Analysis
max time kernel: 145s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-11-2022 08:56
Static task: static1
Behavioral task: behavioral1
Sample: 021a1efecc97353b727a20c791d45de30535a6df9086ceecd7c2d950d4ddc1fe.dll
Resource: win7-20221111-en
General
Target: 021a1efecc97353b727a20c791d45de30535a6df9086ceecd7c2d950d4ddc1fe.dll
Size: 252KB
MD5: f1af783cf914d837baa223b58dc55671
SHA1: 317b63257544201ef7ee47b8287cbe6aec145b8c
SHA256: 021a1efecc97353b727a20c791d45de30535a6df9086ceecd7c2d950d4ddc1fe
SHA512: 685e065693e1d386a6e9e6a720f2af72f26cacc912820e0ca5080bb2d07c94a2f77c2e33e2734d9a9a87ce60585a068e4052f181a65ea96f2c87753aee88a779
SSDEEP: 6144:ndH09uYgR7OJSuwuZc2HEaYTy7beWTBdgm:dHJtlec2HEaYTXWT/N
Malware Config
Extracted
emotet
Epoch4
91.200.186.228:443
191.252.196.221:8080
94.177.248.64:443
66.42.55.5:7080
103.8.26.103:8080
185.184.25.237:8080
103.8.26.102:8080
178.79.147.66:8080
58.227.42.236:80
45.118.135.203:7080
103.75.201.2:443
195.154.133.20:443
45.142.114.231:8080
212.237.5.209:443
207.38.84.195:8080
104.251.214.46:8080
212.237.17.99:8080
212.237.56.116:7080
216.158.226.206:443
110.232.117.186:8080
158.69.222.101:443
107.182.225.142:8080
176.104.106.96:8080
81.0.236.90:443
50.116.54.215:443
138.185.72.26:8080
51.68.175.8:8080
210.57.217.132:8080
Signatures

Blocklisted process makes network request (11 IoCs)
Processes:
flow  pid   process
11    2204  rundll32.exe
14    2204  rundll32.exe
18    2204  rundll32.exe
29    2204  rundll32.exe
30    2204  rundll32.exe
33    2204  rundll32.exe
36    2204  rundll32.exe
38    2204  rundll32.exe
39    2204  rundll32.exe
40    2204  rundll32.exe
41    2204  rundll32.exe

Loads dropped DLL (2 IoCs)
Processes:
pid   process
3876  rundll32.exe
2204  rundll32.exe

Drops file in System32 directory (1 IoC)
Processes:
description                   ioc                                                  process
File opened for modification  C:\Windows\SysWOW64\Wrwsgncpru\hoqyrmuitqavemx.zxk  rundll32.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid   process
2204  rundll32.exe
2204  rundll32.exe

Suspicious behavior: RenamesItself (1 IoC)
Processes:
pid   process
3628  rundll32.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
description                       pid   process       target process
PID 2888 wrote to memory of 3704  2888  rundll32.exe  rundll32.exe
PID 2888 wrote to memory of 3704  2888  rundll32.exe  rundll32.exe
PID 2888 wrote to memory of 3704  2888  rundll32.exe  rundll32.exe
PID 3704 wrote to memory of 3628  3704  rundll32.exe  rundll32.exe
PID 3704 wrote to memory of 3628  3704  rundll32.exe  rundll32.exe
PID 3704 wrote to memory of 3628  3704  rundll32.exe  rundll32.exe
PID 3628 wrote to memory of 3876  3628  rundll32.exe  rundll32.exe
PID 3628 wrote to memory of 3876  3628  rundll32.exe  rundll32.exe
PID 3628 wrote to memory of 3876  3628  rundll32.exe  rundll32.exe
PID 3876 wrote to memory of 2204  3876  rundll32.exe  rundll32.exe
PID 3876 wrote to memory of 2204  3876  rundll32.exe  rundll32.exe
PID 3876 wrote to memory of 2204  3876  rundll32.exe  rundll32.exe
Processes
(each entry: process path, its command line, then the signatures it triggered; indentation shows the parent/child tree depth)

- [depth 1] C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\021a1efecc97353b727a20c791d45de30535a6df9086ceecd7c2d950d4ddc1fe.dll,#1
  - Suspicious use of WriteProcessMemory

  - [depth 2] C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\021a1efecc97353b727a20c791d45de30535a6df9086ceecd7c2d950d4ddc1fe.dll,#1
    - Suspicious use of WriteProcessMemory

    - [depth 3] C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\021a1efecc97353b727a20c791d45de30535a6df9086ceecd7c2d950d4ddc1fe.dll",Control_RunDLL
      - Drops file in System32 directory
      - Suspicious behavior: RenamesItself
      - Suspicious use of WriteProcessMemory

      - [depth 4] C:\Windows\SysWOW64\rundll32.exe
        Command line: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Wrwsgncpru\hoqyrmuitqavemx.zxk",wRJL
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory

        - [depth 5] C:\Windows\SysWOW64\rundll32.exe
          Command line: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Wrwsgncpru\hoqyrmuitqavemx.zxk",Control_RunDLL
          - Blocklisted process makes network request
          - Loads dropped DLL
          - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\SysWOW64\Wrwsgncpru\hoqyrmuitqavemx.zxk
  Filesize: 252KB
  MD5: f1af783cf914d837baa223b58dc55671
  SHA1: 317b63257544201ef7ee47b8287cbe6aec145b8c
  SHA256: 021a1efecc97353b727a20c791d45de30535a6df9086ceecd7c2d950d4ddc1fe
  SHA512: 685e065693e1d386a6e9e6a720f2af72f26cacc912820e0ca5080bb2d07c94a2f77c2e33e2734d9a9a87ce60585a068e4052f181a65ea96f2c87753aee88a779
- C:\Windows\SysWOW64\Wrwsgncpru\hoqyrmuitqavemx.zxk
  Filesize: 252KB
  MD5: f1af783cf914d837baa223b58dc55671
  SHA1: 317b63257544201ef7ee47b8287cbe6aec145b8c
  SHA256: 021a1efecc97353b727a20c791d45de30535a6df9086ceecd7c2d950d4ddc1fe
  SHA512: 685e065693e1d386a6e9e6a720f2af72f26cacc912820e0ca5080bb2d07c94a2f77c2e33e2734d9a9a87ce60585a068e4052f181a65ea96f2c87753aee88a779
- memory/2204-139-0x0000000000000000-mapping.dmp
- memory/2204-141-0x0000000010000000-0x0000000010028000-memory.dmp
  Filesize: 160KB
- memory/2204-142-0x0000000010000000-0x0000000010028000-memory.dmp
  Filesize: 160KB
- memory/3628-133-0x0000000000000000-mapping.dmp
- memory/3628-135-0x0000000010000000-0x0000000010028000-memory.dmp
  Filesize: 160KB
- memory/3628-137-0x0000000010000000-0x0000000010028000-memory.dmp
  Filesize: 160KB
- memory/3704-132-0x0000000000000000-mapping.dmp
- memory/3704-134-0x0000000010000000-0x0000000010028000-memory.dmp
  Filesize: 160KB
- memory/3876-136-0x0000000000000000-mapping.dmp