emotet | 7c1d4923d7f9b0beaf6e1632b5eb0a1bbeeee4cb9aec2e6e43b00486d4754329 | Triage

Analysis

max time kernel
55s
max time network
144s
platform
windows10_x64
resource
win10-20220414-en
submitted
14-05-2022 14:59

Sharing

Report Analysis Logs

General

Target

7c1d4923d7f9b0beaf6e1632b5eb0a1bbeeee4cb9aec2e6e43b00486d4754329.dll
Size

532KB
MD5

3855a2805febf9b9e45ae13e0c90650e
SHA1

41641016dc37299aef7b4bcec6ae8f77cc09fb0e
SHA256

7c1d4923d7f9b0beaf6e1632b5eb0a1bbeeee4cb9aec2e6e43b00486d4754329
SHA512

bbaee549ced122da27692ef31c8b22fe1bf9bcb7d8606638a5c6f84e89d31fe11175d6b0b07f9ad07becd35bba0815425c58463b21aeb46563864cc9eb885b1f

Score

10^/10

emotet banker suricata trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

1052 regsvr32.exe
1052 regsvr32.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

regsvr32.exe

pid process

936 regsvr32.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 936 wrote to memory of 1052	936	regsvr32.exe	regsvr32.exe
PID 936 wrote to memory of 1052	936	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7c1d4923d7f9b0beaf6e1632b5eb0a1bbeeee4cb9aec2e6e43b00486d4754329.dll
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:936

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\QUgmUINGf\InNoZuoLvfwUnE.dll"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1052

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/936-118-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download
memory/1052-123-0x0000000000000000-mapping.dmp

Download