Analysis
-
max time kernel
51s -
max time network
144s -
platform
windows10_x64 -
resource
win10-20220414-en -
submitted
21-05-2022 18:41
Static task
static1
General
-
Target
bdddbc80d0c5710f27014b2349a1e4ea30652e7730ac239856b39d60f6977e9d.dll
-
Size
362KB
-
MD5
369df1a17132b39825ed5692d0fbf1dd
-
SHA1
ae4727f7c5c3fc1a16403b6e297dce954d9c3a6a
-
SHA256
bdddbc80d0c5710f27014b2349a1e4ea30652e7730ac239856b39d60f6977e9d
-
SHA512
46ef6f7c0e5d0796d72a03a0aa2c8a4e3f288551ba498750170cb35b1366d0a39d1969599af4b90cb8c7153c5fe1ceed22c448c721bcc0f8ae56ee119f33ed96
Malware Config
Extracted
emotet
Epoch5
194.9.172.107:8080
66.42.57.149:443
165.22.73.229:8080
202.29.239.162:443
76.189.152.228:1645
59.185.164.123:8382
115.19.43.159:30377
104.248.225.227:8080
54.38.242.185:443
103.133.214.242:8080
78.47.204.80:443
210.57.209.142:8080
103.41.204.169:8080
118.98.72.86:443
88.217.172.165:8080
87.106.97.83:7080
85.25.120.45:8080
195.77.239.39:8080
37.44.244.177:8080
36.67.23.59:443
93.41.142.108:30345
42.6.66.255:39545
160.16.143.191:7080
38.217.125.207:49663
54.38.143.246:7080
159.69.237.188:443
68.183.93.250:443
54.37.228.122:443
190.90.233.66:443
37.59.209.141:8080
29.146.139.51:30005
18.37.240.161:6409
178.62.112.199:8080
59.148.253.194:443
196.44.98.190:8080
79.235.8.209:58224
202.28.34.99:8080
78.46.73.125:443
51.68.141.164:8080
207.148.81.119:8080
93.104.209.107:8080
185.148.168.220:8080
100.21.231.107:63582
103.85.95.4:8080
62.171.178.147:8080
175.126.176.79:8080
134.122.119.23:8080
202.134.4.210:7080
116.124.128.206:8080
45.71.195.104:8080
110.235.83.107:7080
103.56.149.105:8080
68.183.91.111:8080
119.44.217.160:39748
5.56.132.177:8080
195.154.146.35:443
217.182.143.207:443
54.37.106.167:8080
85.214.67.203:8080
90.63.125.244:30283
188.225.32.231:4143
103.42.58.120:7080
139.196.72.155:8080
Signatures
-
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
regsvr32.exepid process 4088 regsvr32.exe 4088 regsvr32.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
regsvr32.exepid process 3212 regsvr32.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
regsvr32.exedescription pid process target process PID 3212 wrote to memory of 4088 3212 regsvr32.exe regsvr32.exe PID 3212 wrote to memory of 4088 3212 regsvr32.exe regsvr32.exe
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\bdddbc80d0c5710f27014b2349a1e4ea30652e7730ac239856b39d60f6977e9d.dll
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe "C:\Windows\system32\BubvLUJPRrCXoh\eSUMqbTThnS.dll"
- Suspicious behavior: EnumeratesProcesses