emotet | ac6ff653497ef0da394e6485c2a29b584c602ae1fbed0a5327737e756045cc68

Analysis

max time kernel
133s
max time network
149s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
13/07/2024, 18:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f4a506797325ba974e553a421fd1974a1426956e.exe
Size

487KB
MD5

398d7c3373971509c04d5b20107530b7
SHA1

f4a506797325ba974e553a421fd1974a1426956e
SHA256

606b1b5c0f7f6b0b31825ef8d2271727c274fc8c50beada611daa47e35a10792
SHA512

7d860486408f05805a30664bccb8f43a6bfc2e27b6cde4c042051ad344b410ec5c02693c5ebc57dde1c6cf500cd4dcc369ed1e7c0c2fe3484b24d99ddfe1f0df
SSDEEP

6144:rTj57Z0Lnr0s1pWxD14XLN9JpFAeSeDXrJl3PvgJ6zU5hfQCGw6QpTDj3E8ExGlb:ZPs/WIXLHJp2VYXrJ5PvfUv33E8Aob

Score

10^/10

emotet epoch2 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

186.75.241.230:80

181.143.194.138:443

181.143.53.227:21

85.104.59.244:20

80.11.163.139:443

104.131.44.150:8080

185.187.198.15:80

133.167.80.63:7080

198.199.114.69:8080

192.254.173.31:8080

182.76.6.2:8080

85.106.1.166:50000

59.103.164.174:80

182.176.106.43:995

92.233.128.13:143

149.202.153.252:8080

206.189.98.125:8080

190.108.228.48:990

190.226.44.20:21

85.54.169.141:8080

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	pixeltran.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	pixeltran.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	pixeltran.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	pixeltran.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	pixeltran.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	pixeltran.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	pixeltran.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	pixeltran.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\ddeexec	pixeltran.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\command\ = "C:\\Windows\\SysWOW64\\PIXELT~1.EXE /dde"	pixeltran.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\ddeexec\ = "[open(\"%1\")]"	f4a506797325ba974e553a421fd1974a1426956e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\ddeexec\ = "[printto(\"%1\",\"%2\",\"%3\",\"%4\")]"	f4a506797325ba974e553a421fd1974a1426956e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL	f4a506797325ba974e553a421fd1974a1426956e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\ddeexec	f4a506797325ba974e553a421fd1974a1426956e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\command	f4a506797325ba974e553a421fd1974a1426956e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL	f4a506797325ba974e553a421fd1974a1426956e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\command	pixeltran.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\command	pixeltran.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\command	pixeltran.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\ddeexec	pixeltran.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1	pixeltran.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ShellNew\NullFile	f4a506797325ba974e553a421fd1974a1426956e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\ddeexec\ = "[printto(\"%1\",\"%2\",\"%3\",\"%4\")]"	f4a506797325ba974e553a421fd1974a1426956e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ShellNew	f4a506797325ba974e553a421fd1974a1426956e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ShellNew\NullFile	f4a506797325ba974e553a421fd1974a1426956e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\ddeexec	pixeltran.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\ddeexec\ = "[print(\"%1\")]"	pixeltran.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\command\ = "C:\\Windows\\SysWOW64\\PIXELT~1.EXE /dde"	pixeltran.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\F4A506~1.EXE,0"	f4a506797325ba974e553a421fd1974a1426956e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\ddeexec\ = "[print(\"%1\")]"	f4a506797325ba974e553a421fd1974a1426956e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\ = "Recalc Document"	pixeltran.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\command	pixeltran.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\ddeexec\ = "[printto(\"%1\",\"%2\",\"%3\",\"%4\")]"	pixeltran.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\command\ = "C:\\Windows\\SysWOW64\\PIXELT~1.EXE /dde"	pixeltran.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL	pixeltran.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ = "Recalc.Document.1"	pixeltran.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\DefaultIcon	f4a506797325ba974e553a421fd1974a1426956e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ShellNew\NullFile	pixeltran.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\command	f4a506797325ba974e553a421fd1974a1426956e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\F4A506~1.EXE,0"	f4a506797325ba974e553a421fd1974a1426956e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\command	f4a506797325ba974e553a421fd1974a1426956e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\DefaultIcon	pixeltran.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\command	pixeltran.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL	pixeltran.