Analysis
Max time kernel: 110s
Max time network: 112s
Platform: windows10_x64
Resource: win10-en-20211208
Submitted: 11-12-2021 06:52
Static task: static1
General
Target: 89c4d4e861e3eb13fb44c480b16c153607567c8ab9f1b92406068da572ba99d4.dll
Size: 258KB
MD5: bb4d3a77a41464b84cab99d71ac73e63
SHA1: d9a2ec5dd6ca369c4f4fb908005f5f45ee81c9b7
SHA256: 89c4d4e861e3eb13fb44c480b16c153607567c8ab9f1b92406068da572ba99d4
SHA512: 0927e491424e32f7b55fa0bdd630f88dbae5a10ce30cf042c8c041156f5c9341ba1090e5faadc8e31d80dc5f5bc2a14e6fff8080d955e384791da030ee68cc31
Malware Config
Extracted family: emotet
Botnet: Epoch5
Signatures
Suspicious use of WriteProcessMemory (6 IoCs)
Processes (description | pid | process | target process):
  PID 3896 wrote to memory of 1992 | 3896 | regsvr32.exe | regsvr32.exe
  PID 3896 wrote to memory of 1992 | 3896 | regsvr32.exe | regsvr32.exe
  PID 3896 wrote to memory of 1992 | 3896 | regsvr32.exe | regsvr32.exe
  PID 1992 wrote to memory of 2676 | 1992 | regsvr32.exe | rundll32.exe
  PID 1992 wrote to memory of 2676 | 1992 | regsvr32.exe | rundll32.exe
  PID 1992 wrote to memory of 2676 | 1992 | regsvr32.exe | rundll32.exe
Processes (process tree, indented by depth)
C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\89c4d4e861e3eb13fb44c480b16c153607567c8ab9f1b92406068da572ba99d4.dll
  Signature: Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\regsvr32.exe
    Command line: /s C:\Users\Admin\AppData\Local\Temp\89c4d4e861e3eb13fb44c480b16c153607567c8ab9f1b92406068da572ba99d4.dll
    Signature: Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\89c4d4e861e3eb13fb44c480b16c153607567c8ab9f1b92406068da572ba99d4.dll",DllRegisterServer