emotet | 10339b0cc22729340f8e538735d29b8839fe325bb8d4f70a33026765dd7f71b2

General

Target

10339b0cc22729340f8e538735d29b8839fe325bb8d4f70a33026765dd7f71b2.exe
Size

448KB
MD5

d984329d7732da39de1085ac9cdcb428
SHA1

ce1fe98f8e01e9e721b8af936aac9f315ffd7ba4
SHA256

10339b0cc22729340f8e538735d29b8839fe325bb8d4f70a33026765dd7f71b2
SHA512

1d3e167d6f1f9e201251ecfd5a649bcb438db26fb2f53495264ae04744838aba8c0293898e7867e9c9e12f46915c0de80b11146b8e68c4e7ffdd9ce4815d8b0f

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3320	10339b0cc22729340f8e538735d29b8839fe325bb8d4f70a33026765dd7f71b2.exe
3320	10339b0cc22729340f8e538735d29b8839fe325bb8d4f70a33026765dd7f71b2.exe
4964	10339b0cc22729340f8e538735d29b8839fe325bb8d4f70a33026765dd7f71b2.exe
4964	10339b0cc22729340f8e538735d29b8839fe325bb8d4f70a33026765dd7f71b2.exe
4156	componusbccid.exe
4156	componusbccid.exe
4436	componusbccid.exe
4436	componusbccid.exe
4436	componusbccid.exe
4436	componusbccid.exe
4436	componusbccid.exe
4436	componusbccid.exe
4436	componusbccid.exe
4436	componusbccid.exe
4436	componusbccid.exe
4436	componusbccid.exe
4436	componusbccid.exe
4436	componusbccid.exe
4436	componusbccid.exe
4436	componusbccid.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4964	10339b0cc22729340f8e538735d29b8839fe325bb8d4f70a33026765dd7f71b2.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3320 wrote to memory of 4964	3320	10339b0cc22729340f8e538735d29b8839fe325bb8d4f70a33026765dd7f71b2.exe	81
PID 3320 wrote to memory of 4964	3320	10339b0cc22729340f8e538735d29b8839fe325bb8d4f70a33026765dd7f71b2.exe	81
PID 3320 wrote to memory of 4964	3320	10339b0cc22729340f8e538735d29b8839fe325bb8d4f70a33026765dd7f71b2.exe	81
PID 4156 wrote to memory of 4436	4156	componusbccid.exe	85
PID 4156 wrote to memory of 4436	4156	componusbccid.exe	85
PID 4156 wrote to memory of 4436	4156	componusbccid.exe	85

C:\Users\Admin\AppData\Local\Temp\10339b0cc22729340f8e538735d29b8839fe325bb8d4f70a33026765dd7f71b2.exe
"C:\Users\Admin\AppData\Local\Temp\10339b0cc22729340f8e538735d29b8839fe325bb8d4f70a33026765dd7f71b2.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3320
- C:\Users\Admin\AppData\Local\Temp\10339b0cc22729340f8e538735d29b8839fe325bb8d4f70a33026765dd7f71b2.exe
  "C:\Users\Admin\AppData\Local\Temp\10339b0cc22729340f8e538735d29b8839fe325bb8d4f70a33026765dd7f71b2.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  PID:4964

C:\Windows\SysWOW64\componusbccid.exe
"C:\Windows\SysWOW64\componusbccid.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4156
- C:\Windows\SysWOW64\componusbccid.exe
  "C:\Windows\SysWOW64\componusbccid.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4436

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3320-141-0x0000000000640000-0x0000000000659000-memory.dmp

Filesize
100KB

Download
memory/3320-134-0x0000000000660000-0x0000000000679000-memory.dmp

Filesize
100KB

Download
memory/3320-130-0x0000000000660000-0x0000000000679000-memory.dmp

Filesize
100KB

Download
memory/3320-142-0x0000000000600000-0x0000000000610000-memory.dmp

Filesize
64KB

Download
memory/4156-146-0x0000000000D70000-0x0000000000D89000-memory.dmp

Filesize
100KB

Download
memory/4156-150-0x0000000000D70000-0x0000000000D89000-memory.dmp

Filesize
100KB

Download
memory/4156-158-0x0000000000D90000-0x0000000000DA0000-memory.dmp

Filesize
64KB

Download
memory/4156-157-0x0000000000D50000-0x0000000000D69000-memory.dmp

Filesize
100KB

Download
memory/4436-160-0x0000000000560000-0x0000000000570000-memory.dmp

Filesize
64KB

Download
memory/4436-152-0x0000000000540000-0x0000000000559000-memory.dmp

Filesize
100KB

Download
memory/4436-156-0x0000000000540000-0x0000000000559000-memory.dmp

Filesize
100KB

Download
memory/4436-159-0x0000000000510000-0x0000000000529000-memory.dmp

Filesize
100KB

Download
memory/4436-162-0x0000000000510000-0x0000000000529000-memory.dmp

Filesize
100KB

Download
memory/4964-145-0x00000000021D0000-0x00000000021E9000-memory.dmp

Filesize
100KB

Download
memory/4964-144-0x0000000002210000-0x0000000002220000-memory.dmp

Filesize
64KB

Download
memory/4964-143-0x00000000021D0000-0x00000000021E9000-memory.dmp

Filesize
100KB

Download
memory/4964-136-0x00000000021F0000-0x0000000002209000-memory.dmp

Filesize
100KB

Download
memory/4964-140-0x00000000021F0000-0x0000000002209000-memory.dmp

Filesize
100KB

Download
memory/4964-161-0x00000000021D0000-0x00000000021E9000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing