Analysis
- max time kernel: 3s
- max time network: 8s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 22-01-2021 09:41
Static task: static1

Behavioral task: behavioral1
- Sample: emotet_exe_e1_4f2f9643f342c72b7c21a592605a0706fa596c5b0f3737fa11bf155461c10706_2021-01-22__094001.exe.dll
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: emotet_exe_e1_4f2f9643f342c72b7c21a592605a0706fa596c5b0f3737fa11bf155461c10706_2021-01-22__094001.exe.dll
- Resource: win10v20201028
General
- Target: emotet_exe_e1_4f2f9643f342c72b7c21a592605a0706fa596c5b0f3737fa11bf155461c10706_2021-01-22__094001.exe.dll
- Size: 423KB
- MD5: 27ac4bce8d5f78dc96b2202e45af77a2
- SHA1: 6dff683b345b65b13d2631402114b9178b3b812e
- SHA256: ff92cc5557ee9c76410c6e98f48d5108eff7fead0aae15947621be2dbc41b81f
- SHA512: ace37e64d47564b2316144124634b1b04c86ee18e1fec8fcb7f252c81a503c03820ce221957bc5774db09770342f49c959a5d7a0309dacf984d7a2e7dfa0ba58
Malware Config
Signatures
- Modifies registry class (13 IoCs)
  Processes: regsvr32.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Windows.Recipe\PreviewTitle = "prop:System.Title;System.ItemType" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\.recipe | regsvr32.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{50D9450F-2A80-4F08-93B9-2EB526477D1A} | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{50D9450F-2A80-4F08-93B9-2EB526477D1A}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\emotet_exe_e1_4f2f9643f342c72b7c21a592605a0706fa596c5b0f3737fa11bf155461c10706_2021-01-22__094001.exe.dll" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{50D9450F-2A80-4F08-93B9-2EB526477D1A}\InProcServer32\ThreadingModel = "Both" | regsvr32.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{50D9450F-2A80-4F08-93B9-2EB526477D1A}\ManualSafeSave = "1" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\Windows.Recipe | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Windows.Recipe\PreviewDetails = "prop:System.DateChanged;System.Author;System.Keywords;Microsoft.SampleRecipe.Difficulty; System.Rating;System.Comment;System.Size;System.ItemFolderPathDisplay;System.DateCreated" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.recipe\ = "Windows.Recipe" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{50D9450F-2A80-4F08-93B9-2EB526477D1A}\ = "Recipe (.recipe) Property Handler" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{50D9450F-2A80-4F08-93B9-2EB526477D1A}\InProcServer32 | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Windows.Recipe\InfoTip = "prop:System.ItemType;System.Author;System.Rating;Microsoft.SampleRecipe.Difficulty" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Windows.Recipe\FullDetails = "prop:System.PropGroup.Description;System.Title;System.Author;System.Comment;System.Keywords;System.Rating;Microsoft.SampleRecipe.Difficulty;System.PropGroup.FileSystem;System.ItemNameDisplay;System.ItemType;System.ItemFolderPathDisplay;System.Size;System.DateCreated;System.DateModified;System.DateAccessed;System.FileAttributes;System.OfflineAvailability;System.OfflineStatus;System.SharedWith;System.FileOwner;System.ComputerName" | regsvr32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: regsvr32.exe
  description | pid | process | target process
  PID 1656 wrote to memory of 2040 | 1656 | regsvr32.exe | regsvr32.exe
  PID 1656 wrote to memory of 2040 | 1656 | regsvr32.exe | regsvr32.exe
  PID 1656 wrote to memory of 2040 | 1656 | regsvr32.exe | regsvr32.exe
  PID 1656 wrote to memory of 2040 | 1656 | regsvr32.exe | regsvr32.exe
  PID 1656 wrote to memory of 2040 | 1656 | regsvr32.exe | regsvr32.exe
  PID 1656 wrote to memory of 2040 | 1656 | regsvr32.exe | regsvr32.exe
  PID 1656 wrote to memory of 2040 | 1656 | regsvr32.exe | regsvr32.exe
Processes
- C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\emotet_exe_e1_4f2f9643f342c72b7c21a592605a0706fa596c5b0f3737fa11bf155461c10706_2021-01-22__094001.exe.dll
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe (child process)
    Command line: /s C:\Users\Admin\AppData\Local\Temp\emotet_exe_e1_4f2f9643f342c72b7c21a592605a0706fa596c5b0f3737fa11bf155461c10706_2021-01-22__094001.exe.dll
    - Modifies registry class