Analysis
  Max time kernel: 110s
  Max time network: 167s
  Platform: windows10_x64
  Resource: win10-en-20211014
  Submitted: 16-11-2021 21:16
  Static task: static1

General
  Target: 4e404990be8acebe35b309e2b498b266e72ae20f24718d08e7fb729abd186b43.dll
  Size: 252KB
  MD5: d8508848ae1b76693a0e74944c6b0104
  SHA1: 37be1eac49e9fd747bb0405d2d1b1f8481923b80
  SHA256: 4e404990be8acebe35b309e2b498b266e72ae20f24718d08e7fb729abd186b43
  SHA512: 8b75be9397ceb212abb027c80773e511a2c8955b7fbbe73c5b7df2468162247ae92fc52dffc8eeaf20910660bc88657b3b1351cb7dd62c478cb17b80a60ca880
Malware Config
  Extracted: emotet (Epoch4)
Signatures
  Blocklisted process makes network request (4 IoCs)
    Processes: rundll32.exe
    flow  pid   process
    17    1320  rundll32.exe
    21    1320  rundll32.exe
    28    1320  rundll32.exe
    29    1320  rundll32.exe

  Suspicious behavior: EnumeratesProcesses (2 IoCs)
    Processes: rundll32.exe
    pid   process
    1320  rundll32.exe
    1320  rundll32.exe

  Suspicious use of WriteProcessMemory (6 IoCs)
    Processes: rundll32.exe, rundll32.exe
    description                          pid   process       target process
    PID 656 wrote to memory of 2300      656   rundll32.exe  rundll32.exe
    PID 656 wrote to memory of 2300      656   rundll32.exe  rundll32.exe
    PID 656 wrote to memory of 2300      656   rundll32.exe  rundll32.exe
    PID 2300 wrote to memory of 1320     2300  rundll32.exe  rundll32.exe
    PID 2300 wrote to memory of 1320     2300  rundll32.exe  rundll32.exe
    PID 2300 wrote to memory of 1320     2300  rundll32.exe  rundll32.exe
Processes
  C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4e404990be8acebe35b309e2b498b266e72ae20f24718d08e7fb729abd186b43.dll,#1
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4e404990be8acebe35b309e2b498b266e72ae20f24718d08e7fb729abd186b43.dll,#1
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\rundll32.exe
        Command line: C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\4e404990be8acebe35b309e2b498b266e72ae20f24718d08e7fb729abd186b43.dll",Control_RunDLL
        - Blocklisted process makes network request
        - Suspicious behavior: EnumeratesProcesses