emotet | a2a093a98781db8001734b4edb88bfdbf7750cf4aeb4cdf73ff4c1091a5e74ce | Triage

Analysis

max time kernel
157s
max time network
169s
platform
windows10_x64
resource
win10-20220414-en
submitted
14-05-2022 13:51

Sharing

Report Analysis Logs

General

Target

a2a093a98781db8001734b4edb88bfdbf7750cf4aeb4cdf73ff4c1091a5e74ce.dll
Size

532KB
MD5

2efd07c9f759bb2198e1ae26ced213c0
SHA1

c35cf7744a7b4ef6793ca8ee07be4094623580f1
SHA256

a2a093a98781db8001734b4edb88bfdbf7750cf4aeb4cdf73ff4c1091a5e74ce
SHA512

d0adc3262eddc97e128919978cea705d5e56c4a34aa291322205dc82baa697503b66ccb58331a285f2819a050cfb024b66b252d0f020d472dc8e744542e2f24a

Score

10^/10

emotet banker suricata trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

2688 regsvr32.exe
2688 regsvr32.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

regsvr32.exe

pid process

2404 regsvr32.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 2404 wrote to memory of 2688	2404	regsvr32.exe	regsvr32.exe
PID 2404 wrote to memory of 2688	2404	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\a2a093a98781db8001734b4edb88bfdbf7750cf4aeb4cdf73ff4c1091a5e74ce.dll
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2404

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\QhJUrLcK\HjKpoCIqB.dll"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2688

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2404-118-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download
memory/2688-123-0x0000000000000000-mapping.dmp

Download