Analysis
Max time kernel: 12s
Max time network: 111s
Platform: windows10_x64
Resource: win10v20201028
Submitted: 22-01-2021 09:41
Static task: static1

Behavioral task: behavioral1
Sample: emotet_exe_e1_4f2f9643f342c72b7c21a592605a0706fa596c5b0f3737fa11bf155461c10706_2021-01-22__094001.exe.dll
Resource: win7v20201028

Behavioral task: behavioral2
Sample: emotet_exe_e1_4f2f9643f342c72b7c21a592605a0706fa596c5b0f3737fa11bf155461c10706_2021-01-22__094001.exe.dll
Resource: win10v20201028
General
Target: emotet_exe_e1_4f2f9643f342c72b7c21a592605a0706fa596c5b0f3737fa11bf155461c10706_2021-01-22__094001.exe.dll
Size: 423KB
MD5: 27ac4bce8d5f78dc96b2202e45af77a2
SHA1: 6dff683b345b65b13d2631402114b9178b3b812e
SHA256: ff92cc5557ee9c76410c6e98f48d5108eff7fead0aae15947621be2dbc41b81f
SHA512: ace37e64d47564b2316144124634b1b04c86ee18e1fec8fcb7f252c81a503c03820ce221957bc5774db09770342f49c959a5d7a0309dacf984d7a2e7dfa0ba58
Malware Config
Signatures

Modifies registry class (13 IoCs)
Process: regsvr32.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50D9450F-2A80-4F08-93B9-2EB526477D1A}\InProcServer32\ThreadingModel = "Both" | regsvr32.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50D9450F-2A80-4F08-93B9-2EB526477D1A}\ManualSafeSave = "1" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\Windows.Recipe | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Windows.Recipe\FullDetails = "prop:System.PropGroup.Description;System.Title;System.Author;System.Comment;System.Keywords;System.Rating;Microsoft.SampleRecipe.Difficulty;System.PropGroup.FileSystem;System.ItemNameDisplay;System.ItemType;System.ItemFolderPathDisplay;System.Size;System.DateCreated;System.DateModified;System.DateAccessed;System.FileAttributes;System.OfflineAvailability;System.OfflineStatus;System.SharedWith;System.FileOwner;System.ComputerName" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Windows.Recipe\PreviewTitle = "prop:System.Title;System.ItemType" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{50D9450F-2A80-4F08-93B9-2EB526477D1A} | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50D9450F-2A80-4F08-93B9-2EB526477D1A}\ = "Recipe (.recipe) Property Handler" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50D9450F-2A80-4F08-93B9-2EB526477D1A}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\emotet_exe_e1_4f2f9643f342c72b7c21a592605a0706fa596c5b0f3737fa11bf155461c10706_2021-01-22__094001.exe.dll" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.recipe\ = "Windows.Recipe" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\.recipe | regsvr32.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{50D9450F-2A80-4F08-93B9-2EB526477D1A}\InProcServer32 | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Windows.Recipe\InfoTip = "prop:System.ItemType;System.Author;System.Rating;Microsoft.SampleRecipe.Difficulty" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Windows.Recipe\PreviewDetails = "prop:System.DateChanged;System.Author;System.Keywords;Microsoft.SampleRecipe.Difficulty; System.Rating;System.Comment;System.Size;System.ItemFolderPathDisplay;System.DateCreated" | regsvr32.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Process: regsvr32.exe
  description | pid | process | target process
  PID 4776 wrote to memory of 4100 | 4776 | regsvr32.exe | regsvr32.exe
  PID 4776 wrote to memory of 4100 | 4776 | regsvr32.exe | regsvr32.exe
  PID 4776 wrote to memory of 4100 | 4776 | regsvr32.exe | regsvr32.exe
Processes
  Level 1: C:\Windows\system32\regsvr32.exe
    Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\emotet_exe_e1_4f2f9643f342c72b7c21a592605a0706fa596c5b0f3737fa11bf155461c10706_2021-01-22__094001.exe.dll
    Signatures: Suspicious use of WriteProcessMemory
  Level 2: C:\Windows\SysWOW64\regsvr32.exe
    Command line: /s C:\Users\Admin\AppData\Local\Temp\emotet_exe_e1_4f2f9643f342c72b7c21a592605a0706fa596c5b0f3737fa11bf155461c10706_2021-01-22__094001.exe.dll
    Signatures: Modifies registry class
Network
MITRE ATT&CK Matrix
Downloads
  memory/4100-2-0x0000000000000000-mapping.dmp