Analysis
max time kernel: 19s
max time network: 69s
platform: windows10_x64
resource: win10v20201028
submitted: 24-11-2020 15:26

Static task: static1
Behavioral task: behavioral1
Sample: 240000.dll
Resource: win7v20201028
General
Target: 240000.dll
Size: 58KB
MD5: e057356bb0d280a9ce7568f7563fde2b
SHA1: cea88224bb82dfca71799d3e667f532820c21270
SHA256: d6a88cbe2b699edc2062f03734f63335b72ad9107adf64e07fac4b7c9fd62319
SHA512: 88669ca2c02e552599b8ccf59a4e515d5257c1424b6b64a7fcf677cbee6b9d254928cdf43c42241195ea747eb9e9194f7ba6e92c1a81a95cb1ef8cdfa7f14602
Malware Config
Extracted: emotet (Epoch3)
115.79.119.206:443
91.74.148.90:443
103.229.72.197:8080
91.121.200.35:8080
188.226.165.170:8080
180.198.105.177:80
203.153.216.178:7080
143.95.101.72:8080
202.29.237.113:8080
163.53.204.180:443
37.46.129.215:8080
183.91.3.63:80
192.210.217.94:8080
74.208.173.91:8080
91.75.75.46:80
172.96.190.154:8080
177.130.51.198:80
178.33.167.120:8080
185.142.236.163:443
50.116.78.109:8080
139.59.12.63:8080
144.64.132.82:80
103.93.220.182:80
198.20.228.9:8080
192.163.221.191:8080
200.243.153.66:80
188.166.220.180:7080
201.102.218.101:80
78.90.78.210:80
27.82.13.10:80
8.4.9.137:8080
192.241.220.183:8080
2.82.75.215:80
190.180.65.104:80
41.185.29.128:8080
5.79.70.250:8080
115.79.59.157:80
91.83.93.103:443
103.229.73.17:8080
75.127.14.170:8080
190.85.46.52:7080
121.117.147.153:443
73.55.128.120:80
172.105.78.244:8080
58.94.58.13:80
117.2.139.117:443
79.133.6.236:8080
113.203.238.130:80
190.191.169.169:80
27.78.27.110:443
60.108.128.186:80
195.201.56.70:8080
109.99.146.210:8080
103.80.51.61:8080
175.103.38.146:80
186.146.229.172:80
178.254.36.182:8080
115.79.195.246:80
185.208.226.142:8080
109.13.179.195:80
94.52.168.188:80
190.18.184.113:80
2.58.16.86:8080
152.32.75.74:443
54.38.143.245:8080
77.74.78.80:443
46.32.229.152:8080
37.205.9.252:7080
190.147.84.191:443
139.59.61.215:443
58.27.215.3:8080
179.5.118.12:80
46.105.131.68:8080
180.148.4.130:8080
120.51.34.254:80
162.144.145.58:8080
190.194.12.132:80
186.222.53.247:8080
223.17.215.76:80
73.100.19.104:80
110.37.224.243:80
203.56.191.129:8080
190.192.39.136:80
157.7.164.178:8081
116.202.10.123:8080
36.91.44.183:80
Signatures

Emotet Payload (1 IoC)
Detects Emotet payload in memory.
Processes:
  resource                                                                   yara_rule
  behavioral2/memory/992-1-0x0000000000400000-0x0000000000410000-memory.dmp  emotet

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  pid  process
  992  rundll32.exe
  992  rundll32.exe
  992  rundll32.exe
  992  rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                     pid  process       target process
  PID 640 wrote to memory of 992  640  rundll32.exe  rundll32.exe
  PID 640 wrote to memory of 992  640  rundll32.exe  rundll32.exe
  PID 640 wrote to memory of 992  640  rundll32.exe  rundll32.exe
Processes
C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240000.dll,#1
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\240000.dll,#1
      - Suspicious behavior: EnumeratesProcesses