Analysis
Max time kernel: 140s
Max time network: 151s
Platform: windows10-2004_x64
Resource: win10v2004-20220812-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 19-01-2023 18:58
Static task: static1
Behavioral task: behavioral1
Sample: c12ab21809e1dd265788e91e18807d66.dll
Resource: win7-20221111-en
General
Target: c12ab21809e1dd265788e91e18807d66.dll
Size: 600KB
MD5: c12ab21809e1dd265788e91e18807d66
SHA1: 2d3bdbcc09ae379dedadbcd27efecb7c36afbff0
SHA256: 7eecd4165c6be116e7106a91251705efdd07da4f55fc7eee70bf89ec8a768fcc
SHA512: b36dd4e3204916a075c7369532ab9ec1c3bb1a902ec7c8e5078b8e2e547732f6e32524177b74938e5b710f07d8b8caed2195e8dbfa6ec70e895ef47fc33e7b31
SSDEEP: 12288:l4WjRiEKWKhqyuYzqtNNH2AyKK6cl788IO/:9KWKh/ZqtT2AJuQBO
Malware Config
Extracted: emotet (Epoch5)
Signatures
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description                      pid   process       target process
  PID 1116 wrote to memory of 4712 1116  regsvr32.exe  regsvr32.exe
  PID 1116 wrote to memory of 4712 1116  regsvr32.exe  regsvr32.exe
  PID 1116 wrote to memory of 4712 1116  regsvr32.exe  regsvr32.exe
  PID 4712 wrote to memory of 2212 4712  regsvr32.exe  rundll32.exe
  PID 4712 wrote to memory of 2212 4712  regsvr32.exe  rundll32.exe
  PID 4712 wrote to memory of 2212 4712  regsvr32.exe  rundll32.exe
Processes
1. C:\Windows\system32\regsvr32.exe
   Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\c12ab21809e1dd265788e91e18807d66.dll
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\regsvr32.exe
      Command line: /s C:\Users\Admin\AppData\Local\Temp\c12ab21809e1dd265788e91e18807d66.dll
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\rundll32.exe
         Command line: C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\c12ab21809e1dd265788e91e18807d66.dll",DllRegisterServer