Analysis
- max time kernel: 59s
- max time network: 115s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-04-2023 10:09
- Static task: static1
- Behavioral task: behavioral1
- Sample: 52ff2415b68afcc866b43eca046c3c9dce4535cf5cfb6d708efc1ca0fd3e1e7b.dll
- Resource: win7-20230220-en
General
- Target: 52ff2415b68afcc866b43eca046c3c9dce4535cf5cfb6d708efc1ca0fd3e1e7b.dll
- Size: 216KB
- MD5: b0be1a8f052808add496c879ad361fec
- SHA1: 72326bac487e5d2c9e5b12abacb84d0213f9c27c
- SHA256: 52ff2415b68afcc866b43eca046c3c9dce4535cf5cfb6d708efc1ca0fd3e1e7b
- SHA512: 8fa61c1e199dcaba0dfe0559e5eda62a547fc289ccf0ee357c36e7768f30e7ee16a3175c8d8924ed96d144b1af485efd3754aa419ac36415e775c01dc67e85e3
- SSDEEP: 3072:lZ6B8Yv529XVNWfb3ClcrIzp9SWXeA3f4jfsun6C7jtom6Xaplwz:lG8j7Wz3vrIiWOAvUfsun6Cycwz
Malware Config
Extracted
emotet
Epoch5
Signatures
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: regsvr32.exe, regsvr32.exe
  description | pid | process | target process
  PID 1220 wrote to memory of 1092 | 1220 | regsvr32.exe | regsvr32.exe
  PID 1220 wrote to memory of 1092 | 1220 | regsvr32.exe | regsvr32.exe
  PID 1220 wrote to memory of 1092 | 1220 | regsvr32.exe | regsvr32.exe
  PID 1092 wrote to memory of 2076 | 1092 | regsvr32.exe | rundll32.exe
  PID 1092 wrote to memory of 2076 | 1092 | regsvr32.exe | rundll32.exe
  PID 1092 wrote to memory of 2076 | 1092 | regsvr32.exe | rundll32.exe
Processes
- C:\Windows\system32\regsvr32.exe
  command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\52ff2415b68afcc866b43eca046c3c9dce4535cf5cfb6d708efc1ca0fd3e1e7b.dll
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe
    command line: /s C:\Users\Admin\AppData\Local\Temp\52ff2415b68afcc866b43eca046c3c9dce4535cf5cfb6d708efc1ca0fd3e1e7b.dll
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      command line: C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\52ff2415b68afcc866b43eca046c3c9dce4535cf5cfb6d708efc1ca0fd3e1e7b.dll",DllRegisterServer
Network
MITRE ATT&CK Matrix
Downloads
- memory/1092-133-0x0000000010000000-0x0000000010026000-memory.dmp (Filesize: 152KB)