emotet | a25157f686cfce09013798a272c14097fa2ddb0ef1d1a5b2fc77c00d7dfc41cb

Analysis

max time kernel
52s
max time network
103s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
02/11/2022, 23:01 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a25157f686cfce09013798a272c14097fa2ddb0ef1d1a5b2fc77c00d7dfc41cb.dll
Size

629KB
MD5

c9c69f06d8578c13ba70f7ab1f793da7
SHA1

d9b3f7517277c896c8733f79f26c3dc7091ad58f
SHA256

a25157f686cfce09013798a272c14097fa2ddb0ef1d1a5b2fc77c00d7dfc41cb
SHA512

1ba2b828b31d0fd712343fac529f5d82ff4cfce1dffd47ea52c3b58db2e5db28f090f3a597600d255d27127c51232be9999c6a8f38e96d44356a1e510fe8f9d0
SSDEEP

12288:6tGis7p49VmD3OjG7QbBtLu5WhNye5JHKVu6cig1Doa:6tGis1T3OjueLhhd5NKAD3

Score

10^/10

emotet banker persistence trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bxLPxWBKtzwOqdi.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\MyNzhzM\\bxLPxWBKtzwOqdi.dll\""	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2496	regsvr32.exe
2496	regsvr32.exe
2780	regsvr32.exe
2780	regsvr32.exe
2780	regsvr32.exe
2780	regsvr32.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2496	regsvr32.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 2780	2496	regsvr32.exe	66
PID 2496 wrote to memory of 2780	2496	regsvr32.exe	66

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\a25157f686cfce09013798a272c14097fa2ddb0ef1d1a5b2fc77c00d7dfc41cb.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Windows\system32\regsvr32.exe
  C:\Windows\system32\regsvr32.exe "C:\Windows\system32\MyNzhzM\bxLPxWBKtzwOqdi.dll"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:2780

Network

GET

https://182.162.143.56/

regsvr32.exe

Remote address:

182.162.143.56:443

Request

GET / HTTP/1.1
Connection: Keep-Alive
Cookie: QTBd=BSTjci69ZUIM9QyTgkqxfK5UzzzYgM8fyZhp0TRO/pwD6XJYxD9J+3fJB3kVQeZZOu9MmOMX+u7uuBPwSJ0nYInzaF39AbprHFuE2VCxyNFfj1qoZUpHcI8V0t6jnvDYQUvMOU8Ph0RuNLGEbDFH9Kvph8ZpT3XTWnsi/4ZYmM+tzWLEqg+OTYMjT92y6T14yUlpZyvJuV0kH1p6wgAevpCsraiGwG9nk8BkOuLSoSeSyC1SPBaDl/7Hi42cw7mPk3Qj1AvoOrV10CdpdCrtcaDcyhHDwlTrNv9YEXcwlnlWE8MYaE8SsQLDELpiljkrddXRoQwJfwmUpDzf/7UzgirYbQfqjJU=
Host: 182.162.143.56

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 02 Nov 2022 23:02:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive

13.69.109.131:443

322 B
7
8.252.118.126:80

322 B
7
182.162.143.56:443

https://182.162.143.56/

tls, http

regsvr32.exe

1.2kB
2.7kB
11
10

HTTP Request

GET https://182.162.143.56/

HTTP Response

200

No results found

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2496-117-0x0000000180000000-0x000000018002F000-memory.dmp

Filesize
188KB

Download