Analysis

Max time kernel: 120s
Max time network: 130s
Platform: windows10_x64
Resource: win10-en-20211014
Submitted: 16-11-2021 21:10
Static task: static1
General

Target: 6fdefaab1410971f4c7aa60128b0f668a030d2b9f95054837ddbd05ab3ec5ccc.dll
Size: 252KB
MD5: ab2dbba2ce3bec8b866b35b272370991
SHA1: 4f3d1ef92c653b20a9e48b535b211272c914a5fb
SHA256: 6fdefaab1410971f4c7aa60128b0f668a030d2b9f95054837ddbd05ab3ec5ccc
SHA512: 6d09d292819b227117d6d13913307f9d1c6c93efe0cedf0e23423bc4d028c89d826ede5b8d8144acfe23e0934b4306c9ada2b64d1f4ffbd70f0b9f326805fecd
Malware Config

Extracted
Family: emotet
Botnet: Epoch4
C2 (ip:port):
81.0.236.93:443
94.177.248.64:443
66.42.55.5:7080
103.8.26.103:8080
185.184.25.237:8080
45.76.176.10:8080
188.93.125.116:8080
103.8.26.102:8080
178.79.147.66:8080
58.227.42.236:80
45.118.135.203:7080
103.75.201.2:443
195.154.133.20:443
45.142.114.231:8080
212.237.5.209:443
207.38.84.195:8080
104.251.214.46:8080
138.185.72.26:8080
51.68.175.8:8080
210.57.217.132:8080
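As an added example (not part of the sandbox report), the Python below turns the extracted C2 list into a lookup table, checks it against connection-log lines, and emits one Suricata rule per ip:port pair. The ip:port pairs are the ones listed above; the connection-log lines, the log column layout (timestamp, src ip, src port, dst ip, dst port, protocol) and the SID base are constructed for the example.

```python
from ipaddress import ip_address

# C2 list as extracted by the sandbox from this sample (family emotet, botnet Epoch4).
EMOTET_EPOCH4_C2 = """
81.0.236.93:443
94.177.248.64:443
66.42.55.5:7080
103.8.26.103:8080
185.184.25.237:8080
45.76.176.10:8080
188.93.125.116:8080
103.8.26.102:8080
178.79.147.66:8080
58.227.42.236:80
45.118.135.203:7080
103.75.201.2:443
195.154.133.20:443
45.142.114.231:8080
212.237.5.209:443
207.38.84.195:8080
104.251.214.46:8080
138.185.72.26:8080
51.68.175.8:8080
210.57.217.132:8080
"""


def parse_c2_list(text):
    """Parse 'ip:port' lines into {ip: set(ports)}; malformed lines are skipped."""
    c2 = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        host, sep, port = line.rpartition(":")
        if not sep or not port.isdigit():
            continue
        try:
            ip = str(ip_address(host))  # also rejects garbage that is not an IP
        except ValueError:
            continue
        c2.setdefault(ip, set()).add(int(port))
    return c2


# Constructed connection log (not from the report): ts src_ip src_port dst_ip dst_port proto
SAMPLE_CONN_LOG = [
    "2021-11-16T21:11:02Z 10.0.0.15 49711 81.0.236.93 443 tcp",
    "2021-11-16T21:11:05Z 10.0.0.15 49712 8.8.8.8 53 udp",
    "2021-11-16T21:11:09Z 10.0.0.15 49713 66.42.55.5 7080 tcp",
    "2021-11-16T21:11:14Z 10.0.0.15 49714 66.42.55.5 443 tcp",
    "2021-11-16T21:11:20Z 10.0.0.15 49715 142.250.74.78 443 tcp",
]


def match_connections(log_lines, c2):
    """Return (dst_ip, dst_port, verdict) for every connection to a known C2 IP.

    verdict is 'ip+port' when the port is in this config too, 'ip-only' otherwise;
    the IP is the stronger indicator because this config mixes 80/443/7080/8080.
    """
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 6:
            continue
        dst_ip, dst_port = fields[3], int(fields[4])
        if dst_ip in c2:
            verdict = "ip+port" if dst_port in c2[dst_ip] else "ip-only"
            hits.append((dst_ip, dst_port, verdict))
    return hits


def suricata_rules(c2, sid_base=9000001):
    """Emit one Suricata rule per ip:port pair, SIDs assigned in IP order (sid_base is assumed)."""
    rules, sid = [], sid_base
    for ip in sorted(c2, key=ip_address):
        for port in sorted(c2[ip]):
            rules.append(
                f'alert tcp $HOME_NET any -> {ip} {port} '
                f'(msg:"Emotet Epoch4 C2 {ip}:{port}"; flow:to_server; sid:{sid}; rev:1;)'
            )
            sid += 1
    return rules


if __name__ == "__main__":
    table = parse_c2_list(EMOTET_EPOCH4_C2)
    for hit in match_connections(SAMPLE_CONN_LOG, table):
        print("C2 hit:", hit)
    print("\n".join(suricata_rules(table)))
```

An "ip-only" hit is still reported rather than dropped: the port set is only what this one sample carried, so a connection to a listed IP on another port deserves a look.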
Signatures

Blocklisted process makes network request (2 IoCs)
Processes:
  flow  pid  process
  18    488  rundll32.exe
  25    488  rundll32.exe

Drops file in System32 directory (1 IoC)
Processes:
  description                   ioc                                               process
  File opened for modification  C:\Windows\SysWOW64\Bnjkksfp\gtmsxxjbawdcvek.bfj  rundll32.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid  process
  488  rundll32.exe
  488  rundll32.exe

Suspicious behavior: RenamesItself (1 IoC)
Processes:
  pid   process
  3988  rundll32.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description                       pid   process       target process
  PID 2680 wrote to memory of 2108  2680  rundll32.exe  rundll32.exe
  PID 2680 wrote to memory of 2108  2680  rundll32.exe  rundll32.exe
  PID 2680 wrote to memory of 2108  2680  rundll32.exe  rundll32.exe
  PID 2108 wrote to memory of 3988  2108  rundll32.exe  rundll32.exe
  PID 2108 wrote to memory of 3988  2108  rundll32.exe  rundll32.exe
  PID 2108 wrote to memory of 3988  2108  rundll32.exe  rundll32.exe
  PID 3988 wrote to memory of 1184  3988  rundll32.exe  rundll32.exe
  PID 3988 wrote to memory of 1184  3988  rundll32.exe  rundll32.exe
  PID 3988 wrote to memory of 1184  3988  rundll32.exe  rundll32.exe
  PID 1184 wrote to memory of 488   1184  rundll32.exe  rundll32.exe
  PID 1184 wrote to memory of 488   1184  rundll32.exe  rundll32.exe
  PID 1184 wrote to memory of 488   1184  rundll32.exe  rundll32.exe
Processes

Process tree (depth 1 to 5; the PID of each node is inferred from the WriteProcessMemory chain 2680 > 2108 > 3988 > 1184 > 488, which matches the per-process signatures above: RenamesItself on 3988 at depth 3, the network requests and process enumeration on 488 at depth 5).

1. C:\Windows\system32\rundll32.exe (PID 2680)
   rundll32.exe C:\Users\Admin\AppData\Local\Temp\6fdefaab1410971f4c7aa60128b0f668a030d2b9f95054837ddbd05ab3ec5ccc.dll,#1
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe (PID 2108)
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\6fdefaab1410971f4c7aa60128b0f668a030d2b9f95054837ddbd05ab3ec5ccc.dll,#1
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\rundll32.exe (PID 3988)
         C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\6fdefaab1410971f4c7aa60128b0f668a030d2b9f95054837ddbd05ab3ec5ccc.dll",Control_RunDLL
         - Drops file in System32 directory
         - Suspicious behavior: RenamesItself
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\rundll32.exe (PID 1184)
            C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Bnjkksfp\gtmsxxjbawdcvek.bfj",pSjEzlqQw
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\SysWOW64\rundll32.exe (PID 488)
               C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Bnjkksfp\gtmsxxjbawdcvek.bfj",Control_RunDLL
               - Blocklisted process makes network request
               - Suspicious behavior: EnumeratesProcesses

Note that the dropped module appears under both C:\Windows\SysWOW64\Bnjkksfp\ (depth 4) and C:\Windows\System32\Bnjkksfp\ (depth 5): these are the same file, because a 32-bit process under WoW64 has System32 redirected to SysWOW64. The copy keeps a non-.dll extension (.bfj) and is loaded first through a random export name (pSjEzlqQw) and then through Control_RunDLL.
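As an added example (not part of the sandbox report), the Python below runs detection logic over Sysmon-style process-creation events modelled on the tree above: it splits each rundll32 command line into module path and export, flags a module without a .dll extension, a module sitting in a subdirectory of System32/SysWOW64, or a module loaded from a user's Temp folder, and counts how deep the rundll32-in-rundll32 nesting goes. The five PIDs, images and command lines are taken from the report; the parent explorer.exe (PID 1200), the benign shell32.dll event (PID 5100), the event field names and the depth threshold of 3 are assumptions made for the example.

```python
import re

HASH = "6fdefaab1410971f4c7aa60128b0f668a030d2b9f95054837ddbd05ab3ec5ccc"
TEMP_DLL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\%s.dll" % HASH

# Constructed process-creation events (pid, ppid, image, cmdline) modelled on the report's tree.
# PID 1200 (explorer.exe) and PID 5100 (a benign rundll32 use) are assumed, not from the report.
EVENTS = [
    {"pid": 1200, "ppid": 900, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 2680, "ppid": 1200, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": "rundll32.exe %s,#1" % TEMP_DLL},
    {"pid": 2108, "ppid": 2680, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": "rundll32.exe %s,#1" % TEMP_DLL},
    {"pid": 3988, "ppid": 2108, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": 'C:\\Windows\\SysWOW64\\rundll32.exe "%s",Control_RunDLL' % TEMP_DLL},
    {"pid": 1184, "ppid": 3988, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Bnjkksfp\gtmsxxjbawdcvek.bfj",pSjEzlqQw'},
    {"pid": 488, "ppid": 1184, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Bnjkksfp\gtmsxxjbawdcvek.bfj",Control_RunDLL'},
    {"pid": 5100, "ppid": 1200, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]


def parse_rundll32(cmdline):
    """Split 'rundll32.exe <module>,<export>' into (module, export); module may be quoted."""
    m = re.match(r'^\s*"?[^"]*?rundll32\.exe"?\s+(.*)$', cmdline, re.I)
    if not m:
        return None
    rest = m.group(1).strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        if end < 0:
            return None
        module, tail = rest[1:end], rest[end + 1:]
    else:
        module, sep, tail = rest.partition(",")  # unquoted module ends at the first comma
        tail = sep + tail
    tail = tail.strip()
    parts = tail[1:].split() if tail.startswith(",") else []
    return module.strip(), (parts[0] if parts else "")


def normalize_path(path):
    """Lower-case and fold the WoW64 view: a 32-bit process sees System32 redirected to SysWOW64,
    which is why the report shows the same dropped file under both directory names."""
    return path.lower().replace("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def assess(module):
    """Return the reasons a rundll32 module argument looks suspicious (empty list if none)."""
    low = module.lower()
    reasons = []
    if not low.endswith(".dll"):
        reasons.append("module without .dll extension")
    if re.match(r"c:\\windows\\sys(wow64|tem32)\\[^\\]+\\[^\\]+$", low):
        reasons.append("module in a subdirectory of System32/SysWOW64")
    if re.search(r"\\appdata\\local\\temp\\", low):
        reasons.append("module loaded from user Temp")
    return reasons


def detect(events, max_depth=3):
    """Assess every rundll32 event; depth counts the process plus its unbroken rundll32 ancestors."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if "rundll32.exe" not in e["image"].lower():
            continue
        parsed = parse_rundll32(e["cmdline"])
        if parsed is None:
            continue
        module, export = parsed
        depth, pid = 0, e["pid"]
        while pid in by_pid and "rundll32.exe" in by_pid[pid]["image"].lower():
            depth += 1
            pid = by_pid[pid]["ppid"]
        reasons = assess(module)
        if depth >= max_depth:
            reasons.append("nested rundll32 chain (depth %d)" % depth)
        findings.append({"pid": e["pid"], "module": normalize_path(module), "export": export,
                         "depth": depth, "reasons": reasons, "flagged": bool(reasons)})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f["pid"], "FLAGGED" if f["flagged"] else "ok", f["module"], f["export"], f["reasons"])
```

Path normalisation is what lets the depth-4 and depth-5 events correlate to one dropped file; without it the System32 and SysWOW64 spellings look like two different modules.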
Downloads

memory/488-119-0x0000000000000000-mapping.dmp
memory/1184-118-0x0000000000000000-mapping.dmp
memory/2108-115-0x0000000000000000-mapping.dmp
memory/2108-117-0x0000000010000000-0x0000000010028000-memory.dmp (160KB)
memory/3988-116-0x0000000000000000-mapping.dmp