Analysis

  • max time kernel
    143s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-06-2024 20:17

General

  • Target

    b2a1f3c18c864d52b8f7b81a333d51f14687ab0ecc4bc3eddc75b878ff4c9861.dll

  • Size

    1.1MB

  • MD5

    442cfb9a511e845c428c7bda24cdde4c

  • SHA1

    b8e669af6c42be23706076305aafdd68878419f0

  • SHA256

    b2a1f3c18c864d52b8f7b81a333d51f14687ab0ecc4bc3eddc75b878ff4c9861

  • SHA512

    62f6dbfbba475f991dddd209b38c0765b2e501a06fb9836f473221aedcf626f77ed4867d709053ac1df96f3b6b2f3c013602d53f6e3b55b4fd20863b0d64047e

  • SSDEEP

    12288:hxhQ0pWageSXJ0JF0EdcDZKh8SbCpdNVTEMJdHuN3LafJSrN:hDQhXJ1Td2CpdNVT/uNEsN

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

175.107.196.192:80

156.67.219.84:7080

159.8.59.82:8080

119.235.255.201:8080

31.24.158.56:8080

212.237.17.99:8080

45.118.135.203:7080

45.176.232.124:443

129.232.188.93:443

58.227.42.236:80

162.214.50.39:7080

176.104.106.96:8080

153.126.203.229:8080

162.243.175.63:443

138.185.72.26:8080

50.116.54.215:443

50.30.40.196:8080

178.79.147.66:8080

203.114.109.124:443

82.165.152.127:8080

eck1.plain
ecs1.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b2a1f3c18c864d52b8f7b81a333d51f14687ab0ecc4bc3eddc75b878ff4c9861.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2256
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\b2a1f3c18c864d52b8f7b81a333d51f14687ab0ecc4bc3eddc75b878ff4c9861.dll
      2⤵
      • Drops file in System32 directory
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:1544
      • C:\Windows\SysWOW64\regsvr32.exe
        C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Dsfiawrbfxjt\watf.ukh"
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        PID:4556

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\Dsfiawrbfxjt\watf.ukh
    Filesize

    1.1MB

    MD5

    442cfb9a511e845c428c7bda24cdde4c

    SHA1

    b8e669af6c42be23706076305aafdd68878419f0

    SHA256

    b2a1f3c18c864d52b8f7b81a333d51f14687ab0ecc4bc3eddc75b878ff4c9861

    SHA512

    62f6dbfbba475f991dddd209b38c0765b2e501a06fb9836f473221aedcf626f77ed4867d709053ac1df96f3b6b2f3c013602d53f6e3b55b4fd20863b0d64047e

  • memory/1544-0-0x0000000002F50000-0x0000000002F76000-memory.dmp
    Filesize

    152KB

  • memory/1544-3-0x0000000010000000-0x0000000010119000-memory.dmp
    Filesize

    1.1MB

  • memory/4556-5-0x0000000002730000-0x0000000002756000-memory.dmp
    Filesize

    152KB