 wrote to memory of 2040	1992	earconturned.exe	earconturned.exe
PID 1992 wrote to memory of 2040	1992	earconturned.exe	earconturned.exe
PID 1992 wrote to memory of 2040	1992	earconturned.exe	earconturned.exe
PID 1992 wrote to memory of 2040	1992	earconturned.exe	earconturned.exe

C:\Users\Admin\AppData\Local\Temp\9501cbec7456d6eeb1eba3dfa925d920b142aac168a072ed178c09c26ffeb893.exe
"C:\Users\Admin\AppData\Local\Temp\9501cbec7456d6eeb1eba3dfa925d920b142aac168a072ed178c09c26ffeb893.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2036

C:\Users\Admin\AppData\Local\Temp\9501cbec7456d6eeb1eba3dfa925d920b142aac168a072ed178c09c26ffeb893.exe
--2b52d80a
2⤵
- Suspicious behavior: RenamesItself
PID:544

C:\Windows\SysWOW64\earconturned.exe
"C:\Windows\SysWOW64\earconturned.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\SysWOW64\earconturned.exe
--8bd8faba
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/544-54-0x0000000000000000-mapping.dmp

Download
memory/544-55-0x0000000076151000-0x0000000076153000-memory.dmp

Filesize
8KB

Download
memory/2040-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads