Analysis
- max time kernel: 118s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 23-03-2024 19:58
Static task: static1
Behavioral task: behavioral1
Sample: 4c29066cd91c1834e7e15d4a891517151bc58835d4cf57dfd86fddc5bf4e0f77.dll
Resource: win7-20240221-en
General
- Target: 4c29066cd91c1834e7e15d4a891517151bc58835d4cf57dfd86fddc5bf4e0f77.dll
- Size: 784KB
- MD5: 0944574a90a00beeadaabebbb244ac38
- SHA1: 508bf95bbd3f92d6f4e75478937ba6efbd310dd8
- SHA256: 4c29066cd91c1834e7e15d4a891517151bc58835d4cf57dfd86fddc5bf4e0f77
- SHA512: e1d9919de84e15617b0000f5d16397fa0a8484acdd0b2e1896974aeb92284a84464b26fc5f3f71cdd301e6a76edfda9aba833eaf013b02779f3ef64ca9646cee
- SSDEEP: 12288:aA9e3OrvpgqjtQFecC6dddifiHxoB3rNd9CDr:blrvpgqj2FefQc3rLoD
Malware Config (extracted)
- emotet
- Epoch5
Addresses (ip:port):
185.244.166.137:443
185.168.130.138:443
59.148.253.194:443
78.46.73.125:443
195.77.239.39:8080
104.131.62.48:8080
69.16.218.101:8080
203.153.216.46:443
195.154.146.35:443
190.90.233.66:443
191.252.103.16:80
37.44.244.177:8080
168.197.250.14:80
116.124.128.206:8080
54.37.228.122:443
159.69.237.188:443
85.214.67.203:8080
210.57.209.142:8080
78.47.204.80:443
185.148.168.220:8080
142.4.219.173:8080
85.25.120.45:8080
128.199.192.135:8080
66.42.57.149:443
62.171.178.147:8080
54.38.242.185:443
217.182.143.207:443
185.148.168.15:8080
37.59.209.141:8080
207.148.81.119:8080
Signatures
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes (description / pid / process / target process):
  - PID 2924 wrote to memory of 2876 / 2924 / regsvr32.exe / regsvr32.exe (7 identical entries)
  - PID 2876 wrote to memory of 2316 / 2876 / regsvr32.exe / rundll32.exe (7 identical entries)
Processes
1. C:\Windows\system32\regsvr32.exe
   regsvr32 /s C:\Users\Admin\AppData\Local\Temp\4c29066cd91c1834e7e15d4a891517151bc58835d4cf57dfd86fddc5bf4e0f77.dll
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\4c29066cd91c1834e7e15d4a891517151bc58835d4cf57dfd86fddc5bf4e0f77.dll
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\rundll32.exe
         C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\4c29066cd91c1834e7e15d4a891517151bc58835d4cf57dfd86fddc5bf4e0f77.dll",DllRegisterServer
Downloads
- memory/2876-0-0x00000000001C0000-0x00000000001E7000-memory.dmp (filesize: 156KB)