d1d9c724a709955a475f9126fd20b0858ffa92512bd4bb498e86e4ebe57848d1 | Triage

Analysis

max time kernel
56s
max time network
56s
platform
windows10_x64
resource
win10v20201028
submitted
14-01-2021 00:01

Sharing

Report Analysis Logs

General

Target

emotet_exe_e1_d1d9c724a709955a475f9126fd20b0858ffa92512bd4bb498e86e4ebe57848d1_2021-01-14__000140._exe.dll
Size

271KB
MD5

72075981d2517f387c9cc35d55a0da51
SHA1

13a95d6eeccdb95c86b326d582f86172a5b0ee76
SHA256

d1d9c724a709955a475f9126fd20b0858ffa92512bd4bb498e86e4ebe57848d1
SHA512

2c9e5be4122516d3b18b2fa2e76d059e84b29c9befd10f04ba93b35d7f297c5f62603bd9a06581d66f54c45712269a85a8ea4ae3d7e78829bdb9ec64b4a0cbb2

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

13 1500 rundll32.exe
18 1500 rundll32.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

rundll32.exe

pid process

1500 rundll32.exe
1500 rundll32.exe
1500 rundll32.exe
1500 rundll32.exe
1500 rundll32.exe
1500 rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 648 wrote to memory of 1500	648	rundll32.exe	rundll32.exe
PID 648 wrote to memory of 1500	648	rundll32.exe	rundll32.exe
PID 648 wrote to memory of 1500	648	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\emotet_exe_e1_d1d9c724a709955a475f9126fd20b0858ffa92512bd4bb498e86e4ebe57848d1_2021-01-14__000140._exe.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:648

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\emotet_exe_e1_d1d9c724a709955a475f9126fd20b0858ffa92512bd4bb498e86e4ebe57848d1_2021-01-14__000140._exe.dll,#1
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:1500

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1500-2-0x0000000000000000-mapping.dmp

Download