Analysis Overview
SHA256
65c97fcbc4483c7dbd4692342ce8c7089573603677f917e40b45cea43a30abab
Threat Level: Known bad
The file bb49d3fbd4cb3fdc2bb2256463275826 was found to be: Known bad.
Malicious Activity Summary
Emotet
Drops file in System32 directory
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Modifies data under HKEY_USERS
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-08 12:42
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-08 12:42
Reported
2024-03-08 12:45
Platform
win7-20240221-en
Max time kernel
135s
Max time network
148s
Command Line
Signatures
Emotet
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Windows\SysWOW64\sestargets.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Windows\SysWOW64\sestargets.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0085000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\sestargets.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D7D33897-E920-4B4C-BF10-C6A364CD478E}\WpadDecisionReason = "1" | C:\Windows\SysWOW64\sestargets.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D7D33897-E920-4B4C-BF10-C6A364CD478E}\WpadDecision = "0" | C:\Windows\SysWOW64\sestargets.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\82-f1-3d-f4-cb-9d\WpadDecision = "0" | C:\Windows\SysWOW64\sestargets.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\SysWOW64\sestargets.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\SysWOW64\sestargets.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | C:\Windows\SysWOW64\sestargets.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D7D33897-E920-4B4C-BF10-C6A364CD478E} | C:\Windows\SysWOW64\sestargets.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D7D33897-E920-4B4C-BF10-C6A364CD478E}\WpadNetworkName = "Network 3" | C:\Windows\SysWOW64\sestargets.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\82-f1-3d-f4-cb-9d\WpadDecisionTime = f051233d5671da01 | C:\Windows\SysWOW64\sestargets.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\SysWOW64\sestargets.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\sestargets.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\SysWOW64\sestargets.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\82-f1-3d-f4-cb-9d\WpadDecisionReason = "1" | C:\Windows\SysWOW64\sestargets.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\sestargets.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D7D33897-E920-4B4C-BF10-C6A364CD478E}\WpadDecisionTime = f051233d5671da01 | C:\Windows\SysWOW64\sestargets.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\82-f1-3d-f4-cb-9d | C:\Windows\SysWOW64\sestargets.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\SysWOW64\sestargets.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SysWOW64\sestargets.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D7D33897-E920-4B4C-BF10-C6A364CD478E}\82-f1-3d-f4-cb-9d | C:\Windows\SysWOW64\sestargets.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sestargets.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sestargets.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sestargets.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb49d3fbd4cb3fdc2bb2256463275826.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb49d3fbd4cb3fdc2bb2256463275826.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb49d3fbd4cb3fdc2bb2256463275826.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb49d3fbd4cb3fdc2bb2256463275826.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb49d3fbd4cb3fdc2bb2256463275826.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sestargets.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sestargets.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sestargets.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sestargets.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bb49d3fbd4cb3fdc2bb2256463275826.exe
"C:\Users\Admin\AppData\Local\Temp\bb49d3fbd4cb3fdc2bb2256463275826.exe"
C:\Users\Admin\AppData\Local\Temp\bb49d3fbd4cb3fdc2bb2256463275826.exe
--a40aa9df
C:\Windows\SysWOW64\sestargets.exe
"C:\Windows\SysWOW64\sestargets.exe"
C:\Windows\SysWOW64\sestargets.exe
--235e9d13
Network
| Country | Destination | Domain | Proto |
| AR | 152.169.31.120:8080 | | tcp |
| AR | 152.169.31.120:8080 | | tcp |
| TW | 211.20.154.102:80 | | tcp |
| TW | 211.20.154.102:80 | | tcp |
| US | 45.55.179.121:8080 | | tcp |
Files
memory/2648-0-0x0000000001E50000-0x0000000001E74000-memory.dmp
memory/2648-3-0x0000000001E20000-0x0000000001E43000-memory.dmp
