Analysis

max time kernel: 145s
max time network: 152s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 16-03-2023 15:24

Static task: static1

Behavioral task: behavioral1
Sample: 27c6e6bc4b46148fb4dcc6a6a9346914.dll
Resource: win7-20230220-en

Behavioral task: behavioral2
Sample: 27c6e6bc4b46148fb4dcc6a6a9346914.dll
Resource: win10v2004-20230220-en

Behavioral task: behavioral3
Sample: bfc060937dc90b273eccb6825145f298.dll
Resource: win7-20230220-en
General

Target: bfc060937dc90b273eccb6825145f298.dll
Size: 309KB
MD5: bfc060937dc90b273eccb6825145f298
SHA1: c156c00c7e918f0cb7363614fb1f177c90d8108a
SHA256: 2f39c2879989ddd7f9ecf52b6232598e5595f8bf367846ff188c9dfbf1251253
SHA512: cc1fee19314b0a0f9e292fa84f6e98f087033d77db937848dda1da0c88f49997866cba5465df04bf929b810b42fdb81481341064c4565c9b6272fa7f3b473ac5
SSDEEP: 6144:cwNQMQTlfdUPABVy559hhR3iP7TfPYbrF1EFVw0todxKROsCt:rNbadDBkZ6rPeEFizdxxsCt
Malware Config

Extracted: emotet (Epoch4)
C2 (ip:port):
164.68.99.3:8080
164.90.222.65:443
186.194.240.217:443
1.234.2.232:8080
103.75.201.2:443
187.63.160.88:80
147.139.166.154:8080
91.207.28.33:8080
5.135.159.50:443
153.92.5.27:8080
213.239.212.5:443
103.43.75.120:443
159.65.88.10:8080
167.172.253.162:8080
153.126.146.25:7080
119.59.103.152:8080
107.170.39.149:8080
183.111.227.137:8080
159.89.202.34:443
110.232.117.186:8080
129.232.188.93:443
172.105.226.75:8080
197.242.150.244:8080
188.44.20.25:443
66.228.32.31:7080
91.121.146.47:8080
202.129.205.3:8080
45.176.232.124:443
160.16.142.56:8080
94.23.45.86:4143
95.217.221.146:8080
72.15.201.15:8080
167.172.199.165:8080
115.68.227.76:8080
139.59.126.41:443
185.4.135.165:8080
79.137.35.198:8080
206.189.28.199:8080
163.44.196.120:8080
201.94.166.162:443
104.168.155.143:8080
173.212.193.249:8080
45.235.8.30:8080
169.57.156.166:8080
149.56.131.28:8080
182.162.143.56:443
103.132.242.26:8080
82.223.21.224:8080
Signatures

Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid   process
1388  regsvr32.exe
1636  regsvr32.exe
1636  regsvr32.exe

Suspicious behavior: RenamesItself (1 IoC)
pid   process
1388  regsvr32.exe

Suspicious use of WriteProcessMemory (5 IoCs)
description                        pid   process       target process
PID 1388 wrote to memory of 1636   1388  regsvr32.exe  regsvr32.exe
PID 1388 wrote to memory of 1636   1388  regsvr32.exe  regsvr32.exe
PID 1388 wrote to memory of 1636   1388  regsvr32.exe  regsvr32.exe
PID 1388 wrote to memory of 1636   1388  regsvr32.exe  regsvr32.exe
PID 1388 wrote to memory of 1636   1388  regsvr32.exe  regsvr32.exe
Processes

1. C:\Windows\system32\regsvr32.exe
   regsvr32 /s C:\Users\Admin\AppData\Local\Temp\bfc060937dc90b273eccb6825145f298.dll
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: RenamesItself
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\regsvr32.exe (child of 1)
      C:\Windows\system32\regsvr32.exe "C:\Windows\system32\GcIMCAiiUW\JXgEREUZDGtHKDJ.dll"
      - Suspicious behavior: EnumeratesProcesses
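The process tree above shows the pattern a detection should key on: regsvr32 silently registering a DLL from the user's temp directory, then spawning a second regsvr32 that loads a DLL from a freshly created, random-looking subdirectory of System32. The following is an added example, not part of the report: it runs three checks for that pattern over constructed Sysmon-style process-creation events. Events 1388 and 1636 reproduce the report's command lines; the parent of 1388, the two benign events, the field names and the System32 subdirectory allowlist are all assumptions.

```python
"""Detection logic for the regsvr32 chain shown in the process tree above.

Added example, not part of the report. Events 1388 and 1636 mirror the
reported tree; the parent of 1388, the benign events, the Sysmon-style
field names and the allowlist below are assumptions.
"""
import re

REGSVR32 = "\\regsvr32.exe"

# Constructed process-creation events. ppid 600 and the events for pids
# 2000 and 2100 are invented to exercise the benign path.
EVENTS = [
    {"pid": 1388, "ppid": 600, "image": r"C:\Windows\system32\regsvr32.exe",
     "cmdline": r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\bfc060937dc90b273eccb6825145f298.dll"},
    {"pid": 1636, "ppid": 1388, "image": r"C:\Windows\system32\regsvr32.exe",
     "cmdline": r'C:\Windows\system32\regsvr32.exe "C:\Windows\system32\GcIMCAiiUW\JXgEREUZDGtHKDJ.dll"'},
    {"pid": 2000, "ppid": 1900, "image": r"C:\Windows\system32\regsvr32.exe",
     "cmdline": r'regsvr32 /s "C:\Program Files\Vendor\plugin.dll"'},
    {"pid": 2100, "ppid": 1900, "image": r"C:\Windows\system32\regsvr32.exe",
     "cmdline": r"regsvr32 /s C:\Windows\system32\wbem\example.dll"},
]

# Illustrative allowlist of System32 subdirectories that legitimately hold
# DLLs. This set is an assumption; baseline it from your own fleet.
KNOWN_SYSTEM32_SUBDIRS = {"drivers", "driverstore", "wbem", "windowspowershell", "spool"}

DLL_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"]+?\.dll)"?', re.IGNORECASE)
SYS32_SUBDIR_RE = re.compile(
    r"^[A-Za-z]:\\Windows\\system32\\(?P<sub>[^\\]+)\\[^\\]+\.dll$", re.IGNORECASE)
USER_TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)


def extract_dll(cmdline):
    """Pull the first .dll path (quoted or not) out of a command line."""
    m = DLL_RE.search(cmdline)
    return m.group("path") if m else None


def is_regsvr32(event):
    return event["image"].lower().endswith(REGSVR32)


def analyze(events):
    """Return (pid, finding) tuples for regsvr32 events matching the pattern."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if not is_regsvr32(e):
            continue
        # regsvr32 spawned by regsvr32: the parent-child link from the report.
        parent = by_pid.get(e["ppid"])
        if parent is not None and is_regsvr32(parent):
            findings.append((e["pid"], "parent-is-regsvr32"))
        dll = extract_dll(e["cmdline"])
        if dll is None:
            continue
        # Registering a DLL straight out of a user-writable temp directory.
        if USER_TEMP_RE.search(dll):
            findings.append((e["pid"], "dll-from-user-temp"))
        # DLL in a System32 subdirectory that is not a known one.
        m = SYS32_SUBDIR_RE.match(dll)
        if m and m.group("sub").lower() not in KNOWN_SYSTEM32_SUBDIRS:
            findings.append((e["pid"], "dll-in-unknown-system32-subdir"))
    return findings


if __name__ == "__main__":
    for pid, finding in analyze(EVENTS):
        print(f"pid {pid}: {finding}")
```

Each check on its own has benign hits (installers register DLLs from temp, and a few System32 subdirectories legitimately hold DLLs); the value is in seeing two or three of them fire on one parent-child pair, as they do for 1388 and 1636 here.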