19a873c4620825f19ba9f803238c70f55b54f1c617f2556c238585e7806c024e | Triage

Analysis

max time kernel
33s
max time network
44s
platform
windows10_x64
resource
win10v20201028
submitted
14-01-2021 08:31

Sharing

Report Analysis Logs

General

Target

emotet_exe_e1_7bfa1b33a817ad2ba90522634c4ad7eb9cf7018d19aaa536f4dc574afc20d8d8_2021-01-14__083101._exe.dll
Size

271KB
MD5

8be89870111b46aa2d0f06f5fbc965f6
SHA1

38a43a1cdabc251d3473aa3d4b07ac8683a1e74d
SHA256

19a873c4620825f19ba9f803238c70f55b54f1c617f2556c238585e7806c024e
SHA512

2da5ade9fc873497c3b548abd6222b054f627e75735af3d33f412020876e4337bb28de45b616231249d7866b48ee952a26cc5fe291933a386c78ffd3a38f8326

Score

1^/10

Malware Config

Signatures

Modifies registry class 13 IoCs

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50D9450F-2A80-4F08-93B9-2EB526477D1A}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\emotet_exe_e1_7bfa1b33a817ad2ba90522634c4ad7eb9cf7018d19aaa536f4dc574afc20d8d8_2021-01-14__083101._exe.dll"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50D9450F-2A80-4F08-93B9-2EB526477D1A}\ManualSafeSave = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Windows.Recipe	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Windows.Recipe\InfoTip = "prop:System.ItemType;System.Author;System.Rating;Microsoft.SampleRecipe.Difficulty"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Windows.Recipe\PreviewTitle = "prop:System.Title;System.ItemType"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.recipe	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{50D9450F-2A80-4F08-93B9-2EB526477D1A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{50D9450F-2A80-4F08-93B9-2EB526477D1A}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50D9450F-2A80-4F08-93B9-2EB526477D1A}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Windows.Recipe\FullDetails = "prop:System.PropGroup.Description;System.Title;System.Author;System.Comment;System.Keywords;System.Rating;Microsoft.SampleRecipe.Difficulty;System.PropGroup.FileSystem;System.ItemNameDisplay;System.ItemType;System.ItemFolderPathDisplay;System.Size;System.DateCreated;System.DateModified;System.DateAccessed;System.FileAttributes;System.OfflineAvailability;System.OfflineStatus;System.SharedWith;System.FileOwner;System.ComputerName"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Windows.Recipe\PreviewDetails = "prop:System.DateChanged;System.Author;System.Keywords;Microsoft.SampleRecipe.Difficulty; System.Rating;System.Comment;System.Size;System.ItemFolderPathDisplay;System.DateCreated"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.recipe\ = "Windows.Recipe"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50D9450F-2A80-4F08-93B9-2EB526477D1A}\ = "Recipe (.recipe) Property Handler"	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 4644 wrote to memory of 4768	4644	regsvr32.exe	regsvr32.exe
PID 4644 wrote to memory of 4768	4644	regsvr32.exe	regsvr32.exe
PID 4644 wrote to memory of 4768	4644	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\emotet_exe_e1_7bfa1b33a817ad2ba90522634c4ad7eb9cf7018d19aaa536f4dc574afc20d8d8_2021-01-14__083101._exe.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4644

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\emotet_exe_e1_7bfa1b33a817ad2ba90522634c4ad7eb9cf7018d19aaa536f4dc574afc20d8d8_2021-01-14__083101._exe.dll
2⤵
- Modifies registry class
PID:4768

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4768-2-0x0000000000000000-mapping.dmp

Download