Analysis
max time kernel: 122s
max time network: 131s
platform: windows10_x64
resource: win10-en-20211208
submitted: 18-01-2022 20:29
Static task: static1
General
Target: 4e6d18fbbc7a4a5d3e318087cc708f33a20c2f7f7028599a98997b24af338365.dll
Size: 408KB
MD5: e67ff7dce31ab593fa38d8eee6a30594
SHA1: 866e65540ed4dc5c82af2f843afc935798698545
SHA256: 4e6d18fbbc7a4a5d3e318087cc708f33a20c2f7f7028599a98997b24af338365
SHA512: 87748bef9c4bd14f99193033801248a1d1ba91bbf5ba64c1e7d47c27ea8b182c68c0a80e62e0c5c8e39e01e03608baf7d8d0498eb05731e7844efb079e64d91d
Malware Config
Extracted
Family: emotet
Botnet: Epoch5
45.138.98.34:80
69.16.218.101:8080
51.210.242.234:8080
185.148.168.220:8080
142.4.219.173:8080
54.38.242.185:443
191.252.103.16:80
104.131.62.48:8080
62.171.178.147:8080
217.182.143.207:443
168.197.250.14:80
37.44.244.177:8080
66.42.57.149:443
210.57.209.142:8080
159.69.237.188:443
116.124.128.206:8080
128.199.192.135:8080
195.154.146.35:443
185.148.168.15:8080
195.77.239.39:8080
207.148.81.119:8080
85.214.67.203:8080
190.90.233.66:443
78.46.73.125:443
78.47.204.80:443
37.59.209.141:8080
54.37.228.122:443
Signatures
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: regsvr32.exe, regsvr32.exe

description                        pid   process        target process
PID 2468 wrote to memory of 2720   2468  regsvr32.exe   regsvr32.exe
PID 2468 wrote to memory of 2720   2468  regsvr32.exe   regsvr32.exe
PID 2468 wrote to memory of 2720   2468  regsvr32.exe   regsvr32.exe
PID 2720 wrote to memory of 2744   2720  regsvr32.exe   rundll32.exe
PID 2720 wrote to memory of 2744   2720  regsvr32.exe   rundll32.exe
PID 2720 wrote to memory of 2744   2720  regsvr32.exe   rundll32.exe
Processes
1. C:\Windows\system32\regsvr32.exe
   regsvr32 /s C:\Users\Admin\AppData\Local\Temp\4e6d18fbbc7a4a5d3e318087cc708f33a20c2f7f7028599a98997b24af338365.dll
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\4e6d18fbbc7a4a5d3e318087cc708f33a20c2f7f7028599a98997b24af338365.dll
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\rundll32.exe
         C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\4e6d18fbbc7a4a5d3e318087cc708f33a20c2f7f7028599a98997b24af338365.dll",DllRegisterServer
Downloads
memory/2720-118-0x0000000004BF0000-0x0000000004C18000-memory.dmp
Filesize: 160KB