emotet | 5971ecacc3c38a51a640d1ff69f7de46324ddc89244df6cb7e5974a4c4fdb3a2 | Triage

Analysis

max time kernel
53s
max time network
141s
platform
windows10_x64
resource
win10-20220414-en
submitted
14-05-2022 13:30

Sharing

Report Analysis Logs

General

Target

5971ecacc3c38a51a640d1ff69f7de46324ddc89244df6cb7e5974a4c4fdb3a2.dll
Size

538KB
MD5

d273f3a93e6691f5606cadddfb34e092
SHA1

38023d53fd519d7fa91665d1de0f71aba7629417
SHA256

5971ecacc3c38a51a640d1ff69f7de46324ddc89244df6cb7e5974a4c4fdb3a2
SHA512

359f3b276bd60696ac7c74a370106659b36075d11ada6b2b97dd3da4f117e8700a5996aeb26af13cdfe9217c92e35941dc5eb4bdbac064f2efe4f3cdad34459c

Score

10^/10

emotet banker suricata trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

2384 regsvr32.exe
2384 regsvr32.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

regsvr32.exe

pid process

1920 regsvr32.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 1920 wrote to memory of 2384	1920	regsvr32.exe	regsvr32.exe
PID 1920 wrote to memory of 2384	1920	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\5971ecacc3c38a51a640d1ff69f7de46324ddc89244df6cb7e5974a4c4fdb3a2.dll
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Windows\system32\regsvr32.exe
  C:\Windows\system32\regsvr32.exe "C:\Windows\system32\JUUlkc\DLcDkG.dll"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2384

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1920-117-0x0000000180000000-0x0000000180032000-memory.dmp

Filesize
200KB

Download
memory/2384-122-0x0000000000000000-mapping.dmp

Download