emotet | f74f6562b30b702ec39647e1807da49a5d013bb50888a7f03e6022d5b7c1b6bb | Triage

Analysis

max time kernel
83s
max time network
137s
platform
windows10_x64
resource
win10-20220414-en
submitted
14-05-2022 14:27

Sharing

Report Analysis Logs

General

Target

f74f6562b30b702ec39647e1807da49a5d013bb50888a7f03e6022d5b7c1b6bb.dll
Size

532KB
MD5

f71bf83474d04c51cfe5387a79143988
SHA1

4672ead9689ae47fc9c2ba0080da37e6a13dc342
SHA256

f74f6562b30b702ec39647e1807da49a5d013bb50888a7f03e6022d5b7c1b6bb
SHA512

fba78dfb49176a3dd1649348147b1193890b64f67acb3761513cde9c489135eeb8d3b66c1e70dbe2980400710af87634152689969b9eb6572cfed0c0e08aa598

Score

10^/10

emotet banker suricata trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

680 regsvr32.exe
680 regsvr32.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

regsvr32.exe

pid process

2692 regsvr32.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 2692 wrote to memory of 680	2692	regsvr32.exe	regsvr32.exe
PID 2692 wrote to memory of 680	2692	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\f74f6562b30b702ec39647e1807da49a5d013bb50888a7f03e6022d5b7c1b6bb.dll
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2692

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\VvUXOjtJlAe\EytXFHnWvgNq.dll"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:680

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/680-123-0x0000000000000000-mapping.dmp

Download
memory/2692-118-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download