emotet | 32242540fd8c6f20153fe60896aa51af1d2293adc55cfe7a87bed0537e459377 | Triage

Analysis

max time kernel
80s
max time network
146s
platform
windows10_x64
resource
win10-20220414-en
submitted
14-05-2022 14:56

Sharing

Report Analysis Logs

General

Target

32242540fd8c6f20153fe60896aa51af1d2293adc55cfe7a87bed0537e459377.dll
Size

532KB
MD5

87c29b518df691b026d28d13104cbca8
SHA1

c1dce0ec71b2432896e52e57338db22c7e732bfe
SHA256

32242540fd8c6f20153fe60896aa51af1d2293adc55cfe7a87bed0537e459377
SHA512

c76a1f0a8560881aaa24ebed5de3f8cf090531cdb55e00b9f2bdab43bb05f5c4834adbde1fdcce8ca23614b401b6e3e180ebdec57acc85c598197a8c842b94e6

Score

10^/10

emotet banker suricata trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

1276 regsvr32.exe
1276 regsvr32.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

regsvr32.exe

pid process

4084 regsvr32.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 4084 wrote to memory of 1276	4084	regsvr32.exe	regsvr32.exe
PID 4084 wrote to memory of 1276	4084	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\32242540fd8c6f20153fe60896aa51af1d2293adc55cfe7a87bed0537e459377.dll
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4084

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\VvRhaosqwrjAD\FpQVIv.dll"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1276

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1276-122-0x0000000000000000-mapping.dmp

Download
memory/4084-117-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download