emotet | c3be44de65945ca8ee4da7fa1ac8d3d33bc098960c717657ab3f62462ae07ddf

Analysis

max time kernel
384s
max time network
452s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2022 15:36

Target

c3be44de65945ca8ee4da7fa1ac8d3d33bc098960c717657ab3f62462ae07ddf.exe
Size

116KB
MD5

89368f12753a9657d1a0c7fe1817aa8c
SHA1

6ae1889a752a23479550c037647e2d8bc60601f4
SHA256

c3be44de65945ca8ee4da7fa1ac8d3d33bc098960c717657ab3f62462ae07ddf
SHA512

2b646be52e62d3bc487acc26def7dc25fb9876bddbaf5bbc25b30f17e911c340067e6cbbe0976fa6ab1a7530e663dad01d3a3adf1049f5d83f1d5c6c9ef27bc1
SSDEEP

3072:b8ENSRg5KrR52iOG7jWXlnYNav5KLdIIPst5tKRlU:b8KSRg5KPHOGErRKL6GgZ

Score

10^/10

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: RenamesItself 1 IoCs

Processes:

c3be44de65945ca8ee4da7fa1ac8d3d33bc098960c717657ab3f62462ae07ddf.exe

pid process

1848 c3be44de65945ca8ee4da7fa1ac8d3d33bc098960c717657ab3f62462ae07ddf.exe

pid	process
1848	c3be44de65945ca8ee4da7fa1ac8d3d33bc098960c717657ab3f62462ae07ddf.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

c3be44de65945ca8ee4da7fa1ac8d3d33bc098960c717657ab3f62462ae07ddf.exebearslics.exe

description	pid	process	target process
PID 4196 wrote to memory of 1848	4196	c3be44de65945ca8ee4da7fa1ac8d3d33bc098960c717657ab3f62462ae07ddf.exe	c3be44de65945ca8ee4da7fa1ac8d3d33bc098960c717657ab3f62462ae07ddf.exe
PID 4196 wrote to memory of 1848	4196	c3be44de65945ca8ee4da7fa1ac8d3d33bc098960c717657ab3f62462ae07ddf.exe	c3be44de65945ca8ee4da7fa1ac8d3d33bc098960c717657ab3f62462ae07ddf.exe
PID 4196 wrote to memory of 1848	4196	c3be44de65945ca8ee4da7fa1ac8d3d33bc098960c717657ab3f62462ae07ddf.exe	c3be44de65945ca8ee4da7fa1ac8d3d33bc098960c717657ab3f62462ae07ddf.exe
PID 1552 wrote to memory of 2056	1552	bearslics.exe	bearslics.exe
PID 1552 wrote to memory of 2056	1552	bearslics.exe	bearslics.exe
PID 1552 wrote to memory of 2056	1552	bearslics.exe	bearslics.exe

C:\Users\Admin\AppData\Local\Temp\c3be44de65945ca8ee4da7fa1ac8d3d33bc098960c717657ab3f62462ae07ddf.exe
"C:\Users\Admin\AppData\Local\Temp\c3be44de65945ca8ee4da7fa1ac8d3d33bc098960c717657ab3f62462ae07ddf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4196

C:\Users\Admin\AppData\Local\Temp\c3be44de65945ca8ee4da7fa1ac8d3d33bc098960c717657ab3f62462ae07ddf.exe
--70751afc
2⤵
- Suspicious behavior: RenamesItself
PID:1848

C:\Windows\SysWOW64\bearslics.exe
"C:\Windows\SysWOW64\bearslics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1552

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

memory/1552-138-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1552-139-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1848-141-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1848-136-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1848-137-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1848-134-0x0000000000000000-mapping.dmp

Download
memory/2056-140-0x0000000000000000-mapping.dmp

Download
memory/2056-142-0x0000000000490000-0x00000000004A1000-memory.dmp

Filesize
68KB

Download
memory/2056-143-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2056-144-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4196-135-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4196-133-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4196-132-0x0000000000670000-0x0000000000681000-memory.dmp

Filesize
68KB

Download