Analysis
max time kernel: 141s
max time network: 139s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 12/11/2024, 21:41
Static task: static1
Behavioral task: behavioral1
Sample: 78df4389ff2cc22877d80516f34c3907caf2a21b7826a87827d52266921d2695.dll
Resource: win7-20240903-en
General
Target: 78df4389ff2cc22877d80516f34c3907caf2a21b7826a87827d52266921d2695.dll
Size: 654KB
MD5: 933899a73ab33ba0cc28d54a8e8ba8bb
SHA1: a92e8449aa9ed76c6e1b0dec84e8445aee904f5e
SHA256: 78df4389ff2cc22877d80516f34c3907caf2a21b7826a87827d52266921d2695
SHA512: 7e0f01a65d63525e118f22dba4284d9f17892bfedf657a4e0e0da86678bc790bd005c38879776de730b0b51d33d1fe27d523b07174c314f08654e7963370a09b
SSDEEP: 12288:Y4wcc2MydZgRd9aa8l85Qr0t6DZ32QcbplMyVJqhOLYqNr85M3doZtw29ke8QNG0:Y4wcc2WRd9aaKDhAkyVJ4JqNr85M3doX
Malware Config
Extracted
emotet
Epoch4
149.56.131.28:8080
72.15.201.15:8080
207.148.79.14:8080
82.165.152.127:8080
46.55.222.11:443
213.241.20.155:443
163.44.196.120:8080
51.254.140.238:7080
107.170.39.149:8080
188.44.20.25:443
82.223.21.224:8080
172.104.251.154:8080
164.68.99.3:8080
101.50.0.91:8080
129.232.188.93:443
173.212.193.249:8080
103.132.242.26:8080
186.194.240.217:443
37.187.115.122:8080
91.207.28.33:8080
134.122.66.193:8080
1.234.2.232:8080
103.75.201.2:443
196.218.30.83:443
5.9.116.246:8080
103.70.28.102:8080
41.73.252.195:443
158.69.222.101:443
209.97.163.214:443
185.4.135.165:8080
115.68.227.76:8080
203.114.109.124:443
159.65.140.115:443
110.232.117.186:8080
51.91.76.89:8080
64.227.100.222:8080
150.95.66.124:8080
209.126.98.206:8080
153.126.146.25:7080
45.186.16.18:443
131.100.24.231:80
146.59.226.45:443
160.16.142.56:8080
167.172.253.162:8080
183.111.227.137:8080
119.193.124.41:7080
45.118.115.99:8080
159.89.202.34:443
51.161.73.194:443
212.24.98.99:8080
45.176.232.124:443
206.189.28.199:8080
197.242.150.244:8080
103.43.75.120:443
201.94.166.162:443
151.106.112.196:8080
157.245.196.132:443
159.65.88.10:8080
94.23.45.86:4143
79.137.35.198:8080
1.234.21.73:7080
45.235.8.30:8080
Signatures
Emotet family

Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid   Process
2264  regsvr32.exe
2772  regsvr32.exe
2772  regsvr32.exe

Suspicious behavior: RenamesItself (1 IoC)
pid   Process
2264  regsvr32.exe

Suspicious use of WriteProcessMemory (5 IoCs)
description                        pid   Process       procid_target
PID 2264 wrote to memory of 2772   2264  regsvr32.exe  30
PID 2264 wrote to memory of 2772   2264  regsvr32.exe  30
PID 2264 wrote to memory of 2772   2264  regsvr32.exe  30
PID 2264 wrote to memory of 2772   2264  regsvr32.exe  30
PID 2264 wrote to memory of 2772   2264  regsvr32.exe  30
Processes
1. C:\Windows\system32\regsvr32.exe
   Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\78df4389ff2cc22877d80516f34c3907caf2a21b7826a87827d52266921d2695.dll
   PID: 2264
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: RenamesItself
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\regsvr32.exe
      Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ReZyP\pkGeIuXct.dll"
      PID: 2772
      - Suspicious behavior: EnumeratesProcesses