emotet | 181e680869610b198f54c9a238ddf0f43847c9f2376cd22c3bb0c4dfd73d9f92

General

Target

181e680869610b198f54c9a238ddf0f43847c9f2376cd22c3bb0c4dfd73d9f92.exe
Size

392KB
MD5

2786dfd0ed97686709bc57c8ad423e75
SHA1

a87120c4082f3bf46ac4a924e2479d2a317f43d4
SHA256

181e680869610b198f54c9a238ddf0f43847c9f2376cd22c3bb0c4dfd73d9f92
SHA512

b60e29ea0429700478447104b84ed3aeefe38ddb7914a354c18197eef502dd4fff2a308fe42d13c46c975f48c21d065879a205d6acfcf9cbdea13207d0d71833

Score

10^/10

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: RenamesItself 1 IoCs

Processes:

181e680869610b198f54c9a238ddf0f43847c9f2376cd22c3bb0c4dfd73d9f92.exe

pid process

1680 181e680869610b198f54c9a238ddf0f43847c9f2376cd22c3bb0c4dfd73d9f92.exe

pid	process
1680	181e680869610b198f54c9a238ddf0f43847c9f2376cd22c3bb0c4dfd73d9f92.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

181e680869610b198f54c9a238ddf0f43847c9f2376cd22c3bb0c4dfd73d9f92.exeredistrelated.exe

description	pid	process	target process
PID 1276 wrote to memory of 1680	1276	181e680869610b198f54c9a238ddf0f43847c9f2376cd22c3bb0c4dfd73d9f92.exe	181e680869610b198f54c9a238ddf0f43847c9f2376cd22c3bb0c4dfd73d9f92.exe
PID 1276 wrote to memory of 1680	1276	181e680869610b198f54c9a238ddf0f43847c9f2376cd22c3bb0c4dfd73d9f92.exe	181e680869610b198f54c9a238ddf0f43847c9f2376cd22c3bb0c4dfd73d9f92.exe
PID 1276 wrote to memory of 1680	1276	181e680869610b198f54c9a238ddf0f43847c9f2376cd22c3bb0c4dfd73d9f92.exe	181e680869610b198f54c9a238ddf0f43847c9f2376cd22c3bb0c4dfd73d9f92.exe
PID 1276 wrote to memory of 1680	1276	181e680869610b198f54c9a238ddf0f43847c9f2376cd22c3bb0c4dfd73d9f92.exe	181e680869610b198f54c9a238ddf0f43847c9f2376cd22c3bb0c4dfd73d9f92.exe
PID 2040 wrote to memory of 2036	2040	redistrelated.exe	redistrelated.exe
PID 2040 wrote to memory of 2036	2040	redistrelated.exe	redistrelated.exe
PID 2040 wrote to memory of 2036	2040	redistrelated.exe	redistrelated.exe
PID 2040 wrote to memory of 2036	2040	redistrelated.exe	redistrelated.exe

C:\Users\Admin\AppData\Local\Temp\181e680869610b198f54c9a238ddf0f43847c9f2376cd22c3bb0c4dfd73d9f92.exe
"C:\Users\Admin\AppData\Local\Temp\181e680869610b198f54c9a238ddf0f43847c9f2376cd22c3bb0c4dfd73d9f92.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Users\Admin\AppData\Local\Temp\181e680869610b198f54c9a238ddf0f43847c9f2376cd22c3bb0c4dfd73d9f92.exe
  --2cbd0846
  2⤵
  - Suspicious behavior: RenamesItself
  PID:1680

C:\Windows\SysWOW64\redistrelated.exe
"C:\Windows\SysWOW64\redistrelated.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\SysWOW64\redistrelated.exe
  --378d4888
  2⤵
  PID:2036

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1276-55-0x0000000000BF0000-0x0000000000C57000-memory.dmp

Filesize
412KB

Download
memory/1276-54-0x0000000000BF0000-0x0000000000C04000-memory.dmp

Filesize
80KB

Download
memory/1680-56-0x0000000000000000-mapping.dmp

Download
memory/1680-58-0x0000000000BF0000-0x0000000000C57000-memory.dmp

Filesize
412KB

Download
memory/1680-59-0x0000000076C01000-0x0000000076C03000-memory.dmp

Filesize
8KB

Download
memory/2036-62-0x0000000000000000-mapping.dmp

Download
memory/2036-64-0x0000000000BF0000-0x0000000000C57000-memory.dmp

Filesize
412KB

Download
memory/2040-61-0x0000000000BF0000-0x0000000000C57000-memory.dmp

Filesize
412KB

Download