emotet | 0ec2a2a227dc8820d737aa67cfa11181ec34259042b4db0fb73f07ae04dec26a | Triage

Analysis

max time kernel
55s
max time network
147s
platform
windows10_x64
resource
win10-20220414-en
submitted
14-05-2022 15:00

Sharing

Report Analysis Logs

General

Target

0ec2a2a227dc8820d737aa67cfa11181ec34259042b4db0fb73f07ae04dec26a.dll
Size

538KB
MD5

53990c7d6660491c7af59f78b3e22ce4
SHA1

10b09872c66094eca925a126a4d58a922a77f513
SHA256

0ec2a2a227dc8820d737aa67cfa11181ec34259042b4db0fb73f07ae04dec26a
SHA512

85ded2299faf9ce69d65bca6b6211068cd62cc2c94fe1d64c7b6d2d52994c61a706ff59629bae1406164ae942c1ac41bc214199fdc41c9b704c49948c0ecbd51

Score

10^/10

emotet banker suricata trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

1016 regsvr32.exe
1016 regsvr32.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

regsvr32.exe

pid process

3984 regsvr32.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 3984 wrote to memory of 1016	3984	regsvr32.exe	regsvr32.exe
PID 3984 wrote to memory of 1016	3984	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0ec2a2a227dc8820d737aa67cfa11181ec34259042b4db0fb73f07ae04dec26a.dll
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3984

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\SGEKAwfjWVrIfv\eMcK.dll"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1016

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1016-121-0x0000000000000000-mapping.dmp

Download
memory/3984-116-0x0000000180000000-0x0000000180032000-memory.dmp

Filesize
200KB

Download