emotet | 0c38f099c1febdf8c4480b9d495f87208d7d87481ac7e7373fbe80b0f67d62aa

Analysis

max time kernel
146s
max time network
152s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/11/2022, 14:53

Target

bb408943cf7a5c92227d66e79679483b.dll
Size

818KB
MD5

bb408943cf7a5c92227d66e79679483b
SHA1

4c110a221cd7f43494c796e38b0ae4d3298f4e2c
SHA256

0c38f099c1febdf8c4480b9d495f87208d7d87481ac7e7373fbe80b0f67d62aa
SHA512

61497e8d9fb7e92807f9a1e4585472a3bea62f845f5eebf25d0a571c8a124b1c46e794705231cef72108cf470c406e22aa4bbdc914b776272b576b2c30f70aba
SSDEEP

12288:NdewIvxiRO9n6DPBt9bu8X+L81JcZl1rox48/2aS4/2YX:NYwIvxFMXn+L8zcZ7rewC2Y

Score

10^/10

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Suspicious behavior: EnumeratesProcesses 3 IoCs

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1652	regsvr32.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 1784	1652	regsvr32.exe	28
PID 1652 wrote to memory of 1784	1652	regsvr32.exe	28
PID 1652 wrote to memory of 1784	1652	regsvr32.exe	28
PID 1652 wrote to memory of 1784	1652	regsvr32.exe	28
PID 1652 wrote to memory of 1784	1652	regsvr32.exe	28

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\bb408943cf7a5c92227d66e79679483b.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Windows\system32\regsvr32.exe
  C:\Windows\system32\regsvr32.exe "C:\Windows\system32\SOvjxuYIWw\NJnbMsm.dll"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1784

memory/1652-54-0x000007FEFBE11000-0x000007FEFBE13000-memory.dmp

Filesize
8KB

Download
memory/1652-55-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download