emotet | b09fc1f93c54f755f7401082b7f0908ebf1dbf92bca25f6d38170e4774c78779 | Triage

Analysis

max time kernel
52s
max time network
148s
platform
windows10_x64
resource
win10-20220414-en
submitted
14-05-2022 14:48

Sharing

Report Analysis Logs

General

Target

b09fc1f93c54f755f7401082b7f0908ebf1dbf92bca25f6d38170e4774c78779.dll
Size

532KB
MD5

3e32f5358f9fa4a7ff5962889ecdfbcd
SHA1

082ec86d6a25b563d8d855609fd97ee142f82055
SHA256

b09fc1f93c54f755f7401082b7f0908ebf1dbf92bca25f6d38170e4774c78779
SHA512

f644c21799529827d7e6194374f84cc1aeee26b5d5d73396bf8fe673dc6ed98de49a26ad7d597b7616a29025ff0087a5f7b0b531fb9849dfa73f34ceb26aafe7

Score

10^/10

emotet banker suricata trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

484 regsvr32.exe
484 regsvr32.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

regsvr32.exe

pid process

3028 regsvr32.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 3028 wrote to memory of 484	3028	regsvr32.exe	regsvr32.exe
PID 3028 wrote to memory of 484	3028	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b09fc1f93c54f755f7401082b7f0908ebf1dbf92bca25f6d38170e4774c78779.dll
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3028

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\BXEsUrxXzKs\zHCI.dll"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:484

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/484-124-0x0000000000000000-mapping.dmp

Download
memory/3028-119-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download