Analysis
max time kernel: 141s
max time network: 156s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 12/11/2024, 20:50
Static task: static1
Behavioral task: behavioral1
Sample: 75ff61f385a42087673590937a2da8a8caca589fc5882bc0e1367240fe6ba983.dll
Resource: win7-20241010-en
General
Target: 75ff61f385a42087673590937a2da8a8caca589fc5882bc0e1367240fe6ba983.dll
Size: 654KB
MD5: 366d239dcb95f4e4c7113ffc3d1b56b9
SHA1: 915fcc7b5ecf773f14d081f0afcdcbe3297a4289
SHA256: 75ff61f385a42087673590937a2da8a8caca589fc5882bc0e1367240fe6ba983
SHA512: e3b95a9b86ee1cd023787b27dbe71274ae66833c3bda708ca151eb4e912d3f77b75664569b0331b067aa64f803d34f07f5670ef74d22973a3d26d9e06cf9024b
SSDEEP: 12288:Y4wcc2MydZgRd9aa8l85Qr0t6DZ32QcbplMyVJqhoLYqNr85M3doZtw29ke8QNG0:Y4wcc2WRd9aaKDhAkyVJ4TqNr85M3doX
Malware Config (extracted)
Family: emotet
Botnet: Epoch4
C2 servers: 62 IP:port pairs extracted from the sample
Signatures
Emotet family

Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid   Process
2772  regsvr32.exe
2784  regsvr32.exe
2784  regsvr32.exe

Suspicious behavior: RenamesItself (1 IoC)
pid   Process
2772  regsvr32.exe

Suspicious use of WriteProcessMemory (5 IoCs)
description                         pid   Process       procid_target
PID 2772 wrote to memory of 2784    2772  regsvr32.exe  30
PID 2772 wrote to memory of 2784    2772  regsvr32.exe  30
PID 2772 wrote to memory of 2784    2772  regsvr32.exe  30
PID 2772 wrote to memory of 2784    2772  regsvr32.exe  30
PID 2772 wrote to memory of 2784    2772  regsvr32.exe  30
Processes
1. C:\Windows\system32\regsvr32.exe (depth 1)
   Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\75ff61f385a42087673590937a2da8a8caca589fc5882bc0e1367240fe6ba983.dll
   PID: 2772
   Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious behavior: RenamesItself; Suspicious use of WriteProcessMemory

2. C:\Windows\system32\regsvr32.exe (depth 2, child of PID 2772)
   Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\HhBBHiTLpVDAHBo\pEGAlkIAUOP.dll"
   PID: 2784
   Signatures: Suspicious behavior: EnumeratesProcesses