Analysis
-
max time kernel
75s -
max time network
89s -
platform
windows10_x64 -
resource
win10-20220414-en -
submitted
21-05-2022 19:18
Static task
static1
General
-
Target
dc6a2af3f9d7567ef1dbbdaa68b27b5456f291d0a70f47c60c5a51e46dc8d5a7.dll
-
Size
356KB
-
MD5
264495d75635de3bfc28366a19ff8fee
-
SHA1
edeaa33cbbc051cfcfac7708ba6d26278b090bc0
-
SHA256
dc6a2af3f9d7567ef1dbbdaa68b27b5456f291d0a70f47c60c5a51e46dc8d5a7
-
SHA512
8e9629cf179784d0742bd15d4f363b5ba38ceced0e3d1298e3c727a7e28f3c72b0b62dc5c375aad331ca8d2237d6fe3a99851a45821b9611d7747df821fcd4e6
Malware Config
Extracted
emotet
Epoch4
212.24.98.99:8080
51.91.76.89:8080
94.23.45.86:4143
101.50.0.91:8080
103.43.75.120:443
212.237.17.99:8080
158.69.222.101:443
51.254.140.238:7080
1.234.2.232:8080
91.207.28.33:8080
167.172.253.162:8080
45.235.8.30:8080
115.68.227.76:8080
134.122.66.193:8080
89.29.244.7:443
197.242.150.244:8080
164.68.99.3:8080
5.9.116.246:8080
1.234.21.73:7080
131.100.24.231:80
185.4.135.165:8080
72.15.201.15:8080
206.189.28.199:8080
203.114.109.124:443
149.56.131.28:8080
45.176.232.124:443
103.75.201.2:443
58.227.42.236:80
53.61.228.110:19290
172.104.251.154:8080
82.165.152.127:8080
45.118.115.99:8080
201.94.166.162:443
103.70.28.102:8080
213.241.20.155:443
129.232.188.93:443
146.59.226.45:443
173.82.82.196:8080
209.97.163.214:443
159.65.88.10:8080
159.65.140.115:443
160.16.142.56:8080
151.106.112.196:8080
107.170.39.149:8080
77.81.247.144:8080
173.239.37.178:8080
173.212.193.249:8080
163.44.196.120:8080
150.95.66.124:8080
152.136.229.39:8080
196.218.30.83:443
183.111.227.137:8080
119.193.124.41:7080
188.44.20.25:443
79.137.35.198:8080
102.222.215.74:443
110.232.117.186:8080
46.55.222.11:443
103.132.242.26:8080
159.89.202.34:443
153.126.146.25:7080
209.126.98.206:8080
82.223.21.224:8080
Signatures
-
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
regsvr32.exepid process 1316 regsvr32.exe 1316 regsvr32.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
regsvr32.exepid process 2100 regsvr32.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
regsvr32.exedescription pid process target process PID 2100 wrote to memory of 1316 2100 regsvr32.exe regsvr32.exe PID 2100 wrote to memory of 1316 2100 regsvr32.exe regsvr32.exe
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\dc6a2af3f9d7567ef1dbbdaa68b27b5456f291d0a70f47c60c5a51e46dc8d5a7.dll
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe "C:\Windows\system32\EvVdGdJRA\NFarHvlCuOqw.dll"
- Suspicious behavior: EnumeratesProcesses