emotet | b5db7a6e39a94016cbbb235874b7c6d1ce75db3a3028fa6945587e4d8314f907 | Triage

Analysis

max time kernel
52s
max time network
137s
platform
windows10_x64
resource
win10-20220414-en
submitted
14-05-2022 14:59

Sharing

Report Analysis Logs

General

Target

b5db7a6e39a94016cbbb235874b7c6d1ce75db3a3028fa6945587e4d8314f907.dll
Size

532KB
MD5

62d9c1e0f52acb679f59315008d99125
SHA1

e4e8958a3386d07ebbf83a5337ca0f0b6e8252f2
SHA256

b5db7a6e39a94016cbbb235874b7c6d1ce75db3a3028fa6945587e4d8314f907
SHA512

533b0ec414a158d54c431d6f8bbc6933f5c9bc6e03ac7f3384b2721c0920aae0e6e03440d016a2f5b6c973b78698139f88a7166d1b0bd0c85df473a59054ed61

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

392 regsvr32.exe
392 regsvr32.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

regsvr32.exe

pid process

3176 regsvr32.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 3176 wrote to memory of 392	3176	regsvr32.exe	regsvr32.exe
PID 3176 wrote to memory of 392	3176	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b5db7a6e39a94016cbbb235874b7c6d1ce75db3a3028fa6945587e4d8314f907.dll
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3176

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\BwasY\fkWloddlNm.dll"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:392

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/392-122-0x0000000000000000-mapping.dmp

Download
memory/3176-117-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download