Analysis

max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-02-2024 07:57

Static task: static1
Behavioral task: behavioral1
Sample: 5c506cebf00abf66534d216bcee0352cbf287d84a1b2e35797592e18b4969880.dll
Resource: win7-20240221-en
General

Target: 5c506cebf00abf66534d216bcee0352cbf287d84a1b2e35797592e18b4969880.dll
Size: 745KB
MD5: ae55d18385b78f233c8af987cc7e86e9
SHA1: b6964a23bb4d0f40b1efec899274c5c4264b2a93
SHA256: 5c506cebf00abf66534d216bcee0352cbf287d84a1b2e35797592e18b4969880
SHA512: fe7ebe4b09ec45ef47f3bf7e9ffea9364109a7a98bf452fc9f3f69ee39ae31478c779de5a8e69ae0730a87a17869ac76701bfab401fe140c20c2c51bf922729a
SSDEEP: 12288:pw/seyLAdTA2tSgy/O+TSKZUWozyFl/yg4dIh2t+ZxmmPqVZ7Y1nrJS:i/18kTAY72TSYB/ygn2Xma7+rM
Malware Config
Extracted
emotet
Epoch5
45.138.98.34:80
69.16.218.101:8080
51.210.242.234:8080
185.148.168.220:8080
142.4.219.173:8080
54.38.242.185:443
191.252.103.16:80
104.131.62.48:8080
62.171.178.147:8080
217.182.143.207:443
168.197.250.14:80
37.44.244.177:8080
66.42.57.149:443
210.57.209.142:8080
159.69.237.188:443
116.124.128.206:8080
128.199.192.135:8080
195.154.146.35:443
185.148.168.15:8080
195.77.239.39:8080
207.148.81.119:8080
85.214.67.203:8080
190.90.233.66:443
78.46.73.125:443
78.47.204.80:443
37.59.209.141:8080
54.37.228.122:443
Signatures

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: regsvr32.exe, regsvr32.exe

description                        pid   process       target process
PID 4708 wrote to memory of 3720   4708  regsvr32.exe  regsvr32.exe
PID 4708 wrote to memory of 3720   4708  regsvr32.exe  regsvr32.exe
PID 4708 wrote to memory of 3720   4708  regsvr32.exe  regsvr32.exe
PID 3720 wrote to memory of 2524   3720  regsvr32.exe  rundll32.exe
PID 3720 wrote to memory of 2524   3720  regsvr32.exe  rundll32.exe
PID 3720 wrote to memory of 2524   3720  regsvr32.exe  rundll32.exe
Processes

1. C:\Windows\system32\regsvr32.exe
   command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\5c506cebf00abf66534d216bcee0352cbf287d84a1b2e35797592e18b4969880.dll
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\regsvr32.exe
      command line: /s C:\Users\Admin\AppData\Local\Temp\5c506cebf00abf66534d216bcee0352cbf287d84a1b2e35797592e18b4969880.dll
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\rundll32.exe
         command line: C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\5c506cebf00abf66534d216bcee0352cbf287d84a1b2e35797592e18b4969880.dll",DllRegisterServer
Network
MITRE ATT&CK Matrix
Downloads

memory/3720-0-0x0000000002B00000-0x0000000002B28000-memory.dmp
Filesize: 160KB