emotet | 9d0f8bb5cebd8d1ee8f41ec21a2971ac150c632431d51a4a74fcac23db297422

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/05/2024, 23:51

Target

615af308123f3abe754d69de2162b383_JaffaCakes118.exe
Size

148KB
MD5

615af308123f3abe754d69de2162b383
SHA1

412a04a5ca34e217f34a26a0816055b36870314e
SHA256

9d0f8bb5cebd8d1ee8f41ec21a2971ac150c632431d51a4a74fcac23db297422
SHA512

487e057d89cdd6bf8408ad37f05a0cb0c9508ab6284368c09477b86366b591789c2f6eb3153162cb0af301178b0f830f6904512edc3cae7feff743eac2f30971
SSDEEP

3072:d3HRqRIzdRAgjZMIYMiLFqib3eiH8vKELXIu/3Z49zCWH9Y:FHRVxR/ZcLFJbD0KOXIu/itC

Score

10^/10

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 20 IoCs

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1856	615af308123f3abe754d69de2162b383_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 2892	1856	615af308123f3abe754d69de2162b383_JaffaCakes118.exe	93
PID 1856 wrote to memory of 2892	1856	615af308123f3abe754d69de2162b383_JaffaCakes118.exe	93
PID 1856 wrote to memory of 2892	1856	615af308123f3abe754d69de2162b383_JaffaCakes118.exe	93

C:\Users\Admin\AppData\Local\Temp\615af308123f3abe754d69de2162b383_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\615af308123f3abe754d69de2162b383_JaffaCakes118.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Windows\SysWOW64\mcrmarkers.exe
  "C:\Windows\SysWOW64\mcrmarkers.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4604,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=1300 /prefetch:8
1⤵
PID:1792

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1856-0-0x00000000006A0000-0x00000000006AF000-memory.dmp

Filesize
60KB

Download
memory/1856-6-0x00000000008D0000-0x00000000008F0000-memory.dmp

Filesize
128KB

Download
memory/1856-5-0x0000000000540000-0x000000000054F000-memory.dmp

Filesize
60KB

Download
memory/1856-4-0x00000000006A0000-0x00000000006AF000-memory.dmp

Filesize
60KB

Download
memory/1856-8-0x0000000000540000-0x000000000054F000-memory.dmp

Filesize
60KB

Download
memory/1856-7-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2892-13-0x00000000007C0000-0x00000000007CF000-memory.dmp

Filesize
60KB

Download
memory/2892-9-0x00000000007C0000-0x00000000007CF000-memory.dmp

Filesize
60KB

Download
memory/2892-15-0x00000000007D0000-0x00000000007F0000-memory.dmp

Filesize
128KB

Download
memory/2892-14-0x00000000007B0000-0x00000000007BF000-memory.dmp

Filesize
60KB

Download
memory/2892-16-0x00000000007B0000-0x00000000007BF000-memory.dmp

Filesize
60KB

Download