emotet | cd29e9f12faffd3f7f487051af426d71b339f77c855c30b83b0246848e0e8ff4

General

Target

cd29e9f12faffd3f7f487051af426d71b339f77c855c30b83b0246848e0e8ff4.exe
Size

116KB
MD5

4bd4c647e92d54e89ed3a4ddbbbf1619
SHA1

62beaf4e76704b117a87819bf074a170b5cdc7c9
SHA256

cd29e9f12faffd3f7f487051af426d71b339f77c855c30b83b0246848e0e8ff4
SHA512

ca742f33b106ed7839f4229d4ca004aa20c12587d6de8f75139f623fc478aaa24ac3983a0bfd0fc3cdcb8f2cbb3ab0fd1868b1c59eee89c2be38031b262e1532
SSDEEP

3072:P8ENSRg5KrR52iOG7jWXlnYNav5KLdIIPst5tKRc:P8KSRg5KPHOGErRKL6GgP

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 1 IoCs

Processes:

portalcloud.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	portalcloud.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 21 IoCs

Processes:

portalcloud.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-10-4b-a7-0a-2d\WpadDecision = "0"	portalcloud.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	portalcloud.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	portalcloud.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0041000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	portalcloud.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84744ECC-045B-4F38-94FA-146AF895EB99}\WpadDecisionTime = 20e388901534d901	portalcloud.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84744ECC-045B-4F38-94FA-146AF895EB99}\WpadDecision = "0"	portalcloud.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84744ECC-045B-4F38-94FA-146AF895EB99}\WpadNetworkName = "Network 2"	portalcloud.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84744ECC-045B-4F38-94FA-146AF895EB99}\ca-10-4b-a7-0a-2d	portalcloud.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	portalcloud.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	portalcloud.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	portalcloud.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	portalcloud.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84744ECC-045B-4F38-94FA-146AF895EB99}	portalcloud.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-10-4b-a7-0a-2d\WpadDecisionTime = 20e388901534d901	portalcloud.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	portalcloud.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84744ECC-045B-4F38-94FA-146AF895EB99}\WpadDecisionReason = "1"	portalcloud.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-10-4b-a7-0a-2d	portalcloud.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	portalcloud.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	portalcloud.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	portalcloud.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-10-4b-a7-0a-2d\WpadDecisionReason = "1"	portalcloud.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

portalcloud.exe

pid process

584 portalcloud.exe
584 portalcloud.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

cd29e9f12faffd3f7f487051af426d71b339f77c855c30b83b0246848e0e8ff4.exe

pid process

1276 cd29e9f12faffd3f7f487051af426d71b339f77c855c30b83b0246848e0e8ff4.exe

pid	process
584	portalcloud.exe
584	portalcloud.exe

pid	process
1276	cd29e9f12faffd3f7f487051af426d71b339f77c855c30b83b0246848e0e8ff4.exe

Suspicious use of UnmapMainImage 4 IoCs

Processes:

cd29e9f12faffd3f7f487051af426d71b339f77c855c30b83b0246848e0e8ff4.execd29e9f12faffd3f7f487051af426d71b339f77c855c30b83b0246848e0e8ff4.exeportalcloud.exeportalcloud.exe

pid	process
1324	cd29e9f12faffd3f7f487051af426d71b339f77c855c30b83b0246848e0e8ff4.exe
1276	cd29e9f12faffd3f7f487051af426d71b339f77c855c30b83b0246848e0e8ff4.exe
1368	portalcloud.exe
584	portalcloud.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

cd29e9f12faffd3f7f487051af426d71b339f77c855c30b83b0246848e0e8ff4.exeportalcloud.exe

description	pid	process	target process
PID 1324 wrote to memory of 1276	1324	cd29e9f12faffd3f7f487051af426d71b339f77c855c30b83b0246848e0e8ff4.exe	cd29e9f12faffd3f7f487051af426d71b339f77c855c30b83b0246848e0e8ff4.exe
PID 1324 wrote to memory of 1276	1324	cd29e9f12faffd3f7f487051af426d71b339f77c855c30b83b0246848e0e8ff4.exe	cd29e9f12faffd3f7f487051af426d71b339f77c855c30b83b0246848e0e8ff4.exe
PID 1324 wrote to memory of 1276	1324	cd29e9f12faffd3f7f487051af426d71b339f77c855c30b83b0246848e0e8ff4.exe	cd29e9f12faffd3f7f487051af426d71b339f77c855c30b83b0246848e0e8ff4.exe
PID 1324 wrote to memory of 1276	1324	cd29e9f12faffd3f7f487051af426d71b339f77c855c30b83b0246848e0e8ff4.exe	cd29e9f12faffd3f7f487051af426d71b339f77c855c30b83b0246848e0e8ff4.exe
PID 1368 wrote to memory of 584	1368	portalcloud.exe	portalcloud.exe
PID 1368 wrote to memory of 584	1368	portalcloud.exe	portalcloud.exe
PID 1368 wrote to memory of 584	1368	portalcloud.exe	portalcloud.exe
PID 1368 wrote to memory of 584	1368	portalcloud.exe	portalcloud.exe

C:\Users\Admin\AppData\Local\Temp\cd29e9f12faffd3f7f487051af426d71b339f77c855c30b83b0246848e0e8ff4.exe
"C:\Users\Admin\AppData\Local\Temp\cd29e9f12faffd3f7f487051af426d71b339f77c855c30b83b0246848e0e8ff4.exe"
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1324

C:\Users\Admin\AppData\Local\Temp\cd29e9f12faffd3f7f487051af426d71b339f77c855c30b83b0246848e0e8ff4.exe
--ab9f0987
2⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
PID:1276

C:\Windows\SysWOW64\portalcloud.exe
"C:\Windows\SysWOW64\portalcloud.exe"
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\SysWOW64\portalcloud.exe
--55a965ff
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
PID:584

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/584-63-0x0000000000000000-mapping.dmp

Download
memory/584-66-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1276-55-0x0000000000000000-mapping.dmp

Download
memory/1276-59-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1276-60-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1276-64-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1324-54-0x0000000075E81000-0x0000000075E83000-memory.dmp

Filesize
8KB

Download
memory/1324-56-0x00000000002B0000-0x00000000002C1000-memory.dmp

Filesize
68KB

Download
memory/1324-58-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1368-62-0x00000000003A0000-0x00000000003B1000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads