Analysis
max time kernel: 134s
max time network: 141s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system
submitted: 15-06-2024 20:17
Static task: static1
Behavioral task: behavioral1
Sample: b2a1f3c18c864d52b8f7b81a333d51f14687ab0ecc4bc3eddc75b878ff4c9861.dll
Resource: win7-20240508-en
General
Target: b2a1f3c18c864d52b8f7b81a333d51f14687ab0ecc4bc3eddc75b878ff4c9861.dll
Size: 1.1MB
MD5: 442cfb9a511e845c428c7bda24cdde4c
SHA1: b8e669af6c42be23706076305aafdd68878419f0
SHA256: b2a1f3c18c864d52b8f7b81a333d51f14687ab0ecc4bc3eddc75b878ff4c9861
SHA512: 62f6dbfbba475f991dddd209b38c0765b2e501a06fb9836f473221aedcf626f77ed4867d709053ac1df96f3b6b2f3c013602d53f6e3b55b4fd20863b0d64047e
SSDEEP: 12288:hxhQ0pWageSXJ0JF0EdcDZKh8SbCpdNVTEMJdHuN3LafJSrN:hDQhXJ1Td2CpdNVT/uNEsN
Malware Config
Extracted: emotet (Epoch4)
Signatures
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
  pid   process
  2772  regsvr32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
  description                        pid   process       target process
  PID 2084 wrote to memory of 2772   2084  regsvr32.exe  regsvr32.exe
  (the same entry is recorded 7 times)
Processes
1. C:\Windows\system32\regsvr32.exe
   Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b2a1f3c18c864d52b8f7b81a333d51f14687ab0ecc4bc3eddc75b878ff4c9861.dll
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\regsvr32.exe
      Command line: /s C:\Users\Admin\AppData\Local\Temp\b2a1f3c18c864d52b8f7b81a333d51f14687ab0ecc4bc3eddc75b878ff4c9861.dll
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads
- memory/2772-0-0x00000000003F0000-0x0000000000416000-memory.dmp (Filesize: 152KB)