Analysis
max time kernel: 94s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-11-2024 21:42
Static task: static1
Behavioral task: behavioral1
Sample: 331b51308db7942b6d6742aaec07baa41cd91c0cfdd35af49815292c088ca743.dll
Resource: win7-20241023-en
General
Target: 331b51308db7942b6d6742aaec07baa41cd91c0cfdd35af49815292c088ca743.dll
Size: 745KB
MD5: ae30cc95b01c5bcbd5d82302b569a330
SHA1: 0676ff782a2dba7d31ae5f7367dab60675ffdbd1
SHA256: 331b51308db7942b6d6742aaec07baa41cd91c0cfdd35af49815292c088ca743
SHA512: 5db4256e556b16d1cfe6e4b792e1b1fe8c7914993b17375e203175e92a6ffad2dad0a9eb420948d2816b75dc8ced7af838a76ecb9d372105063397e2636f4831
SSDEEP: 12288:2pFqjrndvdv8yPUBOGuEc54GbOXqqJD2uXyZrxkAGkv2xN71WTxo:2pF2jdx8J654GbOXqfPBmN4TW
Malware Config
Extracted: emotet, Epoch4
Addresses (ip:port):
172.104.227.98:443
31.207.89.74:8080
46.55.222.11:443
41.76.108.46:8080
103.8.26.103:8080
185.184.25.237:8080
103.8.26.102:8080
203.114.109.124:443
45.118.115.99:8080
178.79.147.66:8080
58.227.42.236:80
45.118.135.203:7080
103.75.201.2:443
195.154.133.20:443
192.254.71.210:443
45.142.114.231:8080
212.237.5.209:443
207.38.84.195:8080
104.251.214.46:8080
212.237.17.99:8080
212.237.56.116:7080
216.158.226.206:443
110.232.117.186:8080
158.69.222.101:443
107.182.225.142:8080
176.104.106.96:8080
81.0.236.90:443
50.116.54.215:443
138.185.72.26:8080
51.68.175.8:8080
210.57.217.132:8080
Signatures

Emotet family

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                            Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    regsvr32.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    rundll32.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid    Process         procid_target
  PID 4512 wrote to memory of 2148   4512   regsvr32.exe    82
  PID 4512 wrote to memory of 2148   4512   regsvr32.exe    82
  PID 4512 wrote to memory of 2148   4512   regsvr32.exe    82
  PID 2148 wrote to memory of 1016   2148   regsvr32.exe    83
  PID 2148 wrote to memory of 1016   2148   regsvr32.exe    83
  PID 2148 wrote to memory of 1016   2148   regsvr32.exe    83
Processes
1. C:\Windows\system32\regsvr32.exe
   Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\331b51308db7942b6d6742aaec07baa41cd91c0cfdd35af49815292c088ca743.dll
   PID: 4512
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\regsvr32.exe
      Command line: /s C:\Users\Admin\AppData\Local\Temp\331b51308db7942b6d6742aaec07baa41cd91c0cfdd35af49815292c088ca743.dll
      PID: 2148
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\rundll32.exe
         Command line: C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\331b51308db7942b6d6742aaec07baa41cd91c0cfdd35af49815292c088ca743.dll",DllRegisterServer
         PID: 1016
         - System Location Discovery: System Language Discovery