emotet | 8997ef91b7271ff02d95c68c8101d5b3008bc3da527bfe1d7dd03d425963b7c7 | Triage

Analysis

max time kernel
53s
max time network
139s
platform
windows10_x64
resource
win10-20220414-en
submitted
14-05-2022 14:27

Sharing

Report Analysis Logs

General

Target

8997ef91b7271ff02d95c68c8101d5b3008bc3da527bfe1d7dd03d425963b7c7.dll
Size

532KB
MD5

c79f3ea07d1c5621e5c52ae41ce2838f
SHA1

6f838ad4285ec3f494285b475dc344f348c1d7fe
SHA256

8997ef91b7271ff02d95c68c8101d5b3008bc3da527bfe1d7dd03d425963b7c7
SHA512

11bde3806df72ce1bb270be278ad4a37e668fbfed207222631d22fab56cd0cb4b736682de9365505298f52369844fcfd70572a0b801a7af89e67bc095593c37b

Score

10^/10

emotet banker suricata trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

2380 regsvr32.exe
2380 regsvr32.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

regsvr32.exe

pid process

1924 regsvr32.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 1924 wrote to memory of 2380	1924	regsvr32.exe	regsvr32.exe
PID 1924 wrote to memory of 2380	1924	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\8997ef91b7271ff02d95c68c8101d5b3008bc3da527bfe1d7dd03d425963b7c7.dll
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\DHrzR\PrNrwQPBXOOkQ.dll"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2380

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1924-117-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download
memory/2380-122-0x0000000000000000-mapping.dmp

Download