Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

ca73149836...51.dll

windows7-x64

10

ca73149836...51.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    20/11/2024, 17:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ca73149836b7c2e449f4921792d5e3b282a77d1f9a565f5cef6f7fc93aaf9b51.dll

  • Size

    658KB

  • MD5

    edbb374abe29b8513773dec435539dc2

  • SHA1

    6ceff02f01fce6d8e9f6fedd0e64a84422a19b92

  • SHA256

    ca73149836b7c2e449f4921792d5e3b282a77d1f9a565f5cef6f7fc93aaf9b51

  • SHA512

    120796679d40939e2f310f054153e4acfacf627346237dba6000cfbaf141f153aa036b7a7779c7bb22c7a29c8fa78bfc6a08de4a0e478a4f83ecbee48bbb21fa

  • SSDEEP

    12288:V4wcc2MydZgRd9aa8l85Qr0t6DZ32QcbplMyVJqhBgyXBaZe+yEltg/BQ4LJlnfp:V4wcc2WRd9aaKDhAkyVJ4BaZAnJln1kI

Score
10/10
emotetepoch5bankertrojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch5

C2

175.126.176.79:8080

165.22.254.68:443

116.124.128.206:8080

202.29.239.162:443

103.71.99.57:8080

88.217.172.165:8080

93.104.209.107:8080

104.244.79.94:443

196.44.98.190:8080

85.214.67.203:8080

85.25.120.45:8080

54.37.228.122:443

103.41.204.169:8080

165.232.185.110:8080

195.77.239.39:8080

36.67.23.59:443

59.148.253.194:443

103.85.95.4:8080

157.230.99.206:8080

139.196.72.155:8080
ecs1.plain
eck1.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Emotet family
    emotet
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ca73149836b7c2e449f4921792d5e3b282a77d1f9a565f5cef6f7fc93aaf9b51.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:2508
    • C:\Windows\system32\regsvr32.exe
      C:\Windows\system32\regsvr32.exe "C:\Windows\system32\SSbUTa\XoOanlFUb.dll"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2524

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2508-5-0x0000000000150000-0x0000000000151000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2508-2-0x0000000180000000-0x000000018002B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/2508-0-0x00000000005F0000-0x000000000069A000-memory.dmp

    Filesize

    680KB

    Download

  • memory/2508-6-0x00000000005F0000-0x000000000069A000-memory.dmp

    Filesize

    680KB

    Download

  • memory/2524-7-0x0000000001D50000-0x0000000001DFA000-memory.dmp

    Filesize

    680KB

    Download

  • memory/2524-12-0x0000000001D50000-0x0000000001DFA000-memory.dmp

    Filesize

    680KB

    Download

  • memory/2524-14-0x0000000001D50000-0x0000000001DFA000-memory.dmp

    Filesize

    680KB

    Download

  • memory/2524-16-0x0000000001D50000-0x0000000001DFA000-memory.dmp

    Filesize

    680KB

    Download