emotet | 2a0b41e0efa49625a9922bdb25a1525b271d3c72befcb175e3dffa4b7c0afcf7

General

Target

2a0b41e0efa49625a9922bdb25a1525b271d3c72befcb175e3dffa4b7c0afcf7.exe
Size

348KB
MD5

4d12ca95ea970a75d97c63d920e7a90c
SHA1

9f029bcf682c4ab3101a9acb10dc27ab7bb3ca02
SHA256

2a0b41e0efa49625a9922bdb25a1525b271d3c72befcb175e3dffa4b7c0afcf7
SHA512

94f2de2b01ef0619113e7a0856f3df48263fda985330a0b77a48f4e85ac3c33de05b311aa961a4686a78fead1bcf56574abbfae588e15477da084936a9479128

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2540	2a0b41e0efa49625a9922bdb25a1525b271d3c72befcb175e3dffa4b7c0afcf7.exe
2540	2a0b41e0efa49625a9922bdb25a1525b271d3c72befcb175e3dffa4b7c0afcf7.exe
4488	2a0b41e0efa49625a9922bdb25a1525b271d3c72befcb175e3dffa4b7c0afcf7.exe
4488	2a0b41e0efa49625a9922bdb25a1525b271d3c72befcb175e3dffa4b7c0afcf7.exe
1556	mtpbtecho.exe
1556	mtpbtecho.exe
996	mtpbtecho.exe
996	mtpbtecho.exe
996	mtpbtecho.exe
996	mtpbtecho.exe
996	mtpbtecho.exe
996	mtpbtecho.exe
996	mtpbtecho.exe
996	mtpbtecho.exe
996	mtpbtecho.exe
996	mtpbtecho.exe
996	mtpbtecho.exe
996	mtpbtecho.exe
996	mtpbtecho.exe
996	mtpbtecho.exe
996	mtpbtecho.exe
996	mtpbtecho.exe
996	mtpbtecho.exe
996	mtpbtecho.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4488	2a0b41e0efa49625a9922bdb25a1525b271d3c72befcb175e3dffa4b7c0afcf7.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 4488	2540	2a0b41e0efa49625a9922bdb25a1525b271d3c72befcb175e3dffa4b7c0afcf7.exe	81
PID 2540 wrote to memory of 4488	2540	2a0b41e0efa49625a9922bdb25a1525b271d3c72befcb175e3dffa4b7c0afcf7.exe	81
PID 2540 wrote to memory of 4488	2540	2a0b41e0efa49625a9922bdb25a1525b271d3c72befcb175e3dffa4b7c0afcf7.exe	81
PID 1556 wrote to memory of 996	1556	mtpbtecho.exe	83
PID 1556 wrote to memory of 996	1556	mtpbtecho.exe	83
PID 1556 wrote to memory of 996	1556	mtpbtecho.exe	83

C:\Users\Admin\AppData\Local\Temp\2a0b41e0efa49625a9922bdb25a1525b271d3c72befcb175e3dffa4b7c0afcf7.exe
"C:\Users\Admin\AppData\Local\Temp\2a0b41e0efa49625a9922bdb25a1525b271d3c72befcb175e3dffa4b7c0afcf7.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Users\Admin\AppData\Local\Temp\2a0b41e0efa49625a9922bdb25a1525b271d3c72befcb175e3dffa4b7c0afcf7.exe
  "C:\Users\Admin\AppData\Local\Temp\2a0b41e0efa49625a9922bdb25a1525b271d3c72befcb175e3dffa4b7c0afcf7.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  PID:4488

C:\Windows\SysWOW64\mtpbtecho.exe
"C:\Windows\SysWOW64\mtpbtecho.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1556
- C:\Windows\SysWOW64\mtpbtecho.exe
  "C:\Windows\SysWOW64\mtpbtecho.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/996-161-0x0000000000900000-0x0000000000919000-memory.dmp

Filesize
100KB

Download
memory/996-160-0x0000000000920000-0x0000000000930000-memory.dmp

Filesize
64KB

Download
memory/996-159-0x0000000000900000-0x0000000000919000-memory.dmp

Filesize
100KB

Download
memory/996-155-0x0000000000A40000-0x0000000000A59000-memory.dmp

Filesize
100KB

Download
memory/996-151-0x0000000000A40000-0x0000000000A59000-memory.dmp

Filesize
100KB

Download
memory/1556-157-0x0000000000DA0000-0x0000000000DB0000-memory.dmp

Filesize
64KB

Download
memory/1556-149-0x0000000000D80000-0x0000000000D99000-memory.dmp

Filesize
100KB

Download
memory/1556-156-0x0000000000D60000-0x0000000000D79000-memory.dmp

Filesize
100KB

Download
memory/1556-145-0x0000000000D80000-0x0000000000D99000-memory.dmp

Filesize
100KB

Download
memory/2540-137-0x00000000010B0000-0x00000000010C0000-memory.dmp

Filesize
64KB

Download
memory/2540-130-0x0000000002BD0000-0x0000000002BE9000-memory.dmp

Filesize
100KB

Download
memory/2540-136-0x0000000002BB0000-0x0000000002BC9000-memory.dmp

Filesize
100KB

Download
memory/2540-134-0x0000000002BD0000-0x0000000002BE9000-memory.dmp

Filesize
100KB

Download
memory/4488-142-0x0000000000B30000-0x0000000000B49000-memory.dmp

Filesize
100KB

Download
memory/4488-138-0x0000000000B30000-0x0000000000B49000-memory.dmp

Filesize
100KB

Download
memory/4488-143-0x0000000000B10000-0x0000000000B29000-memory.dmp

Filesize
100KB

Download
memory/4488-144-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/4488-158-0x0000000000B10000-0x0000000000B29000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing