Analysis

  • max time kernel
    138s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-11-2024 19:12

General

  • Target

    dffed6c5a66a9160064bb871e7eff65016f6490738daef4efeaab69aa9e5ae39.dll

  • Size

    516KB

  • MD5

    d1cfff953f52bdaa4e7baccd695d3601

  • SHA1

    cd64a9447638328904eeb67a900d8721da817426

  • SHA256

    dffed6c5a66a9160064bb871e7eff65016f6490738daef4efeaab69aa9e5ae39

  • SHA512

    f7a71b8b2858ec79e7d9d5835e14c8c0602202800b9400ef7da13ab57afb9dd92fe56c824069af5931016a6d157a725961c856ddd804bea0a0a79e9fce7de9a3

  • SSDEEP

    6144:mW1239bnTe+0Qv7NSEBj43USaI6Y/jOpxHRikSYI+QALgIJ1divndEXkn:mW1e9PeexPBjvKSpuvYI+TLgs1dcEXk

Malware Config

Extracted

Family

emotet

Botnet

Epoch5

C2

202.28.34.99:8080

80.211.107.116:8080

175.126.176.79:8080

218.38.121.17:443

139.196.72.155:8080

103.71.99.57:8080

87.106.97.83:7080

178.62.112.199:8080

64.227.55.231:8080

46.101.98.60:8080

54.37.228.122:443

128.199.217.206:443

190.145.8.4:443

209.239.112.82:8080

85.214.67.203:8080

198.199.70.22:8080

128.199.242.164:8080

178.238.225.252:8080

103.85.95.4:8080

103.126.216.86:443

eck1.plain
1
-----BEGIN PUBLIC KEY-----
2
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2DWT12OLUMXfzeFp+bE2AJubVDsW
3
NqJdRC6yODDYRzYuuNL0i2rI2Ex6RUQaBvqPOL7a+wCWnIQszh42gCRQlg==
4
-----END PUBLIC KEY-----
ecs1.plain
1
-----BEGIN PUBLIC KEY-----
2
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE9C8agzYaJ1GMJPLKqOyFrlJZUXVI
3
lAZwAnOq6JrEKHtWCQ+8CHuAIXqmKH6WRbnDw1wmdM/YvqKFH36nqC2VNA==
4
-----END PUBLIC KEY-----

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Emotet family
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\dffed6c5a66a9160064bb871e7eff65016f6490738daef4efeaab69aa9e5ae39.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:1716
    • C:\Windows\system32\regsvr32.exe
      C:\Windows\system32\regsvr32.exe "C:\Windows\system32\OlNnzClzgAVqLdbW\OLJWOVys.dll"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3124

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    28.118.140.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    28.118.140.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    73.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    197.87.175.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    197.87.175.4.in-addr.arpa
    IN PTR
    Response
  • flag-kr
    POST
    https://218.38.121.17/vcovrxzsj/oqltci/
    regsvr32.exe
    Remote address:
    218.38.121.17:443
    Request
    POST /vcovrxzsj/oqltci/ HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 348
    Host: 218.38.121.17
  • flag-us
    DNS
    83.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    83.210.23.2.in-addr.arpa
    IN PTR
    Response
    83.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-83deploystaticakamaitechnologiescom
  • flag-us
    DNS
    17.121.38.218.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    17.121.38.218.in-addr.arpa
    IN PTR
    Response
  • 115.178.55.22:80
    regsvr32.exe
    260 B
    200 B
    5
    5
  • 172.105.115.71:8080
    regsvr32.exe
    208 B
    4
  • 218.38.121.17:443
    https://218.38.121.17/vcovrxzsj/oqltci/
    tls, http
    regsvr32.exe
    1.2kB
    1.9kB
    9
    6

    HTTP Request

    POST https://218.38.121.17/vcovrxzsj/oqltci/
  • 186.250.48.5:443
    regsvr32.exe
    260 B
    200 B
    5
    5
  • 103.71.99.57:8080
    regsvr32.exe
    208 B
    4
  • 85.214.67.203:8080
    regsvr32.exe
    208 B
    4
  • 85.25.120.45:8080
    regsvr32.exe
    208 B
    4
  • 139.196.72.155:8080
    regsvr32.exe
    208 B
    4
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    28.118.140.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    28.118.140.52.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    73.159.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    73.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    197.87.175.4.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    197.87.175.4.in-addr.arpa

  • 8.8.8.8:53
    171.39.242.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    171.39.242.20.in-addr.arpa

  • 8.8.8.8:53
    83.210.23.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    83.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    17.121.38.218.in-addr.arpa
    dns
    72 B
    143 B
    1
    1

    DNS Request

    17.121.38.218.in-addr.arpa

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1716-0-0x0000000180000000-0x000000018002E000-memory.dmp

    Filesize

    184KB

  • memory/1716-3-0x00000000015E0000-0x00000000015E1000-memory.dmp

    Filesize

    4KB

  • memory/1716-7-0x00007FFEE04B0000-0x00007FFEE0539000-memory.dmp

    Filesize

    548KB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.