emotet | 4fef4af097a84e95f901d3b35dc5638a1e50f432cb758165c70aab89b81d0fc8 | Triage

Analysis

max time kernel
73s
max time network
134s
platform
windows10_x64
resource
win10-20220414-en
submitted
14-05-2022 15:06

Sharing

Report Analysis Logs

General

Target

4fef4af097a84e95f901d3b35dc5638a1e50f432cb758165c70aab89b81d0fc8.dll
Size

532KB
MD5

1e34e15df8ba31aa5c06e38d65476011
SHA1

a44104314277e58a3f2bc281a744302bb4742bc0
SHA256

4fef4af097a84e95f901d3b35dc5638a1e50f432cb758165c70aab89b81d0fc8
SHA512

02fe2e5aee33e44e1fd89998d5c172de7c4a6971e2c1d9aaa89d3208147440d5e49f78275624ab0bc1c6ae3bd768e6c45dbced5dadc8fffabdf7af37f1a8c406

Score

10^/10

emotet banker suricata trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

4404 regsvr32.exe
4404 regsvr32.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

regsvr32.exe

pid process

4692 regsvr32.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 4692 wrote to memory of 4404	4692	regsvr32.exe	regsvr32.exe
PID 4692 wrote to memory of 4404	4692	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\4fef4af097a84e95f901d3b35dc5638a1e50f432cb758165c70aab89b81d0fc8.dll
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4692

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\OwxWAbmgnd\wDPtHUiYNiLzJ.dll"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4404

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4404-122-0x0000000000000000-mapping.dmp

Download
memory/4692-117-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download