Analysis
max time kernel: 51s
max time network: 144s
platform: windows10_x64
resource: win10-20220414-en
submitted: 21-05-2022 18:41
Static task: static1
General
Target: bdddbc80d0c5710f27014b2349a1e4ea30652e7730ac239856b39d60f6977e9d.dll
Size: 362KB
MD5: 369df1a17132b39825ed5692d0fbf1dd
SHA1: ae4727f7c5c3fc1a16403b6e297dce954d9c3a6a
SHA256: bdddbc80d0c5710f27014b2349a1e4ea30652e7730ac239856b39d60f6977e9d
SHA512: 46ef6f7c0e5d0796d72a03a0aa2c8a4e3f288551ba498750170cb35b1366d0a39d1969599af4b90cb8c7153c5fe1ceed22c448c721bcc0f8ae56ee119f33ed96
Malware Config
Extracted
Family: emotet
Botnet: Epoch5
C2:
eck1.plain:
Signatures
suricata: ET MALWARE W32/Emotet CnC Beacon 3
Suspicious behavior: EnumeratesProcesses ⋅ 2 IoCs
Processes:
pid | process
4088 | regsvr32.exe
4088 | regsvr32.exe
Suspicious behavior: RenamesItself ⋅ 1 IoCs
Processes:
pid | process
3212 | regsvr32.exe
Suspicious use of WriteProcessMemory ⋅ 2 IoCs
Processes:
description | pid | process | target process
PID 3212 wrote to memory of 4088 | 3212 | regsvr32.exe | regsvr32.exe
PID 3212 wrote to memory of 4088 | 3212 | regsvr32.exe | regsvr32.exe
Processes
C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\bdddbc80d0c5710f27014b2349a1e4ea30652e7730ac239856b39d60f6977e9d.dll
  Signatures: Suspicious behavior: RenamesItself; Suspicious use of WriteProcessMemory
C:\Windows\system32\regsvr32.exe
  Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\BubvLUJPRrCXoh\eSUMqbTThnS.dll"
  Signatures: Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation