emotet | eb543cbb9105448e57a3c791a39a8988287bc66770b997a8c3e5898e981dba78 | Triage

Analysis

max time kernel
51s
max time network
135s
platform
windows10_x64
resource
win10-20220414-en
submitted
14-05-2022 14:31

Sharing

Report Analysis Logs

General

Target

eb543cbb9105448e57a3c791a39a8988287bc66770b997a8c3e5898e981dba78.dll
Size

532KB
MD5

f752a534d34e65f93e071f66f3b5ea02
SHA1

1c5c0b51aac9b86ed89ea3e90003c6590d329797
SHA256

eb543cbb9105448e57a3c791a39a8988287bc66770b997a8c3e5898e981dba78
SHA512

877d353a7dce7c73d5ab419025e4de031512ec15271f1f913a774d7155fcb213e632da0d63d42e76453462d3cfb8cc239654a71088918ef8d23d775ae8925bf5

Score

10^/10

emotet banker suricata trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

4612 regsvr32.exe
4612 regsvr32.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

regsvr32.exe

pid process

3128 regsvr32.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 3128 wrote to memory of 4612	3128	regsvr32.exe	regsvr32.exe
PID 3128 wrote to memory of 4612	3128	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\eb543cbb9105448e57a3c791a39a8988287bc66770b997a8c3e5898e981dba78.dll
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3128

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\PcxiZqZb\MmIW.dll"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4612

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3128-114-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download
memory/4612-119-0x0000000000000000-mapping.dmp

Download