Analysis
- max time kernel: 106s
- max time network: 118s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 07-12-2021 12:58
- Static task: static1
General
- Target: 524a9e06b31e11059fa226ea043a1349f236e6b93048a133443f52c218a30b79.dll
- Size: 749KB
- MD5: b778e600e9183d06b24975f1408b2ac4
- SHA1: 53fde293771ee296ceb1dfb44c1658d2e4801778
- SHA256: 524a9e06b31e11059fa226ea043a1349f236e6b93048a133443f52c218a30b79
- SHA512: 6b77faae1bee7a2e49547f7db7a7ec87112e848a22cb6257e6a3816c5b77138ea4aa5789612c352785ee3218cf294c4011f7d3a16cad708320de362922c23e44
Malware Config
- Extracted: emotet
- Epoch5
Signatures
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: regsvr32.exe, regsvr32.exe
  description        | PID  | process      | target PID | target process
  wrote to memory of | 3056 | regsvr32.exe | 3816       | regsvr32.exe
  wrote to memory of | 3056 | regsvr32.exe | 3816       | regsvr32.exe
  wrote to memory of | 3056 | regsvr32.exe | 3816       | regsvr32.exe
  wrote to memory of | 3816 | regsvr32.exe | 4092       | rundll32.exe
  wrote to memory of | 3816 | regsvr32.exe | 4092       | rundll32.exe
  wrote to memory of | 3816 | regsvr32.exe | 4092       | rundll32.exe
Processes
- C:\Windows\system32\regsvr32.exe (process tree level 1)
  command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\524a9e06b31e11059fa226ea043a1349f236e6b93048a133443f52c218a30b79.dll
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\regsvr32.exe (process tree level 2)
  command line: /s C:\Users\Admin\AppData\Local\Temp\524a9e06b31e11059fa226ea043a1349f236e6b93048a133443f52c218a30b79.dll
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\rundll32.exe (process tree level 3)
  command line: C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\524a9e06b31e11059fa226ea043a1349f236e6b93048a133443f52c218a30b79.dll",DllRegisterServer