Analysis

  • max time kernel
    51s
  • max time network
    144s
  • platform
    windows10_x64
  • resource
    win10-20220414-en
  • submitted
    21-05-2022 18:41

General

  • Target

    bdddbc80d0c5710f27014b2349a1e4ea30652e7730ac239856b39d60f6977e9d.dll

  • Size

    362KB

  • MD5

    369df1a17132b39825ed5692d0fbf1dd

  • SHA1

    ae4727f7c5c3fc1a16403b6e297dce954d9c3a6a

  • SHA256

    bdddbc80d0c5710f27014b2349a1e4ea30652e7730ac239856b39d60f6977e9d

  • SHA512

    46ef6f7c0e5d0796d72a03a0aa2c8a4e3f288551ba498750170cb35b1366d0a39d1969599af4b90cb8c7153c5fe1ceed22c448c721bcc0f8ae56ee119f33ed96

Malware Config

Extracted

Family

emotet

Botnet

Epoch5

C2

194.9.172.107:8080

66.42.57.149:443

165.22.73.229:8080

202.29.239.162:443

76.189.152.228:1645

59.185.164.123:8382

115.19.43.159:30377

104.248.225.227:8080

54.38.242.185:443

103.133.214.242:8080

78.47.204.80:443

210.57.209.142:8080

103.41.204.169:8080

118.98.72.86:443

88.217.172.165:8080

87.106.97.83:7080

85.25.120.45:8080

195.77.239.39:8080

37.44.244.177:8080

36.67.23.59:443

eck1.plain
eck1.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • suricata: ET MALWARE W32/Emotet CnC Beacon 3

    suricata: ET MALWARE W32/Emotet CnC Beacon 3

  • Suspicious behavior: EnumeratesProcesses ⋅ 2 IoCs
  • Suspicious behavior: RenamesItself ⋅ 1 IoCs
  • Suspicious use of WriteProcessMemory ⋅ 2 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\bdddbc80d0c5710f27014b2349a1e4ea30652e7730ac239856b39d60f6977e9d.dll
    Suspicious behavior: RenamesItself
    Suspicious use of WriteProcessMemory
    PID:3212
    • C:\Windows\system32\regsvr32.exe
      C:\Windows\system32\regsvr32.exe "C:\Windows\system32\BubvLUJPRrCXoh\eSUMqbTThnS.dll"
      Suspicious behavior: EnumeratesProcesses
      PID:4088

Network

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

          Discovery

            Execution

              Exfiltration

                Impact

                  Initial Access

                    Lateral Movement

                      Persistence

                        Privilege Escalation

                          Replay Monitor

                          00:00 00:00

                          Downloads

                          • memory/3212-116-0x0000000180000000-0x0000000180031000-memory.dmp
                          • memory/4088-121-0x0000000000000000-mapping.dmp