emotet | d82767751280c173d75b7eac6591bcff4ee4e3e03a683cf6436635a873299daa

General

Target

d82767751280c173d75b7eac6591bcff4ee4e3e03a683cf6436635a873299daa.exe
Size

172KB
MD5

c3d04a3a5520a2f58516c2f0acbd4055
SHA1

f97acd5a5384d81f003d382b5c3a5ac448a9bb62
SHA256

d82767751280c173d75b7eac6591bcff4ee4e3e03a683cf6436635a873299daa
SHA512

fd5bfb01b5f5c6d857620797ed4add60869ee662dcb5aaf721e3ee1a1fee01fcad08fd4b4b2eaa6dc626d6ac0438033f30d5affde3f12b159fdffe4bca5e41fd

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	187.207.114.26

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
3008	d82767751280c173d75b7eac6591bcff4ee4e3e03a683cf6436635a873299daa.exe
3008	d82767751280c173d75b7eac6591bcff4ee4e3e03a683cf6436635a873299daa.exe
3800	d82767751280c173d75b7eac6591bcff4ee4e3e03a683cf6436635a873299daa.exe
3800	d82767751280c173d75b7eac6591bcff4ee4e3e03a683cf6436635a873299daa.exe
3504	metagenzip.exe
3504	metagenzip.exe
4928	metagenzip.exe
4928	metagenzip.exe
4928	metagenzip.exe
4928	metagenzip.exe
4928	metagenzip.exe
4928	metagenzip.exe
4928	metagenzip.exe
4928	metagenzip.exe
4928	metagenzip.exe
4928	metagenzip.exe
4928	metagenzip.exe
4928	metagenzip.exe
4928	metagenzip.exe
4928	metagenzip.exe
4928	metagenzip.exe
4928	metagenzip.exe
4928	metagenzip.exe
4928	metagenzip.exe
4928	metagenzip.exe
4928	metagenzip.exe
4928	metagenzip.exe
4928	metagenzip.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3800	d82767751280c173d75b7eac6591bcff4ee4e3e03a683cf6436635a873299daa.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 3800	3008	d82767751280c173d75b7eac6591bcff4ee4e3e03a683cf6436635a873299daa.exe	82
PID 3008 wrote to memory of 3800	3008	d82767751280c173d75b7eac6591bcff4ee4e3e03a683cf6436635a873299daa.exe	82
PID 3008 wrote to memory of 3800	3008	d82767751280c173d75b7eac6591bcff4ee4e3e03a683cf6436635a873299daa.exe	82
PID 3504 wrote to memory of 4928	3504	metagenzip.exe	87
PID 3504 wrote to memory of 4928	3504	metagenzip.exe	87
PID 3504 wrote to memory of 4928	3504	metagenzip.exe	87

C:\Users\Admin\AppData\Local\Temp\d82767751280c173d75b7eac6591bcff4ee4e3e03a683cf6436635a873299daa.exe
"C:\Users\Admin\AppData\Local\Temp\d82767751280c173d75b7eac6591bcff4ee4e3e03a683cf6436635a873299daa.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Users\Admin\AppData\Local\Temp\d82767751280c173d75b7eac6591bcff4ee4e3e03a683cf6436635a873299daa.exe
  "C:\Users\Admin\AppData\Local\Temp\d82767751280c173d75b7eac6591bcff4ee4e3e03a683cf6436635a873299daa.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  PID:3800

C:\Windows\SysWOW64\metagenzip.exe
"C:\Windows\SysWOW64\metagenzip.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3504
- C:\Windows\SysWOW64\metagenzip.exe
  "C:\Windows\SysWOW64\metagenzip.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3008-130-0x00000000005E0000-0x00000000005FA000-memory.dmp

Filesize
104KB

Download
memory/3008-134-0x00000000005E0000-0x00000000005FA000-memory.dmp

Filesize
104KB

Download
memory/3008-141-0x00000000005C0000-0x00000000005DA000-memory.dmp

Filesize
104KB

Download
memory/3008-142-0x0000000000A70000-0x0000000000A90000-memory.dmp

Filesize
128KB

Download
memory/3504-157-0x00000000006F0000-0x0000000000710000-memory.dmp

Filesize
128KB

Download
memory/3504-156-0x0000000000590000-0x00000000005AA000-memory.dmp

Filesize
104KB

Download
memory/3504-149-0x00000000005B0000-0x00000000005CA000-memory.dmp

Filesize
104KB

Download
memory/3504-145-0x00000000005B0000-0x00000000005CA000-memory.dmp

Filesize
104KB

Download
memory/3800-144-0x00000000008E0000-0x0000000000900000-memory.dmp

Filesize
128KB

Download
memory/3800-143-0x00000000008A0000-0x00000000008BA000-memory.dmp

Filesize
104KB

Download
memory/3800-140-0x00000000008C0000-0x00000000008DA000-memory.dmp

Filesize
104KB

Download
memory/3800-136-0x00000000008C0000-0x00000000008DA000-memory.dmp

Filesize
104KB

Download
memory/4928-151-0x0000000000D30000-0x0000000000D4A000-memory.dmp

Filesize
104KB

Download
memory/4928-155-0x0000000000D30000-0x0000000000D4A000-memory.dmp

Filesize
104KB

Download
memory/4928-158-0x0000000000D10000-0x0000000000D2A000-memory.dmp

Filesize
104KB

Download
memory/4928-159-0x0000000000D50000-0x0000000000D70000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing