Analysis
- max time kernel: 43s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 19:37
- Static task: static1
- Behavioral task: behavioral1
- Sample: e5f0f5d4c1442cc58b6158b9b57c8c14.dll
- Resource: win7-20220414-en
General
- Target: e5f0f5d4c1442cc58b6158b9b57c8c14.dll
- Size: 362KB
- MD5: e5f0f5d4c1442cc58b6158b9b57c8c14
- SHA1: 18a3648972bdd70daf58b212333597776b15feeb
- SHA256: 6c2daa91aaccfb40d514b2904b70a147c437f926ae43323d6b6c92504a5388ee
- SHA512: 6662fec933fe89bbc81ecdcdf7fae9cd84b71a035fa351c81d17cb5be1d7b7777bb7863deed4884c96d317afba5eb112ec6e9ac48c0c08ac4d9a96034a103ce0
Malware Config
- Extracted family: emotet
- Botnet: Epoch5
Signatures
- suricata: ET MALWARE W32/Emotet CnC Beacon 3
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
  process      | pid
  regsvr32.exe | 1632
- Suspicious behavior: RenamesItself (1 IoC)
  Processes:
  process      | pid
  regsvr32.exe | 1828
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes (the same event is recorded five times):
  description                      | pid  | process      | target process
  PID 1828 wrote to memory of 1632 | 1828 | regsvr32.exe | regsvr32.exe
Processes
1. C:\Windows\system32\regsvr32.exe (PID 1828)
   Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\e5f0f5d4c1442cc58b6158b9b57c8c14.dll
   - Suspicious behavior: RenamesItself
   - Suspicious use of WriteProcessMemory
2. C:\Windows\system32\regsvr32.exe (PID 1632, child of process 1)
   Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\NribPWokYWiYTK\hOgjXLxVRamVz.dll"
   - Suspicious behavior: EnumeratesProcesses