emotet | 151cdb9a2bb9dea69dddce861966ad521df75afe5a93a7992d90a64cac35d0a5

General

Target

151cdb9a2bb9dea69dddce861966ad521df75afe5a93a7992d90a64cac35d0a5.exe
Size

286KB
MD5

f201ccf75b52afa7295b6c662092f451
SHA1

eae01e6b635b96eb094ae64af49b6cac4c7656a5
SHA256

151cdb9a2bb9dea69dddce861966ad521df75afe5a93a7992d90a64cac35d0a5
SHA512

8ade91f3731fd8fe35586be58f706c00ef9844f733fbe1cbf8a16e87d48a4a585453d6dcae2c57571f0ded91ebc838cf870e936db7e08997c15792ee96d32353

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3400	151cdb9a2bb9dea69dddce861966ad521df75afe5a93a7992d90a64cac35d0a5.exe
3400	151cdb9a2bb9dea69dddce861966ad521df75afe5a93a7992d90a64cac35d0a5.exe
4916	151cdb9a2bb9dea69dddce861966ad521df75afe5a93a7992d90a64cac35d0a5.exe
4916	151cdb9a2bb9dea69dddce861966ad521df75afe5a93a7992d90a64cac35d0a5.exe
4592	vsixplugins.exe
4592	vsixplugins.exe
4316	vsixplugins.exe
4316	vsixplugins.exe
4316	vsixplugins.exe
4316	vsixplugins.exe
4316	vsixplugins.exe
4316	vsixplugins.exe
4316	vsixplugins.exe
4316	vsixplugins.exe
4316	vsixplugins.exe
4316	vsixplugins.exe
4316	vsixplugins.exe
4316	vsixplugins.exe
4316	vsixplugins.exe
4316	vsixplugins.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4916	151cdb9a2bb9dea69dddce861966ad521df75afe5a93a7992d90a64cac35d0a5.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3400 wrote to memory of 4916	3400	151cdb9a2bb9dea69dddce861966ad521df75afe5a93a7992d90a64cac35d0a5.exe	79
PID 3400 wrote to memory of 4916	3400	151cdb9a2bb9dea69dddce861966ad521df75afe5a93a7992d90a64cac35d0a5.exe	79
PID 3400 wrote to memory of 4916	3400	151cdb9a2bb9dea69dddce861966ad521df75afe5a93a7992d90a64cac35d0a5.exe	79
PID 4592 wrote to memory of 4316	4592	vsixplugins.exe	83
PID 4592 wrote to memory of 4316	4592	vsixplugins.exe	83
PID 4592 wrote to memory of 4316	4592	vsixplugins.exe	83

C:\Users\Admin\AppData\Local\Temp\151cdb9a2bb9dea69dddce861966ad521df75afe5a93a7992d90a64cac35d0a5.exe
"C:\Users\Admin\AppData\Local\Temp\151cdb9a2bb9dea69dddce861966ad521df75afe5a93a7992d90a64cac35d0a5.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3400
- C:\Users\Admin\AppData\Local\Temp\151cdb9a2bb9dea69dddce861966ad521df75afe5a93a7992d90a64cac35d0a5.exe
  "C:\Users\Admin\AppData\Local\Temp\151cdb9a2bb9dea69dddce861966ad521df75afe5a93a7992d90a64cac35d0a5.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  PID:4916

C:\Windows\SysWOW64\vsixplugins.exe
"C:\Windows\SysWOW64\vsixplugins.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4592
- C:\Windows\SysWOW64\vsixplugins.exe
  "C:\Windows\SysWOW64\vsixplugins.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3400-130-0x00000000013F0000-0x0000000001407000-memory.dmp

Filesize
92KB

Download
memory/3400-131-0x0000000002FC0000-0x0000000002FD7000-memory.dmp

Filesize
92KB

Download
memory/3400-135-0x0000000002FC0000-0x0000000002FD7000-memory.dmp

Filesize
92KB

Download
memory/3400-136-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

Filesize
64KB

Download
memory/3400-143-0x00000000013F0000-0x0000000001407000-memory.dmp

Filesize
92KB

Download
memory/4316-161-0x00000000009B0000-0x00000000009C0000-memory.dmp

Filesize
64KB

Download
memory/4316-157-0x0000000000990000-0x00000000009A7000-memory.dmp

Filesize
92KB

Download
memory/4316-163-0x0000000000970000-0x0000000000987000-memory.dmp

Filesize
92KB

Download
memory/4316-160-0x0000000000970000-0x0000000000987000-memory.dmp

Filesize
92KB

Download
memory/4316-153-0x0000000000990000-0x00000000009A7000-memory.dmp

Filesize
92KB

Download
memory/4592-159-0x0000000000E60000-0x0000000000E70000-memory.dmp

Filesize
64KB

Download
memory/4592-158-0x0000000000E10000-0x0000000000E27000-memory.dmp

Filesize
92KB

Download
memory/4592-147-0x0000000000E40000-0x0000000000E57000-memory.dmp

Filesize
92KB

Download
memory/4592-151-0x0000000000E40000-0x0000000000E57000-memory.dmp

Filesize
92KB

Download
memory/4916-138-0x0000000002580000-0x0000000002597000-memory.dmp

Filesize
92KB

Download
memory/4916-146-0x00000000008E0000-0x00000000008F7000-memory.dmp

Filesize
92KB

Download
memory/4916-145-0x00000000025A0000-0x00000000025B0000-memory.dmp

Filesize
64KB

Download
memory/4916-144-0x00000000008E0000-0x00000000008F7000-memory.dmp

Filesize
92KB

Download
memory/4916-142-0x0000000002580000-0x0000000002597000-memory.dmp

Filesize
92KB

Download
memory/4916-162-0x00000000008E0000-0x00000000008F7000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing