emotet | da1734ab08daca55156f837ee6a639856fb4bcac5434f179554dbef59d0ac9ac

Analysis

max time kernel
139s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
18-05-2024 16:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55c332f782624d49e8763f6253d92df9_JaffaCakes118.exe
Size

140KB
MD5

55c332f782624d49e8763f6253d92df9
SHA1

59a35abd7d762e0a217f2911682e9f77971b4248
SHA256

da1734ab08daca55156f837ee6a639856fb4bcac5434f179554dbef59d0ac9ac
SHA512

bc41327e296c997670dc73ed683b032a46465a4a1a7ad1917f3397de36740f131ea572a55c3b93b5d8b239ce2b669c6b6f72588830716c0cf2d1fda7bfd0922d
SSDEEP

3072:5owvV8/ExewHGfmvkFdCBaUVWQI5lElZ+dSvTNIHV:5owvVRJHGDGk6u5lzdS7N

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

55c332f782624d49e8763f6253d92df9_JaffaCakes118.exe55c332f782624d49e8763f6253d92df9_JaffaCakes118.exedeppremium.exedeppremium.exe

pid	process
1524	55c332f782624d49e8763f6253d92df9_JaffaCakes118.exe
1524	55c332f782624d49e8763f6253d92df9_JaffaCakes118.exe
3184	55c332f782624d49e8763f6253d92df9_JaffaCakes118.exe
3184	55c332f782624d49e8763f6253d92df9_JaffaCakes118.exe
4140	deppremium.exe
4140	deppremium.exe
3916	deppremium.exe
3916	deppremium.exe
3916	deppremium.exe
3916	deppremium.exe
3916	deppremium.exe
3916	deppremium.exe
3916	deppremium.exe
3916	deppremium.exe
3916	deppremium.exe
3916	deppremium.exe
3916	deppremium.exe
3916	deppremium.exe
3916	deppremium.exe
3916	deppremium.exe
3916	deppremium.exe
3916	deppremium.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

55c332f782624d49e8763f6253d92df9_JaffaCakes118.exe

pid process

3184 55c332f782624d49e8763f6253d92df9_JaffaCakes118.exe

pid	process
3184	55c332f782624d49e8763f6253d92df9_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

55c332f782624d49e8763f6253d92df9_JaffaCakes118.exedeppremium.exe

description	pid	process	target process
PID 1524 wrote to memory of 3184	1524	55c332f782624d49e8763f6253d92df9_JaffaCakes118.exe	55c332f782624d49e8763f6253d92df9_JaffaCakes118.exe
PID 1524 wrote to memory of 3184	1524	55c332f782624d49e8763f6253d92df9_JaffaCakes118.exe	55c332f782624d49e8763f6253d92df9_JaffaCakes118.exe
PID 1524 wrote to memory of 3184	1524	55c332f782624d49e8763f6253d92df9_JaffaCakes118.exe	55c332f782624d49e8763f6253d92df9_JaffaCakes118.exe
PID 4140 wrote to memory of 3916	4140	deppremium.exe	deppremium.exe
PID 4140 wrote to memory of 3916	4140	deppremium.exe	deppremium.exe
PID 4140 wrote to memory of 3916	4140	deppremium.exe	deppremium.exe

C:\Users\Admin\AppData\Local\Temp\55c332f782624d49e8763f6253d92df9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\55c332f782624d49e8763f6253d92df9_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1524

C:\Users\Admin\AppData\Local\Temp\55c332f782624d49e8763f6253d92df9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\55c332f782624d49e8763f6253d92df9_JaffaCakes118.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
PID:3184

C:\Windows\SysWOW64\deppremium.exe
"C:\Windows\SysWOW64\deppremium.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4140

C:\Windows\SysWOW64\deppremium.exe
"C:\Windows\SysWOW64\deppremium.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1524-0-0x0000000002920000-0x0000000002939000-memory.dmp

Filesize
100KB

Download
memory/1524-4-0x0000000002920000-0x0000000002939000-memory.dmp

Filesize
100KB

Download
memory/1524-6-0x0000000002940000-0x0000000002960000-memory.dmp

Filesize
128KB

Download
memory/1524-5-0x0000000000D90000-0x0000000000DA9000-memory.dmp

Filesize
100KB

Download
memory/1524-14-0x0000000000D90000-0x0000000000DA9000-memory.dmp

Filesize
100KB

Download
memory/3184-11-0x0000000001130000-0x0000000001149000-memory.dmp

Filesize
100KB

Download
memory/3184-13-0x0000000001150000-0x0000000001170000-memory.dmp

Filesize
128KB

Download
memory/3184-12-0x0000000001110000-0x0000000001129000-memory.dmp

Filesize
100KB

Download
memory/3184-7-0x0000000001130000-0x0000000001149000-memory.dmp

Filesize
100KB

Download
memory/3184-31-0x0000000001110000-0x0000000001129000-memory.dmp

Filesize
100KB

Download
memory/3184-30-0x0000000000680000-0x00000000006A5000-memory.dmp

Filesize
148KB

Download
memory/3916-28-0x00000000016C0000-0x00000000016E0000-memory.dmp

Filesize
128KB

Download
memory/3916-22-0x00000000016A0000-0x00000000016B9000-memory.dmp

Filesize
100KB

Download
memory/3916-26-0x00000000016A0000-0x00000000016B9000-memory.dmp

Filesize
100KB

Download
memory/3916-27-0x0000000000E40000-0x0000000000E59000-memory.dmp

Filesize
100KB

Download
memory/3916-32-0x0000000000E40000-0x0000000000E59000-memory.dmp

Filesize
100KB

Download
memory/4140-20-0x00000000007B0000-0x00000000007C9000-memory.dmp

Filesize
100KB

Download
memory/4140-21-0x00000000007F0000-0x0000000000810000-memory.dmp

Filesize
128KB

Download
memory/4140-29-0x00000000007B0000-0x00000000007C9000-memory.dmp

Filesize
100KB

Download
memory/4140-19-0x00000000007D0000-0x00000000007E9000-memory.dmp

Filesize
100KB

Download
memory/4140-15-0x00000000007D0000-0x00000000007E9000-memory.dmp

Filesize
100KB

Download