emotet | 3570ac965e8704aa56dc9047205341c574e0566ec063d75eb5639a3cbe780a19

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/11/2022, 01:20

Target

af9805508a8d713d6124ce20ad8fbe94.dll
Size

727KB
MD5

af9805508a8d713d6124ce20ad8fbe94
SHA1

09d838cedcef04ff54fbacb612f60d23f41466ea
SHA256

3570ac965e8704aa56dc9047205341c574e0566ec063d75eb5639a3cbe780a19
SHA512

870d1b66ed3efbc7b4928317993387875ab19ccd41e63416bbcf739aa195de1bab9f45a66e03a06eddbae463d89984e39e9d04d8d1233a936c8d7ca4e3a27d69
SSDEEP

12288:ezhsu7PWe6Fth9tmzQS+37pzGIz/mXpo1z+NSjq+DsCJqzfo:ktR6rhjmzhsT/Yg6cjtJqzf

Score

10^/10

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Suspicious behavior: EnumeratesProcesses 3 IoCs

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1184	regsvr32.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 1612	1184	regsvr32.exe	26
PID 1184 wrote to memory of 1612	1184	regsvr32.exe	26
PID 1184 wrote to memory of 1612	1184	regsvr32.exe	26
PID 1184 wrote to memory of 1612	1184	regsvr32.exe	26
PID 1184 wrote to memory of 1612	1184	regsvr32.exe	26

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\af9805508a8d713d6124ce20ad8fbe94.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Windows\system32\regsvr32.exe
  C:\Windows\system32\regsvr32.exe "C:\Windows\system32\RZOArHzXEJsML\phxZmtMBsCuh.dll"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1612

memory/1184-54-0x000007FEFB7D1000-0x000007FEFB7D3000-memory.dmp

Filesize
8KB

Download
memory/1184-55-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download