emotet | 0d697553cab987c23fa567329b9073d076fa8d573501de634e19ddf474604e81

General

Target

0d697553cab987c23fa567329b9073d076fa8d573501de634e19ddf474604e81.exe
Size

136KB
MD5

8ebac733f4b1605c3c6a0a3d33b736c5
SHA1

39fc6fb560d593971d5c28bb4e34b44b2c928468
SHA256

0d697553cab987c23fa567329b9073d076fa8d573501de634e19ddf474604e81
SHA512

593501b154ae06bd2aeb5217c716039df4accda7bc185c57f3d945de36b036e14b09ebeaaad869acbd3693288df2996b53e2165040558dfa49303fb9ced57d66

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
4496	0d697553cab987c23fa567329b9073d076fa8d573501de634e19ddf474604e81.exe
4496	0d697553cab987c23fa567329b9073d076fa8d573501de634e19ddf474604e81.exe
4220	0d697553cab987c23fa567329b9073d076fa8d573501de634e19ddf474604e81.exe
4220	0d697553cab987c23fa567329b9073d076fa8d573501de634e19ddf474604e81.exe
4500	atalkgdi.exe
4500	atalkgdi.exe
3928	atalkgdi.exe
3928	atalkgdi.exe
3928	atalkgdi.exe
3928	atalkgdi.exe
3928	atalkgdi.exe
3928	atalkgdi.exe
3928	atalkgdi.exe
3928	atalkgdi.exe
3928	atalkgdi.exe
3928	atalkgdi.exe
3928	atalkgdi.exe
3928	atalkgdi.exe
3928	atalkgdi.exe
3928	atalkgdi.exe
3928	atalkgdi.exe
3928	atalkgdi.exe
3928	atalkgdi.exe
3928	atalkgdi.exe
3928	atalkgdi.exe
3928	atalkgdi.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4220	0d697553cab987c23fa567329b9073d076fa8d573501de634e19ddf474604e81.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4496 wrote to memory of 4220	4496	0d697553cab987c23fa567329b9073d076fa8d573501de634e19ddf474604e81.exe	80
PID 4496 wrote to memory of 4220	4496	0d697553cab987c23fa567329b9073d076fa8d573501de634e19ddf474604e81.exe	80
PID 4496 wrote to memory of 4220	4496	0d697553cab987c23fa567329b9073d076fa8d573501de634e19ddf474604e81.exe	80
PID 4500 wrote to memory of 3928	4500	atalkgdi.exe	86
PID 4500 wrote to memory of 3928	4500	atalkgdi.exe	86
PID 4500 wrote to memory of 3928	4500	atalkgdi.exe	86

C:\Users\Admin\AppData\Local\Temp\0d697553cab987c23fa567329b9073d076fa8d573501de634e19ddf474604e81.exe
"C:\Users\Admin\AppData\Local\Temp\0d697553cab987c23fa567329b9073d076fa8d573501de634e19ddf474604e81.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4496
- C:\Users\Admin\AppData\Local\Temp\0d697553cab987c23fa567329b9073d076fa8d573501de634e19ddf474604e81.exe
  "C:\Users\Admin\AppData\Local\Temp\0d697553cab987c23fa567329b9073d076fa8d573501de634e19ddf474604e81.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  PID:4220

C:\Windows\SysWOW64\atalkgdi.exe
"C:\Windows\SysWOW64\atalkgdi.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4500
- C:\Windows\SysWOW64\atalkgdi.exe
  "C:\Windows\SysWOW64\atalkgdi.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3928-161-0x0000000000F60000-0x0000000000F79000-memory.dmp

Filesize
100KB

Download
memory/3928-159-0x0000000000F60000-0x0000000000F79000-memory.dmp

Filesize
100KB

Download
memory/3928-160-0x0000000001080000-0x00000000010A0000-memory.dmp

Filesize
128KB

Download
memory/3928-155-0x0000000000F80000-0x0000000000F99000-memory.dmp

Filesize
100KB

Download
memory/3928-151-0x0000000000F80000-0x0000000000F99000-memory.dmp

Filesize
100KB

Download
memory/4220-140-0x00000000009C0000-0x00000000009D9000-memory.dmp

Filesize
100KB

Download
memory/4220-144-0x00000000009E0000-0x0000000000A00000-memory.dmp

Filesize
128KB

Download
memory/4220-143-0x00000000009A0000-0x00000000009B9000-memory.dmp

Filesize
100KB

Download
memory/4220-158-0x00000000009A0000-0x00000000009B9000-memory.dmp

Filesize
100KB

Download
memory/4220-136-0x00000000009C0000-0x00000000009D9000-memory.dmp

Filesize
100KB

Download
memory/4496-142-0x0000000001400000-0x0000000001420000-memory.dmp

Filesize
128KB

Download
memory/4496-130-0x00000000013E0000-0x00000000013F9000-memory.dmp

Filesize
100KB

Download
memory/4496-141-0x0000000000EF0000-0x0000000000F09000-memory.dmp

Filesize
100KB

Download
memory/4496-134-0x00000000013E0000-0x00000000013F9000-memory.dmp

Filesize
100KB

Download
memory/4500-149-0x0000000000FE0000-0x0000000000FF9000-memory.dmp

Filesize
100KB

Download
memory/4500-157-0x0000000001000000-0x0000000001020000-memory.dmp

Filesize
128KB

Download
memory/4500-156-0x0000000000FC0000-0x0000000000FD9000-memory.dmp

Filesize
100KB

Download
memory/4500-145-0x0000000000FE0000-0x0000000000FF9000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing