emotet | d733819a7dc233f0f80b32158b9066ef3167eeb19a56980b008f182fd10353f1

Analysis

max time kernel
143s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 01:16

Target

43ede37974d66b9c4f589a8f4ca914ff_JaffaCakes118.exe
Size

355KB
MD5

43ede37974d66b9c4f589a8f4ca914ff
SHA1

c16d2f987d78ef1b5a37ac007011655e020b4202
SHA256

d733819a7dc233f0f80b32158b9066ef3167eeb19a56980b008f182fd10353f1
SHA512

2c15ce9244eb71ab2458763e2997b06dc2b371ec75a00bbc274fc29f9461793861675a31cd7aee0884780779bdb1a7e31dcfb03633cd584dfe7cd8ee36b4e6d7
SSDEEP

6144:ZKo0ddRrhesOPI2KRyj2KFrorZTBzpxt:ZP0d79HOQcz09P

Score

10^/10

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1524	43ede37974d66b9c4f589a8f4ca914ff_JaffaCakes118.exe
1524	43ede37974d66b9c4f589a8f4ca914ff_JaffaCakes118.exe
5044	43ede37974d66b9c4f589a8f4ca914ff_JaffaCakes118.exe
5044	43ede37974d66b9c4f589a8f4ca914ff_JaffaCakes118.exe
2700	taupedim.exe
2700	taupedim.exe
384	taupedim.exe
384	taupedim.exe
384	taupedim.exe
384	taupedim.exe
384	taupedim.exe
384	taupedim.exe
384	taupedim.exe
384	taupedim.exe
384	taupedim.exe
384	taupedim.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
5044	43ede37974d66b9c4f589a8f4ca914ff_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1524 wrote to memory of 5044	1524	43ede37974d66b9c4f589a8f4ca914ff_JaffaCakes118.exe	88
PID 1524 wrote to memory of 5044	1524	43ede37974d66b9c4f589a8f4ca914ff_JaffaCakes118.exe	88
PID 1524 wrote to memory of 5044	1524	43ede37974d66b9c4f589a8f4ca914ff_JaffaCakes118.exe	88
PID 2700 wrote to memory of 384	2700	taupedim.exe	93
PID 2700 wrote to memory of 384	2700	taupedim.exe	93
PID 2700 wrote to memory of 384	2700	taupedim.exe	93

C:\Windows\SysWOW64\taupedim.exe
"C:\Windows\SysWOW64\taupedim.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\SysWOW64\taupedim.exe
  "C:\Windows\SysWOW64\taupedim.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:384

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/384-22-0x00000000006F0000-0x0000000000753000-memory.dmp

Filesize
396KB

Download
memory/384-28-0x00000000006F0000-0x0000000000753000-memory.dmp

Filesize
396KB

Download
memory/384-26-0x00000000006F0000-0x0000000000753000-memory.dmp

Filesize
396KB

Download
memory/384-19-0x00000000006F0000-0x0000000000753000-memory.dmp

Filesize
396KB

Download
memory/384-16-0x00000000006F0000-0x0000000000753000-memory.dmp

Filesize
396KB

Download
memory/384-24-0x00000000006F0000-0x0000000000753000-memory.dmp

Filesize
396KB

Download
memory/384-21-0x00000000006F0000-0x0000000000753000-memory.dmp

Filesize
396KB

Download
memory/1524-0-0x00000000006F0000-0x0000000000753000-memory.dmp

Filesize
396KB

Download
memory/1524-2-0x0000000000720000-0x0000000000724000-memory.dmp

Filesize
16KB

Download
memory/1524-3-0x00000000006F0000-0x0000000000753000-memory.dmp

Filesize
396KB

Download
memory/2700-10-0x00000000006F0000-0x0000000000753000-memory.dmp

Filesize
396KB

Download
memory/2700-12-0x00000000006F0000-0x0000000000753000-memory.dmp

Filesize
396KB

Download
memory/5044-8-0x00000000006F0000-0x0000000000753000-memory.dmp

Filesize
396KB

Download
memory/5044-20-0x00000000006F0000-0x0000000000753000-memory.dmp

Filesize
396KB

Download
memory/5044-9-0x00000000006F0000-0x0000000000753000-memory.dmp

Filesize
396KB

Download
memory/5044-5-0x00000000006F0000-0x0000000000753000-memory.dmp

Filesize
396KB

Download