emotet | 4000772a9f50e0ea5b033e2a35247a82a9eb989c29e1cf48bcf127f3508d5889

Analysis

max time kernel
146s
max time network
153s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03-11-2022 01:53

Target

c7ac6d138ce783fada68cf7d442e88cc.dll
Size

629KB
MD5

c7ac6d138ce783fada68cf7d442e88cc
SHA1

3b9649106fe37c010119ccb88681cbf9f5cf62f3
SHA256

4000772a9f50e0ea5b033e2a35247a82a9eb989c29e1cf48bcf127f3508d5889
SHA512

789a57656506fc0756fa33958a8c0b3356235abc5f91e4c046362a7432b3e2e67f68ec9bb68e37814ed53aa91483935c9398442e9fde995574af4c854f1776c5
SSDEEP

12288:6tGis7p49VmD3OjG7QbBtLq5WhNye5JHKVu6cig1Doa:6tGis1T3OjueLlhd5NKAD3

Score

10^/10

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Suspicious behavior: EnumeratesProcesses 3 IoCs

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1900	regsvr32.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 1620	1900	regsvr32.exe	27
PID 1900 wrote to memory of 1620	1900	regsvr32.exe	27
PID 1900 wrote to memory of 1620	1900	regsvr32.exe	27
PID 1900 wrote to memory of 1620	1900	regsvr32.exe	27
PID 1900 wrote to memory of 1620	1900	regsvr32.exe	27

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\c7ac6d138ce783fada68cf7d442e88cc.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\system32\regsvr32.exe
  C:\Windows\system32\regsvr32.exe "C:\Windows\system32\JCEUMWppGnjgWvYx\oAkd.dll"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1620

memory/1900-54-0x000007FEFBEE1000-0x000007FEFBEE3000-memory.dmp

Filesize
8KB

Download
memory/1900-55-0x0000000180000000-0x000000018002F000-memory.dmp

Filesize
188KB

Download