421ff01b5042dfcb6d9d1c4f7f662183c8b95643a66730ec9313532b2e84732a | Triage

Analysis

max time kernel
62s
max time network
124s
platform
windows10_x64
resource
win10v20201028
submitted
13-01-2021 16:08

Sharing

Report Analysis Logs

General

Target

emotet_exe_e1_421ff01b5042dfcb6d9d1c4f7f662183c8b95643a66730ec9313532b2e84732a_2021-01-13__160659.exe.dll
Size

271KB
MD5

c5bf1ae52c331e48c80c0cd42c769f98
SHA1

961fd84f3743df730cb6d93fd30409351fa0bb58
SHA256

421ff01b5042dfcb6d9d1c4f7f662183c8b95643a66730ec9313532b2e84732a
SHA512

26b1f5a20153b0dcf8eb8358b4018fbc7d3d997a951651753020022640935e8f27941ab7fc589966fcb011d8b000286ac96335ef6b08af9255b586775e5e9804

Score

1^/10

Malware Config

Signatures

Modifies registry class 13 IoCs

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50D9450F-2A80-4F08-93B9-2EB526477D1A}\ = "Recipe (.recipe) Property Handler"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{50D9450F-2A80-4F08-93B9-2EB526477D1A}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50D9450F-2A80-4F08-93B9-2EB526477D1A}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Windows.Recipe	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Windows.Recipe\PreviewTitle = "prop:System.Title;System.ItemType"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.recipe\ = "Windows.Recipe"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.recipe	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{50D9450F-2A80-4F08-93B9-2EB526477D1A}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50D9450F-2A80-4F08-93B9-2EB526477D1A}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\emotet_exe_e1_421ff01b5042dfcb6d9d1c4f7f662183c8b95643a66730ec9313532b2e84732a_2021-01-13__160659.exe.dll"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50D9450F-2A80-4F08-93B9-2EB526477D1A}\ManualSafeSave = "1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Windows.Recipe\InfoTip = "prop:System.ItemType;System.Author;System.Rating;Microsoft.SampleRecipe.Difficulty"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Windows.Recipe\FullDetails = "prop:System.PropGroup.Description;System.Title;System.Author;System.Comment;System.Keywords;System.Rating;Microsoft.SampleRecipe.Difficulty;System.PropGroup.FileSystem;System.ItemNameDisplay;System.ItemType;System.ItemFolderPathDisplay;System.Size;System.DateCreated;System.DateModified;System.DateAccessed;System.FileAttributes;System.OfflineAvailability;System.OfflineStatus;System.SharedWith;System.FileOwner;System.ComputerName"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Windows.Recipe\PreviewDetails = "prop:System.DateChanged;System.Author;System.Keywords;Microsoft.SampleRecipe.Difficulty; System.Rating;System.Comment;System.Size;System.ItemFolderPathDisplay;System.DateCreated"	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 4684 wrote to memory of 4888	4684	regsvr32.exe	regsvr32.exe
PID 4684 wrote to memory of 4888	4684	regsvr32.exe	regsvr32.exe
PID 4684 wrote to memory of 4888	4684	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\emotet_exe_e1_421ff01b5042dfcb6d9d1c4f7f662183c8b95643a66730ec9313532b2e84732a_2021-01-13__160659.exe.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4684

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\emotet_exe_e1_421ff01b5042dfcb6d9d1c4f7f662183c8b95643a66730ec9313532b2e84732a_2021-01-13__160659.exe.dll
2⤵
- Modifies registry class
PID:4888

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4888-2-0x0000000000000000-mapping.dmp

Download