Analysis
max time kernel: 118s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 20-11-2024 23:17
Static task: static1
Behavioral task: behavioral1
Sample: 6644bc0bd833cb22637b5d141bf7063dcd77d28f3885450a751de34ed3774b15.dll
Resource: win7-20240903-en
General
Target: 6644bc0bd833cb22637b5d141bf7063dcd77d28f3885450a751de34ed3774b15.dll
Size: 758KB
MD5: a54e4fefa0577655b345a4656fc6d66f
SHA1: 850164ecffbe8e0c9362976d91a31e3747201609
SHA256: 6644bc0bd833cb22637b5d141bf7063dcd77d28f3885450a751de34ed3774b15
SHA512: d6da9fd74ea70af2acff96639169775074d82d91a745b6553a0b4e12ecacc7f93a9b7c440fc922cd70ac36abb592a94c081ca2586375480292468111e051a051
SSDEEP: 12288:lBseOTwOg957PAMTEFv49thrFcmxLFwD7wGcXbtzbEOpUDlBxawsoei4:keOTwOUPnTC49LJxJwaCOpUD7Ioei4
Malware Config
Extracted family: emotet
Botnet: Epoch5
C2 addresses extracted from the sample (list of IP:port pairs):
Signatures

Emotet family

System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: regsvr32.exe, rundll32.exe
description   ioc                                                            process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    regsvr32.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    rundll32.exe

Suspicious use of WriteProcessMemory (14 IoCs)
Processes: regsvr32.exe, regsvr32.exe
description          pid    process        target pid   target process   occurrences
wrote to memory of   2628   regsvr32.exe   3068         regsvr32.exe     7
wrote to memory of   3068   regsvr32.exe   2892         rundll32.exe     7
Processes
1. C:\Windows\system32\regsvr32.exe
   Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6644bc0bd833cb22637b5d141bf7063dcd77d28f3885450a751de34ed3774b15.dll
   - Suspicious use of WriteProcessMemory
   PID: 2628
   2. C:\Windows\SysWOW64\regsvr32.exe (child of PID 2628)
      Command line: /s C:\Users\Admin\AppData\Local\Temp\6644bc0bd833cb22637b5d141bf7063dcd77d28f3885450a751de34ed3774b15.dll
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 3068
      3. C:\Windows\SysWOW64\rundll32.exe (child of PID 3068)
         Command line: C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\6644bc0bd833cb22637b5d141bf7063dcd77d28f3885450a751de34ed3774b15.dll",DllRegisterServer
         - System Location Discovery: System Language Discovery
         PID: 2892