Analysis
- max time kernel: 17s
- max time network: 67s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 24-11-2020 15:21
- Static task: static1
- Behavioral task: behavioral1
- Sample: 22052e.dll
- Resource: win7v20201028
General
- Target: 22052e.dll
- Size: 58KB
- MD5: a74d845c1a8fa5aa08fa50b763df5280
- SHA1: 93696c16595d6d8d829d7364d1f8d721a2422932
- SHA256: 4d269510f7daaf159b8e10c8b976ace9de19756d54b3ace7a00afd7c3ba4023c
- SHA512: 799aa2dc166c23831d6600c5f5c31c6cecc2c9d4f623e0b01a1e0dcc6889162fde2938c7053b2de2057f3139854cea9d1b74dc609451bb56f9a81bb527f4e959
Malware Config
- Extracted: emotet (Epoch3)
Signatures
- Emotet Payload (1 IoC): Detects Emotet payload in memory.
  Processes: yara_rule behavioral2/memory/4772-1-0x0000000000820000-0x0000000000830000-memory.dmp (emotet)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: rundll32.exe, PID 4772 (4 hits)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: PID 4760 rundll32.exe wrote to memory of PID 4772 rundll32.exe (3 hits)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\22052e.dll,#1
  Signature: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (child)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\22052e.dll,#1
    Signature: Suspicious behavior: EnumeratesProcesses