emotet | 54f253b1d6ff9624c28ef96253e1bb6e7f4a5e6285a5282c4648e2f242bbc5b8

Analysis

Target

54f253b1d6ff9624c28ef96253e1bb6e7f4a5e6285a5282c4648e2f242bbc5b8.exe
Size

100KB
MD5

7134f0f2f92c6fd7008aa8fc59f69213
SHA1

b3f2cf09471d3caa5fd4ab26ae7a6076ee43b947
SHA256

54f253b1d6ff9624c28ef96253e1bb6e7f4a5e6285a5282c4648e2f242bbc5b8
SHA512

68a79b83aeab3302af5c40a3a8ee28e532c265080f9228d9c62a4060d249e5b6f1e6099e1d7eb86b8e8ad6b86ca7879d1b29ad25aee8cab6e2188063ddad63f8

Score

10^/10

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

556 1552 WerFault.exe 54f253b1d6ff9624c28ef96253e1bb6e7f4a5e6285a5282c4648e2f242bbc5b8.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

54f253b1d6ff9624c28ef96253e1bb6e7f4a5e6285a5282c4648e2f242bbc5b8.exe

pid process

1552 54f253b1d6ff9624c28ef96253e1bb6e7f4a5e6285a5282c4648e2f242bbc5b8.exe

pid	pid_target	process	target process
556	1552	WerFault.exe	54f253b1d6ff9624c28ef96253e1bb6e7f4a5e6285a5282c4648e2f242bbc5b8.exe

pid	process
1552	54f253b1d6ff9624c28ef96253e1bb6e7f4a5e6285a5282c4648e2f242bbc5b8.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

54f253b1d6ff9624c28ef96253e1bb6e7f4a5e6285a5282c4648e2f242bbc5b8.exe54f253b1d6ff9624c28ef96253e1bb6e7f4a5e6285a5282c4648e2f242bbc5b8.exe

description	pid	process	target process
PID 856 wrote to memory of 1552	856	54f253b1d6ff9624c28ef96253e1bb6e7f4a5e6285a5282c4648e2f242bbc5b8.exe	54f253b1d6ff9624c28ef96253e1bb6e7f4a5e6285a5282c4648e2f242bbc5b8.exe
PID 856 wrote to memory of 1552	856	54f253b1d6ff9624c28ef96253e1bb6e7f4a5e6285a5282c4648e2f242bbc5b8.exe	54f253b1d6ff9624c28ef96253e1bb6e7f4a5e6285a5282c4648e2f242bbc5b8.exe
PID 856 wrote to memory of 1552	856	54f253b1d6ff9624c28ef96253e1bb6e7f4a5e6285a5282c4648e2f242bbc5b8.exe	54f253b1d6ff9624c28ef96253e1bb6e7f4a5e6285a5282c4648e2f242bbc5b8.exe
PID 856 wrote to memory of 1552	856	54f253b1d6ff9624c28ef96253e1bb6e7f4a5e6285a5282c4648e2f242bbc5b8.exe	54f253b1d6ff9624c28ef96253e1bb6e7f4a5e6285a5282c4648e2f242bbc5b8.exe
PID 1552 wrote to memory of 556	1552	54f253b1d6ff9624c28ef96253e1bb6e7f4a5e6285a5282c4648e2f242bbc5b8.exe	WerFault.exe
PID 1552 wrote to memory of 556	1552	54f253b1d6ff9624c28ef96253e1bb6e7f4a5e6285a5282c4648e2f242bbc5b8.exe	WerFault.exe
PID 1552 wrote to memory of 556	1552	54f253b1d6ff9624c28ef96253e1bb6e7f4a5e6285a5282c4648e2f242bbc5b8.exe	WerFault.exe
PID 1552 wrote to memory of 556	1552	54f253b1d6ff9624c28ef96253e1bb6e7f4a5e6285a5282c4648e2f242bbc5b8.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\54f253b1d6ff9624c28ef96253e1bb6e7f4a5e6285a5282c4648e2f242bbc5b8.exe
"C:\Users\Admin\AppData\Local\Temp\54f253b1d6ff9624c28ef96253e1bb6e7f4a5e6285a5282c4648e2f242bbc5b8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:856
- C:\Users\Admin\AppData\Local\Temp\54f253b1d6ff9624c28ef96253e1bb6e7f4a5e6285a5282c4648e2f242bbc5b8.exe
  --b2258006
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 60
    3⤵
    - Program crash
    PID:556