emotet | 7c62bc62922feb27ef8eb84ad59dc5742fe12d25382253ff746c7c04edee6901 | Triage

Analysis

max time kernel
75s
max time network
142s
platform
windows10_x64
resource
win10-20220414-en
submitted
14-05-2022 13:47

Sharing

Report Analysis Logs

General

Target

7c62bc62922feb27ef8eb84ad59dc5742fe12d25382253ff746c7c04edee6901.dll
Size

532KB
MD5

ee04bfc21fbf9e7e8eb297b9c4385d62
SHA1

0ea03848d461417acfd0fa48c45a4cee1ec97b45
SHA256

7c62bc62922feb27ef8eb84ad59dc5742fe12d25382253ff746c7c04edee6901
SHA512

5c9eab2509ec2294a326c09226e6f92e9a62408bed50a91f6231d10adfa4a5665e6c99744c6abca9ecc168fa6cc6f5c73273c0622311ed526415589e14db621b

Score

10^/10

emotet banker suricata trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

2760 regsvr32.exe
2760 regsvr32.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

regsvr32.exe

pid process

2384 regsvr32.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 2384 wrote to memory of 2760	2384	regsvr32.exe	regsvr32.exe
PID 2384 wrote to memory of 2760	2384	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7c62bc62922feb27ef8eb84ad59dc5742fe12d25382253ff746c7c04edee6901.dll
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\system32\regsvr32.exe
  C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ITOlYOCv\lZhvZiQwPXjaFv.dll"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2760

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2384-118-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download
memory/2760-123-0x0000000000000000-mapping.dmp

Download