emotet | ac6ff653497ef0da394e6485c2a29b584c602ae1fbed0a5327737e756045cc68

Analysis

max time kernel
145s
max time network
156s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
13-07-2024 18:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eaf6bd6c1d144a187cbba7eac449431cd495d395.exe
Size

1.6MB
MD5

2af7051104bd1f3dfc2933a8babf9c7d
SHA1

eaf6bd6c1d144a187cbba7eac449431cd495d395
SHA256

2d3a46719f23e22fde8a87c70dfad0380276cc849e08f1a73c0071ade8765c67
SHA512

0580f8b8c14fcc5143d70f1778542e7b73c17a1ade80fe69834f9a0aaa7b348fbb023640ab679347c67005d694f90d1e71fe6de3037d449db40030bea186cb3f
SSDEEP

6144:SA2zzjthnX1GUeMiNjCHiHJKuuuuuuuduuuuuuu/uuuuuuu3QgYaQscx/1XuuuuN:SA0jvX1+JNj2ipagNj2ipagNj2ipat

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 1 IoCs

Processes:

ifacesame.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	ifacesame.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

eaf6bd6c1d144a187cbba7eac449431cd495d395.exeeaf6bd6c1d144a187cbba7eac449431cd495d395.exeifacesame.exeifacesame.exe

pid	process
4980	eaf6bd6c1d144a187cbba7eac449431cd495d395.exe
4980	eaf6bd6c1d144a187cbba7eac449431cd495d395.exe
696	eaf6bd6c1d144a187cbba7eac449431cd495d395.exe
696	eaf6bd6c1d144a187cbba7eac449431cd495d395.exe
200	ifacesame.exe
200	ifacesame.exe
2224	ifacesame.exe
2224	ifacesame.exe
2224	ifacesame.exe
2224	ifacesame.exe
2224	ifacesame.exe
2224	ifacesame.exe
2224	ifacesame.exe
2224	ifacesame.exe
2224	ifacesame.exe
2224	ifacesame.exe
2224	ifacesame.exe
2224	ifacesame.exe
2224	ifacesame.exe
2224	ifacesame.exe
2224	ifacesame.exe
2224	ifacesame.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

eaf6bd6c1d144a187cbba7eac449431cd495d395.exe

pid process

696 eaf6bd6c1d144a187cbba7eac449431cd495d395.exe

pid	process
696	eaf6bd6c1d144a187cbba7eac449431cd495d395.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

eaf6bd6c1d144a187cbba7eac449431cd495d395.exeifacesame.exe

description	pid	process	target process
PID 4980 wrote to memory of 696	4980	eaf6bd6c1d144a187cbba7eac449431cd495d395.exe	eaf6bd6c1d144a187cbba7eac449431cd495d395.exe
PID 4980 wrote to memory of 696	4980	eaf6bd6c1d144a187cbba7eac449431cd495d395.exe	eaf6bd6c1d144a187cbba7eac449431cd495d395.exe
PID 4980 wrote to memory of 696	4980	eaf6bd6c1d144a187cbba7eac449431cd495d395.exe	eaf6bd6c1d144a187cbba7eac449431cd495d395.exe
PID 200 wrote to memory of 2224	200	ifacesame.exe	ifacesame.exe
PID 200 wrote to memory of 2224	200	ifacesame.exe	ifacesame.exe
PID 200 wrote to memory of 2224	200	ifacesame.exe	ifacesame.exe

C:\Users\Admin\AppData\Local\Temp\eaf6bd6c1d144a187cbba7eac449431cd495d395.exe
"C:\Users\Admin\AppData\Local\Temp\eaf6bd6c1d144a187cbba7eac449431cd495d395.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4980

C:\Users\Admin\AppData\Local\Temp\eaf6bd6c1d144a187cbba7eac449431cd495d395.exe
"C:\Users\Admin\AppData\Local\Temp\eaf6bd6c1d144a187cbba7eac449431cd495d395.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
PID:696

C:\Windows\SysWOW64\ifacesame.exe
"C:\Windows\SysWOW64\ifacesame.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:200

C:\Windows\SysWOW64\ifacesame.exe
"C:\Windows\SysWOW64\ifacesame.exe"
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/200-18-0x0000000002E00000-0x0000000002E19000-memory.dmp

Filesize
100KB

Download
memory/200-30-0x0000000002DE0000-0x0000000002DF9000-memory.dmp

Filesize
100KB

Download
memory/200-22-0x0000000002DE0000-0x0000000002DF9000-memory.dmp

Filesize
100KB

Download
memory/200-23-0x0000000002E20000-0x0000000002E38000-memory.dmp

Filesize
96KB

Download
memory/696-10-0x0000000002BA0000-0x0000000002BB9000-memory.dmp

Filesize
100KB

Download
memory/696-15-0x00000000042A0000-0x00000000042B8000-memory.dmp

Filesize
96KB

Download
memory/696-14-0x0000000002B80000-0x0000000002B99000-memory.dmp

Filesize
100KB

Download
memory/696-31-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/696-32-0x0000000002B80000-0x0000000002B99000-memory.dmp

Filesize
100KB

Download
memory/2224-26-0x0000000002B90000-0x0000000002BA9000-memory.dmp

Filesize
100KB

Download
memory/4980-2-0x00000000025E0000-0x00000000025F9000-memory.dmp

Filesize
100KB

Download
memory/4980-7-0x0000000002600000-0x0000000002618000-memory.dmp

Filesize
96KB

Download
memory/4980-6-0x00000000025C0000-0x00000000025D9000-memory.dmp

Filesize
100KB

Download