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\F4A506~1.EXE /dde"	f4a506797325ba974e553a421fd1974a1426956e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ShellNew	f4a506797325ba974e553a421fd1974a1426956e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\ddeexec\ = "[open(\"%1\")]"	f4a506797325ba974e553a421fd1974a1426956e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\F4A506~1.EXE /dde"	f4a506797325ba974e553a421fd1974a1426956e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1	pixeltran.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\ddeexec\ = "[open(\"%1\")]"	pixeltran.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\command	f4a506797325ba974e553a421fd1974a1426956e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\ddeexec\ = "[open(\"%1\")]"	pixeltran.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\command\ = "C:\\Windows\\SysWOW64\\PIXELT~1.EXE /dde"	pixeltran.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\ddeexec	pixeltran.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1	f4a506797325ba974e553a421fd1974a1426956e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\command	f4a506797325ba974e553a421fd1974a1426956e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ = "Recalc.Document.1"	f4a506797325ba974e553a421fd1974a1426956e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\ddeexec\ = "[printto(\"%1\",\"%2\",\"%3\",\"%4\")]"	pixeltran.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\command\ = "C:\\Windows\\SysWOW64\\PIXELT~1.EXE /dde"	pixeltran.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\ddeexec	f4a506797325ba974e553a421fd1974a1426956e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ = "Recalc.Document.1"	f4a506797325ba974e553a421fd1974a1426956e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\ = "Recalc Document"	f4a506797325ba974e553a421fd1974a1426956e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ShellNew	pixeltran.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\ddeexec	pixeltran.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ShellNew\NullFile	pixeltran.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print	f4a506797325ba974e553a421fd1974a1426956e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\ddeexec	f4a506797325ba974e553a421fd1974a1426956e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ = "Recalc.Document.1"	pixeltran.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\ddeexec	pixeltran.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ShellNew	pixeltran.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\DefaultIcon\ = "C:\\Windows\\SysWOW64\\PIXELT~1.EXE,0"	pixeltran.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\command\ = "C:\\Windows\\SysWOW64\\PIXELT~1.EXE /dde"	pixeltran.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
784	pixeltran.exe
784	pixeltran.exe
784	pixeltran.exe
784	pixeltran.exe
784	pixeltran.exe
784	pixeltran.exe
784	pixeltran.exe
784	pixeltran.exe
784	pixeltran.exe
784	pixeltran.exe
784	pixeltran.exe
784	pixeltran.exe
784	pixeltran.exe
784	pixeltran.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3836	f4a506797325ba974e553a421fd1974a1426956e.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2412	f4a506797325ba974e553a421fd1974a1426956e.exe
2412	f4a506797325ba974e553a421fd1974a1426956e.exe
3836	f4a506797325ba974e553a421fd1974a1426956e.exe
3836	f4a506797325ba974e553a421fd1974a1426956e.exe
3404	pixeltran.exe
3404	pixeltran.exe
784	pixeltran.exe
784	pixeltran.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 3836	2412	f4a506797325ba974e553a421fd1974a1426956e.exe	73
PID 2412 wrote to memory of 3836	2412	f4a506797325ba974e553a421fd1974a1426956e.exe	73
PID 2412 wrote to memory of 3836	2412	f4a506797325ba974e553a421fd1974a1426956e.exe	73
PID 3404 wrote to memory of 784	3404	pixeltran.exe	75
PID 3404 wrote to memory of 784	3404	pixeltran.exe	75
PID 3404 wrote to memory of 784	3404	pixeltran.exe	75

C:\Users\Admin\AppData\Local\Temp\f4a506797325ba974e553a421fd1974a1426956e.exe
"C:\Users\Admin\AppData\Local\Temp\f4a506797325ba974e553a421fd1974a1426956e.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Users\Admin\AppData\Local\Temp\f4a506797325ba974e553a421fd1974a1426956e.exe
  --e4ba5426
  2⤵
  - Modifies registry class
  - Suspicious behavior: RenamesItself
  - Suspicious use of SetWindowsHookEx
  PID:3836

C:\Windows\SysWOW64\pixeltran.exe
"C:\Windows\SysWOW64\pixeltran.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3404
- C:\Windows\SysWOW64\pixeltran.exe
  --7f331187
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/784-17-0x0000000000D90000-0x0000000000DA4000-memory.dmp

Filesize
80KB

Download
memory/2412-0-0x00000000021B0000-0x00000000021C4000-memory.dmp

Filesize
80KB

Download
memory/2412-5-0x0000000000670000-0x000000000067F000-memory.dmp

Filesize
60KB

Download
memory/3404-11-0x0000000000DB0000-0x0000000000DC4000-memory.dmp

Filesize
80KB

Download
memory/3836-6-0x00000000021E0000-0x00000000021F4000-memory.dmp

Filesize
80KB

Download
memory/3836-16-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download