Analysis

  • max time kernel
    144s
  • max time network
    146s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    04/11/2022, 18:49 UTC

General

  • Target

    907f0aef33e327e3a6ef953548beb950622473e82dae060a4fe5b76a55a43e5f.dll

  • Size

    887KB

  • MD5

    d9a07944f3ea275a3eda4d345d110a56

  • SHA1

    3b847bb8106fbdefad65449810b2b897bda7b163

  • SHA256

    907f0aef33e327e3a6ef953548beb950622473e82dae060a4fe5b76a55a43e5f

  • SHA512

    a4f24dc3c8847800be2ba1971287ee2df8b813a3ce9ee5c2703b2ec78335904ef6da7b57c9a58aa99ce0831bcefc4c740105a242ecc6950dd6b6c6fcc4b9df8e

  • SSDEEP

    12288:A0BQgtzAxM8q6BkmkxisTsxwJzCQ6TZ56lu4Vp4y1F9SFXCwQ7bk:Ar6zAxVq6Bkm7saIzCXTZxUJFcK

Malware Config

Extracted

Family

emotet

Botnet

Epoch5

C2

178.238.225.252:8080

139.196.72.155:8080

36.67.23.59:443

103.56.149.105:8080

37.44.244.177:8080

85.25.120.45:8080

202.134.4.210:7080

78.47.204.80:443

83.229.80.93:8080

93.104.209.107:8080

80.211.107.116:8080

165.22.254.236:8080

104.244.79.94:443

185.148.169.10:8080

190.145.8.4:443

175.126.176.79:8080

139.59.80.108:8080

188.165.79.151:443

128.199.217.206:443

64.227.55.231:8080

ecs1.plain

-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE9C8agzYaJ1GMJPLKqOyFrlJZUXVI
lAZwAnOq6JrEKHtWCQ+8CHuAIXqmKH6WRbnDw1wmdM/YvqKFH36nqC2VNA==
-----END PUBLIC KEY-----

eck1.plain

-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2DWT12OLUMXfzeFp+bE2AJubVDsW
NqJdRC6yODDYRzYuuNL0i2rI2Ex6RUQaBvqPOL7a+wCWnIQszh42gCRQlg==
-----END PUBLIC KEY-----
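The extracted config above is only useful downstream if the keys are intact and the C2 list is well-formed. The following Python is an added example (not part of the tria.ge report and not Emotet code) that decodes the two PEM blocks with the standard library, checks that each is a SubjectPublicKeyInfo carrying an uncompressed P-256 point that actually lies on the curve (a garbled or truncated key fails this check), and parses the C2 list into (ip, port) pairs with a per-port histogram. The key strings and C2 list are copied from the report; the P-256 constants are the FIPS 186-4 values. Public Emotet analyses describe ECK1 as the ECDSA verification key and ECS1 as the ECDH key; the report itself only labels them eck1/ecs1, so that reading is noted as context, not as something this check depends on.

```python
import base64
import hashlib

# Copies of the two PEM blocks shown in the report above.
ECS1_PEM = """-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE9C8agzYaJ1GMJPLKqOyFrlJZUXVI
lAZwAnOq6JrEKHtWCQ+8CHuAIXqmKH6WRbnDw1wmdM/YvqKFH36nqC2VNA==
-----END PUBLIC KEY-----"""

ECK1_PEM = """-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2DWT12OLUMXfzeFp+bE2AJubVDsW
NqJdRC6yODDYRzYuuNL0i2rI2Ex6RUQaBvqPOL7a+wCWnIQszh42gCRQlg==
-----END PUBLIC KEY-----"""

# Copy of the C2 list from the report above, one "ip:port" per line.
C2_TEXT = """
178.238.225.252:8080
139.196.72.155:8080
36.67.23.59:443
103.56.149.105:8080
37.44.244.177:8080
85.25.120.45:8080
202.134.4.210:7080
78.47.204.80:443
83.229.80.93:8080
93.104.209.107:8080
80.211.107.116:8080
165.22.254.236:8080
104.244.79.94:443
185.148.169.10:8080
190.145.8.4:443
175.126.176.79:8080
139.59.80.108:8080
188.165.79.151:443
128.199.217.206:443
64.227.55.231:8080
"""

# DER prefix of a SubjectPublicKeyInfo for an uncompressed P-256 point:
# SEQUENCE { SEQUENCE { OID ecPublicKey, OID prime256v1 }, BIT STRING 00 04 X Y }
P256_SPKI_PREFIX = bytes.fromhex(
    "3059" "3013" "0607" "2a8648ce3d0201" "0608" "2a8648ce3d030107" "0342" "00" "04"
)

# P-256 domain parameters (FIPS 186-4); the curve is y^2 = x^3 - 3x + b over GF(p).
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body (strict alphabet)."""
    body = "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.startswith("-----"))
    return base64.b64decode(body, validate=True)


def parse_p256_spki(der: bytes):
    """Return the (x, y) affine point if der is an uncompressed P-256 SPKI."""
    off = len(P256_SPKI_PREFIX)
    if len(der) != off + 64 or not der.startswith(P256_SPKI_PREFIX):
        raise ValueError("not an uncompressed P-256 SubjectPublicKeyInfo")
    return int.from_bytes(der[off:off + 32], "big"), int.from_bytes(der[off + 32:], "big")


def on_curve(x: int, y: int) -> bool:
    """True if (x, y) satisfies the P-256 curve equation; a corrupted key fails here."""
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - (x * x * x - 3 * x + B)) % P == 0


def key_fingerprint(der: bytes) -> str:
    """SHA-256 of the DER SPKI: a stable identifier for tracking key rotation across samples."""
    return hashlib.sha256(der).hexdigest()


def parse_c2_list(text: str):
    """Turn "ip:port" lines into (ip, port) tuples, skipping blanks."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            ip, port = line.rsplit(":", 1)
            out.append((ip, int(port)))
    return out


def port_histogram(c2):
    hist = {}
    for _, port in c2:
        hist[port] = hist.get(port, 0) + 1
    return hist


if __name__ == "__main__":
    for name, pem in (("ecs1", ECS1_PEM), ("eck1", ECK1_PEM)):
        der = pem_to_der(pem)
        x, y = parse_p256_spki(der)
        print(f"{name}: on curve={on_curve(x, y)} sha256={key_fingerprint(der)}")
    c2 = parse_c2_list(C2_TEXT)
    print(f"{len(c2)} C2 endpoints, ports: {port_histogram(c2)}")
```

The curve check is deliberately done with integers rather than a crypto library so it runs anywhere; it does not validate the point's order (P-256 has cofactor 1, so any on-curve point other than infinity is in the prime-order group). The fingerprint is what to pivot on when the same key appears in other samples.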

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\907f0aef33e327e3a6ef953548beb950622473e82dae060a4fe5b76a55a43e5f.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:2016
    • C:\Windows\system32\regsvr32.exe
      C:\Windows\system32\regsvr32.exe "C:\Windows\system32\YRTRgdIIt\YjZGmkrHITl.dll"
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      PID:2240
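The tree above is the classic Emotet loader pattern: regsvr32 registers the dropped DLL from the user's Temp directory, copies it to a randomly named subdirectory of system32 under a random name, re-registers that copy with a second regsvr32, and adds a Run key. The Python below is an added example (not tria.ge code) of detection logic over process-creation records built from the two command lines on this page plus a constructed benign entry (`msxml3.dll`, a DLL that ships with Windows); the record format, the parent PID 1800 and the benign PID 3000 are assumptions for the example, and the allowlist of system32 subdirectories is an illustrative tuning knob, not a vetted list.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon EID 1 / EDR telemetry shape, assumed)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed records mirroring the process tree in the report; pid 3000 is a
# hypothetical benign registration of a DLL that ships with Windows.
EVENTS = [
    ProcEvent(2016, 1800, r"C:\Windows\system32\regsvr32.exe",
              r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\907f0aef33e327e3a6ef953548beb950622473e82dae060a4fe5b76a55a43e5f.dll"),
    ProcEvent(2240, 2016, r"C:\Windows\system32\regsvr32.exe",
              r'C:\Windows\system32\regsvr32.exe "C:\Windows\system32\YRTRgdIIt\YjZGmkrHITl.dll"'),
    ProcEvent(3000, 1800, r"C:\Windows\system32\regsvr32.exe",
              r"regsvr32 /s C:\Windows\System32\msxml3.dll"),
]

# First module path on the command line (paths containing spaces need a real
# argv parser; regsvr32 abuse almost never has them, so this keeps it simple).
MODULE_ARG = re.compile(r'([A-Za-z]:\\[^"\s]+?\.(?:dll|ocx))', re.I)
USER_WRITABLE = re.compile(
    r'^[A-Za-z]:\\(?:Users\\[^\\]+\\AppData\\|Windows\\Temp\\|ProgramData\\)', re.I)
# "<drive>:\Windows\system32\<subdir>\<file>.dll": Emotet's post-install location.
SYS32_SUBDIR = re.compile(
    r'^[A-Za-z]:\\Windows\\system32\\([^\\]+)\\[^\\]+\.(?:dll|ocx)$', re.I)
# Example tuning: subdirectories where legitimate registrations may occur (assumed).
ALLOWED_SYS32_SUBDIRS = {"wbem", "spool"}


def is_regsvr32(image: str) -> bool:
    return image.lower().endswith("\\regsvr32.exe")


def module_arg(cmdline: str):
    m = MODULE_ARG.search(cmdline)
    return m.group(1) if m else None


def analyze(events):
    """Return {pid: [reasons]} for regsvr32 launches matching the loader pattern."""
    by_pid = {e.pid: e for e in events}
    findings = {}
    for e in events:
        if not is_regsvr32(e.image):
            continue
        reasons = []
        mod = module_arg(e.cmdline)
        if mod and USER_WRITABLE.match(mod):
            reasons.append("regsvr32 loads module from user-writable path")
        m = mod and SYS32_SUBDIR.match(mod)
        if m and m.group(1).lower() not in ALLOWED_SYS32_SUBDIRS:
            reasons.append("module in non-standard system32 subdirectory")
        parent = by_pid.get(e.ppid)
        if parent and is_regsvr32(parent.image):
            reasons.append("regsvr32 spawned by regsvr32")
        if reasons:
            findings[e.pid] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in analyze(EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

Each reason on its own is noisy (installers do register DLLs from Temp); the combination seen here, regsvr32 chaining into regsvr32 with the second module under a fresh system32 subdirectory, is what makes the 2240 finding high-confidence. Pair it with the Run-key write the sandbox also reported to close the loop.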

Network

  • flag-kr
    GET
    https://218.38.121.17/
    regsvr32.exe
    Remote address:
    218.38.121.17:443
    Request
    GET / HTTP/1.1
    Connection: Keep-Alive
    Cookie: KNDTJCjmA=O9S8oOlZdaL7Vi+3V9CJkZ7i/3JWxfxQAMJN+G1LPmM1FOHdxhjTJ6Lr3Z2VAI7mC6cW+cHlkHR/IK3+MiJmFvRZDytuCgA0RPx5bEqelsLxzC60MU2fx68LvyxE4iA+RRDVyrq/pmo7V2U7WmFEStZUbMZbiWT6AmszrYcIVVVMd1D20FAeVHOSr7XAVLjcM+tX/7kpytP/ALG2UKqPEWguliHrahtC/yCBRGAN6h9l93EQpyjVeYONbNNUUmBV/n7pepduL8ZEqtWyBCy1i+oKI9KEHiFpaF6FktKCBOY+tPSbtcphUU2s8XfEHvHF8LXeeuG/w7PIQCbZCSOTbqnK
    Host: 218.38.121.17
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 04 Nov 2022 18:50:22 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • 52.168.117.170:443
    322 B
    7
  • 218.38.121.17:443
    https://218.38.121.17/
    tls, http
    regsvr32.exe
    1.2kB
    2.6kB
    11
    11

    HTTP Request

    GET https://218.38.121.17/

    HTTP Response

    200
  • 87.248.202.1:80
    322 B
    7
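The one C2 exchange the sandbox captured has the shape Emotet's beacon has kept for years: a GET for `/` to a bare IP over HTTPS, no User-Agent, and the encrypted request body carried in a single cookie whose name is random and whose value is one long base64 blob. The Python below is an added example (not tria.ge code) of a scoring function over a raw HTTP request that picks out those traits; it runs on a copy of the request captured above and on a constructed benign request, and the thresholds (128-character blob, entropy 4.5 bits per character, three hits to alert) are assumptions chosen for illustration.

```python
import math
import re
from collections import Counter

# Copy of the request captured in the report (CRLF line endings assumed).
EMOTET_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Connection: Keep-Alive\r\n"
    "Cookie: KNDTJCjmA=O9S8oOlZdaL7Vi+3V9CJkZ7i/3JWxfxQAMJN+G1LPmM1FOHdxhjTJ6Lr3Z2VAI7mC6cW+cHlkHR/IK3+MiJmFvRZDytuCgA0RPx5bEqelsLxzC60MU2fx68LvyxE4iA+RRDVyrq/pmo7V2U7WmFEStZUbMZbiWT6AmszrYcIVVVMd1D20FAeVHOSr7XAVLjcM+tX/7kpytP/ALG2UKqPEWguliHrahtC/yCBRGAN6h9l93EQpyjVeYONbNNUUmBV/n7pepduL8ZEqtWyBCy1i+oKI9KEHiFpaF6FktKCBOY+tPSbtcphUU2s8XfEHvHF8LXeeuG/w7PIQCbZCSOTbqnK\r\n"
    "Host: 218.38.121.17\r\n"
    "\r\n"
)

# Constructed benign request for comparison.
BENIGN_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Cookie: sessionid=abc123def456; theme=dark\r\n"
    "\r\n"
)

IPV4_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")
# One unbroken base64 value of at least 128 characters (assumed threshold).
B64_BLOB = re.compile(r"^[A-Za-z0-9+/]{128,}={0,2}$")
ENTROPY_THRESHOLD = 4.5   # bits per character; random base64 sits near 6
ALERT_THRESHOLD = 3       # number of independent traits needed to alert


def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (method, path, {lower-case header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def parse_cookies(header: str):
    cookies = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def beacon_traits(raw: str):
    """Return the list of Emotet-beacon-like traits found in the request."""
    method, path, headers = parse_request(raw)
    traits = []
    if IPV4_HOST.match(headers.get("host", "")):
        traits.append("Host header is a bare IPv4 address")
    if "user-agent" not in headers:
        traits.append("no User-Agent header")
    if method == "GET" and path == "/":
        traits.append("GET for / only")
    for name, value in parse_cookies(headers.get("cookie", "")).items():
        if B64_BLOB.match(value):
            traits.append(f"cookie {name!r} is a {len(value)}-char base64 blob")
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                traits.append(f"cookie {name!r} value is high-entropy")
    return traits


def is_beacon_like(raw: str) -> bool:
    return len(beacon_traits(raw)) >= ALERT_THRESHOLD


if __name__ == "__main__":
    for label, req in (("captured", EMOTET_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, is_beacon_like(req), beacon_traits(req))
```

This only sees the plaintext because the sandbox terminated TLS; on a production network the same logic applies at a TLS-inspecting proxy, and without one the observable indicators shrink to the bare-IP SNI-less connection and the port. The cookie value is ECDH/ECDSA-protected, so decoding the blob itself needs the private keys, not the extracted public ones.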

Downloads

  • memory/2016-120-0x00000000025F0000-0x0000000002620000-memory.dmp

    Filesize

    192KB
