emotet | cf0fd5544c94b0b45d7168ad5c2fcc28502eaeb0a7f89656eb726e9fa89e32e4

Analysis

max time kernel
149s
max time network
181s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2022 19:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf0fd5544c94b0b45d7168ad5c2fcc28502eaeb0a7f89656eb726e9fa89e32e4.exe
Size

306KB
MD5

cb9428c8965c8d48f5f3ca0236fcc28c
SHA1

e222e2ac35dec32973c554b1502a1719460d68a2
SHA256

cf0fd5544c94b0b45d7168ad5c2fcc28502eaeb0a7f89656eb726e9fa89e32e4
SHA512

80264af772509c1ce7aa2c6954c53b230c318f9a51a6f399ccd5ac45fdab6bedce4063aeefdd404c3fe2109051faace528b870fe0a77873bbbc8ce7f1468576d
SSDEEP

6144:63LEppKQUTtvh2VuL6g8+fGKrQ3+toJFihLt3A++:+EpITVAuL6gvfGBdJFihLt3A++

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

cf0fd5544c94b0b45d7168ad5c2fcc28502eaeb0a7f89656eb726e9fa89e32e4.execf0fd5544c94b0b45d7168ad5c2fcc28502eaeb0a7f89656eb726e9fa89e32e4.exepanescbs.exepanescbs.exe

pid	process
2084	cf0fd5544c94b0b45d7168ad5c2fcc28502eaeb0a7f89656eb726e9fa89e32e4.exe
2084	cf0fd5544c94b0b45d7168ad5c2fcc28502eaeb0a7f89656eb726e9fa89e32e4.exe
2656	cf0fd5544c94b0b45d7168ad5c2fcc28502eaeb0a7f89656eb726e9fa89e32e4.exe
2656	cf0fd5544c94b0b45d7168ad5c2fcc28502eaeb0a7f89656eb726e9fa89e32e4.exe
3548	panescbs.exe
3548	panescbs.exe
4668	panescbs.exe
4668	panescbs.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

cf0fd5544c94b0b45d7168ad5c2fcc28502eaeb0a7f89656eb726e9fa89e32e4.exe

pid process

2656 cf0fd5544c94b0b45d7168ad5c2fcc28502eaeb0a7f89656eb726e9fa89e32e4.exe

pid	process
2656	cf0fd5544c94b0b45d7168ad5c2fcc28502eaeb0a7f89656eb726e9fa89e32e4.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

cf0fd5544c94b0b45d7168ad5c2fcc28502eaeb0a7f89656eb726e9fa89e32e4.exepanescbs.exe

description	pid	process	target process
PID 2084 wrote to memory of 2656	2084	cf0fd5544c94b0b45d7168ad5c2fcc28502eaeb0a7f89656eb726e9fa89e32e4.exe	cf0fd5544c94b0b45d7168ad5c2fcc28502eaeb0a7f89656eb726e9fa89e32e4.exe
PID 2084 wrote to memory of 2656	2084	cf0fd5544c94b0b45d7168ad5c2fcc28502eaeb0a7f89656eb726e9fa89e32e4.exe	cf0fd5544c94b0b45d7168ad5c2fcc28502eaeb0a7f89656eb726e9fa89e32e4.exe
PID 2084 wrote to memory of 2656	2084	cf0fd5544c94b0b45d7168ad5c2fcc28502eaeb0a7f89656eb726e9fa89e32e4.exe	cf0fd5544c94b0b45d7168ad5c2fcc28502eaeb0a7f89656eb726e9fa89e32e4.exe
PID 3548 wrote to memory of 4668	3548	panescbs.exe	panescbs.exe
PID 3548 wrote to memory of 4668	3548	panescbs.exe	panescbs.exe
PID 3548 wrote to memory of 4668	3548	panescbs.exe	panescbs.exe

C:\Users\Admin\AppData\Local\Temp\cf0fd5544c94b0b45d7168ad5c2fcc28502eaeb0a7f89656eb726e9fa89e32e4.exe
"C:\Users\Admin\AppData\Local\Temp\cf0fd5544c94b0b45d7168ad5c2fcc28502eaeb0a7f89656eb726e9fa89e32e4.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2084

C:\Users\Admin\AppData\Local\Temp\cf0fd5544c94b0b45d7168ad5c2fcc28502eaeb0a7f89656eb726e9fa89e32e4.exe
"C:\Users\Admin\AppData\Local\Temp\cf0fd5544c94b0b45d7168ad5c2fcc28502eaeb0a7f89656eb726e9fa89e32e4.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
PID:2656

C:\Windows\SysWOW64\panescbs.exe
"C:\Windows\SysWOW64\panescbs.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3548

C:\Windows\SysWOW64\panescbs.exe
"C:\Windows\SysWOW64\panescbs.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4668

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2084-132-0x0000000000640000-0x0000000000655000-memory.dmp

Filesize
84KB

Download
memory/2084-134-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2084-135-0x0000000000640000-0x0000000000655000-memory.dmp

Filesize
84KB

Download
memory/2084-136-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2656-133-0x0000000000000000-mapping.dmp

Download
memory/2656-137-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2656-138-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2656-140-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4668-139-0x0000000000000000-mapping.dmp

Download
memory/4668-141-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download