emotet | e368c85ee14f4888f3d90c5b7ba3ce1b5a83f99446f6eb7c54bf177ab8c04085

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/11/2022, 00:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65834980d19021397076facf09ade76a.dll
Size

727KB
MD5

65834980d19021397076facf09ade76a
SHA1

31109d0a7cd1392b7208c0b134fe71d096a3d639
SHA256

e368c85ee14f4888f3d90c5b7ba3ce1b5a83f99446f6eb7c54bf177ab8c04085
SHA512

100ab475d332ebf2ac6178d7e792615396d1bcdb14f43082a504573dafbcaee3d4ab8cb7b930eae2bd4e7a481a01259930fec4908d3229a70d15f548cf73cd66
SSDEEP

12288:ezhsu7PWe6Fth9tmzQS+37pzGIz/mXpo1z+HSjq+DsCJqzfo:ktR6rhjmzhsT/Yg6yjtJqzf

Score

10^/10

emotet banker persistence trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VWluiEimoIj.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\FalJWR\\VWluiEimoIj.dll\""	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1944	regsvr32.exe
1944	regsvr32.exe
2388	regsvr32.exe
2388	regsvr32.exe
2388	regsvr32.exe
2388	regsvr32.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1944	regsvr32.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 2388	1944	regsvr32.exe	76
PID 1944 wrote to memory of 2388	1944	regsvr32.exe	76

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\65834980d19021397076facf09ade76a.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Windows\system32\regsvr32.exe
  C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FalJWR\VWluiEimoIj.dll"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:2388

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1944-132-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download