emotet | 6ba98b281334cb744333cfb623405fc9bbdd933f28c5ca3906ae9088d04b7273 | Triage

Analysis

max time kernel
299s
max time network
303s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/11/2022, 21:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e5-d2404d9db2b667e83c0454c94fa564b3.dll
Size

809KB
MD5

d2404d9db2b667e83c0454c94fa564b3
SHA1

2d57c978110cb05f8ffc3cfdad4888b7139b1f32
SHA256

6ba98b281334cb744333cfb623405fc9bbdd933f28c5ca3906ae9088d04b7273
SHA512

125624718579b2ce9d6450826707ab4aa9f6cab608dd80b8429fbbd63fc32fce55f5a51cb296f3b81e53778fa57a7b3e0308c156a5d349b9f4eb176a24dd6fc5
SSDEEP

24576:fp7r9TOZH6Xf/Xfs11IWzsf6gB/d833dBG:hX9qZH4f01IWzsSgRw3C

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1192	regsvr32.exe
792	regsvr32.exe
792	regsvr32.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1192	regsvr32.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 792	1192	regsvr32.exe	27
PID 1192 wrote to memory of 792	1192	regsvr32.exe	27
PID 1192 wrote to memory of 792	1192	regsvr32.exe	27
PID 1192 wrote to memory of 792	1192	regsvr32.exe	27
PID 1192 wrote to memory of 792	1192	regsvr32.exe	27

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\e5-d2404d9db2b667e83c0454c94fa564b3.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Windows\system32\regsvr32.exe
  C:\Windows\system32\regsvr32.exe "C:\Windows\system32\UjowuaCBgpMgbNpFG\ucjJwPdJ.dll"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:792

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1192-54-0x000007FEFC391000-0x000007FEFC393000-memory.dmp

Filesize
8KB

Download
memory/1192-55-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download