emotet | 247da7a92e4efe5d8b853b103f81ec0842e6794a1be403871a48f6c285b13ae0 | Triage

Analysis

max time kernel
54s
max time network
141s
platform
windows10_x64
resource
win10-20220414-en
submitted
14-05-2022 14:35

Sharing

Report Analysis Logs

General

Target

247da7a92e4efe5d8b853b103f81ec0842e6794a1be403871a48f6c285b13ae0.dll
Size

532KB
MD5

e221e631f44009ca98f7af3209e33bb8
SHA1

1805a5b414ae1809f0ae32ab5a55b19488c0cc9f
SHA256

247da7a92e4efe5d8b853b103f81ec0842e6794a1be403871a48f6c285b13ae0
SHA512

dd6a2ca6a50d7b37c743a5fad19a8b89443afcef733040ff5e69b86da431b96b4f383e99396a5b1fd07cc0a77b6b90652ce3f1934cdcade0d2719a3d981876ca

Score

10^/10

emotet banker suricata trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

2196 regsvr32.exe
2196 regsvr32.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

regsvr32.exe

pid process

3192 regsvr32.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 3192 wrote to memory of 2196	3192	regsvr32.exe	regsvr32.exe
PID 3192 wrote to memory of 2196	3192	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\247da7a92e4efe5d8b853b103f81ec0842e6794a1be403871a48f6c285b13ae0.dll
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3192

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\UAxyKrcZXkb\ntnItWUSPONnnWR.dll"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2196

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2196-121-0x0000000000000000-mapping.dmp

Download
memory/3192-116-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download