emotet | 2cddbb0ec9f9c7526a3ecb9c178a62ae0a1048712056203ae51a4435c4156930

Analysis

max time kernel
49s
max time network
107s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
03/11/2022, 17:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2cddbb0ec9f9c7526a3ecb9c178a62ae0a1048712056203ae51a4435c4156930.dll
Size

712KB
MD5

e4594871d98789b91e5f9ab989fb3f7f
SHA1

fcd7ae3f4bbfe2344051ada840ff64ccb9361712
SHA256

2cddbb0ec9f9c7526a3ecb9c178a62ae0a1048712056203ae51a4435c4156930
SHA512

3e5fdb034a860acef77809e111b5691a5cbcc06468b76791aa1e0b93f025d48de1ee3a317c1a0cd3c23c49ae5b6f01a0d01c0a61a0df0bfb9d043fa65ea35b77
SSDEEP

12288:Jm3ryg7+tKkrxfIoAGA8YHrKre9kca011br+0MACwlg6WggbE/A4:JuryW+5rNIoJZYHrKreiBjWCN4

Score

10^/10

emotet banker persistence trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ztYBwVlMFwBHUA.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\CMQkOzlGXpvkbEUGD\\ztYBwVlMFwBHUA.dll\""	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2124	regsvr32.exe
2124	regsvr32.exe
2988	regsvr32.exe
2988	regsvr32.exe
2988	regsvr32.exe
2988	regsvr32.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2124	regsvr32.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 2988	2124	regsvr32.exe	66
PID 2124 wrote to memory of 2988	2124	regsvr32.exe	66

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\2cddbb0ec9f9c7526a3ecb9c178a62ae0a1048712056203ae51a4435c4156930.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\system32\regsvr32.exe
  C:\Windows\system32\regsvr32.exe "C:\Windows\system32\CMQkOzlGXpvkbEUGD\ztYBwVlMFwBHUA.dll"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:2988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2124-120-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download