emotet | 1febf4ebc138dd01f1a4e9e302ffaeb5207f8a3e7de9e790a8755b5d125d67b8

Analysis

max time kernel
161s
max time network
218s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2022 18:33

Target

1febf4ebc138dd01f1a4e9e302ffaeb5207f8a3e7de9e790a8755b5d125d67b8.exe
Size

279KB
MD5

2838dbfc712c09e9797dafb02e1a7f3f
SHA1

4107eb23bca94f3adfe6c5ddefcf83b12a4312e8
SHA256

1febf4ebc138dd01f1a4e9e302ffaeb5207f8a3e7de9e790a8755b5d125d67b8
SHA512

45af689b9c2881ba67e98551acf62c1c1b9920580e0cb5f4805a9c6a4c0aafa74c0d247c21a0349992684307a362a0f4db251e3f82adb22595aebdbe2acc8b35
SSDEEP

6144:jKkCmx7H9i7+iFINAS+S/9M4Fea4qZAU0rZpX6:dCmx7Hg7+vW4o2AU0rZV6

Score

10^/10

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: RenamesItself 1 IoCs

Processes:

1febf4ebc138dd01f1a4e9e302ffaeb5207f8a3e7de9e790a8755b5d125d67b8.exe

pid process

4432 1febf4ebc138dd01f1a4e9e302ffaeb5207f8a3e7de9e790a8755b5d125d67b8.exe

pid	process
4432	1febf4ebc138dd01f1a4e9e302ffaeb5207f8a3e7de9e790a8755b5d125d67b8.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

1febf4ebc138dd01f1a4e9e302ffaeb5207f8a3e7de9e790a8755b5d125d67b8.exe

description	pid	process	target process
PID 3032 wrote to memory of 4432	3032	1febf4ebc138dd01f1a4e9e302ffaeb5207f8a3e7de9e790a8755b5d125d67b8.exe	1febf4ebc138dd01f1a4e9e302ffaeb5207f8a3e7de9e790a8755b5d125d67b8.exe
PID 3032 wrote to memory of 4432	3032	1febf4ebc138dd01f1a4e9e302ffaeb5207f8a3e7de9e790a8755b5d125d67b8.exe	1febf4ebc138dd01f1a4e9e302ffaeb5207f8a3e7de9e790a8755b5d125d67b8.exe
PID 3032 wrote to memory of 4432	3032	1febf4ebc138dd01f1a4e9e302ffaeb5207f8a3e7de9e790a8755b5d125d67b8.exe	1febf4ebc138dd01f1a4e9e302ffaeb5207f8a3e7de9e790a8755b5d125d67b8.exe

C:\Users\Admin\AppData\Local\Temp\1febf4ebc138dd01f1a4e9e302ffaeb5207f8a3e7de9e790a8755b5d125d67b8.exe
"C:\Users\Admin\AppData\Local\Temp\1febf4ebc138dd01f1a4e9e302ffaeb5207f8a3e7de9e790a8755b5d125d67b8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3032

C:\Users\Admin\AppData\Local\Temp\1febf4ebc138dd01f1a4e9e302ffaeb5207f8a3e7de9e790a8755b5d125d67b8.exe
--704c6c78
2⤵
- Suspicious behavior: RenamesItself
PID:4432

C:\Windows\SysWOW64\slidesonic.exe
"C:\Windows\SysWOW64\slidesonic.exe"
1⤵
PID:3188

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

memory/3032-132-0x00000000006E0000-0x00000000006F1000-memory.dmp

Filesize
68KB

Download
memory/3032-133-0x00000000006E0000-0x00000000006F1000-memory.dmp

Filesize
68KB

Download
memory/3032-134-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3032-135-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3032-137-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3188-140-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4432-136-0x0000000000000000-mapping.dmp

Download
memory/4432-138-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4432-139-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download