Analysis
- max time kernel: 62s
- max time network: 61s
- platform: windows10_x64
- resource: win10-de-20211104
- submitted: 25-11-2021 16:58
- Static task: static1
General
- Target: 4d44dcc8024109b1a74df59ef836f5a7566b0b380313e3362daaa7b7f5fa12a0.dll
- Size: 653KB
- MD5: d5a09eaaaea0632901d361169bb13fab
- SHA1: 3322a36e92c74cf7156e5b321af3ffeb6c3fcf74
- SHA256: 4d44dcc8024109b1a74df59ef836f5a7566b0b380313e3362daaa7b7f5fa12a0
- SHA512: 12113aa6247f5e92cf1848a3a6dfac972349e2bddb42fc91d2dffac7be0d2a1324c2578dfce72ca5a1ff52619d7a87056ddd106ba834b1e94089679d7e97df44
Malware Config
Extracted
emotet
Epoch5
51.178.61.60:443
168.197.250.14:80
45.79.33.48:8080
196.44.98.190:8080
177.72.80.14:7080
51.210.242.234:8080
185.148.169.10:8080
142.4.219.173:8080
78.47.204.80:443
78.46.73.125:443
37.44.244.177:8080
37.59.209.141:8080
191.252.103.16:80
54.38.242.185:443
85.214.67.203:8080
54.37.228.122:443
207.148.81.119:8080
195.77.239.39:8080
66.42.57.149:443
195.154.146.35:443
Signatures
- suricata: ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)
- suricata: ET MALWARE W32/Emotet CnC Beacon 3
- Blocklisted process makes network request (2 IoCs)
  Processes:
    flow  pid   process
    10    1232  rundll32.exe
    11    1232  rundll32.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    1232  rundll32.exe
    1232  rundll32.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                      pid  process       target process
    PID 916 wrote to memory of 504   916  rundll32.exe  rundll32.exe
    PID 916 wrote to memory of 504   916  rundll32.exe  rundll32.exe
    PID 916 wrote to memory of 504   916  rundll32.exe  rundll32.exe
    PID 504 wrote to memory of 1232  504  rundll32.exe  rundll32.exe
    PID 504 wrote to memory of 1232  504  rundll32.exe  rundll32.exe
    PID 504 wrote to memory of 1232  504  rundll32.exe  rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4d44dcc8024109b1a74df59ef836f5a7566b0b380313e3362daaa7b7f5fa12a0.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4d44dcc8024109b1a74df59ef836f5a7566b0b380313e3362daaa7b7f5fa12a0.dll,#1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\4d44dcc8024109b1a74df59ef836f5a7566b0b380313e3362daaa7b7f5fa12a0.dll",Control_RunDLL
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe
  Command line: "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe"
Downloads
- memory/504-118-0x0000000000000000-mapping.dmp
- memory/504-119-0x0000000004E10000-0x0000000004E38000-memory.dmp (Filesize: 160KB)
- memory/1232-122-0x0000000000000000-mapping.dmp
- memory/1232-123-0x0000000004B80000-0x0000000004BA8000-memory.dmp (Filesize: 160KB)
- memory/1232-126-0x0000000005120000-0x0000000005148000-memory.dmp (Filesize: 160KB)
- memory/1232-129-0x0000000005420000-0x0000000005448000-memory.dmp (Filesize: 160KB)
- memory/1232-132-0x0000000005500000-0x0000000005528000-memory.dmp (Filesize: 160KB)
- memory/1232-135-0x00000000055E0000-0x0000000005608000-memory.dmp (Filesize: 160KB)
- memory/1232-138-0x00000000056C0000-0x00000000056E8000-memory.dmp (Filesize: 160KB)
- memory/1232-141-0x00000000057B0000-0x00000000057D8000-memory.dmp (Filesize: 160KB)