emotet | ac6ff653497ef0da394e6485c2a29b584c602ae1fbed0a5327737e756045cc68

Analysis

max time kernel
148s
max time network
146s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
13-07-2024 18:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d60229cbc27661327c07d899e5ed973589b29ab0.exe
Size

113KB
MD5

0dfcdb84ddb47ec920abbcee00a9242f
SHA1

d60229cbc27661327c07d899e5ed973589b29ab0
SHA256

68ffb681957427596519953a7e7f9cd9802a9efb88fbc35cb7b099c7185e4322
SHA512

fc82b83bbe938362d2f66fe49659a68159cf5b57385675504cdc1a0bcdc5eb5d17b7573f725576699008ef7e0bf81b655326a5a1869fab98679f78392b7a6829
SSDEEP

3072:NdXoH140klX/1SvgDJ6gwBq1Dp1xzxfU8R4gR:XYH140ko6JvwA1DpDP48

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 5 IoCs

Processes:

vieweriprop.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	vieweriprop.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	vieweriprop.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	vieweriprop.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	vieweriprop.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	vieweriprop.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

Processes:

vieweriprop.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	vieweriprop.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	vieweriprop.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	vieweriprop.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

vieweriprop.exe

pid	process
2344	vieweriprop.exe
2344	vieweriprop.exe
2344	vieweriprop.exe
2344	vieweriprop.exe
2344	vieweriprop.exe
2344	vieweriprop.exe
2344	vieweriprop.exe
2344	vieweriprop.exe
2344	vieweriprop.exe
2344	vieweriprop.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

d60229cbc27661327c07d899e5ed973589b29ab0.exe

pid process

1972 d60229cbc27661327c07d899e5ed973589b29ab0.exe

pid	process
1972	d60229cbc27661327c07d899e5ed973589b29ab0.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

d60229cbc27661327c07d899e5ed973589b29ab0.exevieweriprop.exe

description	pid	process	target process
PID 4012 wrote to memory of 1972	4012	d60229cbc27661327c07d899e5ed973589b29ab0.exe	d60229cbc27661327c07d899e5ed973589b29ab0.exe
PID 4012 wrote to memory of 1972	4012	d60229cbc27661327c07d899e5ed973589b29ab0.exe	d60229cbc27661327c07d899e5ed973589b29ab0.exe
PID 4012 wrote to memory of 1972	4012	d60229cbc27661327c07d899e5ed973589b29ab0.exe	d60229cbc27661327c07d899e5ed973589b29ab0.exe
PID 1984 wrote to memory of 2344	1984	vieweriprop.exe	vieweriprop.exe
PID 1984 wrote to memory of 2344	1984	vieweriprop.exe	vieweriprop.exe
PID 1984 wrote to memory of 2344	1984	vieweriprop.exe	vieweriprop.exe

C:\Users\Admin\AppData\Local\Temp\d60229cbc27661327c07d899e5ed973589b29ab0.exe
"C:\Users\Admin\AppData\Local\Temp\d60229cbc27661327c07d899e5ed973589b29ab0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4012

C:\Users\Admin\AppData\Local\Temp\d60229cbc27661327c07d899e5ed973589b29ab0.exe
--44ebdc43
2⤵
- Suspicious behavior: RenamesItself
PID:1972

C:\Windows\SysWOW64\vieweriprop.exe
"C:\Windows\SysWOW64\vieweriprop.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\SysWOW64\vieweriprop.exe
--bd97d350
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1972-5-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1972-6-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1972-12-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1984-7-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4012-0-0x0000000002010000-0x0000000002021000-memory.dmp

Filesize
68KB

Download
memory/4012-4-0x0000000002010000-0x0000000002021000-memory.dmp

Filesize
68KB

Download
memory/4012-2-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download