emotet | 045c4ab485bd45781234451af0eae62f23abceae375d5434cff37c3e5620f872

General

Target

fa5c79321dd4cc2fea795d6ebe2e823abe33ca6f.exe
Size

477KB
MD5

f1ab1fa6d2b93ae55b448b96733ff195
SHA1

fa5c79321dd4cc2fea795d6ebe2e823abe33ca6f
SHA256

045c4ab485bd45781234451af0eae62f23abceae375d5434cff37c3e5620f872
SHA512

06f5ebb1d2f1079bec579856cd676d256758961dabedc9851836ff22b6442c0efd9ec818b95715b8ee706e126df63322fd7e3ebe679e46bd91e49abb8caf5bd4
SSDEEP

12288:Ur1hcmamspxYUL24xYkPuPN1A27pNMTWdQpDx82540:IDdyxYUmA277MKwDlf

Score

10^/10

emotet epoch1 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch1

C2

181.188.149.134:80

203.130.0.67:80

5.67.96.120:8080

189.245.135.12:143

143.0.245.169:8080

151.80.142.33:80

159.65.241.220:8080

109.104.79.48:8080

43.229.62.186:8080

72.47.248.48:8080

46.249.204.99:8080

181.48.174.242:80

190.230.60.129:80

89.188.124.145:443

187.242.204.142:80

200.57.102.71:8443

201.219.183.243:443

190.117.206.153:443

200.80.198.34:80

138.68.106.4:7080

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 4 IoCs

Processes:

isvewatched.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	isvewatched.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	isvewatched.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	isvewatched.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	isvewatched.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

fa5c79321dd4cc2fea795d6ebe2e823abe33ca6f.exefa5c79321dd4cc2fea795d6ebe2e823abe33ca6f.exeisvewatched.exeisvewatched.exe

description	pid	process	target process
PID 1496 set thread context of 2448	1496	fa5c79321dd4cc2fea795d6ebe2e823abe33ca6f.exe	fa5c79321dd4cc2fea795d6ebe2e823abe33ca6f.exe
PID 2804 set thread context of 2880	2804	fa5c79321dd4cc2fea795d6ebe2e823abe33ca6f.exe	fa5c79321dd4cc2fea795d6ebe2e823abe33ca6f.exe
PID 2600 set thread context of 4540	2600	isvewatched.exe	isvewatched.exe
PID 4404 set thread context of 3100	4404	isvewatched.exe	isvewatched.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

Processes:

isvewatched.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	isvewatched.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	isvewatched.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	isvewatched.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

isvewatched.exe

pid	process
3100	isvewatched.exe
3100	isvewatched.exe
3100	isvewatched.exe
3100	isvewatched.exe
3100	isvewatched.exe
3100	isvewatched.exe
3100	isvewatched.exe
3100	isvewatched.exe
3100	isvewatched.exe
3100	isvewatched.exe
3100	isvewatched.exe
3100	isvewatched.exe
3100	isvewatched.exe
3100	isvewatched.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

fa5c79321dd4cc2fea795d6ebe2e823abe33ca6f.exefa5c79321dd4cc2fea795d6ebe2e823abe33ca6f.exeisvewatched.exeisvewatched.exe

pid process

1496 fa5c79321dd4cc2fea795d6ebe2e823abe33ca6f.exe
2804 fa5c79321dd4cc2fea795d6ebe2e823abe33ca6f.exe
2600 isvewatched.exe
4404 isvewatched.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

fa5c79321dd4cc2fea795d6ebe2e823abe33ca6f.exe

pid process

2880 fa5c79321dd4cc2fea795d6ebe2e823abe33ca6f.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

fa5c79321dd4cc2fea795d6ebe2e823abe33ca6f.exefa5c79321dd4cc2fea795d6ebe2e823abe33ca6f.exeisvewatched.exeisvewatched.exe

pid process

1496 fa5c79321dd4cc2fea795d6ebe2e823abe33ca6f.exe
2804 fa5c79321dd4cc2fea795d6ebe2e823abe33ca6f.exe
2600 isvewatched.exe
4404 isvewatched.exe

