emotet | b8ee2d6a048dceeb33028546e76c28b0075946b10762b1554fb3a85a3ec21f91

General

Target

b8ee2d6a048dceeb33028546e76c28b0075946b10762b1554fb3a85a3ec21f91.exe
Size

700KB
MD5

843504ebb017aa60b9bfc8a38b9b08a1
SHA1

09f4e3bf45e0f76906a00e5fac06a7c98c88c430
SHA256

b8ee2d6a048dceeb33028546e76c28b0075946b10762b1554fb3a85a3ec21f91
SHA512

6e0afabfbc96a594cd877d7953135356f54912f5c58db446f78e5566606f9d390e45db297d90376da05ec551981beface661ca585b355c8fc4efda8e961efcf4
SSDEEP

12288:BBVbS8WpG2pxlqnBc2dtqvgqDtpGCoLpwT62qX+cs4c0:bJSjtpxlmNdtjqRpJV6/X+6p

Score

10^/10

emotet epoch3 banker discovery trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch3

C2

98.178.241.106:80

190.171.153.139:80

179.5.118.12:8080

45.79.75.232:8080

124.150.175.133:80

164.68.115.146:8080

5.189.148.98:8080

46.105.128.215:8080

67.254.196.78:443

95.216.207.86:7080

181.46.176.38:80

98.15.140.226:80

217.12.70.226:80

115.179.91.58:80

41.190.148.90:80

162.144.46.90:8080

211.218.105.101:80

212.129.14.27:8080

120.51.83.89:443

200.41.121.69:443

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Emotet family
emotet

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	acquiremsp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8ee2d6a048dceeb33028546e76c28b0075946b10762b1554fb3a85a3ec21f91.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8ee2d6a048dceeb33028546e76c28b0075946b10762b1554fb3a85a3ec21f91.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	acquiremsp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	acquiremsp.exe

Modifies data under HKEY_USERS 21 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	acquiremsp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	acquiremsp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	acquiremsp.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-4a-10-6d-38-f1	acquiremsp.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-4a-10-6d-38-f1\WpadDecisionReason = "1"	acquiremsp.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-4a-10-6d-38-f1\WpadDecisionTime = 30f1591f9d3bdb01	acquiremsp.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	acquiremsp.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	acquiremsp.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B13A0A5D-F127-431A-B55F-75BB7957AF75}	acquiremsp.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B13A0A5D-F127-431A-B55F-75BB7957AF75}\WpadDecisionReason = "1"	acquiremsp.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B13A0A5D-F127-431A-B55F-75BB7957AF75}\WpadDecisionTime = 30f1591f9d3bdb01	acquiremsp.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B13A0A5D-F127-431A-B55F-75BB7957AF75}\WpadDecision = "0"	acquiremsp.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B13A0A5D-F127-431A-B55F-75BB7957AF75}\52-4a-10-6d-38-f1	acquiremsp.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-4a-10-6d-38-f1\WpadDecision = "0"	acquiremsp.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	acquiremsp.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	acquiremsp.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	acquiremsp.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	acquiremsp.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	acquiremsp.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f009d000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	acquiremsp.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B13A0A5D-F127-431A-B55F-75BB7957AF75}\WpadNetworkName = "Network 2"	acquiremsp.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2708	acquiremsp.exe
2708	acquiremsp.exe
2708	acquiremsp.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2796	b8ee2d6a048dceeb33028546e76c28b0075946b10762b1554fb3a85a3ec21f91.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2640	b8ee2d6a048dceeb33028546e76c28b0075946b10762b1554fb3a85a3ec21f91.exe
2640	b8ee2d6a048dceeb33028546e76c28b0075946b10762b1554fb3a85a3ec21f91.exe
2796	b8ee2d6a048dceeb33028546e76c28b0075946b10762b1554fb3a85a3ec21f91.exe
2796	b8ee2d6a048dceeb33028546e76c28b0075946b10762b1554fb3a85a3ec21f91.exe
2332	acquiremsp.exe
2332	acquiremsp.exe
2708	acquiremsp.exe
2708	acquiremsp.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2796	2640	b8ee2d6a048dceeb33028546e76c28b0075946b10762b1554fb3a85a3ec21f91.exe	30
PID 2640 wrote to memory of 2796	2640	b8ee2d6a048dceeb33028546e76c28b0075946b10762b1554fb3a85a3ec21f91.exe	30
PID 2640 wrote to memory of 2796	2640	b8ee2d6a048dceeb33028546e76c28b0075946b10762b1554fb3a85a3ec21f91.exe	30
PID 2640 wrote to memory of 2796	2640	b8ee2d6a048dceeb33028546e76c28b0075946b10762b1554fb3a85a3ec21f91.exe	30
PID 2332 wrote to memory of 2708	2332	acquiremsp.exe	32
PID 2332 wrote to memory of 2708	2332	acquiremsp.exe	32
PID 2332 wrote to memory of 2708	2332	acquiremsp.exe	32
PID 2332 wrote to memory of 2708	2332	acquiremsp.exe	32

C:\Users\Admin\AppData\Local\Temp\b8ee2d6a048dceeb33028546e76c28b0075946b10762b1554fb3a85a3ec21f91.exe
"C:\Users\Admin\AppData\Local\Temp\b8ee2d6a048dceeb33028546e76c28b0075946b10762b1554fb3a85a3ec21f91.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Users\Admin\AppData\Local\Temp\b8ee2d6a048dceeb33028546e76c28b0075946b10762b1554fb3a85a3ec21f91.exe
  --c16e2b9c
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of SetWindowsHookEx
  PID:2796

C:\Windows\SysWOW64\acquiremsp.exe
"C:\Windows\SysWOW64\acquiremsp.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\SysWOW64\acquiremsp.exe
  --dda634e6
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2640-1-0x0000000000320000-0x0000000000337000-memory.dmp

Filesize
92KB

Download
memory/2640-6-0x0000000000300000-0x0000000000311000-memory.dmp

Filesize
68KB

Download
memory/2640-0-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2708-18-0x0000000000330000-0x0000000000347000-memory.dmp

Filesize
92KB

Download
memory/2796-7-0x00000000003E0000-0x00000000003F7000-memory.dmp

Filesize
92KB

Download
memory/2796-17-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download

Analysis

Sharing