emotet | c6352bc272cd568c6b65472d25d77588556b0aa40d49e1ce1b94f41b9caa3f83 | Triage

Analysis

max time kernel
83s
max time network
141s
platform
windows10_x64
resource
win10-20220414-en
submitted
14-05-2022 14:28

Sharing

Report Analysis Logs

General

Target

c6352bc272cd568c6b65472d25d77588556b0aa40d49e1ce1b94f41b9caa3f83.dll
Size

538KB
MD5

973bf8dc2f231a25daa85ab84112b81a
SHA1

9e9823eda5595509e7b3d77a73d18c90d1292356
SHA256

c6352bc272cd568c6b65472d25d77588556b0aa40d49e1ce1b94f41b9caa3f83
SHA512

afe4cd4559b10eec9fc93902be73572fdfedcc3180d834fc9d12ced9dd204d48f8a66fa1c5c4aec9d7251502f8eb22290fa7d387f3577fcb16953b0d09522791

Score

10^/10

emotet banker suricata trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

628 regsvr32.exe
628 regsvr32.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

regsvr32.exe

pid process

2700 regsvr32.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 2700 wrote to memory of 628	2700	regsvr32.exe	regsvr32.exe
PID 2700 wrote to memory of 628	2700	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\c6352bc272cd568c6b65472d25d77588556b0aa40d49e1ce1b94f41b9caa3f83.dll
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2700

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\KZOChrmjV\CdxuFqOcbnSckf.dll"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:628

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/628-124-0x0000000000000000-mapping.dmp

Download
memory/2700-119-0x0000000180000000-0x0000000180032000-memory.dmp

Filesize
200KB

Download