Analysis
- max time kernel: 271s
- max time network: 282s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 12-01-2022 00:50
- Static task: static1
General
- Target: emotet_exe_e5_1dfd85d0e34bf65f3f725338ce6f05da53f6e58d1906829ded80e2bf62b92610_2022-01-12__005000._exe.dll
- Size: 258KB
- MD5: 60ee3c02f7fa06551a21356b22aebf0c
- SHA1: 2a8a5db225efa976e9597718776024154e58cad2
- SHA256: 1dfd85d0e34bf65f3f725338ce6f05da53f6e58d1906829ded80e2bf62b92610
- SHA512: 48ff5746ecf02ab5dbf50d9d5b00f7d3fceeb62a620aef85c4b9466d56b9529971c686c0a88d7d2e4e4f43093e2cd318913d4d16d7e18d2236ccdbe235bcb8ec
Malware Config
Extracted
emotet
Epoch5
209.239.112.82:8080
116.124.128.206:8080
45.63.5.129:443
128.199.192.135:8080
51.178.61.60:443
168.197.250.14:80
177.72.80.14:7080
51.210.242.234:8080
142.4.219.173:8080
78.47.204.80:443
78.46.73.125:443
37.44.244.177:8080
37.59.209.141:8080
104.131.62.48:8080
190.90.233.66:443
185.148.168.220:8080
185.148.168.15:8080
62.171.178.147:8080
191.252.103.16:80
54.38.242.185:443
85.214.67.203:8080
217.182.143.207:443
159.69.237.188:443
210.57.209.142:8080
54.37.228.122:443
207.148.81.119:8080
195.77.239.39:8080
66.42.57.149:443
195.154.146.35:443
Signatures
-
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
description | pid | process | target process
PID 3716 wrote to memory of 3604 | 3716 | regsvr32.exe | regsvr32.exe
PID 3716 wrote to memory of 3604 | 3716 | regsvr32.exe | regsvr32.exe
PID 3716 wrote to memory of 3604 | 3716 | regsvr32.exe | regsvr32.exe
PID 3604 wrote to memory of 2232 | 3604 | regsvr32.exe | rundll32.exe
PID 3604 wrote to memory of 2232 | 3604 | regsvr32.exe | rundll32.exe
PID 3604 wrote to memory of 2232 | 3604 | regsvr32.exe | rundll32.exe
Processes
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\emotet_exe_e5_1dfd85d0e34bf65f3f725338ce6f05da53f6e58d1906829ded80e2bf62b92610_2022-01-12__005000._exe.dll
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe
    /s C:\Users\Admin\AppData\Local\Temp\emotet_exe_e5_1dfd85d0e34bf65f3f725338ce6f05da53f6e58d1906829ded80e2bf62b92610_2022-01-12__005000._exe.dll
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\emotet_exe_e5_1dfd85d0e34bf65f3f725338ce6f05da53f6e58d1906829ded80e2bf62b92610_2022-01-12__005000._exe.dll",DllRegisterServer