Analysis
- max time kernel: 3s
- max time network: 12s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 13-01-2021 16:08
Static task: static1
Behavioral task: behavioral1
- Sample: emotet_exe_e1_421ff01b5042dfcb6d9d1c4f7f662183c8b95643a66730ec9313532b2e84732a_2021-01-13__160659.exe.dll
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: emotet_exe_e1_421ff01b5042dfcb6d9d1c4f7f662183c8b95643a66730ec9313532b2e84732a_2021-01-13__160659.exe.dll
- Resource: win10v20201028
General
- Target: emotet_exe_e1_421ff01b5042dfcb6d9d1c4f7f662183c8b95643a66730ec9313532b2e84732a_2021-01-13__160659.exe.dll
- Size: 271KB
- MD5: c5bf1ae52c331e48c80c0cd42c769f98
- SHA1: 961fd84f3743df730cb6d93fd30409351fa0bb58
- SHA256: 421ff01b5042dfcb6d9d1c4f7f662183c8b95643a66730ec9313532b2e84732a
- SHA512: 26b1f5a20153b0dcf8eb8358b4018fbc7d3d997a951651753020022640935e8f27941ab7fc589966fcb011d8b000286ac96335ef6b08af9255b586775e5e9804
Malware Config
Signatures
- Modifies registry class (13 IoCs)
  Processes (description | ioc | process):
  1. Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Windows.Recipe\FullDetails = "prop:System.PropGroup.Description;System.Title;System.Author;System.Comment;System.Keywords;System.Rating;Microsoft.SampleRecipe.Difficulty;System.PropGroup.FileSystem;System.ItemNameDisplay;System.ItemType;System.ItemFolderPathDisplay;System.Size;System.DateCreated;System.DateModified;System.DateAccessed;System.FileAttributes;System.OfflineAvailability;System.OfflineStatus;System.SharedWith;System.FileOwner;System.ComputerName" | regsvr32.exe
  2. Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{50D9450F-2A80-4F08-93B9-2EB526477D1A}\ = "Recipe (.recipe) Property Handler" | regsvr32.exe
  3. Key created | \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{50D9450F-2A80-4F08-93B9-2EB526477D1A}\InProcServer32 | regsvr32.exe
  4. Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{50D9450F-2A80-4F08-93B9-2EB526477D1A}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\emotet_exe_e1_421ff01b5042dfcb6d9d1c4f7f662183c8b95643a66730ec9313532b2e84732a_2021-01-13__160659.exe.dll" | regsvr32.exe
  5. Key created | \REGISTRY\MACHINE\Software\Classes\Windows.Recipe | regsvr32.exe
  6. Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Windows.Recipe\InfoTip = "prop:System.ItemType;System.Author;System.Rating;Microsoft.SampleRecipe.Difficulty" | regsvr32.exe
  7. Key created | \REGISTRY\MACHINE\Software\Classes\.recipe | regsvr32.exe
  8. Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.recipe\ = "Windows.Recipe" | regsvr32.exe
  9. Key created | \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{50D9450F-2A80-4F08-93B9-2EB526477D1A} | regsvr32.exe
  10. Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{50D9450F-2A80-4F08-93B9-2EB526477D1A}\InProcServer32\ThreadingModel = "Both" | regsvr32.exe
  11. Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{50D9450F-2A80-4F08-93B9-2EB526477D1A}\ManualSafeSave = "1" | regsvr32.exe
  12. Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Windows.Recipe\PreviewDetails = "prop:System.DateChanged;System.Author;System.Keywords;Microsoft.SampleRecipe.Difficulty; System.Rating;System.Comment;System.Size;System.ItemFolderPathDisplay;System.DateCreated" | regsvr32.exe
  13. Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Windows.Recipe\PreviewTitle = "prop:System.Title;System.ItemType" | regsvr32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (description | pid | process | target process):
  1. PID 1120 wrote to memory of 1988 | 1120 | regsvr32.exe | regsvr32.exe
  2. PID 1120 wrote to memory of 1988 | 1120 | regsvr32.exe | regsvr32.exe
  3. PID 1120 wrote to memory of 1988 | 1120 | regsvr32.exe | regsvr32.exe
  4. PID 1120 wrote to memory of 1988 | 1120 | regsvr32.exe | regsvr32.exe
  5. PID 1120 wrote to memory of 1988 | 1120 | regsvr32.exe | regsvr32.exe
  6. PID 1120 wrote to memory of 1988 | 1120 | regsvr32.exe | regsvr32.exe
  7. PID 1120 wrote to memory of 1988 | 1120 | regsvr32.exe | regsvr32.exe
Processes
1. C:\Windows\system32\regsvr32.exe
   Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\emotet_exe_e1_421ff01b5042dfcb6d9d1c4f7f662183c8b95643a66730ec9313532b2e84732a_2021-01-13__160659.exe.dll
   PID: 1120
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\regsvr32.exe (child of process 1)
      Command line: /s C:\Users\Admin\AppData\Local\Temp\emotet_exe_e1_421ff01b5042dfcb6d9d1c4f7f662183c8b95643a66730ec9313532b2e84732a_2021-01-13__160659.exe.dll
      PID: 1988
      - Modifies registry class
Network
MITRE ATT&CK Matrix
Downloads
- memory/1988-2-0x0000000000000000-mapping.dmp