Analysis
- max time kernel: 145s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-06-2023 14:05
Static task: static1
Behavioral task: behavioral1
Sample: 08995099.dll
Resource: win7-20230220-en
General
- Target: 08995099.dll
- Size: 252KB
- MD5: 30891d20c065fe6378c9b2568c73a7f0
- SHA1: 76fffb0ef26bacf0925de63886cf12e911e8793a
- SHA256: 3897dbbf619853c8f37abb9e653487ea12a38b1f1e2d02d5bbd3ccf8e4e4a8a5
- SHA512: 06e7fb5bdaed8fcb65232112502724d5e9aba4b12da5a7553f217ecda7919d9df6d4d47e5173e41352e9fa984cd0c3cbfa8dd0d4be00127feb13b72a560dc9e0
- SSDEEP: 3072:PtgItJoMl9eJ02kGuBDhk3VsbwVBQdP6ZkiaoZa74jZUUzdDIm6O80MTcdfokHJm:OHK9eSBFA+bwVB35tMTc5ocEFWTBiz
Malware Config
- Extracted: emotet
- Botnet: Epoch4
Signatures
- Blocklisted process makes network request (10 IoCs)
  Processes: rundll32.exe
  flow  pid   process
  18    5036  rundll32.exe
  30    5036  rundll32.exe
  36    5036  rundll32.exe
  38    5036  rundll32.exe
  39    5036  rundll32.exe
  41    5036  rundll32.exe
  46    5036  rundll32.exe
  48    5036  rundll32.exe
  49    5036  rundll32.exe
  51    5036  rundll32.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: rundll32.exe
  pid   process
  5036  rundll32.exe
  5036  rundll32.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description                        pid   process       target process
  PID 4636 wrote to memory of 840    4636  rundll32.exe  rundll32.exe
  PID 4636 wrote to memory of 840    4636  rundll32.exe  rundll32.exe
  PID 4636 wrote to memory of 840    4636  rundll32.exe  rundll32.exe
  PID 840 wrote to memory of 5036    840   rundll32.exe  rundll32.exe
  PID 840 wrote to memory of 5036    840   rundll32.exe  rundll32.exe
  PID 840 wrote to memory of 5036    840   rundll32.exe  rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\08995099.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\08995099.dll,#1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\08995099.dll",Control_RunDLL
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads
- memory/840-133-0x00000000007C0000-0x00000000007E8000-memory.dmp (Filesize: 160KB)
- memory/840-134-0x00000000007C0000-0x00000000007E8000-memory.dmp (Filesize: 160KB)
- memory/5036-135-0x0000000001240000-0x0000000001268000-memory.dmp (Filesize: 160KB)
- memory/5036-136-0x0000000001240000-0x0000000001268000-memory.dmp (Filesize: 160KB)
- memory/5036-137-0x0000000001240000-0x0000000001268000-memory.dmp (Filesize: 160KB)