emotet | 69a2ab72eb15c6bc8cc6cbd3d66bb445821c822f41494b54c48bc94388fa1f0c

Analysis

max time kernel
144s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2023 00:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/2019-05-01-Emotet-binary-updated-after-initial-infection-1-of-2.exe
Size

168KB
MD5

1cc91941efd6d3da54a1054d9c9d870f
SHA1

b6531c99b2fb0c51941ac3a636c5c3cf69073f65
SHA256

6d7aff70a84d9237bde3b149ff04532cafb29b6f358886b5038a737af5934d1f
SHA512

bade1e20f1a892e33d20535235f0ed45b625ef8cdd1ba9a391f074d3b77f971fb63f68f6d0f97e51fa48ef211fa7bea76a56da9deb88c85dbd0aa892ae78ed69
SSDEEP

3072:5JYzFEhjHHIUjCgArLEZXApH3UHE360ESYUspf:r4FeHIU2Y9KEHE36FS2pf

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 4 IoCs

Processes:

relsound.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	relsound.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	relsound.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	relsound.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	relsound.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

Processes:

relsound.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	relsound.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	relsound.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	relsound.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

relsound.exe

pid	process
1200	relsound.exe
1200	relsound.exe
1200	relsound.exe
1200	relsound.exe
1200	relsound.exe
1200	relsound.exe
1200	relsound.exe
1200	relsound.exe
1200	relsound.exe
1200	relsound.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

2019-05-01-Emotet-binary-updated-after-initial-infection-1-of-2.exe

pid process

1772 2019-05-01-Emotet-binary-updated-after-initial-infection-1-of-2.exe

pid	process
1772	2019-05-01-Emotet-binary-updated-after-initial-infection-1-of-2.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

2019-05-01-Emotet-binary-updated-after-initial-infection-1-of-2.exerelsound.exe

description	pid	process	target process
PID 1668 wrote to memory of 1772	1668	2019-05-01-Emotet-binary-updated-after-initial-infection-1-of-2.exe	2019-05-01-Emotet-binary-updated-after-initial-infection-1-of-2.exe
PID 1668 wrote to memory of 1772	1668	2019-05-01-Emotet-binary-updated-after-initial-infection-1-of-2.exe	2019-05-01-Emotet-binary-updated-after-initial-infection-1-of-2.exe
PID 1668 wrote to memory of 1772	1668	2019-05-01-Emotet-binary-updated-after-initial-infection-1-of-2.exe	2019-05-01-Emotet-binary-updated-after-initial-infection-1-of-2.exe
PID 4112 wrote to memory of 1200	4112	relsound.exe	relsound.exe
PID 4112 wrote to memory of 1200	4112	relsound.exe	relsound.exe
PID 4112 wrote to memory of 1200	4112	relsound.exe	relsound.exe

C:\Users\Admin\AppData\Local\Temp\2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)\2019-05-01-Emotet-binary-updated-after-initial-infection-1-of-2.exe
"C:\Users\Admin\AppData\Local\Temp\2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)\2019-05-01-Emotet-binary-updated-after-initial-infection-1-of-2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Users\Admin\AppData\Local\Temp\2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)\2019-05-01-Emotet-binary-updated-after-initial-infection-1-of-2.exe
  --48098e76
  2⤵
  - Suspicious behavior: RenamesItself
  PID:1772

C:\Windows\SysWOW64\relsound.exe
"C:\Windows\SysWOW64\relsound.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4112
- C:\Windows\SysWOW64\relsound.exe
  --15f8448
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:1200

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1200-143-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1200-145-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1668-133-0x0000000002160000-0x0000000002171000-memory.dmp

Filesize
68KB

Download
memory/1668-134-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1668-136-0x0000000002160000-0x0000000002171000-memory.dmp

Filesize
68KB

Download
memory/1772-137-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1772-141-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download