emotet | 54bc56e089ad144f902f0a478365628e3c7b0a1739abb56200c3e1a724fd5232

Analysis

max time kernel
184s
max time network
234s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
25-07-2022 18:26

Target

54bc56e089ad144f902f0a478365628e3c7b0a1739abb56200c3e1a724fd5232.exe
Size

136KB
MD5

7ebfdaade79a9176976fa08d700204ac
SHA1

58cb57bd8b5dbd1d85ba931f20522e93666141e6
SHA256

54bc56e089ad144f902f0a478365628e3c7b0a1739abb56200c3e1a724fd5232
SHA512

ecc1501a1e547d853d8e14a284b68235c2c26871a4aa5e46bb3bfe78278ca64ee99f07d0a828ee795312348796be3f4aaf0c331d70417f98dbe558c151bc33b9

Score

10^/10

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 32 IoCs

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3340	54bc56e089ad144f902f0a478365628e3c7b0a1739abb56200c3e1a724fd5232.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 3340	1476	54bc56e089ad144f902f0a478365628e3c7b0a1739abb56200c3e1a724fd5232.exe	81
PID 1476 wrote to memory of 3340	1476	54bc56e089ad144f902f0a478365628e3c7b0a1739abb56200c3e1a724fd5232.exe	81
PID 1476 wrote to memory of 3340	1476	54bc56e089ad144f902f0a478365628e3c7b0a1739abb56200c3e1a724fd5232.exe	81
PID 3972 wrote to memory of 1196	3972	tmpliprop.exe	84
PID 3972 wrote to memory of 1196	3972	tmpliprop.exe	84
PID 3972 wrote to memory of 1196	3972	tmpliprop.exe	84

C:\Windows\SysWOW64\tmpliprop.exe
"C:\Windows\SysWOW64\tmpliprop.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3972
- C:\Windows\SysWOW64\tmpliprop.exe
  "C:\Windows\SysWOW64\tmpliprop.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1196

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1196-157-0x0000000000E50000-0x0000000000E68000-memory.dmp

Filesize
96KB

Download
memory/1196-158-0x0000000000E10000-0x0000000000E2A000-memory.dmp

Filesize
104KB

Download
memory/1196-156-0x0000000000E10000-0x0000000000E2A000-memory.dmp

Filesize
104KB

Download
memory/1196-149-0x0000000000E30000-0x0000000000E4A000-memory.dmp

Filesize
104KB

Download
memory/1476-139-0x0000000000D00000-0x0000000000D1A000-memory.dmp

Filesize
104KB

Download
memory/1476-130-0x0000000000D20000-0x0000000000D3A000-memory.dmp

Filesize
104KB

Download
memory/1476-140-0x0000000000D40000-0x0000000000D58000-memory.dmp

Filesize
96KB

Download
memory/3340-142-0x00000000012F0000-0x0000000001308000-memory.dmp

Filesize
96KB

Download
memory/3340-143-0x00000000012B0000-0x00000000012CA000-memory.dmp

Filesize
104KB

Download
memory/3340-141-0x00000000012B0000-0x00000000012CA000-memory.dmp

Filesize
104KB

Download
memory/3340-135-0x00000000012D0000-0x00000000012EA000-memory.dmp

Filesize
104KB

Download
memory/3340-155-0x00000000012B0000-0x00000000012CA000-memory.dmp

Filesize
104KB

Download
memory/3972-144-0x0000000001100000-0x000000000111A000-memory.dmp

Filesize
104KB

Download
memory/3972-154-0x0000000001120000-0x0000000001138000-memory.dmp

Filesize
96KB

Download
memory/3972-153-0x0000000000FC0000-0x0000000000FDA000-memory.dmp

Filesize
104KB

Download