emotet | 454aa330584eb807419c9b81f9bf0093cf661f7ef717c26ca7f0302ab8e0e8c8

General

Target

454aa330584eb807419c9b81f9bf0093cf661f7ef717c26ca7f0302ab8e0e8c8.exe
Size

277KB
MD5

e8daf8e5cfcc28c69e31eb389c9ccc26
SHA1

57ecda50d08933d4a5e8ad4c41fcc4a4c7f27e54
SHA256

454aa330584eb807419c9b81f9bf0093cf661f7ef717c26ca7f0302ab8e0e8c8
SHA512

0da1da0fd88c761339308b6737d67fbc48e283667333f6082ff9d223a01f82362749c8ce5de52e70456bb17d65ae1dc4ea4d3bb5392416ffe4957bab76ab9cc4

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

454aa330584eb807419c9b81f9bf0093cf661f7ef717c26ca7f0302ab8e0e8c8.exe454aa330584eb807419c9b81f9bf0093cf661f7ef717c26ca7f0302ab8e0e8c8.exexinputduplex.exexinputduplex.exe

pid	process
2068	454aa330584eb807419c9b81f9bf0093cf661f7ef717c26ca7f0302ab8e0e8c8.exe
2068	454aa330584eb807419c9b81f9bf0093cf661f7ef717c26ca7f0302ab8e0e8c8.exe
2500	454aa330584eb807419c9b81f9bf0093cf661f7ef717c26ca7f0302ab8e0e8c8.exe
2500	454aa330584eb807419c9b81f9bf0093cf661f7ef717c26ca7f0302ab8e0e8c8.exe
4552	xinputduplex.exe
4552	xinputduplex.exe
844	xinputduplex.exe
844	xinputduplex.exe
844	xinputduplex.exe
844	xinputduplex.exe
844	xinputduplex.exe
844	xinputduplex.exe
844	xinputduplex.exe
844	xinputduplex.exe
844	xinputduplex.exe
844	xinputduplex.exe
844	xinputduplex.exe
844	xinputduplex.exe
844	xinputduplex.exe
844	xinputduplex.exe
844	xinputduplex.exe
844	xinputduplex.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

454aa330584eb807419c9b81f9bf0093cf661f7ef717c26ca7f0302ab8e0e8c8.exe

pid process

2500 454aa330584eb807419c9b81f9bf0093cf661f7ef717c26ca7f0302ab8e0e8c8.exe

pid	process
2500	454aa330584eb807419c9b81f9bf0093cf661f7ef717c26ca7f0302ab8e0e8c8.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

454aa330584eb807419c9b81f9bf0093cf661f7ef717c26ca7f0302ab8e0e8c8.exexinputduplex.exe

description	pid	process	target process
PID 2068 wrote to memory of 2500	2068	454aa330584eb807419c9b81f9bf0093cf661f7ef717c26ca7f0302ab8e0e8c8.exe	454aa330584eb807419c9b81f9bf0093cf661f7ef717c26ca7f0302ab8e0e8c8.exe
PID 2068 wrote to memory of 2500	2068	454aa330584eb807419c9b81f9bf0093cf661f7ef717c26ca7f0302ab8e0e8c8.exe	454aa330584eb807419c9b81f9bf0093cf661f7ef717c26ca7f0302ab8e0e8c8.exe
PID 2068 wrote to memory of 2500	2068	454aa330584eb807419c9b81f9bf0093cf661f7ef717c26ca7f0302ab8e0e8c8.exe	454aa330584eb807419c9b81f9bf0093cf661f7ef717c26ca7f0302ab8e0e8c8.exe
PID 4552 wrote to memory of 844	4552	xinputduplex.exe	xinputduplex.exe
PID 4552 wrote to memory of 844	4552	xinputduplex.exe	xinputduplex.exe
PID 4552 wrote to memory of 844	4552	xinputduplex.exe	xinputduplex.exe

C:\Users\Admin\AppData\Local\Temp\454aa330584eb807419c9b81f9bf0093cf661f7ef717c26ca7f0302ab8e0e8c8.exe
"C:\Users\Admin\AppData\Local\Temp\454aa330584eb807419c9b81f9bf0093cf661f7ef717c26ca7f0302ab8e0e8c8.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2068

C:\Users\Admin\AppData\Local\Temp\454aa330584eb807419c9b81f9bf0093cf661f7ef717c26ca7f0302ab8e0e8c8.exe
"C:\Users\Admin\AppData\Local\Temp\454aa330584eb807419c9b81f9bf0093cf661f7ef717c26ca7f0302ab8e0e8c8.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
PID:2500

C:\Windows\SysWOW64\xinputduplex.exe
"C:\Windows\SysWOW64\xinputduplex.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4552

C:\Windows\SysWOW64\xinputduplex.exe
"C:\Windows\SysWOW64\xinputduplex.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/844-161-0x0000000001DB0000-0x0000000001DC0000-memory.dmp

Filesize
64KB

Download
memory/844-160-0x0000000001C60000-0x0000000001C77000-memory.dmp

Filesize
92KB

Download
memory/844-156-0x0000000001D90000-0x0000000001DA7000-memory.dmp

Filesize
92KB

Download
memory/844-152-0x0000000001D90000-0x0000000001DA7000-memory.dmp

Filesize
92KB

Download
memory/844-151-0x0000000000000000-mapping.dmp

Download
memory/2068-139-0x0000000000CA0000-0x0000000000CB0000-memory.dmp

Filesize
64KB

Download
memory/2068-130-0x0000000000C80000-0x0000000000C97000-memory.dmp

Filesize
92KB

Download
memory/2068-136-0x0000000000C50000-0x0000000000C67000-memory.dmp

Filesize
92KB

Download
memory/2068-134-0x0000000000C80000-0x0000000000C97000-memory.dmp

Filesize
92KB

Download
memory/2500-141-0x0000000000FC0000-0x0000000000FD7000-memory.dmp

Filesize
92KB

Download
memory/2500-143-0x00000000012D0000-0x00000000012E7000-memory.dmp

Filesize
92KB

Download
memory/2500-144-0x0000000000FF0000-0x0000000001000000-memory.dmp

Filesize
64KB

Download
memory/2500-145-0x0000000000FC0000-0x0000000000FD7000-memory.dmp

Filesize
92KB

Download
memory/2500-137-0x00000000012D0000-0x00000000012E7000-memory.dmp

Filesize
92KB

Download
memory/2500-159-0x0000000000FC0000-0x0000000000FD7000-memory.dmp

Filesize
92KB

Download
memory/2500-135-0x0000000000000000-mapping.dmp

Download
memory/4552-146-0x0000000000FA0000-0x0000000000FB7000-memory.dmp

Filesize
92KB

Download
memory/4552-158-0x0000000000FC0000-0x0000000000FD0000-memory.dmp

Filesize
64KB

Download
memory/4552-157-0x0000000000E70000-0x0000000000E87000-memory.dmp

Filesize
92KB

Download
memory/4552-150-0x0000000000FA0000-0x0000000000FB7000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing