emotet | 55646d034c47ddec8b91c0e0fc20d8a84e179f322ddcc947efd9d843700ae28b

Analysis

max time kernel
150s
max time network
204s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 08:53

Target

55646d034c47ddec8b91c0e0fc20d8a84e179f322ddcc947efd9d843700ae28b.exe
Size

207KB
MD5

4a9eab928b94427188ef30782f14d181
SHA1

08554b3ab7044a918e782f12a09b83970fe3d47e
SHA256

55646d034c47ddec8b91c0e0fc20d8a84e179f322ddcc947efd9d843700ae28b
SHA512

24e2aa30dacf9b5b07a9381cbaa79c35e8a0af15b380588ac073d5679b54a8b0d2b3a95949fcc2ecbe045e530cde846da88b600ba790dccb7aa6faaf2177f67b
SSDEEP

3072:vtK8sN3+yM6f0tH5KWR8iIKyVppK3kQIzl6r0WZH0ZxiCcWMKj1NPjet:vo5MyStjRDybMkQTv0Zx+bG1Nw

Score

10^/10

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: RenamesItself 1 IoCs

Processes:

55646d034c47ddec8b91c0e0fc20d8a84e179f322ddcc947efd9d843700ae28b.exe

pid process

1376 55646d034c47ddec8b91c0e0fc20d8a84e179f322ddcc947efd9d843700ae28b.exe

pid	process
1376	55646d034c47ddec8b91c0e0fc20d8a84e179f322ddcc947efd9d843700ae28b.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

55646d034c47ddec8b91c0e0fc20d8a84e179f322ddcc947efd9d843700ae28b.exeservdiag.exe

description	pid	process	target process
PID 1748 wrote to memory of 1376	1748	55646d034c47ddec8b91c0e0fc20d8a84e179f322ddcc947efd9d843700ae28b.exe	55646d034c47ddec8b91c0e0fc20d8a84e179f322ddcc947efd9d843700ae28b.exe
PID 1748 wrote to memory of 1376	1748	55646d034c47ddec8b91c0e0fc20d8a84e179f322ddcc947efd9d843700ae28b.exe	55646d034c47ddec8b91c0e0fc20d8a84e179f322ddcc947efd9d843700ae28b.exe
PID 1748 wrote to memory of 1376	1748	55646d034c47ddec8b91c0e0fc20d8a84e179f322ddcc947efd9d843700ae28b.exe	55646d034c47ddec8b91c0e0fc20d8a84e179f322ddcc947efd9d843700ae28b.exe
PID 4092 wrote to memory of 364	4092	servdiag.exe	servdiag.exe
PID 4092 wrote to memory of 364	4092	servdiag.exe	servdiag.exe
PID 4092 wrote to memory of 364	4092	servdiag.exe	servdiag.exe

C:\Users\Admin\AppData\Local\Temp\55646d034c47ddec8b91c0e0fc20d8a84e179f322ddcc947efd9d843700ae28b.exe
"C:\Users\Admin\AppData\Local\Temp\55646d034c47ddec8b91c0e0fc20d8a84e179f322ddcc947efd9d843700ae28b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1748

C:\Users\Admin\AppData\Local\Temp\55646d034c47ddec8b91c0e0fc20d8a84e179f322ddcc947efd9d843700ae28b.exe
--bef9fffa
2⤵
- Suspicious behavior: RenamesItself
PID:1376

C:\Windows\SysWOW64\servdiag.exe
"C:\Windows\SysWOW64\servdiag.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4092

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

memory/364-139-0x0000000000000000-mapping.dmp

Download
memory/364-141-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/364-142-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1376-133-0x0000000000000000-mapping.dmp

Download
memory/1376-135-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1376-136-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1376-140-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1748-132-0x00000000005F0000-0x000000000060B000-memory.dmp

Filesize
108KB

Download
memory/1748-134-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4092-137-0x0000000000590000-0x00000000005AB000-memory.dmp

Filesize
108KB

Download
memory/4092-138-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download