Analysis
- max time kernel: 118s
- max time network: 131s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 21-01-2022 11:07
- Static task: static1
General
- Target: 7d72fdbed9a86147fb479486a47359fb87aafe82aa7386f741359b37031885c1.dll
- Size: 636KB
- MD5: 44e8d47c83255d9db2d1968b0c6f4e9f
- SHA1: 388411cd38c8b7bdc9c8ff5c5260597350658b5d
- SHA256: 7d72fdbed9a86147fb479486a47359fb87aafe82aa7386f741359b37031885c1
- SHA512: 66813b51d7590be429d99ca0f1557cc0bc43fd1bcde39c7ee5e93bec9e7f736bb24b37e5cc8c9b021dfcd7512a323a521a26945ad3c461a9a0ea307cf06d01fe
Malware Config
- Extracted: emotet
- Epoch5 (C2 list follows)
Signatures
- Suspicious use of WriteProcessMemory (6 IoCs)

description                        pid   Process       procid_target
PID 2568 wrote to memory of 2836   2568  regsvr32.exe  68
PID 2568 wrote to memory of 2836   2568  regsvr32.exe  68
PID 2568 wrote to memory of 2836   2568  regsvr32.exe  68
PID 2836 wrote to memory of 3824   2836  regsvr32.exe  69
PID 2836 wrote to memory of 3824   2836  regsvr32.exe  69
PID 2836 wrote to memory of 3824   2836  regsvr32.exe  69
Processes
- C:\Windows\system32\regsvr32.exe (depth 1, PID: 2568)
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7d72fdbed9a86147fb479486a47359fb87aafe82aa7386f741359b37031885c1.dll
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe (depth 2, PID: 2836)
    Command line: /s C:\Users\Admin\AppData\Local\Temp\7d72fdbed9a86147fb479486a47359fb87aafe82aa7386f741359b37031885c1.dll
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (depth 3, PID: 3824)
      Command line: C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\7d72fdbed9a86147fb479486a47359fb87aafe82aa7386f741359b37031885c1.dll",DllRegisterServer