emotet | 2d01f6f379d029362d1257d7186015d73af0f984d3e08634af25681217919dc7 | Triage

Analysis

max time kernel
146s
max time network
149s
platform
windows10_x64
resource
win10-20220414-en
submitted
13-05-2022 10:07

Sharing

Report Analysis Logs

General

Target

2d01f6f379d029362d1257d7186015d73af0f984d3e08634af25681217919dc7.dll
Size

532KB
MD5

a3148a27064f5c1d41e2ac03e1d7dc5f
SHA1

82349f44db3ab94a898f6429a8ea73be18e72ecb
SHA256

2d01f6f379d029362d1257d7186015d73af0f984d3e08634af25681217919dc7
SHA512

e2174a15d20e7edff7a99f3b4050cff50a09acd8a4e833baf5be7daf2aeae60aae83973703309f283c8c6ecbbaa0aa848c35edec5aecb1fc749678e657b3988b

Score

10^/10

emotet banker suricata trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2580	regsvr32.exe
2580	regsvr32.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2308	regsvr32.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 2580	2308	regsvr32.exe	67
PID 2308 wrote to memory of 2580	2308	regsvr32.exe	67

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\2d01f6f379d029362d1257d7186015d73af0f984d3e08634af25681217919dc7.dll
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Windows\system32\regsvr32.exe
  C:\Windows\system32\regsvr32.exe "C:\Windows\system32\JRUDraydlw\nLkqSCWcpWzTM.dll"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2580

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2308-118-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download