emotet | 2f3e99a8bdb080cad97881bc33b88ab9084003b649909895c3a8c156e5b8b83f

Analysis

max time kernel
146s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/01/2023, 07:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test3/08b0baa49485954e408eb2ddc02004b1aa7b451e6f704cf1c914d23f3ac0ee8c.exe
Size

214KB
MD5

736acf3822d3427fd6eb4655effdb265
SHA1

1fb8256161d7e296a3e54fc85444f5ee970ef0e3
SHA256

08b0baa49485954e408eb2ddc02004b1aa7b451e6f704cf1c914d23f3ac0ee8c
SHA512

31bfc3077109f1b05e52bf11b92e5ff82f680164be36e6ead39dfe1679ac4b76003dac7d7d56435b596ce578586e737f2b46e0ff6f54d19dbda29a134b7f1bb0
SSDEEP

6144:EQcM8WDqVJY3laxQwNgs/YPNha3EzEZCxgKqApdLg70CTTNLvzySzVFet+H9ikLB:n8WDqVJY3laxQwNgs/YPNha3EzEZCxgn

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	SiteCim.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	SiteCim.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	SiteCim.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	SiteCim.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	SiteCim.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	SiteCim.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	SiteCim.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3452	SiteCim.exe
3452	SiteCim.exe
3452	SiteCim.exe
3452	SiteCim.exe
3452	SiteCim.exe
3452	SiteCim.exe
3452	SiteCim.exe
3452	SiteCim.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2120	08b0baa49485954e408eb2ddc02004b1aa7b451e6f704cf1c914d23f3ac0ee8c.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4700 wrote to memory of 2120	4700	08b0baa49485954e408eb2ddc02004b1aa7b451e6f704cf1c914d23f3ac0ee8c.exe	79
PID 4700 wrote to memory of 2120	4700	08b0baa49485954e408eb2ddc02004b1aa7b451e6f704cf1c914d23f3ac0ee8c.exe	79
PID 4700 wrote to memory of 2120	4700	08b0baa49485954e408eb2ddc02004b1aa7b451e6f704cf1c914d23f3ac0ee8c.exe	79
PID 3124 wrote to memory of 3452	3124	SiteCim.exe	81
PID 3124 wrote to memory of 3452	3124	SiteCim.exe	81
PID 3124 wrote to memory of 3452	3124	SiteCim.exe	81

C:\Users\Admin\AppData\Local\Temp\test3\08b0baa49485954e408eb2ddc02004b1aa7b451e6f704cf1c914d23f3ac0ee8c.exe
"C:\Users\Admin\AppData\Local\Temp\test3\08b0baa49485954e408eb2ddc02004b1aa7b451e6f704cf1c914d23f3ac0ee8c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4700
- C:\Users\Admin\AppData\Local\Temp\test3\08b0baa49485954e408eb2ddc02004b1aa7b451e6f704cf1c914d23f3ac0ee8c.exe
  "C:\Users\Admin\AppData\Local\Temp\test3\08b0baa49485954e408eb2ddc02004b1aa7b451e6f704cf1c914d23f3ac0ee8c.exe"
  2⤵
  - Suspicious behavior: RenamesItself
  PID:2120

C:\Windows\SysWOW64\SiteCim.exe
C:\Windows\SysWOW64\SiteCim.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3124
- C:\Windows\SysWOW64\SiteCim.exe
  "C:\Windows\SysWOW64\SiteCim.exe"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:3452

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2120-144-0x0000000002060000-0x000000000206E000-memory.dmp

Filesize
56KB

Download
memory/2120-161-0x0000000002050000-0x000000000205E000-memory.dmp

Filesize
56KB

Download
memory/2120-147-0x0000000002070000-0x0000000002080000-memory.dmp

Filesize
64KB

Download
memory/2120-146-0x0000000002050000-0x000000000205E000-memory.dmp

Filesize
56KB

Download
memory/2120-140-0x0000000002060000-0x000000000206E000-memory.dmp

Filesize
56KB

Download
memory/3124-148-0x0000000000E70000-0x0000000000E7E000-memory.dmp

Filesize
56KB

Download
memory/3124-152-0x0000000000E70000-0x0000000000E7E000-memory.dmp

Filesize
56KB

Download
memory/3124-160-0x0000000000E80000-0x0000000000E90000-memory.dmp

Filesize
64KB

Download
memory/3124-159-0x0000000000E60000-0x0000000000E6E000-memory.dmp

Filesize
56KB

Download
memory/3452-154-0x0000000000580000-0x000000000058E000-memory.dmp

Filesize
56KB

Download
memory/3452-158-0x0000000000580000-0x000000000058E000-memory.dmp

Filesize
56KB

Download
memory/3452-162-0x0000000000570000-0x000000000057E000-memory.dmp

Filesize
56KB

Download
memory/3452-163-0x0000000000BF0000-0x0000000000C00000-memory.dmp

Filesize
64KB

Download
memory/3452-164-0x0000000000570000-0x000000000057E000-memory.dmp

Filesize
56KB

Download
memory/4700-132-0x00000000021A0000-0x00000000021AE000-memory.dmp

Filesize
56KB

Download
memory/4700-145-0x0000000002190000-0x000000000219E000-memory.dmp

Filesize
56KB

Download
memory/4700-137-0x0000000002190000-0x000000000219E000-memory.dmp

Filesize
56KB

Download
memory/4700-138-0x00000000021B0000-0x00000000021C0000-memory.dmp

Filesize
64KB

Download
memory/4700-136-0x00000000021A0000-0x00000000021AE000-memory.dmp

Filesize
56KB

Download