emotet | 4000772a9f50e0ea5b033e2a35247a82a9eb989c29e1cf48bcf127f3508d5889

Analysis

max time kernel
90s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03-11-2022 01:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7ac6d138ce783fada68cf7d442e88cc.dll
Size

629KB
MD5

c7ac6d138ce783fada68cf7d442e88cc
SHA1

3b9649106fe37c010119ccb88681cbf9f5cf62f3
SHA256

4000772a9f50e0ea5b033e2a35247a82a9eb989c29e1cf48bcf127f3508d5889
SHA512

789a57656506fc0756fa33958a8c0b3356235abc5f91e4c046362a7432b3e2e67f68ec9bb68e37814ed53aa91483935c9398442e9fde995574af4c854f1776c5
SSDEEP

12288:6tGis7p49VmD3OjG7QbBtLq5WhNye5JHKVu6cig1Doa:6tGis1T3OjueLlhd5NKAD3

Score

10^/10

emotet banker persistence trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MrggYDwhgxVze.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\NKQSpVyULBjKk\\MrggYDwhgxVze.dll\""	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1556	regsvr32.exe
1556	regsvr32.exe
4712	regsvr32.exe
4712	regsvr32.exe
4712	regsvr32.exe
4712	regsvr32.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1556	regsvr32.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1556 wrote to memory of 4712	1556	regsvr32.exe	80
PID 1556 wrote to memory of 4712	1556	regsvr32.exe	80

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\c7ac6d138ce783fada68cf7d442e88cc.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1556
- C:\Windows\system32\regsvr32.exe
  C:\Windows\system32\regsvr32.exe "C:\Windows\system32\NKQSpVyULBjKk\MrggYDwhgxVze.dll"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:4712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1556-132-0x0000000180000000-0x000000018002F000-memory.dmp

Filesize
188KB

Download