Analysis
max time kernel: 287s
max time network: 299s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 17-03-2023 14:58
Behavioral task behavioral1: Sample emotet.dll, Resource win7-20230220-en
Behavioral task behavioral2: Sample emotet.dll, Resource win10v2004-20230220-en
General
Target: emotet.dll
Size: 144KB
MD5: 939198ab85520f8fa042349eb83d64d1
SHA1: 3e8c0f7e6e55f5fece2339ec9c4c52cf9270e582
SHA256: 0c681fdfe86923929453a713de6b2bf30fabe979ca0130f8a0a75a77a5c015f6
SHA512: b478d4d2841a4ba0a4e021caf21fd7c07b75b51efe514d2c226313a45f89d2e3ff322f3bebfd53d97c0cb28c9383dbca5f3616dcabc1ac3f678d7de4f8e11272
SSDEEP: 3072:t+DIgZx6B1Bx4Megsbd26KkltYBw91mH67rc8Xw4vQobyU:Gz6BW7bw6ZlKBwnmHaotpSyU
Malware Config (extracted)
Family: emotet
Botnet: Epoch5
C2 addresses (IP:port):
51.178.61.60:443
168.197.250.14:80
45.79.33.48:8080
196.44.98.190:8080
177.72.80.14:7080
51.210.242.234:8080
185.148.169.10:8080
142.4.219.173:8080
78.47.204.80:443
78.46.73.125:443
37.44.244.177:8080
37.59.209.141:8080
191.252.103.16:80
54.38.242.185:443
85.214.67.203:8080
54.37.228.122:443
207.148.81.119:8080
195.77.239.39:8080
66.42.57.149:443
195.154.146.35:443
Signatures
Blocklisted process makes network request (24 IoCs)
Processes:
flow  pid   process
3     1384  rundll32.exe
5     1384  rundll32.exe
6     1384  rundll32.exe
7     1384  rundll32.exe
8     1384  rundll32.exe
9     1384  rundll32.exe
11    1384  rundll32.exe
12    1384  rundll32.exe
13    1384  rundll32.exe
14    1384  rundll32.exe
15    1384  rundll32.exe
16    1384  rundll32.exe
18    1384  rundll32.exe
19    1384  rundll32.exe
20    1384  rundll32.exe
23    1384  rundll32.exe
24    1384  rundll32.exe
25    1384  rundll32.exe
27    1384  rundll32.exe
28    1384  rundll32.exe
31    1384  rundll32.exe
32    1384  rundll32.exe
33    1384  rundll32.exe
34    1384  rundll32.exe
Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
pid   process
1384  rundll32.exe
Suspicious use of WriteProcessMemory (7 IoCs)
Processes (7 identical entries):
description                          pid   process       target process
PID 1304 wrote to memory of 1384     1304  rundll32.exe  rundll32.exe
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\emotet.dll,#1
  PID: 1304
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (child of PID 1304)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\emotet.dll,#1
    PID: 1384
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads
memory/1384-54-0x0000000000170000-0x0000000000199000-memory.dmp (Filesize: 164KB)