pid	process
1496	fa5c79321dd4cc2fea795d6ebe2e823abe33ca6f.exe
2804	fa5c79321dd4cc2fea795d6ebe2e823abe33ca6f.exe
2600	isvewatched.exe
4404	isvewatched.exe

pid	process
2880	fa5c79321dd4cc2fea795d6ebe2e823abe33ca6f.exe

pid	process
1496	fa5c79321dd4cc2fea795d6ebe2e823abe33ca6f.exe
2804	fa5c79321dd4cc2fea795d6ebe2e823abe33ca6f.exe
2600	isvewatched.exe
4404	isvewatched.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

fa5c79321dd4cc2fea795d6ebe2e823abe33ca6f.exefa5c79321dd4cc2fea795d6ebe2e823abe33ca6f.exefa5c79321dd4cc2fea795d6ebe2e823abe33ca6f.exeisvewatched.exeisvewatched.exeisvewatched.exe

description	pid	process	target process
PID 1496 wrote to memory of 2448	1496	fa5c79321dd4cc2fea795d6ebe2e823abe33ca6f.exe	fa5c79321dd4cc2fea795d6ebe2e823abe33ca6f.exe
PID 1496 wrote to memory of 2448	1496	fa5c79321dd4cc2fea795d6ebe2e823abe33ca6f.exe	fa5c79321dd4cc2fea795d6ebe2e823abe33ca6f.exe
PID 1496 wrote to memory of 2448	1496	fa5c79321dd4cc2fea795d6ebe2e823abe33ca6f.exe	fa5c79321dd4cc2fea795d6ebe2e823abe33ca6f.exe
PID 1496 wrote to memory of 2448	1496	fa5c79321dd4cc2fea795d6ebe2e823abe33ca6f.exe	fa5c79321dd4cc2fea795d6ebe2e823abe33ca6f.exe
PID 2448 wrote to memory of 2804	2448	fa5c79321dd4cc2fea795d6ebe2e823abe33ca6f.exe	fa5c79321dd4cc2fea795d6ebe2e823abe33ca6f.exe
PID 2448 wrote to memory of 2804	2448	fa5c79321dd4cc2fea795d6ebe2e823abe33ca6f.exe	fa5c79321dd4cc2fea795d6ebe2e823abe33ca6f.exe
PID 2448 wrote to memory of 2804	2448	fa5c79321dd4cc2fea795d6ebe2e823abe33ca6f.exe	fa5c79321dd4cc2fea795d6ebe2e823abe33ca6f.exe
PID 2804 wrote to memory of 2880	2804	fa5c79321dd4cc2fea795d6ebe2e823abe33ca6f.exe	fa5c79321dd4cc2fea795d6ebe2e823abe33ca6f.exe
PID 2804 wrote to memory of 2880	2804	fa5c79321dd4cc2fea795d6ebe2e823abe33ca6f.exe	fa5c79321dd4cc2fea795d6ebe2e823abe33ca6f.exe
PID 2804 wrote to memory of 2880	2804	fa5c79321dd4cc2fea795d6ebe2e823abe33ca6f.exe	fa5c79321dd4cc2fea795d6ebe2e823abe33ca6f.exe
PID 2804 wrote to memory of 2880	2804	fa5c79321dd4cc2fea795d6ebe2e823abe33ca6f.exe	fa5c79321dd4cc2fea795d6ebe2e823abe33ca6f.exe
PID 2600 wrote to memory of 4540	2600	isvewatched.exe	isvewatched.exe
PID 2600 wrote to memory of 4540	2600	isvewatched.exe	isvewatched.exe
PID 2600 wrote to memory of 4540	2600	isvewatched.exe	isvewatched.exe
PID 2600 wrote to memory of 4540	2600	isvewatched.exe	isvewatched.exe
PID 4540 wrote to memory of 4404	4540	isvewatched.exe	isvewatched.exe
PID 4540 wrote to memory of 4404	4540	isvewatched.exe	isvewatched.exe
PID 4540 wrote to memory of 4404	4540	isvewatched.exe	isvewatched.exe
PID 4404 wrote to memory of 3100	4404	isvewatched.exe	isvewatched.exe
PID 4404 wrote to memory of 3100	4404	isvewatched.exe	isvewatched.exe
PID 4404 wrote to memory of 3100	4404	isvewatched.exe	isvewatched.exe
PID 4404 wrote to memory of 3100	4404	isvewatched.exe	isvewatched.exe

