Analysis

max time kernel: 294s
max time network: 310s
platform: windows10_x64
resource: win10-20220223-en
submitted: 26-03-2022 17:41
Static task: static1

General

Target: emotet_exe_e4_2bf2f5f5fb6a3c64dfc092635d375da850b403c35fadabe4d74377d1c2b77938_2022-03-26__174059.dll
Size: 612KB
MD5: a631883d397ad88c0744e4405a66a1ab
SHA1: a95c8dd6b8a275d3360799a632a3ab71dc4bc0f9
SHA256: 2bf2f5f5fb6a3c64dfc092635d375da850b403c35fadabe4d74377d1c2b77938
SHA512: 09b42a766077a14f802d7a1aee64a4e24166b3e1ea1438138e990e9508b70960b96230946cc2955e92986c93c1c12ab5bad629831592c24587abdf2ede02db83
Malware Config

Extracted: emotet (Epoch4)
Signatures

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  PID 3732 regsvr32.exe
  PID 3732 regsvr32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes (source PID / process -> target PID / process):
  PID 3508 regsvr32.exe wrote to memory of PID 3732 regsvr32.exe
  PID 3508 regsvr32.exe wrote to memory of PID 3732 regsvr32.exe
  PID 3508 regsvr32.exe wrote to memory of PID 3732 regsvr32.exe
Processes

1. C:\Windows\system32\regsvr32.exe
   Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\emotet_exe_e4_2bf2f5f5fb6a3c64dfc092635d375da850b403c35fadabe4d74377d1c2b77938_2022-03-26__174059.dll
   - Suspicious use of WriteProcessMemory

2. C:\Windows\SysWOW64\regsvr32.exe (child of process 1)
   Command line: /s C:\Users\Admin\AppData\Local\Temp\emotet_exe_e4_2bf2f5f5fb6a3c64dfc092635d375da850b403c35fadabe4d74377d1c2b77938_2022-03-26__174059.dll
   - Suspicious behavior: EnumeratesProcesses