emotet | 9d0f8bb5cebd8d1ee8f41ec21a2971ac150c632431d51a4a74fcac23db297422

Analysis

max time kernel
147s
max time network
147s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20/05/2024, 23:51

Target

615af308123f3abe754d69de2162b383_JaffaCakes118.exe
Size

148KB
MD5

615af308123f3abe754d69de2162b383
SHA1

412a04a5ca34e217f34a26a0816055b36870314e
SHA256

9d0f8bb5cebd8d1ee8f41ec21a2971ac150c632431d51a4a74fcac23db297422
SHA512

487e057d89cdd6bf8408ad37f05a0cb0c9508ab6284368c09477b86366b591789c2f6eb3153162cb0af301178b0f830f6904512edc3cae7feff743eac2f30971
SSDEEP

3072:d3HRqRIzdRAgjZMIYMiLFqib3eiH8vKELXIu/3Z49zCWH9Y:FHRVxR/ZcLFJbD0KOXIu/itC

Score

10^/10

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 11 IoCs

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1296	615af308123f3abe754d69de2162b383_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1296 wrote to memory of 2544	1296	615af308123f3abe754d69de2162b383_JaffaCakes118.exe	28
PID 1296 wrote to memory of 2544	1296	615af308123f3abe754d69de2162b383_JaffaCakes118.exe	28
PID 1296 wrote to memory of 2544	1296	615af308123f3abe754d69de2162b383_JaffaCakes118.exe	28
PID 1296 wrote to memory of 2544	1296	615af308123f3abe754d69de2162b383_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\615af308123f3abe754d69de2162b383_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\615af308123f3abe754d69de2162b383_JaffaCakes118.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1296
- C:\Windows\SysWOW64\lsoutilman.exe
  "C:\Windows\SysWOW64\lsoutilman.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2544

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1296-4-0x0000000000260000-0x000000000026F000-memory.dmp

Filesize
60KB

Download
memory/1296-0-0x0000000000260000-0x000000000026F000-memory.dmp

Filesize
60KB

Download
memory/1296-6-0x00000000003E0000-0x0000000000400000-memory.dmp

Filesize
128KB

Download
memory/1296-5-0x0000000000250000-0x000000000025F000-memory.dmp

Filesize
60KB

Download
memory/1296-8-0x0000000000250000-0x000000000025F000-memory.dmp

Filesize
60KB

Download
memory/1296-7-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2544-13-0x0000000000250000-0x000000000025F000-memory.dmp

Filesize
60KB

Download
memory/2544-10-0x0000000000250000-0x000000000025F000-memory.dmp

Filesize
60KB

Download
memory/2544-15-0x00000000002F0000-0x0000000000310000-memory.dmp

Filesize
128KB

Download
memory/2544-14-0x0000000000240000-0x000000000024F000-memory.dmp

Filesize
60KB

Download
memory/2544-16-0x0000000000240000-0x000000000024F000-memory.dmp

Filesize
60KB

Download