emotet | 47dba610a04ef1d7f18a795108cf9e62d2d6e9e22f0fba51143462f4d569a70d

Analysis

max time kernel
30s
max time network
32s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
10-06-2023 14:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47dba610a04ef1d7f18a795108cf9e62d2d6e9e22f0fba51143462f4d569a70d.exe
Size

65KB
MD5

176b6e4649ccebe0f73d40146d0b7fa1
SHA1

4941b675ed6aae118932f8ced2b1db3f52a6eab3
SHA256

47dba610a04ef1d7f18a795108cf9e62d2d6e9e22f0fba51143462f4d569a70d
SHA512

ac1b8b695c9c0b3afebf4b7277b638b1317399c2dc910b2cd26ae9e548dc684974ede9f3e14268dfda3ce901ee23ac74663a06386e403a652cca070ed557f78a
SSDEEP

1536:1E1SjujsC8XANkPZgJkM8Ydwqo0fdWoz5I9lKcfc6hxRGS+w:mLjsXANkR/fkfdWolI9AiDZ

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 4 IoCs

Processes:

chinesebuilder.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	chinesebuilder.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	chinesebuilder.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	chinesebuilder.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	chinesebuilder.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

Processes:

chinesebuilder.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	chinesebuilder.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	chinesebuilder.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	chinesebuilder.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chinesebuilder.exe

pid process

3784 chinesebuilder.exe
3784 chinesebuilder.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

47dba610a04ef1d7f18a795108cf9e62d2d6e9e22f0fba51143462f4d569a70d.exe

pid process

2192 47dba610a04ef1d7f18a795108cf9e62d2d6e9e22f0fba51143462f4d569a70d.exe

pid	process
3784	chinesebuilder.exe
3784	chinesebuilder.exe

pid	process
2192	47dba610a04ef1d7f18a795108cf9e62d2d6e9e22f0fba51143462f4d569a70d.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

47dba610a04ef1d7f18a795108cf9e62d2d6e9e22f0fba51143462f4d569a70d.exechinesebuilder.exe

description	pid	process	target process
PID 4676 wrote to memory of 2192	4676	47dba610a04ef1d7f18a795108cf9e62d2d6e9e22f0fba51143462f4d569a70d.exe	47dba610a04ef1d7f18a795108cf9e62d2d6e9e22f0fba51143462f4d569a70d.exe
PID 4676 wrote to memory of 2192	4676	47dba610a04ef1d7f18a795108cf9e62d2d6e9e22f0fba51143462f4d569a70d.exe	47dba610a04ef1d7f18a795108cf9e62d2d6e9e22f0fba51143462f4d569a70d.exe
PID 4676 wrote to memory of 2192	4676	47dba610a04ef1d7f18a795108cf9e62d2d6e9e22f0fba51143462f4d569a70d.exe	47dba610a04ef1d7f18a795108cf9e62d2d6e9e22f0fba51143462f4d569a70d.exe
PID 5004 wrote to memory of 3784	5004	chinesebuilder.exe	chinesebuilder.exe
PID 5004 wrote to memory of 3784	5004	chinesebuilder.exe	chinesebuilder.exe
PID 5004 wrote to memory of 3784	5004	chinesebuilder.exe	chinesebuilder.exe

C:\Users\Admin\AppData\Local\Temp\47dba610a04ef1d7f18a795108cf9e62d2d6e9e22f0fba51143462f4d569a70d.exe
"C:\Users\Admin\AppData\Local\Temp\47dba610a04ef1d7f18a795108cf9e62d2d6e9e22f0fba51143462f4d569a70d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4676

C:\Users\Admin\AppData\Local\Temp\47dba610a04ef1d7f18a795108cf9e62d2d6e9e22f0fba51143462f4d569a70d.exe
--3390afee
2⤵
- Suspicious behavior: RenamesItself
PID:2192

C:\Windows\SysWOW64\chinesebuilder.exe
"C:\Windows\SysWOW64\chinesebuilder.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5004

C:\Windows\SysWOW64\chinesebuilder.exe
--9b4e3320
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3784

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads