emotet | 8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897

Resubmissions

11-11-2021 07:04

211111-hv496aahd5 10

04-11-2021 08:03

211104-jxwapsgba5 10

Analysis

max time kernel
292s
max time network
295s
platform
windows10_x64
resource
win10-en-20211014
submitted
04-11-2021 08:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
Size

352KB
MD5

6cb0a519e981f65f5fa3eb7894a9d975
SHA1

564285b2d70cc9c592c84ae0774f25825cff7cc4
SHA256

8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897
SHA512

e66cc0f6e3d6ed2fd6ee9692d6c78a4e32a94322aee775cfd8c0ef8a22f25eec5f0c8625a2c45da50a631535e5f460e88b5749b4cb81840359cbd68b247a3085

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Emotet Payload 3 IoCs

Detects Emotet payload in memory.

Processes:

resource	yara_rule
behavioral1/memory/2452-115-0x00000000027C0000-0x00000000027FD000-memory.dmp	emotet
behavioral1/memory/2452-118-0x0000000002801000-0x000000000280C000-memory.dmp	emotet
behavioral1/memory/2452-121-0x0000000002300000-0x000000000233A000-memory.dmp	emotet

Modifies data under HKEY_USERS 1 IoCs

Processes:

svchost.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\NGC\SoftLockoutVolatileKey svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\NGC\SoftLockoutVolatileKey	svchost.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe

pid	process
2452	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2452	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2452	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2452	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2452	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2452	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2452	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2452	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2452	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2452	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2452	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2452	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2452	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2452	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2452	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2452	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2452	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2452	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2452	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2452	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2452	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2452	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2452	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2452	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2452	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2452	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2452	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2452	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2452	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
2452	8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe

C:\Users\Admin\AppData\Local\Temp\8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe
"C:\Users\Admin\AppData\Local\Temp\8ac8e7c7d38192eeb5edd4fab3adab9437c456fbe2cd1a757fd1da79c74ee897.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2452

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NgcSvc
1⤵
PID:2228

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
1⤵
PID:3708

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s NgcCtnrSvc
1⤵
- Modifies data under HKEY_USERS
PID:2256

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2452-115-0x00000000027C0000-0x00000000027FD000-memory.dmp

Filesize
244KB

Download
memory/2452-118-0x0000000002801000-0x000000000280C000-memory.dmp

Filesize
44KB

Download
memory/2452-119-0x000000000280C000-0x000000000280D000-memory.dmp

Filesize
4KB

Download
memory/2452-120-0x0000000002810000-0x000000000283C000-memory.dmp

Filesize
176KB

Download
memory/2452-121-0x0000000002300000-0x000000000233A000-memory.dmp

Filesize
232KB

Download