emotet | 4dd92acabaf20c9749713447692a0f91dc672b960cb7e2fcdc6e018960d90caf

General

Target

4dd92acabaf20c9749713447692a0f91dc672b960cb7e2fcdc6e018960d90caf.exe
Size

211KB
MD5

35e92fe30af505779b26a7b877eb0f70
SHA1

9936ba4740f138abb49f07d282ee18b5997ba648
SHA256

4dd92acabaf20c9749713447692a0f91dc672b960cb7e2fcdc6e018960d90caf
SHA512

a8342cf4bd5f7b1bcc72687df083017672c0421f45d2973f48bafa03f7a07a19e6aef07777b93d41b27f59b738ae12126d0a351b07b8b82ad6bd5d2eb48a5ef9

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

4dd92acabaf20c9749713447692a0f91dc672b960cb7e2fcdc6e018960d90caf.exe4dd92acabaf20c9749713447692a0f91dc672b960cb7e2fcdc6e018960d90caf.exeuuidgensubs.exeuuidgensubs.exe

pid	process
2364	4dd92acabaf20c9749713447692a0f91dc672b960cb7e2fcdc6e018960d90caf.exe
2364	4dd92acabaf20c9749713447692a0f91dc672b960cb7e2fcdc6e018960d90caf.exe
1708	4dd92acabaf20c9749713447692a0f91dc672b960cb7e2fcdc6e018960d90caf.exe
1708	4dd92acabaf20c9749713447692a0f91dc672b960cb7e2fcdc6e018960d90caf.exe
1088	uuidgensubs.exe
1088	uuidgensubs.exe
1104	uuidgensubs.exe
1104	uuidgensubs.exe
1104	uuidgensubs.exe
1104	uuidgensubs.exe
1104	uuidgensubs.exe
1104	uuidgensubs.exe
1104	uuidgensubs.exe
1104	uuidgensubs.exe
1104	uuidgensubs.exe
1104	uuidgensubs.exe
1104	uuidgensubs.exe
1104	uuidgensubs.exe
1104	uuidgensubs.exe
1104	uuidgensubs.exe
1104	uuidgensubs.exe
1104	uuidgensubs.exe
1104	uuidgensubs.exe
1104	uuidgensubs.exe
1104	uuidgensubs.exe
1104	uuidgensubs.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

4dd92acabaf20c9749713447692a0f91dc672b960cb7e2fcdc6e018960d90caf.exe

pid process

1708 4dd92acabaf20c9749713447692a0f91dc672b960cb7e2fcdc6e018960d90caf.exe

pid	process
1708	4dd92acabaf20c9749713447692a0f91dc672b960cb7e2fcdc6e018960d90caf.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

4dd92acabaf20c9749713447692a0f91dc672b960cb7e2fcdc6e018960d90caf.exeuuidgensubs.exe

description	pid	process	target process
PID 2364 wrote to memory of 1708	2364	4dd92acabaf20c9749713447692a0f91dc672b960cb7e2fcdc6e018960d90caf.exe	4dd92acabaf20c9749713447692a0f91dc672b960cb7e2fcdc6e018960d90caf.exe
PID 2364 wrote to memory of 1708	2364	4dd92acabaf20c9749713447692a0f91dc672b960cb7e2fcdc6e018960d90caf.exe	4dd92acabaf20c9749713447692a0f91dc672b960cb7e2fcdc6e018960d90caf.exe
PID 2364 wrote to memory of 1708	2364	4dd92acabaf20c9749713447692a0f91dc672b960cb7e2fcdc6e018960d90caf.exe	4dd92acabaf20c9749713447692a0f91dc672b960cb7e2fcdc6e018960d90caf.exe
PID 1088 wrote to memory of 1104	1088	uuidgensubs.exe	uuidgensubs.exe
PID 1088 wrote to memory of 1104	1088	uuidgensubs.exe	uuidgensubs.exe
PID 1088 wrote to memory of 1104	1088	uuidgensubs.exe	uuidgensubs.exe

C:\Users\Admin\AppData\Local\Temp\4dd92acabaf20c9749713447692a0f91dc672b960cb7e2fcdc6e018960d90caf.exe
"C:\Users\Admin\AppData\Local\Temp\4dd92acabaf20c9749713447692a0f91dc672b960cb7e2fcdc6e018960d90caf.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2364

C:\Users\Admin\AppData\Local\Temp\4dd92acabaf20c9749713447692a0f91dc672b960cb7e2fcdc6e018960d90caf.exe
"C:\Users\Admin\AppData\Local\Temp\4dd92acabaf20c9749713447692a0f91dc672b960cb7e2fcdc6e018960d90caf.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
PID:1708

C:\Windows\SysWOW64\uuidgensubs.exe
"C:\Windows\SysWOW64\uuidgensubs.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\SysWOW64\uuidgensubs.exe
"C:\Windows\SysWOW64\uuidgensubs.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1088-160-0x0000000000EB0000-0x0000000000EC0000-memory.dmp

Filesize
64KB

Download
memory/1088-151-0x0000000000E90000-0x0000000000EAA000-memory.dmp

Filesize
104KB

Download
memory/1088-147-0x0000000000E90000-0x0000000000EAA000-memory.dmp

Filesize
104KB

Download
memory/1088-159-0x0000000000690000-0x0000000000694000-memory.dmp

Filesize
16KB

Download
memory/1088-158-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1104-163-0x00000000005C0000-0x00000000005DA000-memory.dmp

Filesize
104KB

Download
memory/1104-153-0x00000000006F0000-0x000000000070A000-memory.dmp

Filesize
104KB

Download
memory/1104-164-0x0000000000710000-0x0000000000720000-memory.dmp

Filesize
64KB

Download
memory/1104-162-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1104-157-0x00000000006F0000-0x000000000070A000-memory.dmp

Filesize
104KB

Download
memory/1104-165-0x00000000005C0000-0x00000000005DA000-memory.dmp

Filesize
104KB

Download
memory/1104-152-0x0000000000000000-mapping.dmp

Download
memory/1708-138-0x0000000000000000-mapping.dmp

Download
memory/1708-139-0x00000000020B0000-0x00000000020CA000-memory.dmp

Filesize
104KB

Download
memory/1708-145-0x0000000002090000-0x00000000020AA000-memory.dmp

Filesize
104KB

Download
memory/1708-161-0x0000000002090000-0x00000000020AA000-memory.dmp

Filesize
104KB

Download
memory/1708-144-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1708-143-0x00000000020B0000-0x00000000020CA000-memory.dmp

Filesize
104KB

Download
memory/1708-146-0x0000000002040000-0x0000000002050000-memory.dmp

Filesize
64KB

Download
memory/2364-134-0x00000000020A0000-0x00000000020BA000-memory.dmp

Filesize
104KB

Download
memory/2364-137-0x00000000020C0000-0x00000000020D0000-memory.dmp

Filesize
64KB

Download
memory/2364-136-0x0000000002070000-0x000000000208A000-memory.dmp

Filesize
104KB

Download
memory/2364-130-0x00000000020A0000-0x00000000020BA000-memory.dmp

Filesize
104KB

Download
memory/2364-135-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing