emotet | 513937eca95b5c969a67c9592045a66bfeedd732003832ea51a39d2e9e493480

General

Target

90152e847d02fe9ed6802bf437c89bbad41abfc0b9552c5c75f7432541e8e94b.exe
Size

192KB
MD5

5ef571b6a4f2ff6300f3a3b50bfd0632
SHA1

9360645cf56f7b512046a2734fdc845bedbe6742
SHA256

90152e847d02fe9ed6802bf437c89bbad41abfc0b9552c5c75f7432541e8e94b
SHA512

b553c9637b09cd7e11984e5e532a412601ba149ad0af5168be54273dbb9750fa43133e9c71264de9cae423f55394b7ad7051f067928e957f003726c8cad16a58
SSDEEP

3072:5Mvj+eIAbeWsy7hy/049Vem7l2fySg7+ehmIHELhxVy/5/YoayJ8gCy6IKxzQy:+vj2AbeWsy204rLlKlk+HIqhxVyhweAg

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 1 IoCs

Processes:

caseasp.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	caseasp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 18 IoCs

Processes:

caseasp.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	caseasp.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ce-1f-ed-c7-3d-d3\WpadDecision = "0"	caseasp.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A7399F84-C8E4-4D19-977A-80288B7A82AB}\WpadDecision = "0"	caseasp.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A7399F84-C8E4-4D19-977A-80288B7A82AB}\WpadNetworkName = "Network 3"	caseasp.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	caseasp.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	caseasp.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A7399F84-C8E4-4D19-977A-80288B7A82AB}\WpadDecisionReason = "1"	caseasp.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A7399F84-C8E4-4D19-977A-80288B7A82AB}\ce-1f-ed-c7-3d-d3	caseasp.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ce-1f-ed-c7-3d-d3\WpadDecisionReason = "1"	caseasp.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ce-1f-ed-c7-3d-d3\WpadDecisionTime = 207ca0f641a9da01	caseasp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	caseasp.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	caseasp.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A7399F84-C8E4-4D19-977A-80288B7A82AB}\WpadDecisionTime = 207ca0f641a9da01	caseasp.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A7399F84-C8E4-4D19-977A-80288B7A82AB}	caseasp.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ce-1f-ed-c7-3d-d3	caseasp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	caseasp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	caseasp.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f011c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	caseasp.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

90152e847d02fe9ed6802bf437c89bbad41abfc0b9552c5c75f7432541e8e94b.exe90152e847d02fe9ed6802bf437c89bbad41abfc0b9552c5c75f7432541e8e94b.execaseasp.execaseasp.exe

pid	process
3000	90152e847d02fe9ed6802bf437c89bbad41abfc0b9552c5c75f7432541e8e94b.exe
2828	90152e847d02fe9ed6802bf437c89bbad41abfc0b9552c5c75f7432541e8e94b.exe
2636	caseasp.exe
2552	caseasp.exe
2552	caseasp.exe
2552	caseasp.exe
2552	caseasp.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

90152e847d02fe9ed6802bf437c89bbad41abfc0b9552c5c75f7432541e8e94b.exe

pid process

2828 90152e847d02fe9ed6802bf437c89bbad41abfc0b9552c5c75f7432541e8e94b.exe

pid	process
2828	90152e847d02fe9ed6802bf437c89bbad41abfc0b9552c5c75f7432541e8e94b.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

90152e847d02fe9ed6802bf437c89bbad41abfc0b9552c5c75f7432541e8e94b.execaseasp.exe

description	pid	process	target process
PID 3000 wrote to memory of 2828	3000	90152e847d02fe9ed6802bf437c89bbad41abfc0b9552c5c75f7432541e8e94b.exe	90152e847d02fe9ed6802bf437c89bbad41abfc0b9552c5c75f7432541e8e94b.exe
PID 3000 wrote to memory of 2828	3000	90152e847d02fe9ed6802bf437c89bbad41abfc0b9552c5c75f7432541e8e94b.exe	90152e847d02fe9ed6802bf437c89bbad41abfc0b9552c5c75f7432541e8e94b.exe
PID 3000 wrote to memory of 2828	3000	90152e847d02fe9ed6802bf437c89bbad41abfc0b9552c5c75f7432541e8e94b.exe	90152e847d02fe9ed6802bf437c89bbad41abfc0b9552c5c75f7432541e8e94b.exe
PID 3000 wrote to memory of 2828	3000	90152e847d02fe9ed6802bf437c89bbad41abfc0b9552c5c75f7432541e8e94b.exe	90152e847d02fe9ed6802bf437c89bbad41abfc0b9552c5c75f7432541e8e94b.exe
PID 2636 wrote to memory of 2552	2636	caseasp.exe	caseasp.exe
PID 2636 wrote to memory of 2552	2636	caseasp.exe	caseasp.exe
PID 2636 wrote to memory of 2552	2636	caseasp.exe	caseasp.exe
PID 2636 wrote to memory of 2552	2636	caseasp.exe	caseasp.exe

C:\Users\Admin\AppData\Local\Temp\90152e847d02fe9ed6802bf437c89bbad41abfc0b9552c5c75f7432541e8e94b.exe
"C:\Users\Admin\AppData\Local\Temp\90152e847d02fe9ed6802bf437c89bbad41abfc0b9552c5c75f7432541e8e94b.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3000

C:\Users\Admin\AppData\Local\Temp\90152e847d02fe9ed6802bf437c89bbad41abfc0b9552c5c75f7432541e8e94b.exe
"C:\Users\Admin\AppData\Local\Temp\90152e847d02fe9ed6802bf437c89bbad41abfc0b9552c5c75f7432541e8e94b.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
PID:2828

C:\Windows\SysWOW64\caseasp.exe
"C:\Windows\SysWOW64\caseasp.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2636

C:\Windows\SysWOW64\caseasp.exe
"C:\Windows\SysWOW64\caseasp.exe"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2552-35-0x00000000002B0000-0x00000000002C6000-memory.dmp

Filesize
88KB

Download
memory/2552-31-0x00000000002B0000-0x00000000002C6000-memory.dmp

Filesize
88KB

Download
memory/2636-20-0x0000000000B70000-0x0000000000BA1000-memory.dmp

Filesize
196KB

Download
memory/2636-26-0x0000000000370000-0x0000000000386000-memory.dmp

Filesize
88KB

Download
memory/2636-22-0x0000000000370000-0x0000000000386000-memory.dmp

Filesize
88KB

Download
memory/2636-28-0x0000000000390000-0x00000000003B0000-memory.dmp

Filesize
128KB

Download
memory/2636-27-0x0000000000350000-0x0000000000366000-memory.dmp

Filesize
88KB

Download
memory/2636-36-0x0000000000350000-0x0000000000366000-memory.dmp

Filesize
88KB

Download
memory/2636-37-0x0000000000B70000-0x0000000000BA1000-memory.dmp

Filesize
196KB

Download
memory/2636-29-0x00000000005F0000-0x0000000000621000-memory.dmp

Filesize
196KB

Download
memory/2828-15-0x0000000000190000-0x00000000001A6000-memory.dmp

Filesize
88KB

Download
memory/2828-38-0x0000000000B70000-0x0000000000BA1000-memory.dmp

Filesize
196KB

Download
memory/2828-39-0x0000000000170000-0x0000000000186000-memory.dmp

Filesize
88KB

Download
memory/2828-17-0x00000000001D0000-0x00000000001F0000-memory.dmp

Filesize
128KB

Download
memory/2828-16-0x0000000000170000-0x0000000000186000-memory.dmp

Filesize
88KB

Download
memory/2828-11-0x0000000000190000-0x00000000001A6000-memory.dmp

Filesize
88KB

Download
memory/2828-9-0x0000000000B70000-0x0000000000BA1000-memory.dmp

Filesize
196KB

Download
memory/3000-7-0x0000000000250000-0x0000000000266000-memory.dmp

Filesize
88KB

Download
memory/3000-2-0x0000000000930000-0x0000000000946000-memory.dmp

Filesize
88KB

Download
memory/3000-6-0x0000000000930000-0x0000000000946000-memory.dmp

Filesize
88KB

Download
memory/3000-19-0x0000000000250000-0x0000000000266000-memory.dmp

Filesize
88KB

Download
memory/3000-8-0x0000000000950000-0x0000000000970000-memory.dmp

Filesize
128KB

Download
memory/3000-18-0x0000000000B70000-0x0000000000BA1000-memory.dmp

Filesize
196KB

Download
memory/3000-0-0x0000000000B70000-0x0000000000BA1000-memory.dmp

Filesize
196KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads