Analysis Overview
SHA256
26fc0d6eed9e7407645faf0efabd6fb6b5af9ccf9c386013acfaf05c5e4690a1
Threat Level: Known bad
The file 26fc0d6eed9e7407645faf0efabd6fb6b5af9ccf9c386013acfaf05c5e4690a1 was found to be: Known bad.
Malicious Activity Summary
Emotet
Emotet family
Blocklisted process makes network request
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-12 21:41
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-12 21:41
Reported
2024-11-12 21:44
Platform
win7-20240903-en
Max time kernel
145s
Max time network
150s
Command Line
Signatures
Emotet
Emotet family
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\26fc0d6eed9e7407645faf0efabd6fb6b5af9ccf9c386013acfaf05c5e4690a1.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\26fc0d6eed9e7407645faf0efabd6fb6b5af9ccf9c386013acfaf05c5e4690a1.dll,#1
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\26fc0d6eed9e7407645faf0efabd6fb6b5af9ccf9c386013acfaf05c5e4690a1.dll",Control_RunDLL
Network
| Country | Destination | Domain | Proto |
| PL | 91.200.186.228:443 | tcp | |
| PL | 91.200.186.228:443 | tcp | |
| ZA | 41.76.108.46:8080 | tcp | |
| ZA | 41.76.108.46:8080 | tcp | |
| FR | 188.165.214.166:7080 | tcp | |
| FR | 188.165.214.166:7080 | tcp | |
| BR | 191.252.196.221:8080 | tcp | |
| BR | 191.252.196.221:8080 | tcp | |
| MY | 103.8.26.103:8080 | tcp | |
| MY | 103.8.26.103:8080 | tcp | |
| TR | 185.184.25.237:8080 | tcp |
Files
memory/2664-0-0x0000000000270000-0x0000000000294000-memory.dmp
memory/2664-2-0x0000000000340000-0x0000000000368000-memory.dmp
memory/2752-8-0x00000000002E0000-0x0000000000308000-memory.dmp
memory/2752-12-0x00000000002E0000-0x0000000000308000-memory.dmp
memory/2752-15-0x0000000000370000-0x0000000000398000-memory.dmp
memory/2752-33-0x0000000002670000-0x0000000002698000-memory.dmp
memory/2752-39-0x00000000026D0000-0x00000000026F8000-memory.dmp
memory/2752-27-0x00000000022F0000-0x0000000002318000-memory.dmp
memory/2752-21-0x0000000002290000-0x00000000022B8000-memory.dmp
memory/2752-45-0x0000000002A40000-0x0000000002A68000-memory.dmp
memory/2752-51-0x0000000002C30000-0x0000000002C58000-memory.dmp
memory/2752-57-0x0000000002CE0000-0x0000000002D08000-memory.dmp
memory/2752-63-0x0000000002E80000-0x0000000002EA8000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-12 21:41
Reported
2024-11-12 21:44
Platform
win10v2004-20241007-en
Max time kernel
144s
Max time network
152s
Command Line
Signatures
Emotet
Emotet family
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1560 wrote to memory of 2164 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1560 wrote to memory of 2164 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1560 wrote to memory of 2164 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2164 wrote to memory of 3340 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2164 wrote to memory of 3340 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2164 wrote to memory of 3340 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\26fc0d6eed9e7407645faf0efabd6fb6b5af9ccf9c386013acfaf05c5e4690a1.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\26fc0d6eed9e7407645faf0efabd6fb6b5af9ccf9c386013acfaf05c5e4690a1.dll,#1
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\26fc0d6eed9e7407645faf0efabd6fb6b5af9ccf9c386013acfaf05c5e4690a1.dll",Control_RunDLL
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| PL | 91.200.186.228:443 | tcp | |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| ZA | 41.76.108.46:8080 | tcp | |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| FR | 188.165.214.166:7080 | tcp | |
| BR | 191.252.196.221:8080 | tcp | |
| MY | 103.8.26.103:8080 | tcp | |
| TR | 185.184.25.237:8080 | tcp | |
| MY | 103.8.26.102:8080 | tcp | |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| GB | 178.79.147.66:8080 | tcp | |
| KR | 58.227.42.236:80 | tcp | |
| SG | 45.118.135.203:7080 | tcp | |
| AU | 103.75.201.2:443 | tcp |
Files
memory/2164-0-0x0000000002520000-0x0000000002548000-memory.dmp
memory/2164-8-0x0000000000E20000-0x0000000000E31000-memory.dmp
memory/3340-4-0x0000000002A90000-0x0000000002AB8000-memory.dmp
memory/3340-9-0x0000000002A90000-0x0000000002AB8000-memory.dmp
memory/3340-11-0x0000000003130000-0x0000000003158000-memory.dmp
memory/3340-18-0x0000000003330000-0x0000000003358000-memory.dmp
memory/3340-14-0x00000000032D0000-0x00000000032F8000-memory.dmp
memory/3340-22-0x0000000003410000-0x0000000003438000-memory.dmp
memory/3340-26-0x00000000034F0000-0x0000000003518000-memory.dmp
memory/3340-30-0x0000000003600000-0x0000000003628000-memory.dmp
memory/3340-34-0x0000000000D10000-0x0000000000D38000-memory.dmp
memory/3340-38-0x0000000000DB0000-0x0000000000DD8000-memory.dmp