Analysis
Max time kernel: 78s
Max time network: 132s
Platform: windows10-2004_x64
Resource: win10v2004-en-20220113
Submitted: 18-01-2022 20:29
Static task: static1
Behavioral task: behavioral1
Sample: emotet_exe_e5_79bb9f766979b24f701f4a753ad2916beb27f491f4eb5ba52e41a238c3bf8f3c_2022-01-18__202828.exe.dll
Resource: win7-en-20211208
General
Target: emotet_exe_e5_79bb9f766979b24f701f4a753ad2916beb27f491f4eb5ba52e41a238c3bf8f3c_2022-01-18__202828.exe.dll
Size: 408KB
MD5: cd71a85555b5b3a8eee243f025edeade
SHA1: 6fa69205d02f43832fc02efff9155675e61d0475
SHA256: 79bb9f766979b24f701f4a753ad2916beb27f491f4eb5ba52e41a238c3bf8f3c
SHA512: 20e1e46d023452faa7ea32a54ab13f79ba45efef4faa1923ef5bd5e0d2f2379f928be74fe396334b770c52f098b9b98d4eefc79989bea76f867b02bf789e1057
Malware Config
Extracted
emotet
Epoch5
Signatures
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: regsvr32.exe, regsvr32.exe

Description                         PID   Process       Target process
PID 4052 wrote to memory of 1508    4052  regsvr32.exe  regsvr32.exe
PID 4052 wrote to memory of 1508    4052  regsvr32.exe  regsvr32.exe
PID 4052 wrote to memory of 1508    4052  regsvr32.exe  regsvr32.exe
PID 1508 wrote to memory of 1864    1508  regsvr32.exe  rundll32.exe
PID 1508 wrote to memory of 1864    1508  regsvr32.exe  rundll32.exe
PID 1508 wrote to memory of 1864    1508  regsvr32.exe  rundll32.exe
Processes

1. C:\Windows\system32\regsvr32.exe
   Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\emotet_exe_e5_79bb9f766979b24f701f4a753ad2916beb27f491f4eb5ba52e41a238c3bf8f3c_2022-01-18__202828.exe.dll
   PID: 4052
   Signatures: Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\regsvr32.exe
      Command line: /s C:\Users\Admin\AppData\Local\Temp\emotet_exe_e5_79bb9f766979b24f701f4a753ad2916beb27f491f4eb5ba52e41a238c3bf8f3c_2022-01-18__202828.exe.dll
      PID: 1508
      Signatures: Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\rundll32.exe
         Command line: C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\emotet_exe_e5_79bb9f766979b24f701f4a753ad2916beb27f491f4eb5ba52e41a238c3bf8f3c_2022-01-18__202828.exe.dll",DllRegisterServer
         PID: 1864