emotet | 9f28366f6790d28630e10b5f1bd5717713abba69e2dfe28b9e1c1363b23ece9d | Triage

Analysis

max time kernel
55s
max time network
148s
platform
windows10_x64
resource
win10-20220414-en
submitted
14-05-2022 14:59

Sharing

Report Analysis Logs

General

Target

9f28366f6790d28630e10b5f1bd5717713abba69e2dfe28b9e1c1363b23ece9d.dll
Size

532KB
MD5

51337b6b79a1031b408dbf98c55f55ab
SHA1

dd524db67a445c309a9ad51eb0f4de9558d6f5b6
SHA256

9f28366f6790d28630e10b5f1bd5717713abba69e2dfe28b9e1c1363b23ece9d
SHA512

9275de88b80be02810ab1c639edfe3cdbe0a94e9002f41d3d1796a2bdf2b3dd0def6b8a98461235b7bc5f31393e210793c0aa97a6986f100a5de6ea812d7e453

Score

10^/10

emotet banker suricata trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

1500 regsvr32.exe
1500 regsvr32.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

regsvr32.exe

pid process

1888 regsvr32.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 1888 wrote to memory of 1500	1888	regsvr32.exe	regsvr32.exe
PID 1888 wrote to memory of 1500	1888	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\9f28366f6790d28630e10b5f1bd5717713abba69e2dfe28b9e1c1363b23ece9d.dll
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\NyXDjYNJ\UHGTxHUqB.dll"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1500

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1500-124-0x0000000000000000-mapping.dmp

Download
memory/1888-119-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download