Analysis
max time kernel: 42s
max time network: 45s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 08-02-2023 09:55
Static task: static1
Behavioral task: behavioral1
Sample: 62b4e33474fa6ef9e22b8f22b1918315e6ecb6d18066d3b1e7a29181d29323f6.dll
Resource: win7-20220812-en
General
Target: 62b4e33474fa6ef9e22b8f22b1918315e6ecb6d18066d3b1e7a29181d29323f6.dll
Size: 514KB
MD5: 5397887cac09d8d9f50871894ada5dfb
SHA1: 67a4b778ddc036e85d64585965f2cb2fb9bc699d
SHA256: 62b4e33474fa6ef9e22b8f22b1918315e6ecb6d18066d3b1e7a29181d29323f6
SHA512: 55a5655e5d7ed6f84ad024eb1b58c0ffc31e957c16782acd49b3cc1a3b0515ff7e742c1247fd2dae9ebe11989f21bdc4c08a8dd9b7c2b4db51bfafb194a675f7
SSDEEP: 6144:LVvauc175GwSlLaD0adqHQFHQFHQFHQFHQZcH+J8aLi/ZnZLtO/ydWp3kklPSiNO:LViuc175Gw/DtcUKmvJSYCQqTI
Malware Config
Extracted
emotet
Epoch5
Signatures
Suspicious use of WriteProcessMemory (14 IoCs)
Processes: regsvr32.exe, regsvr32.exe
description | pid | process | target process
PID 1956 wrote to memory of 1948 | 1956 | regsvr32.exe | regsvr32.exe
PID 1956 wrote to memory of 1948 | 1956 | regsvr32.exe | regsvr32.exe
PID 1956 wrote to memory of 1948 | 1956 | regsvr32.exe | regsvr32.exe
PID 1956 wrote to memory of 1948 | 1956 | regsvr32.exe | regsvr32.exe
PID 1956 wrote to memory of 1948 | 1956 | regsvr32.exe | regsvr32.exe
PID 1956 wrote to memory of 1948 | 1956 | regsvr32.exe | regsvr32.exe
PID 1956 wrote to memory of 1948 | 1956 | regsvr32.exe | regsvr32.exe
PID 1948 wrote to memory of 1524 | 1948 | regsvr32.exe | rundll32.exe
PID 1948 wrote to memory of 1524 | 1948 | regsvr32.exe | rundll32.exe
PID 1948 wrote to memory of 1524 | 1948 | regsvr32.exe | rundll32.exe
PID 1948 wrote to memory of 1524 | 1948 | regsvr32.exe | rundll32.exe
PID 1948 wrote to memory of 1524 | 1948 | regsvr32.exe | rundll32.exe
PID 1948 wrote to memory of 1524 | 1948 | regsvr32.exe | rundll32.exe
PID 1948 wrote to memory of 1524 | 1948 | regsvr32.exe | rundll32.exe
Processes
C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\62b4e33474fa6ef9e22b8f22b1918315e6ecb6d18066d3b1e7a29181d29323f6.dll
  Suspicious use of WriteProcessMemory
  PID: 1956
  C:\Windows\SysWOW64\regsvr32.exe
    Command line: /s C:\Users\Admin\AppData\Local\Temp\62b4e33474fa6ef9e22b8f22b1918315e6ecb6d18066d3b1e7a29181d29323f6.dll
    Suspicious use of WriteProcessMemory
    PID: 1948
    C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\62b4e33474fa6ef9e22b8f22b1918315e6ecb6d18066d3b1e7a29181d29323f6.dll",DllRegisterServer
      PID: 1524