emotet | e6c95255a8926b0f99d7b83bd00b7062bea8e815838e7e8cda471edc32253ffb

General

Target

e6c95255a8926b0f99d7b83bd00b7062bea8e815838e7e8cda471edc32253ffb.exe
Size

448KB
MD5

684ed792f2ae26e0fbfa34ac1cef5f40
SHA1

a687998b7ad3624122e3bfc1ad5f343cd9b33af2
SHA256

e6c95255a8926b0f99d7b83bd00b7062bea8e815838e7e8cda471edc32253ffb
SHA512

0e8a276f32f8184319b2128cef4452be68afda40df17dd9eaf965b98d4cca71b39225edadbf9d82149171c73e35e04f4155e3e644b41805094e3d6822e28247a

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 1 IoCs

Processes:

wbemallow.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	wbemallow.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

e6c95255a8926b0f99d7b83bd00b7062bea8e815838e7e8cda471edc32253ffb.exee6c95255a8926b0f99d7b83bd00b7062bea8e815838e7e8cda471edc32253ffb.exewbemallow.exewbemallow.exe

pid	process
908	e6c95255a8926b0f99d7b83bd00b7062bea8e815838e7e8cda471edc32253ffb.exe
908	e6c95255a8926b0f99d7b83bd00b7062bea8e815838e7e8cda471edc32253ffb.exe
3556	e6c95255a8926b0f99d7b83bd00b7062bea8e815838e7e8cda471edc32253ffb.exe
3556	e6c95255a8926b0f99d7b83bd00b7062bea8e815838e7e8cda471edc32253ffb.exe
3988	wbemallow.exe
3988	wbemallow.exe
1996	wbemallow.exe
1996	wbemallow.exe
1996	wbemallow.exe
1996	wbemallow.exe
1996	wbemallow.exe
1996	wbemallow.exe
1996	wbemallow.exe
1996	wbemallow.exe
1996	wbemallow.exe
1996	wbemallow.exe
1996	wbemallow.exe
1996	wbemallow.exe
1996	wbemallow.exe
1996	wbemallow.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

e6c95255a8926b0f99d7b83bd00b7062bea8e815838e7e8cda471edc32253ffb.exe

pid process

3556 e6c95255a8926b0f99d7b83bd00b7062bea8e815838e7e8cda471edc32253ffb.exe

pid	process
3556	e6c95255a8926b0f99d7b83bd00b7062bea8e815838e7e8cda471edc32253ffb.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

e6c95255a8926b0f99d7b83bd00b7062bea8e815838e7e8cda471edc32253ffb.exewbemallow.exe

description	pid	process	target process
PID 908 wrote to memory of 3556	908	e6c95255a8926b0f99d7b83bd00b7062bea8e815838e7e8cda471edc32253ffb.exe	e6c95255a8926b0f99d7b83bd00b7062bea8e815838e7e8cda471edc32253ffb.exe
PID 908 wrote to memory of 3556	908	e6c95255a8926b0f99d7b83bd00b7062bea8e815838e7e8cda471edc32253ffb.exe	e6c95255a8926b0f99d7b83bd00b7062bea8e815838e7e8cda471edc32253ffb.exe
PID 908 wrote to memory of 3556	908	e6c95255a8926b0f99d7b83bd00b7062bea8e815838e7e8cda471edc32253ffb.exe	e6c95255a8926b0f99d7b83bd00b7062bea8e815838e7e8cda471edc32253ffb.exe
PID 3988 wrote to memory of 1996	3988	wbemallow.exe	wbemallow.exe
PID 3988 wrote to memory of 1996	3988	wbemallow.exe	wbemallow.exe
PID 3988 wrote to memory of 1996	3988	wbemallow.exe	wbemallow.exe

C:\Users\Admin\AppData\Local\Temp\e6c95255a8926b0f99d7b83bd00b7062bea8e815838e7e8cda471edc32253ffb.exe
"C:\Users\Admin\AppData\Local\Temp\e6c95255a8926b0f99d7b83bd00b7062bea8e815838e7e8cda471edc32253ffb.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:908
- C:\Users\Admin\AppData\Local\Temp\e6c95255a8926b0f99d7b83bd00b7062bea8e815838e7e8cda471edc32253ffb.exe
  "C:\Users\Admin\AppData\Local\Temp\e6c95255a8926b0f99d7b83bd00b7062bea8e815838e7e8cda471edc32253ffb.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  PID:3556

C:\Windows\SysWOW64\wbemallow.exe
"C:\Windows\SysWOW64\wbemallow.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3988
- C:\Windows\SysWOW64\wbemallow.exe
  "C:\Windows\SysWOW64\wbemallow.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/908-124-0x0000000000610000-0x0000000000620000-memory.dmp

Filesize
64KB

Download
memory/908-117-0x00000000005F0000-0x0000000000609000-memory.dmp

Filesize
100KB

Download
memory/908-115-0x00000000005F0000-0x0000000000609000-memory.dmp

Filesize
100KB

Download
memory/908-123-0x0000000000570000-0x00000000006BA000-memory.dmp

Filesize
1.3MB

Download
memory/1996-133-0x0000000000510000-0x0000000000529000-memory.dmp

Filesize
100KB

Download
memory/1996-131-0x0000000000000000-mapping.dmp

Download
memory/1996-135-0x0000000000510000-0x0000000000529000-memory.dmp

Filesize
100KB

Download
memory/1996-138-0x0000000000480000-0x000000000052E000-memory.dmp

Filesize
696KB

Download
memory/1996-139-0x0000000000530000-0x0000000000540000-memory.dmp

Filesize
64KB

Download
memory/3556-122-0x0000000000530000-0x0000000000549000-memory.dmp

Filesize
100KB

Download
memory/3556-125-0x00000000004F0000-0x0000000000509000-memory.dmp

Filesize
100KB

Download
memory/3556-126-0x0000000000510000-0x0000000000520000-memory.dmp

Filesize
64KB

Download
memory/3556-120-0x0000000000530000-0x0000000000549000-memory.dmp

Filesize
100KB

Download
memory/3556-118-0x0000000000000000-mapping.dmp

Download
memory/3988-127-0x0000000000D80000-0x0000000000D99000-memory.dmp

Filesize
100KB

Download
memory/3988-130-0x0000000000D80000-0x0000000000D99000-memory.dmp

Filesize
100KB

Download
memory/3988-137-0x00000000001D0000-0x00000000001E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads