Analysis
max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags
arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted
27-02-2024 02:36
Static task
static1
Behavioral task
behavioral1
Sample
c9fa5ff5c96152add509bbc32a117d6135273a2cb607ba5877b62133591285aa.dll
Resource
win7-20240221-en
General
Target
c9fa5ff5c96152add509bbc32a117d6135273a2cb607ba5877b62133591285aa.dll
Size
608KB
MD5
53735aa47a2c5388f24f1cdc6dae7ec8
SHA1
d763d8a787264200dedef07e79add54d5d42f8f4
SHA256
c9fa5ff5c96152add509bbc32a117d6135273a2cb607ba5877b62133591285aa
SHA512
885f0c04f5f0b69409ffad1eedacf240cdd70ebd83c890b96bd5aa7e3e40c78c4bf463e7302308d36a1882df9392fd4b0893dcb760e3a8650bc251fa8719443a
SSDEEP
6144:x42k6LwFPw91EDbkUE39P7pyADYzqlEDFmZ4s3wADhcvIpxUIVZFoEXlbeZhp4ga:x409qDb109PdyOYzq3/3fVbeFTi40
Malware Config
Extracted
emotet
Epoch4
Signatures
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
description                        pid   process       target process
PID 1576 wrote to memory of 4904   1576  regsvr32.exe  regsvr32.exe
PID 1576 wrote to memory of 4904   1576  regsvr32.exe  regsvr32.exe
PID 1576 wrote to memory of 4904   1576  regsvr32.exe  regsvr32.exe
PID 4904 wrote to memory of 3260   4904  regsvr32.exe  rundll32.exe
PID 4904 wrote to memory of 3260   4904  regsvr32.exe  rundll32.exe
PID 4904 wrote to memory of 3260   4904  regsvr32.exe  rundll32.exe
Processes
C:\Windows\system32\regsvr32.exe (depth 1)
  command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\c9fa5ff5c96152add509bbc32a117d6135273a2cb607ba5877b62133591285aa.dll
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\regsvr32.exe (depth 2)
    command line: /s C:\Users\Admin\AppData\Local\Temp\c9fa5ff5c96152add509bbc32a117d6135273a2cb607ba5877b62133591285aa.dll
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe (depth 3)
      command line: C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\c9fa5ff5c96152add509bbc32a117d6135273a2cb607ba5877b62133591285aa.dll",DllRegisterServer
Network
MITRE ATT&CK Matrix
Downloads
memory/4904-0-0x0000000002B30000-0x0000000002B58000-memory.dmp
Filesize
160KB