emotet | 679c910b36a607bd704049c9d7a30c1d0c4c04c6b9d23b7658e6bd2d0d7bd1a6 | Triage

Analysis

max time kernel
55s
max time network
139s
platform
windows10_x64
resource
win10-20220414-en
submitted
14-05-2022 13:47

Sharing

Report Analysis Logs

General

Target

679c910b36a607bd704049c9d7a30c1d0c4c04c6b9d23b7658e6bd2d0d7bd1a6.dll
Size

532KB
MD5

a01d53f3965ba24910940ff79a9fb93b
SHA1

6c79643322975b6df1ad6a2632b6027b49fa9f9e
SHA256

679c910b36a607bd704049c9d7a30c1d0c4c04c6b9d23b7658e6bd2d0d7bd1a6
SHA512

99a4131380666f9e42fda1a6507fb8715f0b45606302642bf3e3c658617c1af0d538203d55ef09412ba56153db881210586c0e8bed1007d45cb5e674bdb82f17

Score

10^/10

emotet banker suricata trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

2784 regsvr32.exe
2784 regsvr32.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

regsvr32.exe

pid process

2328 regsvr32.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 2328 wrote to memory of 2784	2328	regsvr32.exe	regsvr32.exe
PID 2328 wrote to memory of 2784	2328	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\679c910b36a607bd704049c9d7a30c1d0c4c04c6b9d23b7658e6bd2d0d7bd1a6.dll
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2328

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\TefGaiQqcjDKX\UtTvnvubU.dll"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2784

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2328-118-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download
memory/2784-123-0x0000000000000000-mapping.dmp

Download