Analysis
- max time kernel: 143s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 12/11/2024, 20:44

Static task: static1
Behavioral task: behavioral1
Sample: 7082395f27d34681bea27596ada09116ec37c9abfd2c75cd9ae3e0b5ddde3bdd.dll
Resource: win7-20240903-en
General
- Target: 7082395f27d34681bea27596ada09116ec37c9abfd2c75cd9ae3e0b5ddde3bdd.dll
- Size: 180KB
- MD5: 76be42c50499e03c77578bd7013498a2
- SHA1: 53801180e22cd80925f512f704b1dcde2445c51e
- SHA256: 7082395f27d34681bea27596ada09116ec37c9abfd2c75cd9ae3e0b5ddde3bdd
- SHA512: dc2fdebdedd14cb8771ecb458e12576fe85c35db665bbfd37f2a5b8f866a199d7f38ea95d639f2c1d97d5d527dd40630bbe5e85561576214500155db9142286c
- SSDEEP: 3072:rpjfmFcO4J8FYMh1PAzu8GmeR8dk5pL/rRn/02QBgjVcoe5Uy5i6zNL4ZNgzPKcQ:rR+WW6u8QKkXzN/09gjV/eey5/NsAziz
Malware Config
Extracted
emotet
Epoch5
Signatures
- Emotet family
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
    pid   Process
    2852  regsvr32.exe
    2336  regsvr32.exe
    2336  regsvr32.exe
- Suspicious behavior: RenamesItself (1 IoC)
    pid   Process
    2852  regsvr32.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
    description                       pid   Process       procid_target
    PID 2852 wrote to memory of 2336  2852  regsvr32.exe  28
    PID 2852 wrote to memory of 2336  2852  regsvr32.exe  28
    PID 2852 wrote to memory of 2336  2852  regsvr32.exe  28
    PID 2852 wrote to memory of 2336  2852  regsvr32.exe  28
    PID 2852 wrote to memory of 2336  2852  regsvr32.exe  28
Processes
1. C:\Windows\system32\regsvr32.exe
   Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7082395f27d34681bea27596ada09116ec37c9abfd2c75cd9ae3e0b5ddde3bdd.dll
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: RenamesItself
   - Suspicious use of WriteProcessMemory
   PID: 2852
   2. C:\Windows\system32\regsvr32.exe
      Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\XnsbSlsEq\RbekgsY.dll"
      - Suspicious behavior: EnumeratesProcesses
      PID: 2336
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b