Analysis Overview
SHA256
954187de69a83fc226a89b2dde4e8711e2bf798345a6ffce753575a9f59c3ac9
Threat Level: Known bad
The file 954187de69a83fc226a89b2dde4e8711e2bf798345a6ffce753575a9f59c3ac9 was found to be: Known bad.
Malicious Activity Summary
Emotet
Emotet family
Blocklisted process makes network request
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 17:39
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 17:39
Reported
2024-11-13 17:42
Platform
win7-20240903-en
Max time kernel
148s
Max time network
148s
Command Line
Signatures
Emotet
Emotet family
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\954187de69a83fc226a89b2dde4e8711e2bf798345a6ffce753575a9f59c3ac9.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\954187de69a83fc226a89b2dde4e8711e2bf798345a6ffce753575a9f59c3ac9.dll,#1
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\954187de69a83fc226a89b2dde4e8711e2bf798345a6ffce753575a9f59c3ac9.dll",Control_RunDLL
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| FR | 51.178.61.60:443 | | tcp |
| FR | 51.178.61.60:443 | | tcp |
| AR | 168.197.250.14:80 | | tcp |
| AR | 168.197.250.14:80 | | tcp |
| US | 45.79.33.48:8080 | | tcp |
| US | 45.79.33.48:8080 | | tcp |
| GH | 196.44.98.190:8080 | | tcp |
| GH | 196.44.98.190:8080 | | tcp |
| BR | 177.72.80.14:7080 | | tcp |
Files
memory/2328-0-0x0000000000260000-0x0000000000284000-memory.dmp
memory/2328-2-0x0000000000340000-0x0000000000368000-memory.dmp
memory/2244-8-0x0000000000200000-0x0000000000228000-memory.dmp
memory/2244-12-0x0000000000200000-0x0000000000228000-memory.dmp
memory/2244-15-0x00000000003C0000-0x00000000003E8000-memory.dmp
memory/2244-21-0x0000000000880000-0x00000000008A8000-memory.dmp
memory/2244-27-0x0000000000DE0000-0x0000000000E08000-memory.dmp
memory/2244-33-0x0000000000EB0000-0x0000000000ED8000-memory.dmp
memory/2244-39-0x00000000027B0000-0x00000000027D8000-memory.dmp
memory/2244-45-0x0000000002A20000-0x0000000002A48000-memory.dmp
memory/2244-51-0x0000000002AD0000-0x0000000002AF8000-memory.dmp
memory/2244-63-0x0000000002CB0000-0x0000000002CD8000-memory.dmp
memory/2244-57-0x0000000002B30000-0x0000000002B58000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 17:39
Reported
2024-11-13 17:42
Platform
win10v2004-20241007-en
Max time kernel
145s
Max time network
149s
Command Line
Signatures
Emotet
Emotet family
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4632 wrote to memory of 4616 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4632 wrote to memory of 4616 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4632 wrote to memory of 4616 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4616 wrote to memory of 2556 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4616 wrote to memory of 2556 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4616 wrote to memory of 2556 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\954187de69a83fc226a89b2dde4e8711e2bf798345a6ffce753575a9f59c3ac9.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\954187de69a83fc226a89b2dde4e8711e2bf798345a6ffce753575a9f59c3ac9.dll,#1
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\954187de69a83fc226a89b2dde4e8711e2bf798345a6ffce753575a9f59c3ac9.dll",Control_RunDLL
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| FR | 51.178.61.60:443 | | tcp |
| AR | 168.197.250.14:80 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 45.79.33.48:8080 | | tcp |
| GH | 196.44.98.190:8080 | | tcp |
| BR | 177.72.80.14:7080 | | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| FR | 51.210.242.234:8080 | | tcp |
| DE | 185.148.169.10:8080 | | tcp |
| CA | 142.4.219.173:8080 | | tcp |
| DE | 78.47.204.80:443 | | tcp |
| DE | 78.46.73.125:443 | | tcp |
| US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa | udp |
Files
memory/4616-0-0x0000000000920000-0x0000000000948000-memory.dmp
memory/2556-4-0x0000000001570000-0x0000000001598000-memory.dmp
memory/2556-8-0x0000000001570000-0x0000000001598000-memory.dmp
memory/2556-9-0x00000000034C0000-0x00000000034E8000-memory.dmp
memory/2556-13-0x0000000003660000-0x0000000003688000-memory.dmp
memory/2556-17-0x00000000036C0000-0x00000000036E8000-memory.dmp
memory/2556-21-0x00000000037A0000-0x00000000037C8000-memory.dmp
memory/2556-25-0x00000000038B0000-0x00000000038D8000-memory.dmp
memory/2556-29-0x00000000039B0000-0x00000000039D8000-memory.dmp
memory/2556-33-0x0000000003AA0000-0x0000000003AC8000-memory.dmp
memory/2556-37-0x0000000003B80000-0x0000000003BA8000-memory.dmp
memory/2556-41-0x00000000013E0000-0x0000000001408000-memory.dmp
memory/2556-45-0x00000000014D0000-0x00000000014F8000-memory.dmp
memory/2556-49-0x0000000003560000-0x0000000003588000-memory.dmp
memory/2556-53-0x0000000003930000-0x0000000003958000-memory.dmp