emotet | cb51ef714e8cc0a98b961580cd598eb4266b86c232e501ad26ab5f5079354bd6

General

Target

cb51ef714e8cc0a98b961580cd598eb4266b86c232e501ad26ab5f5079354bd6.exe
Size

182KB
MD5

b0ed60feb4ac8a0840b745e0d1082243
SHA1

bf48099afe126b855706310ea45a78ede2e20b3c
SHA256

cb51ef714e8cc0a98b961580cd598eb4266b86c232e501ad26ab5f5079354bd6
SHA512

a8f9436478ff60e532f24ef2de105d6839a7a6531d84294814f11f6d9bd0cecf6d97498371d6a131abd1b9063e9ce076f51171dc8b1c27a5113ba6c3dc53ec74
SSDEEP

3072:CImQYNtmlphxLDTMcbHjqgm3BS8DVMTZyXBF1pWUyT:CImQY/gp3TPDrm3BpjRF1u

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 1 IoCs

Processes:

radardefine.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	radardefine.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 22 IoCs

Processes:

radardefine.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	radardefine.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4917772D-CF6C-4CF6-A6D7-8946A8878649}\WpadDecision = "0"	radardefine.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7e-b2-ad-6b-7a-8c	radardefine.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4917772D-CF6C-4CF6-A6D7-8946A8878649}\7e-b2-ad-6b-7a-8c	radardefine.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7e-b2-ad-6b-7a-8c\WpadDecisionReason = "1"	radardefine.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	radardefine.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7e-b2-ad-6b-7a-8c\WpadDecisionTime = 9016609d1534d901	radardefine.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7e-b2-ad-6b-7a-8c\WpadDecisionTime = f0cb6f5a1534d901	radardefine.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	radardefine.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	radardefine.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4917772D-CF6C-4CF6-A6D7-8946A8878649}	radardefine.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4917772D-CF6C-4CF6-A6D7-8946A8878649}\WpadDecisionTime = f0cb6f5a1534d901	radardefine.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7e-b2-ad-6b-7a-8c\WpadDecision = "0"	radardefine.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4917772D-CF6C-4CF6-A6D7-8946A8878649}\WpadDecisionTime = 9016609d1534d901	radardefine.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	radardefine.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	radardefine.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	radardefine.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4917772D-CF6C-4CF6-A6D7-8946A8878649}\WpadDecisionReason = "1"	radardefine.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4917772D-CF6C-4CF6-A6D7-8946A8878649}\WpadNetworkName = "Network 2"	radardefine.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7e-b2-ad-6b-7a-8c\WpadDetectedUrl	radardefine.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	radardefine.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	radardefine.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

cb51ef714e8cc0a98b961580cd598eb4266b86c232e501ad26ab5f5079354bd6.execb51ef714e8cc0a98b961580cd598eb4266b86c232e501ad26ab5f5079354bd6.exeradardefine.exeradardefine.exe

pid	process
1652	cb51ef714e8cc0a98b961580cd598eb4266b86c232e501ad26ab5f5079354bd6.exe
976	cb51ef714e8cc0a98b961580cd598eb4266b86c232e501ad26ab5f5079354bd6.exe
940	radardefine.exe
932	radardefine.exe
932	radardefine.exe
932	radardefine.exe
932	radardefine.exe
932	radardefine.exe
932	radardefine.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

cb51ef714e8cc0a98b961580cd598eb4266b86c232e501ad26ab5f5079354bd6.exe

pid process

976 cb51ef714e8cc0a98b961580cd598eb4266b86c232e501ad26ab5f5079354bd6.exe

pid	process
976	cb51ef714e8cc0a98b961580cd598eb4266b86c232e501ad26ab5f5079354bd6.exe

Suspicious use of UnmapMainImage 4 IoCs

Processes:

cb51ef714e8cc0a98b961580cd598eb4266b86c232e501ad26ab5f5079354bd6.execb51ef714e8cc0a98b961580cd598eb4266b86c232e501ad26ab5f5079354bd6.exeradardefine.exeradardefine.exe

pid	process
1652	cb51ef714e8cc0a98b961580cd598eb4266b86c232e501ad26ab5f5079354bd6.exe
976	cb51ef714e8cc0a98b961580cd598eb4266b86c232e501ad26ab5f5079354bd6.exe
940	radardefine.exe
932	radardefine.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

cb51ef714e8cc0a98b961580cd598eb4266b86c232e501ad26ab5f5079354bd6.exeradardefine.exe

description	pid	process	target process
PID 1652 wrote to memory of 976	1652	cb51ef714e8cc0a98b961580cd598eb4266b86c232e501ad26ab5f5079354bd6.exe	cb51ef714e8cc0a98b961580cd598eb4266b86c232e501ad26ab5f5079354bd6.exe
PID 1652 wrote to memory of 976	1652	cb51ef714e8cc0a98b961580cd598eb4266b86c232e501ad26ab5f5079354bd6.exe	cb51ef714e8cc0a98b961580cd598eb4266b86c232e501ad26ab5f5079354bd6.exe
PID 1652 wrote to memory of 976	1652	cb51ef714e8cc0a98b961580cd598eb4266b86c232e501ad26ab5f5079354bd6.exe	cb51ef714e8cc0a98b961580cd598eb4266b86c232e501ad26ab5f5079354bd6.exe
PID 1652 wrote to memory of 976	1652	cb51ef714e8cc0a98b961580cd598eb4266b86c232e501ad26ab5f5079354bd6.exe	cb51ef714e8cc0a98b961580cd598eb4266b86c232e501ad26ab5f5079354bd6.exe
PID 940 wrote to memory of 932	940	radardefine.exe	radardefine.exe
PID 940 wrote to memory of 932	940	radardefine.exe	radardefine.exe
PID 940 wrote to memory of 932	940	radardefine.exe	radardefine.exe
PID 940 wrote to memory of 932	940	radardefine.exe	radardefine.exe

C:\Users\Admin\AppData\Local\Temp\cb51ef714e8cc0a98b961580cd598eb4266b86c232e501ad26ab5f5079354bd6.exe
"C:\Users\Admin\AppData\Local\Temp\cb51ef714e8cc0a98b961580cd598eb4266b86c232e501ad26ab5f5079354bd6.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1652

C:\Users\Admin\AppData\Local\Temp\cb51ef714e8cc0a98b961580cd598eb4266b86c232e501ad26ab5f5079354bd6.exe
"C:\Users\Admin\AppData\Local\Temp\cb51ef714e8cc0a98b961580cd598eb4266b86c232e501ad26ab5f5079354bd6.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
PID:976

C:\Windows\SysWOW64\radardefine.exe
"C:\Windows\SysWOW64\radardefine.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:940

C:\Windows\SysWOW64\radardefine.exe
"C:\Windows\SysWOW64\radardefine.exe"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
PID:932

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/932-62-0x0000000000000000-mapping.dmp

Download
memory/932-66-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/940-64-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/976-55-0x0000000000000000-mapping.dmp

Download
memory/976-60-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/976-65-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1652-54-0x0000000074C91000-0x0000000074C93000-memory.dmp

Filesize
8KB

Download
memory/1652-57-0x0000000000220000-0x0000000000235000-memory.dmp

Filesize
84KB

Download
memory/1652-58-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1652-59-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads