emotet | 57345e46232e31ba46f2f1392f23af8406877a39b1161f64ee92d9c42703f5b6

Analysis

max time kernel
206s
max time network
216s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
29-01-2023 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

57345e46232e31ba46f2f1392f23af8406877a39b1161f64ee92d9c42703f5b6.exe
Size

183KB
MD5

18df18cfc2c881ff5848253ef7b9a79b
SHA1

b2306421993de31e7387889bf9963c1fcee5c199
SHA256

57345e46232e31ba46f2f1392f23af8406877a39b1161f64ee92d9c42703f5b6
SHA512

20a666e29cb84a0eb7fbf986c68200664b7146b32c0fd9f72f51c7e6951df4870b185ac8f8a265c46bb5e6816b9f9c75890d1ad6036568690d0287b7c0ce2375
SSDEEP

3072:RV+PrAn3UAwpBFPbSbl8ZVcuGdrpWoWxiKJOXx2Q0mIOH0ZPvfdONt7T0Wf6B56j:QME7pTOMkJqiK4Bfc3MNZUPWrFt

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 4 IoCs

Processes:

pnpmapi.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	pnpmapi.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	pnpmapi.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	pnpmapi.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	pnpmapi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

Processes:

pnpmapi.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	pnpmapi.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	pnpmapi.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	pnpmapi.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

pnpmapi.exe

pid process

2096 pnpmapi.exe
2096 pnpmapi.exe
2096 pnpmapi.exe
2096 pnpmapi.exe
2096 pnpmapi.exe
2096 pnpmapi.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

57345e46232e31ba46f2f1392f23af8406877a39b1161f64ee92d9c42703f5b6.exe

pid process

2696 57345e46232e31ba46f2f1392f23af8406877a39b1161f64ee92d9c42703f5b6.exe

pid	process
2096	pnpmapi.exe
2096	pnpmapi.exe
2096	pnpmapi.exe
2096	pnpmapi.exe
2096	pnpmapi.exe
2096	pnpmapi.exe

pid	process
2696	57345e46232e31ba46f2f1392f23af8406877a39b1161f64ee92d9c42703f5b6.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

57345e46232e31ba46f2f1392f23af8406877a39b1161f64ee92d9c42703f5b6.exepnpmapi.exe

description	pid	process	target process
PID 1952 wrote to memory of 2696	1952	57345e46232e31ba46f2f1392f23af8406877a39b1161f64ee92d9c42703f5b6.exe	57345e46232e31ba46f2f1392f23af8406877a39b1161f64ee92d9c42703f5b6.exe
PID 1952 wrote to memory of 2696	1952	57345e46232e31ba46f2f1392f23af8406877a39b1161f64ee92d9c42703f5b6.exe	57345e46232e31ba46f2f1392f23af8406877a39b1161f64ee92d9c42703f5b6.exe
PID 1952 wrote to memory of 2696	1952	57345e46232e31ba46f2f1392f23af8406877a39b1161f64ee92d9c42703f5b6.exe	57345e46232e31ba46f2f1392f23af8406877a39b1161f64ee92d9c42703f5b6.exe
PID 3580 wrote to memory of 2096	3580	pnpmapi.exe	pnpmapi.exe
PID 3580 wrote to memory of 2096	3580	pnpmapi.exe	pnpmapi.exe
PID 3580 wrote to memory of 2096	3580	pnpmapi.exe	pnpmapi.exe

C:\Users\Admin\AppData\Local\Temp\57345e46232e31ba46f2f1392f23af8406877a39b1161f64ee92d9c42703f5b6.exe
"C:\Users\Admin\AppData\Local\Temp\57345e46232e31ba46f2f1392f23af8406877a39b1161f64ee92d9c42703f5b6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1952

C:\Users\Admin\AppData\Local\Temp\57345e46232e31ba46f2f1392f23af8406877a39b1161f64ee92d9c42703f5b6.exe
--883e7745
2⤵
- Suspicious behavior: RenamesItself
PID:2696

C:\Windows\SysWOW64\pnpmapi.exe
"C:\Windows\SysWOW64\pnpmapi.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3580

C:\Windows\SysWOW64\pnpmapi.exe
--b14dded5
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2096

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1952-132-0x00000000006C0000-0x00000000006DB000-memory.dmp

Filesize
108KB

Download
memory/1952-133-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1952-135-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2096-140-0x0000000000000000-mapping.dmp

Download
memory/2096-142-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2096-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2696-134-0x0000000000000000-mapping.dmp

Download
memory/2696-136-0x0000000000680000-0x000000000069B000-memory.dmp

Filesize
108KB

Download
memory/2696-137-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2696-138-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2696-141-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3580-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download