Analysis Overview
SHA256
f51c81ec5c615651109c343acc8f7a712a78801b83fabd0b0925a2abde9629ff
Threat Level: Known bad
The file 0A4bnyb9ltzha9k.zip was found to be: Known bad.
Malicious Activity Summary
Emotet
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-03-08 07:41
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-03-08 07:40
Reported
2023-03-08 07:45
Platform
win7-20230220-en
Max time kernel
149s
Max time network
157s
Command Line
Signatures
Emotet
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1420 wrote to memory of 268 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\system32\regsvr32.exe |
| PID 1420 wrote to memory of 268 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\system32\regsvr32.exe |
| PID 1420 wrote to memory of 268 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\system32\regsvr32.exe |
| PID 1420 wrote to memory of 268 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\system32\regsvr32.exe |
| PID 1420 wrote to memory of 268 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\system32\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\d43w33NCMhh4esEWRu9shhpECdd2BAg.dll
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\QQiixqLQLjOtSPtU\XIXSUzKhD.dll"
Network
Files
memory/1420-54-0x0000000001DC0000-0x0000000001E70000-memory.dmp
memory/1420-56-0x0000000180000000-0x000000018002D000-memory.dmp
memory/1420-59-0x0000000000130000-0x0000000000131000-memory.dmp
memory/268-60-0x0000000001E40000-0x0000000001EF0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-03-08 07:40
Reported
2023-03-08 07:45
Platform
win10v2004-20230220-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
Emotet
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 5056 wrote to memory of 3324 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\system32\regsvr32.exe |
| PID 5056 wrote to memory of 3324 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\system32\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\d43w33NCMhh4esEWRu9shhpECdd2BAg.dll
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\PasdjQmaiQgMYT\VzSFsIOhVNyt.dll"
Network
Files
memory/5056-133-0x0000000180000000-0x000000018002D000-memory.dmp
memory/5056-136-0x0000000000D60000-0x0000000000D61000-memory.dmp
memory/3324-140-0x0000000000400000-0x00000000004B0000-memory.dmp