emotet | c22b1dd5348d6fe4afd2c96f07846b5f02a2b3baca520fd4c8da641f2774217f

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
24-07-2022 17:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c22b1dd5348d6fe4afd2c96f07846b5f02a2b3baca520fd4c8da641f2774217f.exe
Size

132KB
MD5

3b9b969e59a65fcc1844c2860c8d9cda
SHA1

6cc639ce11936daa8cfd6038c21d5a1eaada2abc
SHA256

c22b1dd5348d6fe4afd2c96f07846b5f02a2b3baca520fd4c8da641f2774217f
SHA512

c8a84028a3238cc3b37a4ce5bc499837fd283587537a90aa64d3e14ea5782b74eec251569d37ea1e614122eebfa60988fba72816f914030b6d8a6a2c92383a69

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
3476	c22b1dd5348d6fe4afd2c96f07846b5f02a2b3baca520fd4c8da641f2774217f.exe
3476	c22b1dd5348d6fe4afd2c96f07846b5f02a2b3baca520fd4c8da641f2774217f.exe
1376	c22b1dd5348d6fe4afd2c96f07846b5f02a2b3baca520fd4c8da641f2774217f.exe
1376	c22b1dd5348d6fe4afd2c96f07846b5f02a2b3baca520fd4c8da641f2774217f.exe
3188	engnsensor.exe
3188	engnsensor.exe
4852	engnsensor.exe
4852	engnsensor.exe
4852	engnsensor.exe
4852	engnsensor.exe
4852	engnsensor.exe
4852	engnsensor.exe
4852	engnsensor.exe
4852	engnsensor.exe
4852	engnsensor.exe
4852	engnsensor.exe
4852	engnsensor.exe
4852	engnsensor.exe
4852	engnsensor.exe
4852	engnsensor.exe
4852	engnsensor.exe
4852	engnsensor.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1376	c22b1dd5348d6fe4afd2c96f07846b5f02a2b3baca520fd4c8da641f2774217f.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3476 wrote to memory of 1376	3476	c22b1dd5348d6fe4afd2c96f07846b5f02a2b3baca520fd4c8da641f2774217f.exe	79
PID 3476 wrote to memory of 1376	3476	c22b1dd5348d6fe4afd2c96f07846b5f02a2b3baca520fd4c8da641f2774217f.exe	79
PID 3476 wrote to memory of 1376	3476	c22b1dd5348d6fe4afd2c96f07846b5f02a2b3baca520fd4c8da641f2774217f.exe	79
PID 3188 wrote to memory of 4852	3188	engnsensor.exe	81
PID 3188 wrote to memory of 4852	3188	engnsensor.exe	81
PID 3188 wrote to memory of 4852	3188	engnsensor.exe	81

C:\Users\Admin\AppData\Local\Temp\c22b1dd5348d6fe4afd2c96f07846b5f02a2b3baca520fd4c8da641f2774217f.exe
"C:\Users\Admin\AppData\Local\Temp\c22b1dd5348d6fe4afd2c96f07846b5f02a2b3baca520fd4c8da641f2774217f.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3476
- C:\Users\Admin\AppData\Local\Temp\c22b1dd5348d6fe4afd2c96f07846b5f02a2b3baca520fd4c8da641f2774217f.exe
  "C:\Users\Admin\AppData\Local\Temp\c22b1dd5348d6fe4afd2c96f07846b5f02a2b3baca520fd4c8da641f2774217f.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  PID:1376

C:\Windows\SysWOW64\engnsensor.exe
"C:\Windows\SysWOW64\engnsensor.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3188
- C:\Windows\SysWOW64\engnsensor.exe
  "C:\Windows\SysWOW64\engnsensor.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1376-143-0x0000000001200000-0x0000000001219000-memory.dmp

Filesize
100KB

Download
memory/1376-158-0x0000000001200000-0x0000000001219000-memory.dmp

Filesize
100KB

Download
memory/1376-136-0x0000000001230000-0x0000000001249000-memory.dmp

Filesize
100KB

Download
memory/1376-140-0x0000000001230000-0x0000000001249000-memory.dmp

Filesize
100KB

Download
memory/1376-144-0x0000000001250000-0x0000000001270000-memory.dmp

Filesize
128KB

Download
memory/3188-157-0x00000000005A0000-0x00000000005C0000-memory.dmp

Filesize
128KB

Download
memory/3188-149-0x0000000000580000-0x0000000000599000-memory.dmp

Filesize
100KB

Download
memory/3188-156-0x0000000000520000-0x0000000000539000-memory.dmp

Filesize
100KB

Download
memory/3188-145-0x0000000000580000-0x0000000000599000-memory.dmp

Filesize
100KB

Download
memory/3476-134-0x0000000002A10000-0x0000000002A29000-memory.dmp

Filesize
100KB

Download
memory/3476-141-0x00000000029F0000-0x0000000002A09000-memory.dmp

Filesize
100KB

Download
memory/3476-130-0x0000000002A10000-0x0000000002A29000-memory.dmp

Filesize
100KB

Download
memory/3476-142-0x0000000002A30000-0x0000000002A50000-memory.dmp

Filesize
128KB

Download
memory/4852-151-0x0000000000DC0000-0x0000000000DD9000-memory.dmp

Filesize
100KB

Download
memory/4852-155-0x0000000000DC0000-0x0000000000DD9000-memory.dmp

Filesize
100KB

Download
memory/4852-159-0x0000000000520000-0x0000000000539000-memory.dmp

Filesize
100KB

Download
memory/4852-160-0x0000000000DE0000-0x0000000000E00000-memory.dmp

Filesize
128KB

Download
memory/4852-161-0x0000000000520000-0x0000000000539000-memory.dmp

Filesize
100KB

Download