487262f1db45bf66acd95a2cce3c9ebe9750c80645ce4268199e34361fe1fdfd

Analysis

Target

emotet_exe_e2_487262f1db45bf66acd95a2cce3c9ebe9750c80645ce4268199e34361fe1fdfd_2021-01-13__000249.exe.dll
Size

269KB
MD5

7e2ba4955c53baf49136f50ded353827
SHA1

3931879cc0f9848cb68eb8c2e3ee1a4803f3512f
SHA256

487262f1db45bf66acd95a2cce3c9ebe9750c80645ce4268199e34361fe1fdfd
SHA512

e2f286724154af64455fe4bab6b6cf28e331f426b203494e9dee173593512007a156f119959f05fde7b256ef85352b09291487c3de5f6494b10b16a844938f1c

Score

8^/10

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

21 1500 rundll32.exe
23 1500 rundll32.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

rundll32.exe

pid process

1500 rundll32.exe
1500 rundll32.exe
1500 rundll32.exe
1500 rundll32.exe
1500 rundll32.exe
1500 rundll32.exe

flow	pid	process
21	1500	rundll32.exe
23	1500	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 412 wrote to memory of 1500	412	rundll32.exe	rundll32.exe
PID 412 wrote to memory of 1500	412	rundll32.exe	rundll32.exe
PID 412 wrote to memory of 1500	412	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\emotet_exe_e2_487262f1db45bf66acd95a2cce3c9ebe9750c80645ce4268199e34361fe1fdfd_2021-01-13__000249.exe.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:412
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\emotet_exe_e2_487262f1db45bf66acd95a2cce3c9ebe9750c80645ce4268199e34361fe1fdfd_2021-01-13__000249.exe.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  PID:1500