emotet | e8586b9bb42c2945cfaa33c85b76e109d6daef2cd293d50389f39d85c3f6c9a9 | Triage

Analysis

max time kernel
56s
max time network
145s
platform
windows10_x64
resource
win10-20220414-en
submitted
14-05-2022 14:49

Sharing

Report Analysis Logs

General

Target

e8586b9bb42c2945cfaa33c85b76e109d6daef2cd293d50389f39d85c3f6c9a9.dll
Size

532KB
MD5

ee53a73aeb5d65a39075791f8e129f60
SHA1

efc457dbafc629cbb4d1c47e79e927acc6d8b0a4
SHA256

e8586b9bb42c2945cfaa33c85b76e109d6daef2cd293d50389f39d85c3f6c9a9
SHA512

6a41dcda00ab4d112fc767218f83692a66cf4278c7c5124e4c4985fcf1434ca47cd2c8220487f27b3217474dae893b6b365e3f9aaff5afd52ad546f9e93852ca

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

3052 regsvr32.exe
3052 regsvr32.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

regsvr32.exe

pid process

2776 regsvr32.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 2776 wrote to memory of 3052	2776	regsvr32.exe	regsvr32.exe
PID 2776 wrote to memory of 3052	2776	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\e8586b9bb42c2945cfaa33c85b76e109d6daef2cd293d50389f39d85c3f6c9a9.dll
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2776

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\QheYLoyiD\MLYuOFrmvkFpw.dll"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3052

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2776-114-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download
memory/3052-119-0x0000000000000000-mapping.dmp

Download