emotet | beae5e7d36efb3444669a5b51818e9f968e52a496435bc1332737a9ae4ff4f47

Analysis

max time kernel
82s
max time network
108s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
02/11/2022, 23:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

beae5e7d36efb3444669a5b51818e9f968e52a496435bc1332737a9ae4ff4f47.dll
Size

629KB
MD5

cd78728b8782df947f047715777cd0b9
SHA1

7989d6eab9148cf3acc908e53f4785093da002b7
SHA256

beae5e7d36efb3444669a5b51818e9f968e52a496435bc1332737a9ae4ff4f47
SHA512

26e702412c6f7c73cb3f89afd2554af68aff0397b300c9139ae842d5db09396d05a2c8a508e2366d08fe09c518833772e05b6de7b1800ca6d00a49b2782441e4
SSDEEP

12288:6tGis7p49VmD3OjG7QbBtLs5WhNye5JHKVu6cig1Doa:6tGis1T3OjueLLhd5NKAD3

Score

10^/10

emotet banker persistence trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vyKJOoEimuBB.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\NOdictzLv\\vyKJOoEimuBB.dll\""	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2900	regsvr32.exe
2900	regsvr32.exe
8	regsvr32.exe
8	regsvr32.exe
8	regsvr32.exe
8	regsvr32.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2900	regsvr32.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 8	2900	regsvr32.exe	66
PID 2900 wrote to memory of 8	2900	regsvr32.exe	66

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\beae5e7d36efb3444669a5b51818e9f968e52a496435bc1332737a9ae4ff4f47.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Windows\system32\regsvr32.exe
  C:\Windows\system32\regsvr32.exe "C:\Windows\system32\NOdictzLv\vyKJOoEimuBB.dll"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:8

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2900-115-0x0000000180000000-0x000000018002F000-memory.dmp

Filesize
188KB

Download