emotet | 813877bb7f4d81ccc4c1be2905894a587e82dbd34d36a2eccfa279aa56e4c687 | Triage

Analysis

max time kernel
76s
max time network
147s
platform
windows10_x64
resource
win10-20220414-en
submitted
14-05-2022 15:00

Sharing

Report Analysis Logs

General

Target

813877bb7f4d81ccc4c1be2905894a587e82dbd34d36a2eccfa279aa56e4c687.dll
Size

532KB
MD5

ffe19dd7258fbd01e5265940323ae3df
SHA1

bb07ec6432bbaec1d431d5def837b7401ce83829
SHA256

813877bb7f4d81ccc4c1be2905894a587e82dbd34d36a2eccfa279aa56e4c687
SHA512

2bb7dbfde771374270efe43465462f4eb67b415096b3df3e6e545864ebe080733998d154529919f2abf4e39a916e6bb65a6e2b15ac079d06874b4f4115b4c254

Score

10^/10

emotet banker suricata trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

4100 regsvr32.exe
4100 regsvr32.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

regsvr32.exe

pid process

3896 regsvr32.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 3896 wrote to memory of 4100	3896	regsvr32.exe	regsvr32.exe
PID 3896 wrote to memory of 4100	3896	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\813877bb7f4d81ccc4c1be2905894a587e82dbd34d36a2eccfa279aa56e4c687.dll
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3896

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\QBVlKS\kMsciYLDtTwsSJh.dll"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4100

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3896-114-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download
memory/4100-119-0x0000000000000000-mapping.dmp

Download