emotet | fd85ea02d9846f305a9a7d9d58d3952c4ec701d3fda59d58591c3afc4b7709c8 | Triage

Analysis

max time kernel
143s
max time network
144s
platform
windows10_x64
resource
win10-20220414-en
submitted
14-05-2022 13:44

Sharing

Report Analysis Logs

General

Target

fd85ea02d9846f305a9a7d9d58d3952c4ec701d3fda59d58591c3afc4b7709c8.dll
Size

532KB
MD5

129aaf551d349e2268ca2c82e4e7fbb5
SHA1

c6c5ea6ccf8a3f55feff29dbdeb57725b7ed45ab
SHA256

fd85ea02d9846f305a9a7d9d58d3952c4ec701d3fda59d58591c3afc4b7709c8
SHA512

349cacbef9ef0473adbfbfee5f2fec4c81c4e85f855530db6d9a291fccfc3af10032331c5d51af061a8d64cc5e9f3fb545f782cd57a0215a214f7f4a0fe8a1fd

Score

10^/10

emotet banker suricata trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

2304 regsvr32.exe
2304 regsvr32.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

regsvr32.exe

pid process

1840 regsvr32.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 1840 wrote to memory of 2304	1840	regsvr32.exe	regsvr32.exe
PID 1840 wrote to memory of 2304	1840	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\fd85ea02d9846f305a9a7d9d58d3952c4ec701d3fda59d58591c3afc4b7709c8.dll
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1840

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\IlxZNC\ViLRIMQpkOOQpFu.dll"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2304

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1840-117-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download
memory/2304-122-0x0000000000000000-mapping.dmp

Download