emotet | 417ea8a38b776801bc0547ba7ec36842c436974a0aab56fe41aff1ff8df57356 | Triage

Analysis

max time kernel
55s
max time network
138s
platform
windows10_x64
resource
win10-20220414-en
submitted
14-05-2022 14:28

Sharing

Report Analysis Logs

General

Target

417ea8a38b776801bc0547ba7ec36842c436974a0aab56fe41aff1ff8df57356.dll
Size

538KB
MD5

aae2511ecfdb0bd046c842419944a52d
SHA1

5ad05476e2d6d1e9ed2d19527364f211ce6f85c4
SHA256

417ea8a38b776801bc0547ba7ec36842c436974a0aab56fe41aff1ff8df57356
SHA512

ca9b70dc842df07c36786e190163377cf65d1ed3f06cf142abafabf685df16c259f57e349f12323ff698cdceb177dd685bbad46891310b640984aeacdd88cc4b

Score

10^/10

emotet banker suricata trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

1460 regsvr32.exe
1460 regsvr32.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

regsvr32.exe

pid process

912 regsvr32.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 912 wrote to memory of 1460	912	regsvr32.exe	regsvr32.exe
PID 912 wrote to memory of 1460	912	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\417ea8a38b776801bc0547ba7ec36842c436974a0aab56fe41aff1ff8df57356.dll
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\NOnnmsOXaQhFtq\sWQLfMcgdfTHP.dll"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1460

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/912-116-0x0000000180000000-0x0000000180032000-memory.dmp

Filesize
200KB

Download
memory/1460-121-0x0000000000000000-mapping.dmp

Download