Analysis

  • max time kernel
    120s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    10/05/2022, 05:58 UTC

General

  • Target

    qhcqqxpx.dll

  • Size

    664KB

  • MD5

    5c8b15dfdd2f021a32f8f0372bd11c3e

  • SHA1

    cb9ee23e2870751cfda17a689b8bddace918d506

  • SHA256

    f7ab0e91e0a5e8b63612255501ef463653879d563a0672e892755ddf3bda0fd0

  • SHA512

    e93ebaac8548e07a32e63f35e25aec5e531116f3d40e04fda059793ec78ed3b49ffe23e34732e74fa6aeeeaa4944bfab298844828fabe84fb131c022161e92de

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

149.56.128.192:443

120.50.40.183:80

160.16.218.63:8080

217.182.25.250:8080

119.193.124.41:7080

103.75.201.2:443

195.201.151.129:8080

131.100.24.231:80

159.65.88.10:8080

1.234.21.73:7080

5.9.116.246:8080

103.75.201.4:443

176.104.106.96:8080

138.185.72.26:8080

212.237.17.99:8080

72.15.201.15:8080

103.43.46.182:443

207.38.84.195:8080

46.55.222.11:443

1.234.2.232:8080

eck1.plain
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE86M1tQ4uK/Q1Vs0KTCk+fPEQ3cuw
TyCz+gIgzky2DB5Elr60DubJW5q9Tr2dj8/gEFs0TIIEJgLTuqzx+58sdg==
-----END PUBLIC KEY-----

ecs1.plain
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEQF90tsTY3Aw9HwZ6N9y5+be9Xoov
pqHyD6F5DRTl9THosAoePIs/e5AdJiYxhmV8Gq3Zw1ysSPBghxjZdDxY+Q==
-----END PUBLIC KEY-----
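The two PEM blocks above are the public keys tria.ge pulled out of the unpacked payload: in Emotet builds from the November 2021 reboot onward, ECK1 is the P-256 ECDH key the bot uses to agree a session key for C2 traffic and ECS1 the P-256 ECDSA key it uses to verify what the C2 sends back. Because every bot in an epoch ships the same pair, the keys identify the botnet far more reliably than the C2 IPs, which rotate. The following stdlib-only script is an added example (not code from tria.ge or from the Emotet config extractor): it parses each SubjectPublicKeyInfo by hand, checks the algorithm and curve OIDs, and confirms that the embedded point actually lies on P-256, which is the quickest way to catch a key that was mis-copied or truncated in a report. The key strings are copied verbatim from the config above; everything else is the example's own.

```python
import base64

# NIST P-256 / secp256r1 parameters (a = -3 is folded into the curve equation below).
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
OID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"    # id-ecPublicKey
OID_PRIME256V1 = "1.2.840.10045.3.1.7"     # prime256v1 / secp256r1

# The two keys exactly as listed in the extracted config above (labels are tria.ge's).
EMOTET_KEYS = {
    "eck1.plain": (
        "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE86M1tQ4uK/Q1Vs0KTCk+fPEQ3cuw"
        "TyCz+gIgzky2DB5Elr60DubJW5q9Tr2dj8/gEFs0TIIEJgLTuqzx+58sdg=="
    ),
    "ecs1.plain": (
        "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEQF90tsTY3Aw9HwZ6N9y5+be9Xoov"
        "pqHyD6F5DRTl9THosAoePIs/e5AdJiYxhmV8Gq3Zw1ysSPBghxjZdDxY+Q=="
    ),
}


def _tlv(buf, pos):
    """Read one DER TLV at buf[pos]; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _oid(raw):
    """Decode a DER OBJECT IDENTIFIER value into dotted form."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_ec_spki(pem):
    """Parse an X.509 SubjectPublicKeyInfo (PEM or bare base64) carrying an uncompressed EC point."""
    body = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    der = base64.b64decode(body, validate=True)
    tag, spki, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SPKI is not a SEQUENCE")
    tag, algid, pos = _tlv(spki, 0)              # AlgorithmIdentifier ::= SEQUENCE { alg OID, curve OID }
    _, alg_oid, p2 = _tlv(algid, 0)
    _, curve_oid, _ = _tlv(algid, p2)
    tag, bits, _ = _tlv(spki, pos)               # subjectPublicKey BIT STRING
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("subjectPublicKey is not a byte-aligned BIT STRING")
    point = bits[1:]
    if point[0] != 0x04 or len(point) != 65:     # SEC1 uncompressed: 0x04 || X || Y
        raise ValueError("expected a 65-byte uncompressed SEC1 point")
    return {
        "der_len": len(der),
        "alg_oid": _oid(alg_oid),
        "curve_oid": _oid(curve_oid),
        "x": int.from_bytes(point[1:33], "big"),
        "y": int.from_bytes(point[33:], "big"),
    }


def on_p256(x, y):
    """True if (x, y) satisfies y^2 = x^3 - 3x + b over F_p for P-256."""
    if not (0 <= x < P256_P and 0 <= y < P256_P):
        return False
    return (y * y - (x * x * x - 3 * x + P256_B)) % P256_P == 0


def check_keys(keys=EMOTET_KEYS):
    """Validate each key; 'valid_p256' is True only if OIDs and curve membership all check out."""
    report = {}
    for label, pem in keys.items():
        k = parse_ec_spki(pem)
        k["valid_p256"] = (k["alg_oid"] == OID_EC_PUBLIC_KEY
                           and k["curve_oid"] == OID_PRIME256V1
                           and on_p256(k["x"], k["y"]))
        report[label] = k
    return report


if __name__ == "__main__":
    for label, k in check_keys().items():
        print(f"{label}: {k['der_len']}-byte DER, curve {k['curve_oid']}, "
              f"valid P-256 point: {k['valid_p256']}")
```

Both keys decode to the 91-byte SPKI that every P-256 public key shares (the `MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE` prefix is the constant DER header), so the only sample-specific content is the 64-byte point; a hash of that point, or of the whole DER, is a stable pivot for clustering Emotet samples by epoch.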

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • suricata: ET MALWARE W32/Emotet CnC Beacon 3

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\qhcqqxpx.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1800
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\qhcqqxpx.dll
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:896
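The tree above is the textbook Emotet DLL launch: a 64-bit `regsvr32 /s` pointed at a DLL in the user's `%TEMP%`, which then spawns the 32-bit `C:\Windows\SysWOW64\regsvr32.exe` with the same arguments (that is what the 64-bit regsvr32 does when handed a 32-bit DLL), and it is the child, PID 896, that carries the behavioural signatures. The script below is an added example, not part of the tria.ge report: it scores process-creation events for exactly these traits. The event records are constructed for the example (PIDs and paths mirror the tree above; the parent PIDs 1234/2300 and the benign "Vendor App" control are invented), and the path and flag heuristics are the example's own assumptions, not a tria.ge or Sysmon rule.

```python
import ntpath
import re
import shlex

# Constructed process-creation events mirroring the tree above (not a tria.ge export format).
# The third event is a benign control: an installer registering a COM server from Program Files.
EVENTS = [
    {"pid": 1800, "ppid": 1234, "image": r"C:\Windows\system32\regsvr32.exe",
     "cmdline": r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\qhcqqxpx.dll"},
    {"pid": 896, "ppid": 1800, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r"/s C:\Users\Admin\AppData\Local\Temp\qhcqqxpx.dll"},
    {"pid": 2400, "ppid": 2300, "image": r"C:\Windows\system32\regsvr32.exe",
     "cmdline": r'regsvr32 /s "C:\Program Files\Vendor App\vendorcom.dll"'},
]

# Directories an unprivileged user (or a dropper running as one) can write to. Assumed list.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(AppData\\(Local|Roaming)|Downloads|Desktop|Public)"
    r"|ProgramData|Windows\\Temp)\\", re.IGNORECASE)
SILENT_FLAG = re.compile(r"(^|\s)[/-]s(\s|$)", re.IGNORECASE)   # regsvr32 /s: no UI, no error box


def dll_argument(cmdline):
    """Return the DLL path passed to regsvr32 (surrounding quotes removed), or None."""
    for tok in shlex.split(cmdline, posix=False):   # posix=False keeps backslashes and quoted spaces
        tok = tok.strip('"')
        if tok.lower().endswith(".dll"):
            return tok
    return None


def _is_regsvr32(image):
    return ntpath.basename(image).lower() == "regsvr32.exe"


def score_regsvr32(events):
    """Score every regsvr32 launch; returns {pid: {"dll", "reasons", "score"}}."""
    by_pid = {e["pid"]: e for e in events}
    findings = {}
    for e in events:
        if not _is_regsvr32(e["image"]):
            continue
        reasons, dll = [], dll_argument(e["cmdline"])
        if dll and USER_WRITABLE.search(dll):
            reasons.append("dll_in_user_writable_path")
        if SILENT_FLAG.search(e["cmdline"]):
            reasons.append("silent_flag")
        # A 64-bit regsvr32 handed a 32-bit DLL re-executes its SysWOW64 copy with the same DLL.
        parent = by_pid.get(e["ppid"])
        parent_dll = dll_argument(parent["cmdline"]) if parent and _is_regsvr32(parent["image"]) else None
        if (dll and parent_dll and parent_dll.lower() == dll.lower()
                and "\\system32\\" in parent["image"].lower()
                and "\\syswow64\\" in e["image"].lower()):
            reasons.append("wow64_relaunch_of_same_dll")
        findings[e["pid"]] = {"dll": dll, "reasons": reasons, "score": len(reasons)}
    return findings


if __name__ == "__main__":
    for pid, f in score_regsvr32(EVENTS).items():
        print(pid, f["score"], f["dll"], ", ".join(f["reasons"]))
```

The WOW64 relaunch on its own is not malicious (any 32-bit COM DLL registered from a 64-bit shell does the same); it is the combination with a DLL under `AppData\Local\Temp` and the silent flag that separates the Emotet tree from an installer, which is why the example scores rather than matches.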

Network

  • Country: CA
    GET
    https://149.56.128.192/idQSfqnXROwWytxXnriWHWg
    regsvr32.exe
    Remote address:
    149.56.128.192:443
    Request
    GET /idQSfqnXROwWytxXnriWHWg HTTP/1.1
    Cookie: sle=GvgaaTg9kphYI6QoUTPrL4fXceZFWDzuqYcHXXf84/k9f8ZG1wbA1pzzrA1xxe7prlRGvsfksWmmAKBdOMcHpH7lIM6766uIocq/MkifJo4Uzs8IZv280dpbNZ2cwuCt4Nkq+KujbiA/8ntwjrLYgfmR4lPMxc8wXcpPyWOCpreJoPybfCFuJ+Bd1sgH/tzDaSKApkNsIUGM2vZITKSkNGbPkxIsDbb+FYficP8AnvDTOHr4XG6xufXzKrOlEG6N1MpboUmaHjfOlnxsfTCjCBFROY8VYge7piwYhFmeHaJOBXzviGM8cgynmsbVScM3tb8/ckTgfziQ9N2UZH4/UfUwFsO+vP0Gv1eQ
    Host: 149.56.128.192
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Tue, 10 May 2022 06:05:12 GMT
    Content-Type: text/html
    Content-Length: 162
    Connection: keep-alive
  • Country: KR
    GET
    https://119.193.124.41:7080/lGxLImUuQftekeLBDNZTMmDvgyitvYuIoIxlNsVkdjodghraWallIRX
    regsvr32.exe
    Remote address:
    119.193.124.41:7080
    Request
    GET /lGxLImUuQftekeLBDNZTMmDvgyitvYuIoIxlNsVkdjodghraWallIRX HTTP/1.1
    Cookie: d=GvgaaTg9kphYI6QoUTPrL4fXceZFWDzuqYcHXXf84/k9f8ZG1wbA1pzzrA1xxe7prlRGvsfksWmmAKBdOMcHpH7lIM6766uIocq/MkifJo4Uzs8IZv280dpbNZ2cwuCt4Nkq+KujbiA/8ntwjrLYgfmR4lPMxc8wXcpPyWOCpreJoPybfCFuJ+Bd1sgH/tzDaSKApkNsIUGM2vZITKSkNPgXAA/nNW9sffVRl53b8gyoO55qoUMY219SVNfs3Zs8+uq/IObhzFZjd3TPzw==
    Host: 119.193.124.41:7080
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 10 May 2022 06:05:54 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • 149.56.128.192:443
    https://149.56.128.192/idQSfqnXROwWytxXnriWHWg
    tls, http
    regsvr32.exe
    1.4kB
    2.5kB
    11
    10

    HTTP Request

    GET https://149.56.128.192/idQSfqnXROwWytxXnriWHWg

    HTTP Response

    404
  • 120.50.40.183:80
    regsvr32.exe
    152 B
    3
  • 120.50.40.183:80
    regsvr32.exe
    152 B
    3
  • 160.16.218.63:8080
    regsvr32.exe
    152 B
    3
  • 160.16.218.63:8080
    regsvr32.exe
    152 B
    3
  • 217.182.25.250:8080
    regsvr32.exe
    152 B
    120 B
    3
    3
  • 217.182.25.250:8080
    regsvr32.exe
    152 B
    120 B
    3
    3
  • 119.193.124.41:7080
    https://119.193.124.41:7080/lGxLImUuQftekeLBDNZTMmDvgyitvYuIoIxlNsVkdjodghraWallIRX
    tls, http
    regsvr32.exe
    1.2kB
    2.7kB
    8
    9

    HTTP Request

    GET https://119.193.124.41:7080/lGxLImUuQftekeLBDNZTMmDvgyitvYuIoIxlNsVkdjodghraWallIRX

    HTTP Response

    200
No results found

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

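Both captured requests show the same beacon shape: a GET to a bare IP (one on a non-standard port) with a single random-looking path segment, no User-Agent header at all, and one cookie with a throwaway short name (`sle`, `d`) whose value is a few hundred bytes of base64. Note also that the two cookie values share their first 213 characters: the prefix is the per-run part of the blob and only the tail differs between the two contacts. The script below is an added example (not tria.ge's or Suricata's detection logic): it reconstructs the two requests from the headers shown above (cookie values copied verbatim), adds a constructed benign request as a control, and scores each one. The thresholds (path length, cookie name length, 128-byte minimum blob) are the example's own assumptions.

```python
import base64
import binascii
import ipaddress
import re

# Cookie values copied verbatim from the two captured requests above.
COOKIE_1 = ("GvgaaTg9kphYI6QoUTPrL4fXceZFWDzuqYcHXXf84/k9f8ZG1wbA1pzzrA1xxe7prlRGvsfksWmmAKBdOMcHpH7lIM6766uIocq/"
            "MkifJo4Uzs8IZv280dpbNZ2cwuCt4Nkq+KujbiA/8ntwjrLYgfmR4lPMxc8wXcpPyWOCpreJoPybfCFuJ+Bd1sgH/tzDaSKApkNs"
            "IUGM2vZITKSkNGbPkxIsDbb+FYficP8AnvDTOHr4XG6xufXzKrOlEG6N1MpboUmaHjfOlnxsfTCjCBFROY8VYge7piwYhFmeHaJO"
            "BXzviGM8cgynmsbVScM3tb8/ckTgfziQ9N2UZH4/UfUwFsO+vP0Gv1eQ")
COOKIE_2 = ("GvgaaTg9kphYI6QoUTPrL4fXceZFWDzuqYcHXXf84/k9f8ZG1wbA1pzzrA1xxe7prlRGvsfksWmmAKBdOMcHpH7lIM6766uIocq/"
            "MkifJo4Uzs8IZv280dpbNZ2cwuCt4Nkq+KujbiA/8ntwjrLYgfmR4lPMxc8wXcpPyWOCpreJoPybfCFuJ+Bd1sgH/tzDaSKApkNs"
            "IUGM2vZITKSkNPgXAA/nNW9sffVRl53b8gyoO55qoUMY219SVNfs3Zs8+uq/IObhzFZjd3TPzw==")

# Constructed raw requests: the first two reproduce the captured request lines and headers,
# the third is a benign control made up for this example.
REQUESTS = {
    "emotet_149.56.128.192": (
        "GET /idQSfqnXROwWytxXnriWHWg HTTP/1.1\r\n"
        f"Cookie: sle={COOKIE_1}\r\n"
        "Host: 149.56.128.192\r\n"
        "Connection: Keep-Alive\r\n"
        "Cache-Control: no-cache\r\n\r\n"),
    "emotet_119.193.124.41": (
        "GET /lGxLImUuQftekeLBDNZTMmDvgyitvYuIoIxlNsVkdjodghraWallIRX HTTP/1.1\r\n"
        f"Cookie: d={COOKIE_2}\r\n"
        "Host: 119.193.124.41:7080\r\n"
        "Connection: Keep-Alive\r\n"
        "Cache-Control: no-cache\r\n\r\n"),
    "benign": (
        "GET /index.html HTTP/1.1\r\n"
        "Host: www.example.com\r\n"
        "User-Agent: Mozilla/5.0\r\n"
        "Cookie: session=abc123; theme=dark\r\n\r\n"),
}


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, {lowercased header: value})."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, target, _version = head[0].split(" ", 2)
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def base64_len(value):
    """Number of bytes a strict-base64 string encodes, or -1 if it is not base64."""
    try:
        return len(base64.b64decode(value, validate=True))
    except binascii.Error:
        return -1


def host_is_ip_literal(host):
    """True if the Host header is a bare IP address, with or without a :port suffix."""
    name = host.rsplit(":", 1)[0] if re.fullmatch(r"[^:]+:\d+", host) else host
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def score_beacon(raw):
    """Count Emotet-beacon traits in one request; 'score' is the number of traits present."""
    method, target, headers = parse_request(raw)
    reasons = []
    if host_is_ip_literal(headers.get("host", "")):
        reasons.append("host_is_ip_literal")
    if re.fullmatch(r"/[A-Za-z]{8,64}", target):          # one letters-only path segment, no extension
        reasons.append("single_letters_only_path")
    cookies = [c.strip().partition("=") for c in headers.get("cookie", "").split(";") if c.strip()]
    cookie_bytes = base64_len(cookies[0][2]) if len(cookies) == 1 else -1
    if len(cookies) == 1 and len(cookies[0][0]) <= 4 and cookie_bytes >= 128:
        reasons.append("single_short_cookie_carrying_large_base64_blob")
    if "user-agent" not in headers:
        reasons.append("no_user_agent")
    return {"method": method, "target": target, "cookie_bytes": cookie_bytes,
            "reasons": reasons, "score": len(reasons)}


def common_prefix_len(a, b):
    """Length of the shared leading run of two cookie values."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def scan(requests=REQUESTS):
    return {name: score_beacon(raw) for name, raw in requests.items()}


if __name__ == "__main__":
    for name, r in scan().items():
        print(f"{name}: score {r['score']} cookie={r['cookie_bytes']}B {r['reasons']}")
    print("shared cookie prefix:", common_prefix_len(COOKIE_1, COOKIE_2), "chars")
```

Run against a proxy or Zeek `http.log` export, the same four traits are cheap to evaluate per request, and a score of 3 or more on TLS-to-raw-IP traffic from `regsvr32.exe` is worth an alert even when the Suricata beacon signature has not fired; the shared-prefix check is the kind of per-infection pivot that links two contacts to different C2s back to one host.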
Downloads

  • memory/896-56-0x0000000074E91000-0x0000000074E93000-memory.dmp

    Filesize

    8KB

  • memory/896-57-0x00000000001B0000-0x00000000001D8000-memory.dmp

    Filesize

    160KB

  • memory/1800-54-0x000007FEFBA91000-0x000007FEFBA93000-memory.dmp

    Filesize

    8KB
