emotet | bfb0292c8b640dbfea20a75a72941db4c7691f2e1661175209ebd06957204902

Analysis

max time kernel
145s
max time network
151s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-05-2024 21:23

Target

emotet_payload_2.exe
Size

147KB
MD5

d1f09a50517e77ad56ea2f995fb2814d
SHA1

5f520b323e292cbb5e81175c32a49073b7ce5465
SHA256

c5b80faf119732d61e82129c18b0a8081d4f584b108e85d8dae6705ef60f7393
SHA512

5a96850dbd35600d975288123b1e43786bd0b9d5b1271c4925db34737cc48ea22317b8160b296a23692eb273cee2fa3e26b57020944ae88715264b5716c47577
SSDEEP

3072:Smmwuxz1qNDwxCY8EKcd/n6aI/fYgMKj:Zmr3quxCa/6Jn5/

Score

10^/10

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2484	emotet_payload_2.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 2144	2484	emotet_payload_2.exe	28
PID 2484 wrote to memory of 2144	2484	emotet_payload_2.exe	28
PID 2484 wrote to memory of 2144	2484	emotet_payload_2.exe	28
PID 2484 wrote to memory of 2144	2484	emotet_payload_2.exe	28

C:\Users\Admin\AppData\Local\Temp\emotet_payload_2.exe
"C:\Users\Admin\AppData\Local\Temp\emotet_payload_2.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\SysWOW64\nevadagenral.exe
  "C:\Windows\SysWOW64\nevadagenral.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2144

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/2144-9-0x0000000000110000-0x000000000011F000-memory.dmp

Filesize
60KB

Download
memory/2144-14-0x0000000000120000-0x000000000012F000-memory.dmp

Filesize
60KB

Download
memory/2144-10-0x0000000000120000-0x000000000012F000-memory.dmp

Filesize
60KB

Download
memory/2144-15-0x0000000000330000-0x0000000000340000-memory.dmp

Filesize
64KB

Download
memory/2144-16-0x0000000000110000-0x000000000011F000-memory.dmp

Filesize
60KB

Download
memory/2484-0-0x00000000002D0000-0x00000000002DF000-memory.dmp

Filesize
60KB

Download
memory/2484-1-0x00000000003E0000-0x00000000003EF000-memory.dmp

Filesize
60KB

Download
memory/2484-5-0x00000000003E0000-0x00000000003EF000-memory.dmp

Filesize
60KB

Download
memory/2484-6-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/2484-8-0x00000000002D0000-0x00000000002DF000-memory.dmp

Filesize
60KB

Download
memory/2484-7-0x00000000009B0000-0x00000000009DB000-memory.dmp

Filesize
172KB

Download