C:\Users\Admin\AppData\Local\Temp\fa5c79321dd4cc2fea795d6ebe2e823abe33ca6f.exe
"C:\Users\Admin\AppData\Local\Temp\fa5c79321dd4cc2fea795d6ebe2e823abe33ca6f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1496

C:\Users\Admin\AppData\Local\Temp\fa5c79321dd4cc2fea795d6ebe2e823abe33ca6f.exe
"C:\Users\Admin\AppData\Local\Temp\fa5c79321dd4cc2fea795d6ebe2e823abe33ca6f.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2448

C:\Users\Admin\AppData\Local\Temp\fa5c79321dd4cc2fea795d6ebe2e823abe33ca6f.exe
--a68cd9d0
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2804

C:\Users\Admin\AppData\Local\Temp\fa5c79321dd4cc2fea795d6ebe2e823abe33ca6f.exe
--a68cd9d0
4⤵
- Suspicious behavior: RenamesItself
PID:2880

C:\Windows\SysWOW64\isvewatched.exe
"C:\Windows\SysWOW64\isvewatched.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2600

C:\Windows\SysWOW64\isvewatched.exe
"C:\Windows\SysWOW64\isvewatched.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4540

C:\Windows\SysWOW64\isvewatched.exe
--95422b8b
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4404

C:\Windows\SysWOW64\isvewatched.exe
--95422b8b
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3100

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\36f062f2d141026c22528a77aa23748e_4b401a7f-b7c1-4c1c-a9cf-2b1aa260545d
Filesize
1KB

MD5
898f1720244b7033a7820fdb255fa3b4

SHA1
1132185ce8325f9f448d8d18dfddf0c1a8f1d317

SHA256
f64c8b576066cc84c4cec0a647ccfd263223de23ffe71beeba913d723706b0e7

SHA512
3efae8a0c7b3f2207e02cfd6725162a50973b9a137a949a38145ff713197f77ea8accfa3c1c10a24fe0edcc89b124bf8eec2930bbbbd4bc982615ba78a8675e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2295526160-1155304984-640977766-1000\0f5007522459c86e95ffcc62f32308f1_4b401a7f-b7c1-4c1c-a9cf-2b1aa260545d
Filesize
1KB

MD5
e51e960b10e0da24c204582f913e2cba

SHA1
51b6ef08dc2da3de9c956fbda0b9cbd44ece5a98

SHA256
b4099004b43c1498174e80f55c47457380f569ff58743df521b30d520e3d44cc

SHA512
0d1ea1fdc505021babaffb153dacddbe5a071fba23b199871c16af307114a7d374b2d9a549014047907ed4c8a39bda788ccea7b97bafc44823d754dffa0ddd1d

Download Submit
memory/1496-132-0x0000000000690000-0x00000000006A4000-memory.dmp

Filesize
80KB

Download
memory/2448-135-0x0000000000000000-mapping.dmp

Download
memory/2448-137-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2600-145-0x0000000000F50000-0x0000000000F64000-memory.dmp

Filesize
80KB

Download
memory/2804-136-0x0000000000000000-mapping.dmp

Download
memory/2804-139-0x0000000002160000-0x0000000002174000-memory.dmp

Filesize
80KB

Download
memory/2804-143-0x0000000000610000-0x0000000000623000-memory.dmp

Filesize
76KB

Download
memory/2880-144-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2880-142-0x0000000000000000-mapping.dmp

Download
memory/2880-150-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3100-155-0x0000000000000000-mapping.dmp

Download
memory/3100-156-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3100-157-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4404-149-0x0000000000000000-mapping.dmp

Download
memory/4404-152-0x0000000000DC0000-0x0000000000DD4000-memory.dmp

Filesize
80KB

Download
memory/4540-148-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads