emotet | 4a8692be9a1585c9eee64cadf16aed09c3b3e75cc6e0c4220935e9e57f54ba50 | Triage

Analysis

max time kernel
54s
max time network
140s
platform
windows10_x64
resource
win10-20220414-en
submitted
14-05-2022 15:03

Sharing

Report Analysis Logs

General

Target

4a8692be9a1585c9eee64cadf16aed09c3b3e75cc6e0c4220935e9e57f54ba50.dll
Size

532KB
MD5

26dd23d9fd20a8514a42a84759678381
SHA1

01ebc0f7ea50110899fb5ead52ab6b8a8b64f2fb
SHA256

4a8692be9a1585c9eee64cadf16aed09c3b3e75cc6e0c4220935e9e57f54ba50
SHA512

f2a6fab1440606eda557ee27ac769e322588d470a058881862cffde455bcc84e5bbdb191aafceb4f8aaab7ee4fb94537519ae2db1752eb2e33306176a31ee58f

Score

10^/10

emotet banker suricata trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

2676 regsvr32.exe
2676 regsvr32.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

regsvr32.exe

pid process

2532 regsvr32.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 2532 wrote to memory of 2676	2532	regsvr32.exe	regsvr32.exe
PID 2532 wrote to memory of 2676	2532	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\4a8692be9a1585c9eee64cadf16aed09c3b3e75cc6e0c4220935e9e57f54ba50.dll
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2532

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\NTecphDOOVR\dQQBE.dll"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2676

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2532-117-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download
memory/2676-122-0x0000000000000000-mapping.dmp

Download