emotet | 0119425e6f2986eb36aa9fa7548f09786b69f60295a2f0500ab912660e5b40ee | Triage

Analysis

max time kernel
54s
max time network
137s
platform
windows10_x64
resource
win10-20220414-en
submitted
14-05-2022 14:49

Sharing

Report Analysis Logs

General

Target

0119425e6f2986eb36aa9fa7548f09786b69f60295a2f0500ab912660e5b40ee.dll
Size

532KB
MD5

bf6cabd2a7f416a468961c604385f294
SHA1

6764adea4e159edfba1697585262ae657bc31b34
SHA256

0119425e6f2986eb36aa9fa7548f09786b69f60295a2f0500ab912660e5b40ee
SHA512

5b40fb52a8afca6d734bfb04406d782c123a337fc3d4c60f7f82dbf3d425500b312eb49b2cc5f0f0b67c9b1da2855b16a716f262fad6298f594a8fbded07eff4

Score

10^/10

emotet banker suricata trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

2180 regsvr32.exe
2180 regsvr32.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

regsvr32.exe

pid process

1792 regsvr32.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 1792 wrote to memory of 2180	1792	regsvr32.exe	regsvr32.exe
PID 1792 wrote to memory of 2180	1792	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0119425e6f2986eb36aa9fa7548f09786b69f60295a2f0500ab912660e5b40ee.dll
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\QFxhqoymeHPDUF\feanlgNXwzLk.dll"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2180

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1792-114-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download
memory/2180-119-0x0000000000000000-mapping.dmp

Download