emotet | 215ad70e2d6fa1c7321bc7f9f84f8a593e2db3345f6f93e2ecb84b31ad566a6b

General

Target

215ad70e2d6fa1c7321bc7f9f84f8a593e2db3345f6f93e2ecb84b31ad566a6b.exe
Size

214KB
MD5

4bde039fefaeaec56e7537af88cb2750
SHA1

1a1e019a459ef6e025d8f92cc450d5b1c722c122
SHA256

215ad70e2d6fa1c7321bc7f9f84f8a593e2db3345f6f93e2ecb84b31ad566a6b
SHA512

fae751731dbc0b0d3327426246af74e4abfdec0104e7a946913643fd4637c3f042efb02890c287168d6e443245bdebe6c54c5377e46bcc92ace518bd29a9b694

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
5060	215ad70e2d6fa1c7321bc7f9f84f8a593e2db3345f6f93e2ecb84b31ad566a6b.exe
5060	215ad70e2d6fa1c7321bc7f9f84f8a593e2db3345f6f93e2ecb84b31ad566a6b.exe
2212	215ad70e2d6fa1c7321bc7f9f84f8a593e2db3345f6f93e2ecb84b31ad566a6b.exe
2212	215ad70e2d6fa1c7321bc7f9f84f8a593e2db3345f6f93e2ecb84b31ad566a6b.exe
2764	mdmmcdtmpl.exe
2764	mdmmcdtmpl.exe
1080	mdmmcdtmpl.exe
1080	mdmmcdtmpl.exe
1080	mdmmcdtmpl.exe
1080	mdmmcdtmpl.exe
1080	mdmmcdtmpl.exe
1080	mdmmcdtmpl.exe
1080	mdmmcdtmpl.exe
1080	mdmmcdtmpl.exe
1080	mdmmcdtmpl.exe
1080	mdmmcdtmpl.exe
1080	mdmmcdtmpl.exe
1080	mdmmcdtmpl.exe
1080	mdmmcdtmpl.exe
1080	mdmmcdtmpl.exe
1080	mdmmcdtmpl.exe
1080	mdmmcdtmpl.exe
1080	mdmmcdtmpl.exe
1080	mdmmcdtmpl.exe
1080	mdmmcdtmpl.exe
1080	mdmmcdtmpl.exe
1080	mdmmcdtmpl.exe
1080	mdmmcdtmpl.exe
1080	mdmmcdtmpl.exe
1080	mdmmcdtmpl.exe
1080	mdmmcdtmpl.exe
1080	mdmmcdtmpl.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2212	215ad70e2d6fa1c7321bc7f9f84f8a593e2db3345f6f93e2ecb84b31ad566a6b.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5060 wrote to memory of 2212	5060	215ad70e2d6fa1c7321bc7f9f84f8a593e2db3345f6f93e2ecb84b31ad566a6b.exe	82
PID 5060 wrote to memory of 2212	5060	215ad70e2d6fa1c7321bc7f9f84f8a593e2db3345f6f93e2ecb84b31ad566a6b.exe	82
PID 5060 wrote to memory of 2212	5060	215ad70e2d6fa1c7321bc7f9f84f8a593e2db3345f6f93e2ecb84b31ad566a6b.exe	82
PID 2764 wrote to memory of 1080	2764	mdmmcdtmpl.exe	88
PID 2764 wrote to memory of 1080	2764	mdmmcdtmpl.exe	88
PID 2764 wrote to memory of 1080	2764	mdmmcdtmpl.exe	88

C:\Users\Admin\AppData\Local\Temp\215ad70e2d6fa1c7321bc7f9f84f8a593e2db3345f6f93e2ecb84b31ad566a6b.exe
"C:\Users\Admin\AppData\Local\Temp\215ad70e2d6fa1c7321bc7f9f84f8a593e2db3345f6f93e2ecb84b31ad566a6b.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Users\Admin\AppData\Local\Temp\215ad70e2d6fa1c7321bc7f9f84f8a593e2db3345f6f93e2ecb84b31ad566a6b.exe
  "C:\Users\Admin\AppData\Local\Temp\215ad70e2d6fa1c7321bc7f9f84f8a593e2db3345f6f93e2ecb84b31ad566a6b.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  PID:2212

C:\Windows\SysWOW64\mdmmcdtmpl.exe
"C:\Windows\SysWOW64\mdmmcdtmpl.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Windows\SysWOW64\mdmmcdtmpl.exe
  "C:\Windows\SysWOW64\mdmmcdtmpl.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1080

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1080-160-0x0000000000840000-0x0000000000850000-memory.dmp

Filesize
64KB

Download
memory/1080-162-0x0000000000700000-0x000000000071A000-memory.dmp

Filesize
104KB

Download
memory/1080-152-0x0000000000820000-0x000000000083A000-memory.dmp

Filesize
104KB

Download
memory/1080-156-0x0000000000820000-0x000000000083A000-memory.dmp

Filesize
104KB

Download
memory/1080-159-0x0000000000700000-0x000000000071A000-memory.dmp

Filesize
104KB

Download
memory/2212-136-0x0000000001540000-0x000000000155A000-memory.dmp

Filesize
104KB

Download
memory/2212-143-0x0000000001520000-0x000000000153A000-memory.dmp

Filesize
104KB

Download
memory/2212-144-0x0000000001400000-0x0000000001410000-memory.dmp

Filesize
64KB

Download
memory/2212-145-0x0000000001520000-0x000000000153A000-memory.dmp

Filesize
104KB

Download
memory/2212-161-0x0000000001520000-0x000000000153A000-memory.dmp

Filesize
104KB

Download
memory/2212-140-0x0000000001540000-0x000000000155A000-memory.dmp

Filesize
104KB

Download
memory/2764-157-0x0000000001310000-0x000000000132A000-memory.dmp

Filesize
104KB

Download
memory/2764-150-0x00000000017D0000-0x00000000017EA000-memory.dmp

Filesize
104KB

Download
memory/2764-158-0x00000000017F0000-0x0000000001800000-memory.dmp

Filesize
64KB

Download
memory/2764-146-0x00000000017D0000-0x00000000017EA000-memory.dmp

Filesize
104KB

Download
memory/5060-130-0x0000000000C20000-0x0000000000C3A000-memory.dmp

Filesize
104KB

Download
memory/5060-142-0x0000000000C40000-0x0000000000C50000-memory.dmp

Filesize
64KB

Download
memory/5060-141-0x0000000000C00000-0x0000000000C1A000-memory.dmp

Filesize
104KB

Download
memory/5060-134-0x0000000000C20000-0x0000000000C3A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing