emotet | 83c282f6482a1a35cf638a3dceefeb4a94ce7609e57734c67e3a0e46365fabd8 | Triage

Analysis

max time kernel
54s
max time network
137s
platform
windows10_x64
resource
win10-20220414-en
submitted
14-05-2022 14:59

Sharing

Report Analysis Logs

General

Target

83c282f6482a1a35cf638a3dceefeb4a94ce7609e57734c67e3a0e46365fabd8.dll
Size

532KB
MD5

b9d20bdf045211886a21b0abe7b3c110
SHA1

81445e19073782efefa3cde6a36790da0e099afa
SHA256

83c282f6482a1a35cf638a3dceefeb4a94ce7609e57734c67e3a0e46365fabd8
SHA512

52f9f869a92d3bc794819a8023a06834f71b528b2e13a3c421c5c845195dfbabbc2a72bc868988e3e1861c9734dded26b30ef8b67ab5841ba4328a4089ebf9bf

Score

10^/10

emotet banker suricata trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

2844 regsvr32.exe
2844 regsvr32.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

regsvr32.exe

pid process

2572 regsvr32.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 2572 wrote to memory of 2844	2572	regsvr32.exe	regsvr32.exe
PID 2572 wrote to memory of 2844	2572	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\83c282f6482a1a35cf638a3dceefeb4a94ce7609e57734c67e3a0e46365fabd8.dll
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2572

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\AJAlaw\uOQybT.dll"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2844

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2572-119-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download
memory/2844-124-0x0000000000000000-mapping.dmp

Download