Analysis
- max time kernel: 125s
- max time network: 125s
- platform: windows10_x64
- resource: win10-en-20211104
- submitted: 16-11-2021 22:22
- Static task: static1
General
- Target: 854ad91e0601e4701d57e94d541f23ca2b6942756ead0d11ccd24a504b60306f.dll
- Size: 252KB
- MD5: f07e70524c15b4afbc8e31346f9e3d37
- SHA1: a9cb6d444cfcd777432e65af844c099ecf49e188
- SHA256: 854ad91e0601e4701d57e94d541f23ca2b6942756ead0d11ccd24a504b60306f
- SHA512: daea662a790d5505b7002f7325e92a41e4f4ad074cdfca019e0041204bc285f66b97e58e371d6f134f8f143907844877c213933d146c345b3542fb1076ce5a8b
Malware Config
- Extracted: emotet
- Botnet: Epoch4
Signatures
- suricata: ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)
- suricata: ET MALWARE W32/Emotet CnC Beacon 3
- Blocklisted process makes network request (2 IoCs)
  Processes:
    flow  pid   process
    23    1376  rundll32.exe
    26    1376  rundll32.exe
- Drops file in System32 directory (1 IoC)
  Processes:
    description                   ioc                                             process
    File opened for modification  C:\Windows\SysWOW64\Lwtwkvsly\oyysbplqnyqu.xwq  rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    1376  rundll32.exe
    1376  rundll32.exe
- Suspicious behavior: RenamesItself (1 IoC)
  Processes:
    pid  process
    800  rundll32.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                       pid   process       target process
    PID 3768 wrote to memory of 492   3768  rundll32.exe  rundll32.exe
    PID 3768 wrote to memory of 492   3768  rundll32.exe  rundll32.exe
    PID 3768 wrote to memory of 492   3768  rundll32.exe  rundll32.exe
    PID 492 wrote to memory of 800    492   rundll32.exe  rundll32.exe
    PID 492 wrote to memory of 800    492   rundll32.exe  rundll32.exe
    PID 492 wrote to memory of 800    492   rundll32.exe  rundll32.exe
    PID 800 wrote to memory of 1244   800   rundll32.exe  rundll32.exe
    PID 800 wrote to memory of 1244   800   rundll32.exe  rundll32.exe
    PID 800 wrote to memory of 1244   800   rundll32.exe  rundll32.exe
    PID 1244 wrote to memory of 1376  1244  rundll32.exe  rundll32.exe
    PID 1244 wrote to memory of 1376  1244  rundll32.exe  rundll32.exe
    PID 1244 wrote to memory of 1376  1244  rundll32.exe  rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\854ad91e0601e4701d57e94d541f23ca2b6942756ead0d11ccd24a504b60306f.dll,#1
  PID: 3768
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\854ad91e0601e4701d57e94d541f23ca2b6942756ead0d11ccd24a504b60306f.dll,#1
    PID: 492
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      Command: C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\854ad91e0601e4701d57e94d541f23ca2b6942756ead0d11ccd24a504b60306f.dll",Control_RunDLL
      PID: 800
      - Drops file in System32 directory
      - Suspicious behavior: RenamesItself
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\rundll32.exe
        Command: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Lwtwkvsly\oyysbplqnyqu.xwq",zemOaAVwuZItst
        PID: 1244
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\rundll32.exe
          Command: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Lwtwkvsly\oyysbplqnyqu.xwq",Control_RunDLL
          PID: 1376
          - Blocklisted process makes network request
          - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/492-118-0x0000000000000000-mapping.dmp
- memory/492-120-0x0000000010000000-0x0000000010028000-memory.dmp (Filesize: 160KB)
- memory/800-119-0x0000000000000000-mapping.dmp
- memory/1244-121-0x0000000000000000-mapping.dmp
- memory/1376-122-0x0000000000000000-mapping.dmp