emotet | 816720a67eccfdba29cdf52573f8a3787f3888f039820519a1eb24c1b2bce743 | Triage

Analysis

max time kernel
148s
max time network
151s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/11/2022, 01:34

Sharing

Report Analysis Logs

General

Target

kdpByAbuC.dll
Size

629KB
MD5

cb967e5bc94016585b22a06f1497082e
SHA1

0e43edf6427023d02fc952d111402bc4a4781fba
SHA256

816720a67eccfdba29cdf52573f8a3787f3888f039820519a1eb24c1b2bce743
SHA512

940130d4ecd980d5d3d5b0e77d4b7fd503c7cabd0a6c33b0cbc8976bf55161de177c602ec171d9925c33d2fac3efbe3d50f6c29f8e356703a7164c6edd5f0ce7
SSDEEP

12288:6tGis7p49VmD3OjG7QbBtL05WhNye5JHKVu6cig1Doa:6tGis1T3OjueLzhd5NKAD3

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1688	regsvr32.exe
1136	regsvr32.exe
1136	regsvr32.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1688	regsvr32.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 1136	1688	regsvr32.exe	27
PID 1688 wrote to memory of 1136	1688	regsvr32.exe	27
PID 1688 wrote to memory of 1136	1688	regsvr32.exe	27
PID 1688 wrote to memory of 1136	1688	regsvr32.exe	27
PID 1688 wrote to memory of 1136	1688	regsvr32.exe	27

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\kdpByAbuC.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\system32\regsvr32.exe
  C:\Windows\system32\regsvr32.exe "C:\Windows\system32\WKPIQwCFtKAbNkoLV\iQZleBxgzGcegiO.dll"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1136

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1688-54-0x000007FEFB6A1000-0x000007FEFB6A3000-memory.dmp

Filesize
8KB

Download
memory/1688-55-0x0000000180000000-0x000000018002F000-memory.dmp

Filesize
188KB

Download