Overview

overview

10

Static

static

1

xpng5kkgI.dll

windows7-x64

10

xpng5kkgI.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230621-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-06-2023 12:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    xpng5kkgI.dll

  • Size

    348KB

  • MD5

    dca3f0a3eecf16ac4b72615d712112e9

  • SHA1

    909870e8ea76626fbe13e2c960560c2a165bd102

  • SHA256

    b5abacf24ae5aa96016c09f71a78d0121fff396d6154740eab622c4751e1764f

  • SHA512

    4bb8558e76f78b1078526952420789552930119fff8a8163d86e809186bcc7f2d2b78ee1475bc2d143648a1e890da841f0dd24704a3a1b93783b686cd95dd510

  • SSDEEP

    3072:oa99Ky1S0SD8MHjO73Ba01/H/7FlwZ2RJJBvX+WUEAQbb:oaGy1nS8MHi7xai73JtkWUEAKb

Score
10/10
emotetepoch1bankertrojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch1

C2

181.10.46.92:80

2.58.16.88:8080

206.189.232.2:8080

178.250.54.208:8080

167.71.148.58:443

202.134.4.210:7080

187.162.248.237:80

78.206.229.130:80

85.214.26.7:8080

5.196.35.138:7080

1.226.84.243:8080

110.39.162.2:443

185.183.16.47:80

152.231.89.226:80

138.97.60.141:7080

94.176.234.118:443

46.101.58.37:8080

93.146.143.191:80

70.32.84.74:8080

137.74.106.111:7080
rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Blocklisted process makes network request 6 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\xpng5kkgI.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4952
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\xpng5kkgI.dll,#1
      2⤵
      • Drops file in System32 directory
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:4892
      • C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Ftzjwyexj\fndbwxca.rnq",KczqJElC
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2044
        • C:\Windows\SysWOW64\rundll32.exe
          C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Ftzjwyexj\fndbwxca.rnq",#1
          4⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          PID:4116

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\Ftzjwyexj\fndbwxca.rnq
    Filesize

    348KB

    MD5

    dca3f0a3eecf16ac4b72615d712112e9

    SHA1

    909870e8ea76626fbe13e2c960560c2a165bd102

    SHA256

    b5abacf24ae5aa96016c09f71a78d0121fff396d6154740eab622c4751e1764f

    SHA512

    4bb8558e76f78b1078526952420789552930119fff8a8163d86e809186bcc7f2d2b78ee1475bc2d143648a1e890da841f0dd24704a3a1b93783b686cd95dd510

    Download Submit

  • C:\Windows\SysWOW64\Ftzjwyexj\fndbwxca.rnq
    Filesize

    348KB

    MD5

    dca3f0a3eecf16ac4b72615d712112e9

    SHA1

    909870e8ea76626fbe13e2c960560c2a165bd102

    SHA256

    b5abacf24ae5aa96016c09f71a78d0121fff396d6154740eab622c4751e1764f

    SHA512

    4bb8558e76f78b1078526952420789552930119fff8a8163d86e809186bcc7f2d2b78ee1475bc2d143648a1e890da841f0dd24704a3a1b93783b686cd95dd510

    Download Submit

  • memory/2044-139-0x0000000010000000-0x0000000010024000-memory.dmp

    Filesize

    144KB

    Download

  • memory/4116-141-0x0000000010000000-0x0000000010024000-memory.dmp

    Filesize

    144KB

    Download

  • memory/4116-142-0x0000000010000000-0x0000000010024000-memory.dmp

    Filesize

    144KB

    Download

  • memory/4116-144-0x0000000010000000-0x0000000010024000-memory.dmp

    Filesize

    144KB

    Download

  • memory/4892-133-0x00000000025F0000-0x0000000002611000-memory.dmp

    Filesize

    132KB

    Download

  • memory/4892-134-0x0000000010000000-0x0000000010024000-memory.dmp

    Filesize

    144KB

    Download

  • memory/4892-137-0x0000000010000000-0x0000000010024000-memory.dmp

    Filesize

    144KB

    Download