emotet | 2664a2ce4378bef9bc12987fcd474f4cee94f3fea454921d655a91b711bf8fc6

Analysis

max time kernel
151s
max time network
198s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2022 17:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2664a2ce4378bef9bc12987fcd474f4cee94f3fea454921d655a91b711bf8fc6.exe
Size

140KB
MD5

b54ffc6ba8b369c20d93e59a82776781
SHA1

54e18fca6685237a96ee425f254a9f12f83395da
SHA256

2664a2ce4378bef9bc12987fcd474f4cee94f3fea454921d655a91b711bf8fc6
SHA512

dddd6304e907d5f3b65db45fbcbc11d2275a5043fa0a993e49a926b002bc76bd6688740ad03f90f388497f8ee6fb25b67a23ae41c8124aa0e9c996e63c9b9e06
SSDEEP

3072:XmRT9gkAY+PGTs3nhYNOybHbhKkhiiVOKEWH:XmRT9IRt3ne3Dg6

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

2664a2ce4378bef9bc12987fcd474f4cee94f3fea454921d655a91b711bf8fc6.exe2664a2ce4378bef9bc12987fcd474f4cee94f3fea454921d655a91b711bf8fc6.exeearconwab.exeearconwab.exe

pid	process
4376	2664a2ce4378bef9bc12987fcd474f4cee94f3fea454921d655a91b711bf8fc6.exe
4376	2664a2ce4378bef9bc12987fcd474f4cee94f3fea454921d655a91b711bf8fc6.exe
316	2664a2ce4378bef9bc12987fcd474f4cee94f3fea454921d655a91b711bf8fc6.exe
316	2664a2ce4378bef9bc12987fcd474f4cee94f3fea454921d655a91b711bf8fc6.exe
1092	earconwab.exe
1092	earconwab.exe
1972	earconwab.exe
1972	earconwab.exe
1972	earconwab.exe
1972	earconwab.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

2664a2ce4378bef9bc12987fcd474f4cee94f3fea454921d655a91b711bf8fc6.exe

pid process

316 2664a2ce4378bef9bc12987fcd474f4cee94f3fea454921d655a91b711bf8fc6.exe

pid	process
316	2664a2ce4378bef9bc12987fcd474f4cee94f3fea454921d655a91b711bf8fc6.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

2664a2ce4378bef9bc12987fcd474f4cee94f3fea454921d655a91b711bf8fc6.exeearconwab.exe

description	pid	process	target process
PID 4376 wrote to memory of 316	4376	2664a2ce4378bef9bc12987fcd474f4cee94f3fea454921d655a91b711bf8fc6.exe	2664a2ce4378bef9bc12987fcd474f4cee94f3fea454921d655a91b711bf8fc6.exe
PID 4376 wrote to memory of 316	4376	2664a2ce4378bef9bc12987fcd474f4cee94f3fea454921d655a91b711bf8fc6.exe	2664a2ce4378bef9bc12987fcd474f4cee94f3fea454921d655a91b711bf8fc6.exe
PID 4376 wrote to memory of 316	4376	2664a2ce4378bef9bc12987fcd474f4cee94f3fea454921d655a91b711bf8fc6.exe	2664a2ce4378bef9bc12987fcd474f4cee94f3fea454921d655a91b711bf8fc6.exe
PID 1092 wrote to memory of 1972	1092	earconwab.exe	earconwab.exe
PID 1092 wrote to memory of 1972	1092	earconwab.exe	earconwab.exe
PID 1092 wrote to memory of 1972	1092	earconwab.exe	earconwab.exe

C:\Users\Admin\AppData\Local\Temp\2664a2ce4378bef9bc12987fcd474f4cee94f3fea454921d655a91b711bf8fc6.exe
"C:\Users\Admin\AppData\Local\Temp\2664a2ce4378bef9bc12987fcd474f4cee94f3fea454921d655a91b711bf8fc6.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4376

C:\Users\Admin\AppData\Local\Temp\2664a2ce4378bef9bc12987fcd474f4cee94f3fea454921d655a91b711bf8fc6.exe
"C:\Users\Admin\AppData\Local\Temp\2664a2ce4378bef9bc12987fcd474f4cee94f3fea454921d655a91b711bf8fc6.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
PID:316

C:\Windows\SysWOW64\earconwab.exe
"C:\Windows\SysWOW64\earconwab.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\SysWOW64\earconwab.exe
"C:\Windows\SysWOW64\earconwab.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1972

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/316-143-0x0000000000F10000-0x0000000000F2A000-memory.dmp

Filesize
104KB

Download
memory/316-136-0x0000000000000000-mapping.dmp

Download
memory/316-137-0x0000000000F30000-0x0000000000F4A000-memory.dmp

Filesize
104KB

Download
memory/316-159-0x0000000000F10000-0x0000000000F2A000-memory.dmp

Filesize
104KB

Download
memory/316-144-0x0000000000F50000-0x0000000000F68000-memory.dmp

Filesize
96KB

Download
memory/1092-156-0x00000000017F0000-0x000000000180A000-memory.dmp

Filesize
104KB

Download
memory/1092-145-0x0000000001810000-0x000000000182A000-memory.dmp

Filesize
104KB

Download
memory/1092-149-0x00000000017F0000-0x000000000180A000-memory.dmp

Filesize
104KB

Download
memory/1092-150-0x0000000001830000-0x0000000001848000-memory.dmp

Filesize
96KB

Download
memory/1972-151-0x0000000000000000-mapping.dmp

Download
memory/1972-152-0x0000000001B20000-0x0000000001B3A000-memory.dmp

Filesize
104KB

Download
memory/1972-157-0x0000000001B00000-0x0000000001B1A000-memory.dmp

Filesize
104KB

Download
memory/1972-158-0x0000000001B40000-0x0000000001B58000-memory.dmp

Filesize
96KB

Download
memory/1972-160-0x0000000001B00000-0x0000000001B1A000-memory.dmp

Filesize
104KB

Download
memory/4376-142-0x0000000001220000-0x0000000001238000-memory.dmp

Filesize
96KB

Download
memory/4376-132-0x0000000001200000-0x000000000121A000-memory.dmp

Filesize
104KB

Download
memory/4376-141-0x00000000011E0000-0x00000000011FA000-memory.dmp

Filesize
104KB

Download