emotet | 832e1d5e07406e337e2ac065b7c3d81d24c7bc5b4e6c93d238e4d9befad3eb61 | Triage

Analysis

max time kernel
54s
max time network
146s
platform
windows10_x64
resource
win10-20220414-en
submitted
14-05-2022 14:44

Sharing

Report Analysis Logs

General

Target

832e1d5e07406e337e2ac065b7c3d81d24c7bc5b4e6c93d238e4d9befad3eb61.dll
Size

538KB
MD5

a7447bd149453a116ce988d38b0e6f19
SHA1

2905facabc9ff90178fc8d0da3b5bd989828e375
SHA256

832e1d5e07406e337e2ac065b7c3d81d24c7bc5b4e6c93d238e4d9befad3eb61
SHA512

53596d57490a6480d9d7641f8b38b8e488b5fa878a9fb827a8922ca69a6c6c0dfeedf7575d73df1fb1e0c6f49c6a3475961d6c7ba6cf3259193855fd81963982

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

4656 regsvr32.exe
4656 regsvr32.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

regsvr32.exe

pid process

2860 regsvr32.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 2860 wrote to memory of 4656	2860	regsvr32.exe	regsvr32.exe
PID 2860 wrote to memory of 4656	2860	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\832e1d5e07406e337e2ac065b7c3d81d24c7bc5b4e6c93d238e4d9befad3eb61.dll
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2860

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\GGmETnxYtkUtU\kIvhxNujgzTlsMU.dll"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4656

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2860-114-0x0000000180000000-0x0000000180032000-memory.dmp

Filesize
200KB

Download
memory/4656-119-0x0000000000000000-mapping.dmp

Download