0c681fdfe86923929453a713de6b2bf30fabe979ca0130f8a0a75a77a5c015f6 | Triage

Analysis

max time kernel
286s
max time network
298s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
17-03-2023 14:58

Sharing

Report Analysis Logs

General

Target

emotet.dll
Size

144KB
MD5

939198ab85520f8fa042349eb83d64d1
SHA1

3e8c0f7e6e55f5fece2339ec9c4c52cf9270e582
SHA256

0c681fdfe86923929453a713de6b2bf30fabe979ca0130f8a0a75a77a5c015f6
SHA512

b478d4d2841a4ba0a4e021caf21fd7c07b75b51efe514d2c226313a45f89d2e3ff322f3bebfd53d97c0cb28c9383dbca5f3616dcabc1ac3f678d7de4f8e11272
SSDEEP

3072:t+DIgZx6B1Bx4Megsbd26KkltYBw91mH67rc8Xw4vQobyU:Gz6BW7bw6ZlKBwnmHaotpSyU

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 24 IoCs

Processes:

rundll32.exe

flow	pid	process
32	4836	rundll32.exe
43	4836	rundll32.exe
44	4836	rundll32.exe
46	4836	rundll32.exe
56	4836	rundll32.exe
57	4836	rundll32.exe
58	4836	rundll32.exe
60	4836	rundll32.exe
65	4836	rundll32.exe
66	4836	rundll32.exe
68	4836	rundll32.exe
70	4836	rundll32.exe
72	4836	rundll32.exe
75	4836	rundll32.exe
86	4836	rundll32.exe
87	4836	rundll32.exe
88	4836	rundll32.exe
89	4836	rundll32.exe
90	4836	rundll32.exe
91	4836	rundll32.exe
93	4836	rundll32.exe
98	4836	rundll32.exe
99	4836	rundll32.exe
100	4836	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

4836 rundll32.exe
4836 rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 644 wrote to memory of 4836	644	rundll32.exe	rundll32.exe
PID 644 wrote to memory of 4836	644	rundll32.exe	rundll32.exe
PID 644 wrote to memory of 4836	644	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\emotet.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:644

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\emotet.dll,#1
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:4836

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...