memory/3008-7-0x0000000001EB0000-0x0000000001ED4000-memory.dmp
memory/2568-13-0x0000000000A00000-0x0000000000A24000-memory.dmp
memory/2368-19-0x0000000000540000-0x0000000000564000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-08 12:42
Reported
2024-03-08 12:45
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Emotet
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Windows\SysWOW64\sidebarwmp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Windows\SysWOW64\sidebarwmp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Windows\SysWOW64\sidebarwmp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Windows\SysWOW64\sidebarwmp.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\SysWOW64\sidebarwmp.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SysWOW64\sidebarwmp.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\SysWOW64\sidebarwmp.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sidebarwmp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sidebarwmp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sidebarwmp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sidebarwmp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sidebarwmp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sidebarwmp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sidebarwmp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sidebarwmp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sidebarwmp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sidebarwmp.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb49d3fbd4cb3fdc2bb2256463275826.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb49d3fbd4cb3fdc2bb2256463275826.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb49d3fbd4cb3fdc2bb2256463275826.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb49d3fbd4cb3fdc2bb2256463275826.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb49d3fbd4cb3fdc2bb2256463275826.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sidebarwmp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sidebarwmp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sidebarwmp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sidebarwmp.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4964 wrote to memory of 1972 | N/A | C:\Users\Admin\AppData\Local\Temp\bb49d3fbd4cb3fdc2bb2256463275826.exe | C:\Users\Admin\AppData\Local\Temp\bb49d3fbd4cb3fdc2bb2256463275826.exe |
| PID 4964 wrote to memory of 1972 | N/A | C:\Users\Admin\AppData\Local\Temp\bb49d3fbd4cb3fdc2bb2256463275826.exe | C:\Users\Admin\AppData\Local\Temp\bb49d3fbd4cb3fdc2bb2256463275826.exe |
| PID 4964 wrote to memory of 1972 | N/A | C:\Users\Admin\AppData\Local\Temp\bb49d3fbd4cb3fdc2bb2256463275826.exe | C:\Users\Admin\AppData\Local\Temp\bb49d3fbd4cb3fdc2bb2256463275826.exe |
| PID 4992 wrote to memory of 4556 | N/A | C:\Windows\SysWOW64\sidebarwmp.exe | C:\Windows\SysWOW64\sidebarwmp.exe |
| PID 4992 wrote to memory of 4556 | N/A | C:\Windows\SysWOW64\sidebarwmp.exe | C:\Windows\SysWOW64\sidebarwmp.exe |
| PID 4992 wrote to memory of 4556 | N/A | C:\Windows\SysWOW64\sidebarwmp.exe | C:\Windows\SysWOW64\sidebarwmp.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\bb49d3fbd4cb3fdc2bb2256463275826.exe
"C:\Users\Admin\AppData\Local\Temp\bb49d3fbd4cb3fdc2bb2256463275826.exe"
C:\Users\Admin\AppData\Local\Temp\bb49d3fbd4cb3fdc2bb2256463275826.exe
--a40aa9df
C:\Windows\SysWOW64\sidebarwmp.exe
"C:\Windows\SysWOW64\sidebarwmp.exe"
C:\Windows\SysWOW64\sidebarwmp.exe
--e45a3410
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.5.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| AR | 152.169.31.120:8080 | | tcp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 179.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.135.221.88.in-addr.arpa | udp |
| TW | 211.20.154.102:80 | | tcp |
| US | 8.8.8.8:53 | 201.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.178.17.96.in-addr.arpa | udp |
| US | 45.55.179.121:8080 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| NL | 198.211.121.27:8080 | | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 193.178.17.96.in-addr.arpa | udp |
| GB | 82.145.43.153:8080 | | tcp |
| GB | 96.17.178.193:80 | | tcp |
Files
memory/4964-0-0x0000000002430000-0x0000000002454000-memory.dmp
memory/4964-3-0x0000000002400000-0x0000000002423000-memory.dmp
memory/1972-7-0x0000000002420000-0x0000000002444000-memory.dmp
memory/4992-13-0x0000000001690000-0x00000000016B4000-memory.dmp
memory/4556-19-0x00000000016D0000-0x00000000016F4000-memory.dmp