Analysis
max time kernel: 42s
max time network: 148s
platform: windows7_x64
resource: win7-20220414-en
submitted: 23-06-2022 12:29

Static task: static1
Behavioral task: behavioral1
Sample: e92d6fe151c2d3ec6d7c5c59bbac7921cae3928997c9ab679c8f979281eb2f97.dll
Resource: win7-20220414-en
General
Target: e92d6fe151c2d3ec6d7c5c59bbac7921cae3928997c9ab679c8f979281eb2f97.dll
Size: 260KB
MD5: 57465b9050586666e9dfb6059747c710
SHA1: caf0879cc2db2d7e663e25a6e0304377208b479f
SHA256: e92d6fe151c2d3ec6d7c5c59bbac7921cae3928997c9ab679c8f979281eb2f97
SHA512: 80265804b10851dfa6fd6e4204b54e227637153e9226027d5fc88c2716f0553e0438a6f03ecbd246ca2f2be05a455a127a999f10b0cdbd5f0a92f424f7bf02d9
Malware Config
Extracted: emotet
Signatures
- suricata: ET MALWARE W32/Emotet CnC Beacon 3
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes (pid  process):
    2016  regsvr32.exe
    1772  regsvr32.exe
    1772  regsvr32.exe
- Suspicious behavior: RenamesItself (1 IoC)
  Processes (pid  process):
    2016  regsvr32.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes (description | pid process | target process):
    PID 2016 wrote to memory of 1772 | 2016 regsvr32.exe | regsvr32.exe
    PID 2016 wrote to memory of 1772 | 2016 regsvr32.exe | regsvr32.exe
    PID 2016 wrote to memory of 1772 | 2016 regsvr32.exe | regsvr32.exe
    PID 2016 wrote to memory of 1772 | 2016 regsvr32.exe | regsvr32.exe
    PID 2016 wrote to memory of 1772 | 2016 regsvr32.exe | regsvr32.exe
Processes
1. C:\Windows\system32\regsvr32.exe
   Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\e92d6fe151c2d3ec6d7c5c59bbac7921cae3928997c9ab679c8f979281eb2f97.dll
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: RenamesItself
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\regsvr32.exe
      Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\Rknks\QGrW.dll"
      - Suspicious behavior: EnumeratesProcesses