Analysis
-
max time kernel
132s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
02-04-2024 09:52
Static task
static1
Behavioral task
behavioral1
Sample
bf274f8c9ba0a2e9b51cc341688a1bc827e21e3d52f152bf49380123f70b2a59.dll
Resource
win7-20240221-en
General
-
Target
bf274f8c9ba0a2e9b51cc341688a1bc827e21e3d52f152bf49380123f70b2a59.dll
-
Size
197KB
-
MD5
19b0124f2e4f223113bb11a84765a6c3
-
SHA1
d27bfe2481c74fe0c213456ad3906e96097ab4c6
-
SHA256
bf274f8c9ba0a2e9b51cc341688a1bc827e21e3d52f152bf49380123f70b2a59
-
SHA512
c9bd86474c8500d948d7c1af660f60af00cffee8f6525785ad916a669c87386ad23c5955dc8e2dbe666cbdc57b46c4d1e813ced09a61920aeb4f17bc520cd602
-
SSDEEP
3072:7zrlNwFBuQ+i2ro9Ux4huw/mY2EeTyDcqsAX8QaCQ5IS39mLSnwKl:7zPkBvoroGIRe+7sAXMCQL3ImwK
Malware Config
Extracted
emotet
Epoch3
125.0.215.60:80
163.53.204.180:443
89.163.210.141:8080
203.157.152.9:7080
157.245.145.87:443
82.78.179.117:443
85.247.144.202:80
37.46.129.215:8080
110.37.224.243:80
192.210.217.94:8080
2.82.75.215:80
69.159.11.38:443
188.166.220.180:7080
103.93.220.182:80
198.20.228.9:8080
91.75.75.46:80
88.247.30.64:80
189.211.214.19:443
203.160.167.243:80
178.33.167.120:8080
178.254.36.182:8080
70.32.89.105:8080
103.80.51.61:8080
54.38.143.245:8080
113.203.238.130:80
50.116.78.109:8080
195.201.56.70:8080
109.99.146.210:8080
75.127.14.170:8080
172.193.14.201:80
203.56.191.129:8080
157.7.164.178:8081
46.32.229.152:8080
78.90.78.210:80
116.202.10.123:8080
189.34.18.252:8080
114.158.126.84:80
201.193.160.196:80
79.133.6.236:8080
202.29.237.113:8080
203.153.216.178:7080
172.96.190.154:8080
74.208.173.91:8080
139.59.61.215:443
117.2.139.117:443
24.230.124.78:80
5.83.32.101:80
139.5.101.203:80
8.4.9.137:8080
120.51.34.254:80
188.226.165.170:8080
91.83.93.103:443
183.91.3.63:80
192.241.220.183:8080
190.18.184.113:80
2.58.16.86:8080
5.79.70.250:8080
113.161.176.235:80
46.105.131.68:8080
223.17.215.76:80
186.146.229.172:80
186.96.170.61:80
121.117.147.153:443
192.163.221.191:8080
139.59.12.63:8080
115.79.195.246:80
172.104.46.84:8080
180.52.66.193:80
185.208.226.142:8080
152.32.75.74:443
143.95.101.72:8080
47.150.238.196:80
201.212.201.127:8080
190.85.46.52:7080
182.73.7.59:8080
178.62.254.156:8080
195.159.28.244:8080
103.229.73.17:8080
103.124.152.221:80
180.148.4.130:8080
60.108.128.186:80
110.172.180.180:8080
162.144.145.58:8080
37.205.9.252:7080
185.142.236.163:443
27.78.27.110:443
58.27.215.3:8080
Signatures
-
Blocklisted process makes network request 6 IoCs
Processes:
rundll32.exeflow pid process 3 3040 rundll32.exe 7 3040 rundll32.exe 8 3040 rundll32.exe 11 3040 rundll32.exe 12 3040 rundll32.exe 15 3040 rundll32.exe -
Drops file in System32 directory 1 IoCs
Processes:
rundll32.exedescription ioc process File opened for modification C:\Windows\SysWOW64\Owsfsdl\fgfvbb.xwe rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
rundll32.exepid process 3040 rundll32.exe 3040 rundll32.exe 3040 rundll32.exe 3040 rundll32.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
rundll32.exepid process 2652 rundll32.exe -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 1220 wrote to memory of 2652 1220 rundll32.exe rundll32.exe PID 1220 wrote to memory of 2652 1220 rundll32.exe rundll32.exe PID 1220 wrote to memory of 2652 1220 rundll32.exe rundll32.exe PID 1220 wrote to memory of 2652 1220 rundll32.exe rundll32.exe PID 1220 wrote to memory of 2652 1220 rundll32.exe rundll32.exe PID 1220 wrote to memory of 2652 1220 rundll32.exe rundll32.exe PID 1220 wrote to memory of 2652 1220 rundll32.exe rundll32.exe PID 2652 wrote to memory of 3040 2652 rundll32.exe rundll32.exe PID 2652 wrote to memory of 3040 2652 rundll32.exe rundll32.exe PID 2652 wrote to memory of 3040 2652 rundll32.exe rundll32.exe PID 2652 wrote to memory of 3040 2652 rundll32.exe rundll32.exe PID 2652 wrote to memory of 3040 2652 rundll32.exe rundll32.exe PID 2652 wrote to memory of 3040 2652 rundll32.exe rundll32.exe PID 2652 wrote to memory of 3040 2652 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\bf274f8c9ba0a2e9b51cc341688a1bc827e21e3d52f152bf49380123f70b2a59.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\bf274f8c9ba0a2e9b51cc341688a1bc827e21e3d52f152bf49380123f70b2a59.dll,#12⤵
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Owsfsdl\fgfvbb.xwe",Control_RunDLL3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses