Analysis
max time kernel: 201s
max time network: 255s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 08-07-2022 17:42
Static task: static1
Behavioral task: behavioral1
Sample: b9872a5377f05a9873b3d21bf39c765c291f1e3d492489649f95a9c21a3e0bec.dll
Resource: win7-20220414-en
General
Target: b9872a5377f05a9873b3d21bf39c765c291f1e3d492489649f95a9c21a3e0bec.dll
Size: 187KB
MD5: 8dbaa6d9e7dfee655cf29a58a32c4063
SHA1: 9b1b2e285d7075dd63a67b3a95701fb6d9a86852
SHA256: b9872a5377f05a9873b3d21bf39c765c291f1e3d492489649f95a9c21a3e0bec
SHA512: 345fcf8fe5c2248dfbc0c0bf6e8f316621938d91d3e90cd24e712c916eb6ebea644948d91b01383402d07c1df03698ecb46ccc60d8629902a87a6231e926858b
Malware Config
Extracted
Family: emotet
Botnet: Epoch1
C2:
5.2.136.90:80
186.147.237.3:8080
138.197.99.250:8080
167.71.148.58:443
211.215.18.93:8080
187.162.248.237:80
1.226.84.243:8080
110.39.160.38:443
5.196.35.138:7080
59.148.253.194:8080
45.16.226.117:443
95.76.153.115:80
181.61.182.143:80
46.43.2.95:8080
188.135.15.49:80
81.215.230.173:443
45.4.32.50:80
81.214.253.80:443
94.176.234.118:443
212.71.237.140:8080
70.32.84.74:8080
68.183.190.199:8080
192.232.229.53:4143
213.52.74.198:80
12.163.208.58:80
172.245.248.239:8080
1.234.65.61:80
84.5.104.93:80
181.30.61.163:443
190.247.139.101:80
82.48.39.246:80
191.223.36.170:80
190.24.243.186:80
190.251.216.100:80
186.146.13.184:443
105.209.235.113:8080
197.232.36.108:80
192.232.229.54:7080
152.170.79.100:80
45.184.103.73:80
191.241.233.198:80
172.104.169.32:8080
152.169.22.67:80
12.162.84.2:8080
200.24.255.23:80
185.183.16.47:80
202.134.4.210:7080
209.236.123.42:8080
62.84.75.50:80
201.143.224.27:80
185.94.252.27:443
190.64.88.186:443
149.202.72.142:7080
122.201.23.45:443
51.15.7.145:80
170.81.48.2:80
178.250.54.208:8080
70.32.115.157:8080
51.255.165.160:8080
104.131.41.185:8080
155.186.9.160:80
87.106.46.107:8080
177.23.7.151:80
35.143.99.174:80
81.213.175.132:80
80.15.100.37:80
85.214.26.7:8080
201.75.62.86:80
181.124.51.88:80
217.13.106.14:8080
202.79.24.136:443
177.85.167.10:80
138.97.60.140:8080
186.177.174.163:80
201.241.127.190:80
82.208.146.142:7080
50.28.51.143:8080
137.74.106.111:7080
31.27.59.105:80
111.67.12.221:8080
190.114.254.163:8080
111.67.12.222:8080
93.149.120.214:80
190.210.246.253:80
168.121.4.238:80
68.183.170.114:8080
192.175.111.212:7080
46.101.58.37:8080
190.195.129.227:8090
60.93.23.51:80
83.169.21.32:7080
178.211.45.66:8080
181.136.190.86:80
190.162.232.138:80
188.225.32.231:7080
138.97.60.141:7080
187.162.250.23:443
110.39.162.2:443
191.182.6.118:80
184.66.18.83:80
190.136.176.89:80
190.45.24.210:80
46.105.114.137:8080
2.80.112.146:80
Signatures

Blocklisted process makes network request (6 IoCs)
Processes:
flow  pid   process
21    4928  rundll32.exe
32    4928  rundll32.exe
50    4928  rundll32.exe
69    4928  rundll32.exe
76    4928  rundll32.exe
84    4928  rundll32.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes:
pid   process
4928  rundll32.exe (14 identical entries)

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
description                       pid   process       target process
PID 4844 wrote to memory of 4928  4844  rundll32.exe  rundll32.exe
(3 identical entries)
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b9872a5377f05a9873b3d21bf39c765c291f1e3d492489649f95a9c21a3e0bec.dll,#1
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe (child process)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b9872a5377f05a9873b3d21bf39c765c291f1e3d492489649f95a9c21a3e0bec.dll,#1
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses