emotet | 017a38c8b1ea67cc72ade902f1c5551a785f5c5a1f515fb43b5e7d2109225cb5

General

Target

017a38c8b1ea67cc72ade902f1c5551a785f5c5a1f515fb43b5e7d2109225cb5.exe
Size

148KB
MD5

7893d57cd60b412ef68220ce395f9a59
SHA1

a20fd845d6569d26ffcbc4a1c9c9aae51f7ffb85
SHA256

017a38c8b1ea67cc72ade902f1c5551a785f5c5a1f515fb43b5e7d2109225cb5
SHA512

14fd790842e5cc420bba09bf08fe0732b1c0d145b696515f3e43535f55f8ff3aa49a3ce7d04af245a62b8d2e023f3ea2a4a04a997f3eafec3386b4f861249a61

Score

10^/10

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2068	017a38c8b1ea67cc72ade902f1c5551a785f5c5a1f515fb43b5e7d2109225cb5.exe
2068	017a38c8b1ea67cc72ade902f1c5551a785f5c5a1f515fb43b5e7d2109225cb5.exe
2828	017a38c8b1ea67cc72ade902f1c5551a785f5c5a1f515fb43b5e7d2109225cb5.exe
2828	017a38c8b1ea67cc72ade902f1c5551a785f5c5a1f515fb43b5e7d2109225cb5.exe
4144	colorerpwd.exe
4144	colorerpwd.exe
3200	colorerpwd.exe
3200	colorerpwd.exe
3200	colorerpwd.exe
3200	colorerpwd.exe
3200	colorerpwd.exe
3200	colorerpwd.exe
3200	colorerpwd.exe
3200	colorerpwd.exe
3200	colorerpwd.exe
3200	colorerpwd.exe
3200	colorerpwd.exe
3200	colorerpwd.exe
3200	colorerpwd.exe
3200	colorerpwd.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2828	017a38c8b1ea67cc72ade902f1c5551a785f5c5a1f515fb43b5e7d2109225cb5.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 2828	2068	017a38c8b1ea67cc72ade902f1c5551a785f5c5a1f515fb43b5e7d2109225cb5.exe	25
PID 2068 wrote to memory of 2828	2068	017a38c8b1ea67cc72ade902f1c5551a785f5c5a1f515fb43b5e7d2109225cb5.exe	25
PID 2068 wrote to memory of 2828	2068	017a38c8b1ea67cc72ade902f1c5551a785f5c5a1f515fb43b5e7d2109225cb5.exe	25
PID 4144 wrote to memory of 3200	4144	colorerpwd.exe	80
PID 4144 wrote to memory of 3200	4144	colorerpwd.exe	80
PID 4144 wrote to memory of 3200	4144	colorerpwd.exe	80

C:\Windows\SysWOW64\colorerpwd.exe
"C:\Windows\SysWOW64\colorerpwd.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4144
- C:\Windows\SysWOW64\colorerpwd.exe
  "C:\Windows\SysWOW64\colorerpwd.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3200

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/2068-139-0x0000000002050000-0x0000000002069000-memory.dmp

Filesize
100KB

Download
memory/2068-130-0x0000000002140000-0x0000000002159000-memory.dmp

Filesize
100KB

Download
memory/2068-140-0x0000000002160000-0x0000000002178000-memory.dmp

Filesize
96KB

Download
memory/2828-141-0x0000000000590000-0x00000000005A9000-memory.dmp

Filesize
100KB

Download
memory/2828-142-0x0000000002140000-0x0000000002158000-memory.dmp

Filesize
96KB

Download
memory/2828-135-0x0000000002120000-0x0000000002139000-memory.dmp

Filesize
100KB

Download
memory/3200-148-0x0000000000E00000-0x0000000000E19000-memory.dmp

Filesize
100KB

Download
memory/3200-154-0x0000000000DE0000-0x0000000000DF9000-memory.dmp

Filesize
100KB

Download
memory/3200-155-0x0000000000E20000-0x0000000000E38000-memory.dmp

Filesize
96KB

Download
memory/4144-143-0x0000000000F30000-0x0000000000F49000-memory.dmp

Filesize
100KB

Download
memory/4144-153-0x0000000000F50000-0x0000000000F68000-memory.dmp

Filesize
96KB

Download
memory/4144-152-0x00000000007E0000-0x00000000007F9000-memory.dmp

Filesize
100KB

Download