Analysis
max time kernel: 137s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-02-2024 21:57
Static task: static1
Behavioral task: behavioral1
Sample: a51d37ca247a557b10b0392a1e2d9a3c2a9808f0346e2a56c145aa091edbe7a6.dll
Resource: win7-20240221-en
General
Target: a51d37ca247a557b10b0392a1e2d9a3c2a9808f0346e2a56c145aa091edbe7a6.dll
Size: 380KB
MD5: 7d553192201f0f9500ebbe24ee0ff1a5
SHA1: 8d653752409bac25759183ce9a5032f87f637525
SHA256: a51d37ca247a557b10b0392a1e2d9a3c2a9808f0346e2a56c145aa091edbe7a6
SHA512: 24271cba7b7718819e5fbe77e5c65aa1f87fa73db73203072b7bf40377b2a73fb409b9a44ad638562ab8e0f35d8475e8abe8afbb4d7e17a1d8ca107b7c41a10a
SSDEEP: 6144:wcvynX8aBmTd9m6qH4YCfPvogjav1iP/I4y8OQLZxUHfy11:/vynLkTbm2og7HHZ6y
Malware Config
Extracted: emotet (Epoch4)
Signatures
Loads dropped DLL (1 IoC)
  Process: regsvr32.exe, PID 2708
Drops file in System32 directory (1 IoC)
  File opened for modification: C:\Windows\SysWOW64\Ktsjwbvnrgxc\dxpgshmz.pnt by regsvr32.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Process: regsvr32.exe, PID 2708
  Process: regsvr32.exe, PID 2708
Suspicious behavior: RenamesItself (1 IoC)
  Process: regsvr32.exe, PID 2916
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 3408 (regsvr32.exe) wrote to memory of PID 2916 (regsvr32.exe)
  PID 3408 (regsvr32.exe) wrote to memory of PID 2916 (regsvr32.exe)
  PID 3408 (regsvr32.exe) wrote to memory of PID 2916 (regsvr32.exe)
  PID 2916 (regsvr32.exe) wrote to memory of PID 2708 (regsvr32.exe)
  PID 2916 (regsvr32.exe) wrote to memory of PID 2708 (regsvr32.exe)
  PID 2916 (regsvr32.exe) wrote to memory of PID 2708 (regsvr32.exe)
Processes
C:\Windows\system32\regsvr32.exe (PID 3408)
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\a51d37ca247a557b10b0392a1e2d9a3c2a9808f0346e2a56c145aa091edbe7a6.dll
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\regsvr32.exe (PID 2916)
    Command line: /s C:\Users\Admin\AppData\Local\Temp\a51d37ca247a557b10b0392a1e2d9a3c2a9808f0346e2a56c145aa091edbe7a6.dll
    - Drops file in System32 directory
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\regsvr32.exe (PID 2708)
      Command line: C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Ktsjwbvnrgxc\dxpgshmz.pnt"
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1836)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1312 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
Downloads
C:\Windows\SysWOW64\Ktsjwbvnrgxc\dxpgshmz.pnt
  Filesize: 380KB
  MD5: 7d553192201f0f9500ebbe24ee0ff1a5
  SHA1: 8d653752409bac25759183ce9a5032f87f637525
  SHA256: a51d37ca247a557b10b0392a1e2d9a3c2a9808f0346e2a56c145aa091edbe7a6
  SHA512: 24271cba7b7718819e5fbe77e5c65aa1f87fa73db73203072b7bf40377b2a73fb409b9a44ad638562ab8e0f35d8475e8abe8afbb4d7e17a1d8ca107b7c41a10a
memory/2708-4-0x0000000002850000-0x0000000002874000-memory.dmp
  Filesize: 144KB
memory/2916-0-0x00000000025C0000-0x00000000025E4000-memory.dmp
  Filesize: 144KB