Analysis
max time kernel: 316s
max time network: 340s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-12-2022 01:58

Behavioral task: behavioral1
Sample: Emotet.dll
Resource: win10v2004-20220812-en (windows10-2004-x64)
5 signatures
300 seconds
General
Target: Emotet.dll
Size: 172KB
MD5: b85c74d71a213eab8a7bc5bc73a2c4d5
SHA1: 9223309bb4ca102f46b528bf0b9d1469fe1353c3
SHA256: aed75d9f4ffee0b349c79e989c239bb7dd5efc0d646a3e70cb620c8c211f407a
SHA512: 86d830f66c39b04d59e1a84e4b0751eb003bc115db2a97caa465f9ff65e68248bf549dea055437da945298ad450d2db821f1da5558da6eb49e54bd4ab2bf9cf6
SSDEEP: 3072:EWva8QFJNl1ZU5PWReEjPN+Ehj/VE8PuWXsPAA6HH9s55M:EC12jl4wcAj5/VPXsPAAvQ
Score: 3/10
Malware Config
Signatures

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoCs)
Processes:
  pid   pid_target  process       target process
  4756  3380        WerFault.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid  process
  480  rundll32.exe
  480  rundll32.exe

Suspicious behavior: RenamesItself (1 IoCs)
Processes:
  pid  process
  480  rundll32.exe

Suspicious use of WriteProcessMemory (2 IoCs)
Processes:
  description                      pid  process       target process
  PID 480 wrote to memory of 1632  480  rundll32.exe  regsvr32.exe
  PID 480 wrote to memory of 1632  480  rundll32.exe  regsvr32.exe
Processes

[depth 1] C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\Emotet.dll,#1
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Windows\system32\regsvr32.exe
    command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\VyTcYdYoEj\yGbs.dll"

[depth 1] C:\Windows\system32\WerFault.exe
  command line: C:\Windows\system32\WerFault.exe -pss -s 476 -p 3380 -ip 3380

[depth 1] C:\Windows\system32\WerFault.exe
  command line: C:\Windows\system32\WerFault.exe -u -p 3380 -s 2368
  - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/1632-132-0x0000000000000000-mapping.dmp