emotet | 3bf39799a9bb6d00ba06c9ce58a0305c2cd0c70c5d2989fe3d5f62002262aeec

Analysis

max time kernel
63s
max time network
73s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
03/11/2022, 16:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3bf39799a9bb6d00ba06c9ce58a0305c2cd0c70c5d2989fe3d5f62002262aeec.dll
Size

712KB
MD5

d42f08e457604a2d7c005b5027aa9865
SHA1

0f25c799fabd98572bd3b3df5fa4f5661bfbeeb2
SHA256

3bf39799a9bb6d00ba06c9ce58a0305c2cd0c70c5d2989fe3d5f62002262aeec
SHA512

28f489d208cb4958e05c8a7e7b08fc99149596883de410eab0291d0d3802cf619f4e0b295e99b2d2a6cde217a40186d52bc1bf5a3a113ad146f4e30def44570c
SSDEEP

12288:Jm3ryg7+tKkrxfIoAGA8YHrKreIkca011br+0MACwlg6WggbE/A4:JuryW+5rNIoJZYHrKrevBjWCN4

Score

10^/10

emotet banker persistence trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uKLcdQDdxE.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\LvDpjvgiAsVLdouDw\\uKLcdQDdxE.dll\""	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4792	regsvr32.exe
4792	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4792	regsvr32.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4792 wrote to memory of 4832	4792	regsvr32.exe	66
PID 4792 wrote to memory of 4832	4792	regsvr32.exe	66

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3bf39799a9bb6d00ba06c9ce58a0305c2cd0c70c5d2989fe3d5f62002262aeec.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4792
- C:\Windows\system32\regsvr32.exe
  C:\Windows\system32\regsvr32.exe "C:\Windows\system32\LvDpjvgiAsVLdouDw\uKLcdQDdxE.dll"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:4832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4792-116-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download