emotet | 5e75a50ef949bde986ee2de4a03d17988bb824dfebb1efc7ff9ef72b49b1e02b

Analysis

max time kernel
135s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
31/07/2022, 20:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e75a50ef949bde986ee2de4a03d17988bb824dfebb1efc7ff9ef72b49b1e02b.exe
Size

148KB
MD5

77178bc166ac26c885d89edd503df9d4
SHA1

7be995cf52ca1e8d8907f154f8199024ff7278f2
SHA256

5e75a50ef949bde986ee2de4a03d17988bb824dfebb1efc7ff9ef72b49b1e02b
SHA512

5683c9d5312bc0e1fdfaf1609b4adb640cdc01be4cc07dee29f958fe22c37df968e8f1d28de0fa85dbc0f6d41723e91a28de84762afb9b26d96f05c9589dd85d

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	190.138.221.70

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
5052	5e75a50ef949bde986ee2de4a03d17988bb824dfebb1efc7ff9ef72b49b1e02b.exe
5052	5e75a50ef949bde986ee2de4a03d17988bb824dfebb1efc7ff9ef72b49b1e02b.exe
3916	5e75a50ef949bde986ee2de4a03d17988bb824dfebb1efc7ff9ef72b49b1e02b.exe
3916	5e75a50ef949bde986ee2de4a03d17988bb824dfebb1efc7ff9ef72b49b1e02b.exe
4860	panesculture.exe
4860	panesculture.exe
2108	panesculture.exe
2108	panesculture.exe
2108	panesculture.exe
2108	panesculture.exe
2108	panesculture.exe
2108	panesculture.exe
2108	panesculture.exe
2108	panesculture.exe
2108	panesculture.exe
2108	panesculture.exe
2108	panesculture.exe
2108	panesculture.exe
2108	panesculture.exe
2108	panesculture.exe
2108	panesculture.exe
2108	panesculture.exe
2108	panesculture.exe
2108	panesculture.exe
2108	panesculture.exe
2108	panesculture.exe
2108	panesculture.exe
2108	panesculture.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3916	5e75a50ef949bde986ee2de4a03d17988bb824dfebb1efc7ff9ef72b49b1e02b.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 3916	5052	5e75a50ef949bde986ee2de4a03d17988bb824dfebb1efc7ff9ef72b49b1e02b.exe	83
PID 5052 wrote to memory of 3916	5052	5e75a50ef949bde986ee2de4a03d17988bb824dfebb1efc7ff9ef72b49b1e02b.exe	83
PID 5052 wrote to memory of 3916	5052	5e75a50ef949bde986ee2de4a03d17988bb824dfebb1efc7ff9ef72b49b1e02b.exe	83
PID 4860 wrote to memory of 2108	4860	panesculture.exe	85
PID 4860 wrote to memory of 2108	4860	panesculture.exe	85
PID 4860 wrote to memory of 2108	4860	panesculture.exe	85

C:\Users\Admin\AppData\Local\Temp\5e75a50ef949bde986ee2de4a03d17988bb824dfebb1efc7ff9ef72b49b1e02b.exe
"C:\Users\Admin\AppData\Local\Temp\5e75a50ef949bde986ee2de4a03d17988bb824dfebb1efc7ff9ef72b49b1e02b.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Users\Admin\AppData\Local\Temp\5e75a50ef949bde986ee2de4a03d17988bb824dfebb1efc7ff9ef72b49b1e02b.exe
  "C:\Users\Admin\AppData\Local\Temp\5e75a50ef949bde986ee2de4a03d17988bb824dfebb1efc7ff9ef72b49b1e02b.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  PID:3916

C:\Windows\SysWOW64\panesculture.exe
"C:\Windows\SysWOW64\panesculture.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4860
- C:\Windows\SysWOW64\panesculture.exe
  "C:\Windows\SysWOW64\panesculture.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2108-163-0x0000000001BE0000-0x0000000001BFA000-memory.dmp

Filesize
104KB

Download
memory/2108-162-0x0000000001C20000-0x0000000001C40000-memory.dmp

Filesize
128KB

Download
memory/2108-161-0x0000000001BE0000-0x0000000001BFA000-memory.dmp

Filesize
104KB

Download
memory/2108-158-0x0000000001C00000-0x0000000001C1A000-memory.dmp

Filesize
104KB

Download
memory/2108-154-0x0000000001C00000-0x0000000001C1A000-memory.dmp

Filesize
104KB

Download
memory/3916-141-0x0000000000E10000-0x0000000000E2A000-memory.dmp

Filesize
104KB

Download
memory/3916-137-0x0000000000E10000-0x0000000000E2A000-memory.dmp

Filesize
104KB

Download
memory/3916-144-0x0000000000DD0000-0x0000000000DEA000-memory.dmp

Filesize
104KB

Download
memory/3916-145-0x0000000000E30000-0x0000000000E50000-memory.dmp

Filesize
128KB

Download
memory/3916-160-0x0000000000DD0000-0x0000000000DEA000-memory.dmp

Filesize
104KB

Download
memory/4860-146-0x0000000001650000-0x000000000166A000-memory.dmp

Filesize
104KB

Download
memory/4860-153-0x0000000001670000-0x0000000001690000-memory.dmp

Filesize
128KB

Download
memory/4860-151-0x0000000001630000-0x000000000164A000-memory.dmp

Filesize
104KB

Download
memory/4860-159-0x0000000001630000-0x000000000164A000-memory.dmp

Filesize
104KB

Download
memory/4860-150-0x0000000001650000-0x000000000166A000-memory.dmp

Filesize
104KB

Download
memory/5052-142-0x0000000002520000-0x0000000002540000-memory.dmp

Filesize
128KB

Download
memory/5052-130-0x0000000002500000-0x000000000251A000-memory.dmp

Filesize
104KB

Download
memory/5052-143-0x0000000000C00000-0x0000000000C1A000-memory.dmp

Filesize
104KB

Download
memory/5052-134-0x0000000002500000-0x000000000251A000-memory.dmp

Filesize
104KB

Download
memory/5052-135-0x0000000000C00000-0x0000000000C1A000-memory.dmp

Filesize
104KB

Download