emotet | c8bb4b6976c689f6a85b0962007d70dc2a45f10abff139c444f62304ecca4f4d

Analysis

max time kernel
76s
max time network
102s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
03/11/2022, 15:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c8bb4b6976c689f6a85b0962007d70dc2a45f10abff139c444f62304ecca4f4d.dll
Size

814KB
MD5

bfb05c80a5a84386c50c8234d794db27
SHA1

7d03cebb4adc0fba3c8c23e1f113af3475111c36
SHA256

c8bb4b6976c689f6a85b0962007d70dc2a45f10abff139c444f62304ecca4f4d
SHA512

5914c9df23e938fb0d485f520b65375f2252fb26d0e11a123215fb078a204d65faff41aac4d99f95e60617ef397db73e3f7544de105e99b6aa3de32793071b86
SSDEEP

12288:5sIyzbpudwh9PQx873eHeLs15pZ6yRQof04Tn/WMideaik:5JyzbwdG4eLsjpZfRQe/q8fk

Score

10^/10

emotet banker persistence trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nSKaUfcsoKvV.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\BRqWaGxrNNG\\nSKaUfcsoKvV.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2508	regsvr32.exe
2508	regsvr32.exe
3800	regsvr32.exe
3800	regsvr32.exe
3800	regsvr32.exe
3800	regsvr32.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2508	regsvr32.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 3800	2508	regsvr32.exe	66
PID 2508 wrote to memory of 3800	2508	regsvr32.exe	66

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\c8bb4b6976c689f6a85b0962007d70dc2a45f10abff139c444f62304ecca4f4d.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Windows\system32\regsvr32.exe
  C:\Windows\system32\regsvr32.exe "C:\Windows\system32\BRqWaGxrNNG\nSKaUfcsoKvV.dll"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:3800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2508-115-0x0000000180000000-0x000000018002F000-memory.dmp

Filesize
188KB

Download