Analysis
max time kernel: 107s
max time network: 143s
platform: windows10_x64
resource: win10-en-20211014
submitted: 16-11-2021 21:28
Static task: static1
General
Target: aa0cf6d8572ade34d30c81f5a33b64b0aab21364041da243a2ab6514ad14eeee.dll
Size: 252KB
MD5: 5e037644cd1474f78e626eeae22e78af
SHA1: c7d8bb99139a45c1dadc46a05911c45306304d8a
SHA256: aa0cf6d8572ade34d30c81f5a33b64b0aab21364041da243a2ab6514ad14eeee
SHA512: d64c8e3192d20a2985f132107856721d2311dd1786bb7bb376a4530b16ba739e0153467d7aaad57220c2e9764c6e244b2d82263cabfa525c1b6a45ae0b4dc620
Malware Config
Extracted family: emotet
Botnet: Epoch4
Signatures
suricata: ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)
suricata: ET MALWARE W32/Emotet CnC Beacon 3
Blocklisted process makes network request (3 IoCs)
Processes:
  flow  pid   process
  15    3700  rundll32.exe
  22    3700  rundll32.exe
  23    3700  rundll32.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid   process
  3700  rundll32.exe
  3700  rundll32.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description                       pid   process       target process
  PID 2452 wrote to memory of 2648  2452  rundll32.exe  rundll32.exe
  PID 2452 wrote to memory of 2648  2452  rundll32.exe  rundll32.exe
  PID 2452 wrote to memory of 2648  2452  rundll32.exe  rundll32.exe
  PID 2648 wrote to memory of 3700  2648  rundll32.exe  rundll32.exe
  PID 2648 wrote to memory of 3700  2648  rundll32.exe  rundll32.exe
  PID 2648 wrote to memory of 3700  2648  rundll32.exe  rundll32.exe
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\aa0cf6d8572ade34d30c81f5a33b64b0aab21364041da243a2ab6514ad14eeee.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\aa0cf6d8572ade34d30c81f5a33b64b0aab21364041da243a2ab6514ad14eeee.dll,#1
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      command line: C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\aa0cf6d8572ade34d30c81f5a33b64b0aab21364041da243a2ab6514ad14eeee.dll",Control_RunDLL
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses