emotet | 0d4177b3616d93464ba2f0a20849e9e79e5e190789ea17a74b9c6d787a92561c

General

Target

0d4177b3616d93464ba2f0a20849e9e79e5e190789ea17a74b9c6d787a92561c.exe
Size

148KB
MD5

adce284377cd66d0b73e10e7d01c20c1
SHA1

83f73b3e5add87fda0ea1b1962ab282122118687
SHA256

0d4177b3616d93464ba2f0a20849e9e79e5e190789ea17a74b9c6d787a92561c
SHA512

375af3e19e4a54f27343781207347248afff18bbfd52fe93e3f2666e88e5aca931f8e64d71d7e91136e32bd4769046b62379b4cebaee8598a2e3d14dca196d0f

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

0d4177b3616d93464ba2f0a20849e9e79e5e190789ea17a74b9c6d787a92561c.exe0d4177b3616d93464ba2f0a20849e9e79e5e190789ea17a74b9c6d787a92561c.exelimedefine.exelimedefine.exe

pid	process
2176	0d4177b3616d93464ba2f0a20849e9e79e5e190789ea17a74b9c6d787a92561c.exe
2176	0d4177b3616d93464ba2f0a20849e9e79e5e190789ea17a74b9c6d787a92561c.exe
2116	0d4177b3616d93464ba2f0a20849e9e79e5e190789ea17a74b9c6d787a92561c.exe
2116	0d4177b3616d93464ba2f0a20849e9e79e5e190789ea17a74b9c6d787a92561c.exe
4288	limedefine.exe
4288	limedefine.exe
4312	limedefine.exe
4312	limedefine.exe
4312	limedefine.exe
4312	limedefine.exe
4312	limedefine.exe
4312	limedefine.exe
4312	limedefine.exe
4312	limedefine.exe
4312	limedefine.exe
4312	limedefine.exe
4312	limedefine.exe
4312	limedefine.exe
4312	limedefine.exe
4312	limedefine.exe
4312	limedefine.exe
4312	limedefine.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

0d4177b3616d93464ba2f0a20849e9e79e5e190789ea17a74b9c6d787a92561c.exe

pid process

2116 0d4177b3616d93464ba2f0a20849e9e79e5e190789ea17a74b9c6d787a92561c.exe

pid	process
2116	0d4177b3616d93464ba2f0a20849e9e79e5e190789ea17a74b9c6d787a92561c.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

0d4177b3616d93464ba2f0a20849e9e79e5e190789ea17a74b9c6d787a92561c.exelimedefine.exe

description	pid	process	target process
PID 2176 wrote to memory of 2116	2176	0d4177b3616d93464ba2f0a20849e9e79e5e190789ea17a74b9c6d787a92561c.exe	0d4177b3616d93464ba2f0a20849e9e79e5e190789ea17a74b9c6d787a92561c.exe
PID 2176 wrote to memory of 2116	2176	0d4177b3616d93464ba2f0a20849e9e79e5e190789ea17a74b9c6d787a92561c.exe	0d4177b3616d93464ba2f0a20849e9e79e5e190789ea17a74b9c6d787a92561c.exe
PID 2176 wrote to memory of 2116	2176	0d4177b3616d93464ba2f0a20849e9e79e5e190789ea17a74b9c6d787a92561c.exe	0d4177b3616d93464ba2f0a20849e9e79e5e190789ea17a74b9c6d787a92561c.exe
PID 4288 wrote to memory of 4312	4288	limedefine.exe	limedefine.exe
PID 4288 wrote to memory of 4312	4288	limedefine.exe	limedefine.exe
PID 4288 wrote to memory of 4312	4288	limedefine.exe	limedefine.exe

C:\Users\Admin\AppData\Local\Temp\0d4177b3616d93464ba2f0a20849e9e79e5e190789ea17a74b9c6d787a92561c.exe
"C:\Users\Admin\AppData\Local\Temp\0d4177b3616d93464ba2f0a20849e9e79e5e190789ea17a74b9c6d787a92561c.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2176

C:\Users\Admin\AppData\Local\Temp\0d4177b3616d93464ba2f0a20849e9e79e5e190789ea17a74b9c6d787a92561c.exe
"C:\Users\Admin\AppData\Local\Temp\0d4177b3616d93464ba2f0a20849e9e79e5e190789ea17a74b9c6d787a92561c.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
PID:2116

C:\Windows\SysWOW64\limedefine.exe
"C:\Windows\SysWOW64\limedefine.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4288

C:\Windows\SysWOW64\limedefine.exe
"C:\Windows\SysWOW64\limedefine.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4312

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2116-141-0x0000000000710000-0x000000000072A000-memory.dmp

Filesize
104KB

Download
memory/2116-134-0x0000000000000000-mapping.dmp

Download
memory/2116-135-0x0000000000730000-0x000000000074A000-memory.dmp

Filesize
104KB

Download
memory/2116-154-0x0000000000710000-0x000000000072A000-memory.dmp

Filesize
104KB

Download
memory/2116-142-0x0000000000C60000-0x0000000000C78000-memory.dmp

Filesize
96KB

Download
memory/2176-140-0x0000000000D90000-0x0000000000DA8000-memory.dmp

Filesize
96KB

Download
memory/2176-130-0x0000000000D70000-0x0000000000D8A000-memory.dmp

Filesize
104KB

Download
memory/2176-139-0x0000000000D50000-0x0000000000D6A000-memory.dmp

Filesize
104KB

Download
memory/4288-143-0x00000000019C0000-0x00000000019DA000-memory.dmp

Filesize
104KB

Download
memory/4288-152-0x00000000019A0000-0x00000000019BA000-memory.dmp

Filesize
104KB

Download
memory/4288-153-0x00000000019E0000-0x00000000019F8000-memory.dmp

Filesize
96KB

Download
memory/4312-147-0x0000000000000000-mapping.dmp

Download
memory/4312-148-0x0000000000C70000-0x0000000000C8A000-memory.dmp

Filesize
104KB

Download
memory/4312-155-0x0000000000C50000-0x0000000000C6A000-memory.dmp

Filesize
104KB

Download
memory/4312-156-0x0000000001440000-0x0000000001458000-memory.dmp

Filesize
96KB

Download
memory/4312-157-0x0000000000C50000-0x0000000000C6A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing