Analysis

  Max time kernel:   119s
  Max time network:  126s
  Platform:          windows7_x64
  Resource:          win7-20240903-en
  Resource tags:     arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  Submitted:         20-11-2024 22:16

  Static task:       static1
  Behavioral task:   behavioral1
    Sample:          6a27500d8ce157907664c4fbaf63490f74c8fc70e386fbd711f1c1d4ef9c866c.dll
    Resource:        win7-20240903-en
General

  Target:   6a27500d8ce157907664c4fbaf63490f74c8fc70e386fbd711f1c1d4ef9c866c.dll
  Size:     596KB
  MD5:      d5dc93dd2f5ad9311319dbd918d0cba7
  SHA1:     3a81a4f13400bb0f020b58f1ac3e43764dc2b02b
  SHA256:   6a27500d8ce157907664c4fbaf63490f74c8fc70e386fbd711f1c1d4ef9c866c
  SHA512:   d3d34237b87587283da630b2bc27d05633e4687acdc18934ac111c0bb810ad4f107a412517dacc1964204d8198d4007f6fb454a013685cd86c446bf81691f21a
  SSDEEP:   6144:8B4oWMvCBs0YaUG7qJFzR4Dpw0yHz4MmjOfg54hOSRhnID3FQizX5+IgtidXX5+o:8uLMviuaUsqTd45yHz4Mmj/STe5
Malware Config (extracted)

  Family:   emotet
  Botnet:   Epoch5
Signatures

  Emotet family

  System Location Discovery: System Language Discovery  (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: regsvr32.exe, rundll32.exe

    description   ioc                                                          Process
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  regsvr32.exe
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe

  Suspicious use of WriteProcessMemory  (14 IoCs)
  Processes: regsvr32.exe, regsvr32.exe

    description                        pid   Process       procid_target
    PID 2788 wrote to memory of 2808   2788  regsvr32.exe  31
    PID 2788 wrote to memory of 2808   2788  regsvr32.exe  31
    PID 2788 wrote to memory of 2808   2788  regsvr32.exe  31
    PID 2788 wrote to memory of 2808   2788  regsvr32.exe  31
    PID 2788 wrote to memory of 2808   2788  regsvr32.exe  31
    PID 2788 wrote to memory of 2808   2788  regsvr32.exe  31
    PID 2788 wrote to memory of 2808   2788  regsvr32.exe  31
    PID 2808 wrote to memory of 2792   2808  regsvr32.exe  32
    PID 2808 wrote to memory of 2792   2808  regsvr32.exe  32
    PID 2808 wrote to memory of 2792   2808  regsvr32.exe  32
    PID 2808 wrote to memory of 2792   2808  regsvr32.exe  32
    PID 2808 wrote to memory of 2792   2808  regsvr32.exe  32
    PID 2808 wrote to memory of 2792   2808  regsvr32.exe  32
    PID 2808 wrote to memory of 2792   2808  regsvr32.exe  32
Processes

  1. C:\Windows\system32\regsvr32.exe
     Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6a27500d8ce157907664c4fbaf63490f74c8fc70e386fbd711f1c1d4ef9c866c.dll
     PID: 2788
     - Suspicious use of WriteProcessMemory

     2. C:\Windows\SysWOW64\regsvr32.exe  (child of 1)
        Command line: /s C:\Users\Admin\AppData\Local\Temp\6a27500d8ce157907664c4fbaf63490f74c8fc70e386fbd711f1c1d4ef9c866c.dll
        PID: 2808
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        3. C:\Windows\SysWOW64\rundll32.exe  (child of 2)
           Command line: C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\6a27500d8ce157907664c4fbaf63490f74c8fc70e386fbd711f1c1d4ef9c866c.dll",DllRegisterServer
           PID: 2792
           - System Location Discovery: System Language Discovery