Analysis
-
max time kernel
52s -
max time network
147s -
platform
windows10_x64 -
resource
win10-20220414-en -
submitted
21-05-2022 18:56
Static task
static1
General
-
Target
bc1579d2e43f07b843f2a67179661adf92e7a00a9244977403c3e5fe6d8c73c5.dll
-
Size
362KB
-
MD5
ee276bc731b3c22eed456fc00950fdab
-
SHA1
ed1abb336ba83b844498345cf6baacdeed8af8d6
-
SHA256
bc1579d2e43f07b843f2a67179661adf92e7a00a9244977403c3e5fe6d8c73c5
-
SHA512
52d59c3a8392a9641550e041940c85c363cf41c8f0441ee0037671eabb3a31339e99fe45cdea4e729d6549ecbd3a9fa634adb70b1f84e9f180e5a11116716e7d
Malware Config
Extracted
emotet
Epoch5
194.9.172.107:8080
66.42.57.149:443
165.22.73.229:8080
202.29.239.162:443
76.189.152.228:1645
59.185.164.123:8382
115.19.43.159:30377
104.248.225.227:8080
54.38.242.185:443
103.133.214.242:8080
78.47.204.80:443
210.57.209.142:8080
103.41.204.169:8080
118.98.72.86:443
88.217.172.165:8080
87.106.97.83:7080
85.25.120.45:8080
195.77.239.39:8080
37.44.244.177:8080
36.67.23.59:443
93.41.142.108:30345
42.6.66.255:39545
160.16.143.191:7080
38.217.125.207:49663
54.38.143.246:7080
159.69.237.188:443
68.183.93.250:443
54.37.228.122:443
190.90.233.66:443
37.59.209.141:8080
29.146.139.51:30005
18.37.240.161:6409
178.62.112.199:8080
59.148.253.194:443
196.44.98.190:8080
79.235.8.209:58224
202.28.34.99:8080
78.46.73.125:443
51.68.141.164:8080
207.148.81.119:8080
93.104.209.107:8080
185.148.168.220:8080
100.21.231.107:63582
103.85.95.4:8080
62.171.178.147:8080
175.126.176.79:8080
134.122.119.23:8080
202.134.4.210:7080
116.124.128.206:8080
45.71.195.104:8080
110.235.83.107:7080
103.56.149.105:8080
68.183.91.111:8080
119.44.217.160:39748
5.56.132.177:8080
195.154.146.35:443
217.182.143.207:443
54.37.106.167:8080
85.214.67.203:8080
90.63.125.244:30283
188.225.32.231:4143
103.42.58.120:7080
139.196.72.155:8080
Signatures
-
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
regsvr32.exepid process 64 regsvr32.exe 64 regsvr32.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
regsvr32.exepid process 2264 regsvr32.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
regsvr32.exedescription pid process target process PID 2264 wrote to memory of 64 2264 regsvr32.exe regsvr32.exe PID 2264 wrote to memory of 64 2264 regsvr32.exe regsvr32.exe
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\bc1579d2e43f07b843f2a67179661adf92e7a00a9244977403c3e5fe6d8c73c5.dll
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe "C:\Windows\system32\SBqyIz\imSXRqxfOkF.dll"
- Suspicious behavior: EnumeratesProcesses