Analysis
max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7v20201028
submitted: 14-01-2021 00:02

Static task: static1

Behavioral task: behavioral1
Sample: emotet_exe_e3_1256cd8773234155c67ed3293c81b926d2d16d94960dfb7ea9f2df14b6a7f27d_2021-01-14__000231._exe.dll
Resource: win7v20201028

Behavioral task: behavioral2
Sample: emotet_exe_e3_1256cd8773234155c67ed3293c81b926d2d16d94960dfb7ea9f2df14b6a7f27d_2021-01-14__000231._exe.dll
Resource: win10v20201028
General
Target: emotet_exe_e3_1256cd8773234155c67ed3293c81b926d2d16d94960dfb7ea9f2df14b6a7f27d_2021-01-14__000231._exe.dll
Size: 278KB
MD5: 666bee305fc67f19cfa59236ffa9e0fe
SHA1: 43800c7777f68cfb96a5317da9405eae0f43f301
SHA256: 1256cd8773234155c67ed3293c81b926d2d16d94960dfb7ea9f2df14b6a7f27d
SHA512: 6d4df799e0e2d8aaed795f03711bdb4878cef08e038fc507af95f99a8a52f7d655743814a1f8ae3ad229766513ecc12553429f48bf226567dcf29a60ee88796e
Malware Config

Signatures
Suspicious use of WriteProcessMemory (7 IoCs)
Processes: rundll32.exe
description | pid | process | target process
PID 1972 wrote to memory of 1520 | 1972 | rundll32.exe | rundll32.exe
(the same entry is recorded 7 times)
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\emotet_exe_e3_1256cd8773234155c67ed3293c81b926d2d16d94960dfb7ea9f2df14b6a7f27d_2021-01-14__000231._exe.dll,#1
  signature: Suspicious use of WriteProcessMemory
  child process:
    C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\emotet_exe_e3_1256cd8773234155c67ed3293c81b926d2d16d94960dfb7ea9f2df14b6a7f27d_2021-01-14__000231._exe.dll,#1
Network
MITRE ATT&CK Matrix
Downloads
memory/1520-2-0x0000000000000000-mapping.dmp