emotet | 2ed804b62a00797d5451138a2f0c88fc48c4cbc7da4da7a73414c9ba4e6a12ec

General

Target

2ed804b62a00797d5451138a2f0c88fc48c4cbc7da4da7a73414c9ba4e6a12ec.exe
Size

350KB
MD5

61fd6d472d3c6402c1eb5b6d7c121c06
SHA1

01f1e8eaa2c869f307ce544c486dca031c9f69ef
SHA256

2ed804b62a00797d5451138a2f0c88fc48c4cbc7da4da7a73414c9ba4e6a12ec
SHA512

2121705c36bd049c14ad1c730429edff5fa1f0150bc129cb6eddf0f75871b6d507a580f12ee331626b0bada245e893fb1248ee6e1d1bfeeeb046c72b11214890

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

2ed804b62a00797d5451138a2f0c88fc48c4cbc7da4da7a73414c9ba4e6a12ec.exe2ed804b62a00797d5451138a2f0c88fc48c4cbc7da4da7a73414c9ba4e6a12ec.exeruleemit.exeruleemit.exe

pid	process
2808	2ed804b62a00797d5451138a2f0c88fc48c4cbc7da4da7a73414c9ba4e6a12ec.exe
2808	2ed804b62a00797d5451138a2f0c88fc48c4cbc7da4da7a73414c9ba4e6a12ec.exe
4488	2ed804b62a00797d5451138a2f0c88fc48c4cbc7da4da7a73414c9ba4e6a12ec.exe
4488	2ed804b62a00797d5451138a2f0c88fc48c4cbc7da4da7a73414c9ba4e6a12ec.exe
3648	ruleemit.exe
3648	ruleemit.exe
3548	ruleemit.exe
3548	ruleemit.exe
3548	ruleemit.exe
3548	ruleemit.exe
3548	ruleemit.exe
3548	ruleemit.exe
3548	ruleemit.exe
3548	ruleemit.exe
3548	ruleemit.exe
3548	ruleemit.exe
3548	ruleemit.exe
3548	ruleemit.exe
3548	ruleemit.exe
3548	ruleemit.exe
3548	ruleemit.exe
3548	ruleemit.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

2ed804b62a00797d5451138a2f0c88fc48c4cbc7da4da7a73414c9ba4e6a12ec.exe

pid process

4488 2ed804b62a00797d5451138a2f0c88fc48c4cbc7da4da7a73414c9ba4e6a12ec.exe

pid	process
4488	2ed804b62a00797d5451138a2f0c88fc48c4cbc7da4da7a73414c9ba4e6a12ec.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

2ed804b62a00797d5451138a2f0c88fc48c4cbc7da4da7a73414c9ba4e6a12ec.exeruleemit.exe

description	pid	process	target process
PID 2808 wrote to memory of 4488	2808	2ed804b62a00797d5451138a2f0c88fc48c4cbc7da4da7a73414c9ba4e6a12ec.exe	2ed804b62a00797d5451138a2f0c88fc48c4cbc7da4da7a73414c9ba4e6a12ec.exe
PID 2808 wrote to memory of 4488	2808	2ed804b62a00797d5451138a2f0c88fc48c4cbc7da4da7a73414c9ba4e6a12ec.exe	2ed804b62a00797d5451138a2f0c88fc48c4cbc7da4da7a73414c9ba4e6a12ec.exe
PID 2808 wrote to memory of 4488	2808	2ed804b62a00797d5451138a2f0c88fc48c4cbc7da4da7a73414c9ba4e6a12ec.exe	2ed804b62a00797d5451138a2f0c88fc48c4cbc7da4da7a73414c9ba4e6a12ec.exe
PID 3648 wrote to memory of 3548	3648	ruleemit.exe	ruleemit.exe
PID 3648 wrote to memory of 3548	3648	ruleemit.exe	ruleemit.exe
PID 3648 wrote to memory of 3548	3648	ruleemit.exe	ruleemit.exe

C:\Users\Admin\AppData\Local\Temp\2ed804b62a00797d5451138a2f0c88fc48c4cbc7da4da7a73414c9ba4e6a12ec.exe
"C:\Users\Admin\AppData\Local\Temp\2ed804b62a00797d5451138a2f0c88fc48c4cbc7da4da7a73414c9ba4e6a12ec.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2808

C:\Users\Admin\AppData\Local\Temp\2ed804b62a00797d5451138a2f0c88fc48c4cbc7da4da7a73414c9ba4e6a12ec.exe
"C:\Users\Admin\AppData\Local\Temp\2ed804b62a00797d5451138a2f0c88fc48c4cbc7da4da7a73414c9ba4e6a12ec.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
PID:4488

C:\Windows\SysWOW64\ruleemit.exe
"C:\Windows\SysWOW64\ruleemit.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3648

C:\Windows\SysWOW64\ruleemit.exe
"C:\Windows\SysWOW64\ruleemit.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3548

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2808-130-0x0000000000830000-0x0000000000847000-memory.dmp

Filesize
92KB

Download
memory/2808-134-0x0000000000830000-0x0000000000847000-memory.dmp

Filesize
92KB

Download
memory/2808-141-0x0000000000810000-0x0000000000827000-memory.dmp

Filesize
92KB

Download
memory/2808-142-0x0000000000850000-0x0000000000860000-memory.dmp

Filesize
64KB

Download
memory/3548-162-0x0000000000540000-0x0000000000557000-memory.dmp

Filesize
92KB

Download
memory/3548-161-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3548-160-0x0000000000540000-0x0000000000557000-memory.dmp

Filesize
92KB

Download
memory/3548-156-0x0000000000560000-0x0000000000577000-memory.dmp

Filesize
92KB

Download
memory/3548-152-0x0000000000560000-0x0000000000577000-memory.dmp

Filesize
92KB

Download
memory/3548-151-0x0000000000000000-mapping.dmp

Download
memory/3648-146-0x0000000000960000-0x0000000000977000-memory.dmp

Filesize
92KB

Download
memory/3648-150-0x0000000000960000-0x0000000000977000-memory.dmp

Filesize
92KB

Download
memory/3648-157-0x0000000000940000-0x0000000000957000-memory.dmp

Filesize
92KB

Download
memory/3648-158-0x00000000007A0000-0x00000000007B0000-memory.dmp

Filesize
64KB

Download
memory/4488-145-0x0000000002AF0000-0x0000000002B07000-memory.dmp

Filesize
92KB

Download
memory/4488-143-0x0000000002AF0000-0x0000000002B07000-memory.dmp

Filesize
92KB

Download
memory/4488-144-0x0000000002AD0000-0x0000000002AE0000-memory.dmp

Filesize
64KB

Download
memory/4488-159-0x0000000002AF0000-0x0000000002B07000-memory.dmp

Filesize
92KB

Download
memory/4488-140-0x0000000002B10000-0x0000000002B27000-memory.dmp

Filesize
92KB

Download
memory/4488-136-0x0000000002B10000-0x0000000002B27000-memory.dmp

Filesize
92KB

Download
memory/4488-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing