Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

feed199d88...29.dll

windows7-x64

10

feed199d88...29.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/11/2024, 17:49 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    feed199d881bf81988cf09377815c87479d8467bf24d66dc7172cb2f31f5c029.dll

  • Size

    887KB

  • MD5

    ef487a16129eb5dcc4e1a3598d4ab025

  • SHA1

    3ee5b3d2b80970be0c981cad0c13f3018d251695

  • SHA256

    feed199d881bf81988cf09377815c87479d8467bf24d66dc7172cb2f31f5c029

  • SHA512

    0d31c9f2a1b575f75920c328f5247387917d15622f1f4bf1ea62ab42f2e0884d3189c12955b77fcd9936c225e48979ec2adc4761d212c4d3a3f4232760534787

  • SSDEEP

    12288:A0BQgtzAxM8q6BkmkxisTsxwJzCQ6TZ56lu4Vp4y1F9SFXCwQobk:Ar6zAxVq6Bkm7saIzCXTZxUJFcF

Score
10/10
emotetepoch5bankertrojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch5

C2

178.238.225.252:8080

139.196.72.155:8080

36.67.23.59:443

103.56.149.105:8080

37.44.244.177:8080

85.25.120.45:8080

202.134.4.210:7080

78.47.204.80:443

83.229.80.93:8080

93.104.209.107:8080

80.211.107.116:8080

165.22.254.236:8080

104.244.79.94:443

185.148.169.10:8080

190.145.8.4:443

175.126.176.79:8080

139.59.80.108:8080

188.165.79.151:443

128.199.217.206:443

64.227.55.231:8080
ecs1.plain
1
-----BEGIN PUBLIC KEY-----
2
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE9C8agzYaJ1GMJPLKqOyFrlJZUXVI
3
lAZwAnOq6JrEKHtWCQ+8CHuAIXqmKH6WRbnDw1wmdM/YvqKFH36nqC2VNA==
4
-----END PUBLIC KEY-----
eck1.plain
1
-----BEGIN PUBLIC KEY-----
2
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2DWT12OLUMXfzeFp+bE2AJubVDsW
3
NqJdRC6yODDYRzYuuNL0i2rI2Ex6RUQaBvqPOL7a+wCWnIQszh42gCRQlg==
4
-----END PUBLIC KEY-----

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Emotet family
    emotet
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\feed199d881bf81988cf09377815c87479d8467bf24d66dc7172cb2f31f5c029.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:848
    • C:\Windows\system32\regsvr32.exe
      C:\Windows\system32\regsvr32.exe "C:\Windows\system32\XYBkysGeaDus\uLKR.dll"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2928

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    241.150.49.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.150.49.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    219.135.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    219.135.221.88.in-addr.arpa
    IN PTR
    Response
    219.135.221.88.in-addr.arpa
    IN PTR
    a88-221-135-219deploystaticakamaitechnologiescom
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    140.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    140.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    200.163.202.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    200.163.202.172.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    18.31.95.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.31.95.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    41.110.86.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    41.110.86.104.in-addr.arpa
    IN PTR
    Response
    41.110.86.104.in-addr.arpa
    IN PTR
    a104-86-110-41deploystaticakamaitechnologiescom
  • flag-kr
    GET
    https://218.38.121.17/
    regsvr32.exe
    Remote address:
    218.38.121.17:443
    Request
    GET / HTTP/1.1
    Connection: Keep-Alive
    Cookie: QdW=cVidc4Detpdd4mjhUZaGb2h/cXKt+V4oUtc7PXuQVKeTPZercmVnygTpXQefPAG0E2UrYLAJUpnAkHnIn3oxVIYun389gR/SWHF6QvsdCOJb2kG3MELM4GracfIQmRjXxPRJA7B1kRrK8VkCUjaRXQdR2/2r9MBuevrdhDEvfhN4bEhhEfNK51NROH8TCANobnhx3hESCLtqe+NiLHYAzPbUMk82DfS/JVU+Nu4oT+AhoDcudczaH/uM07GlzzcSvpNqD8J7jAayVyQBza02/dgObxD7qSG9ZLXULIhTIbl/13PmS0jQIu6hxjSKGh0HI9xqenHxP3s=
    Host: 218.38.121.17
  • flag-us
    DNS
    17.121.38.218.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    17.121.38.218.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    218.135.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    218.135.221.88.in-addr.arpa
    IN PTR
    Response
    218.135.221.88.in-addr.arpa
    IN PTR
    a88-221-135-218deploystaticakamaitechnologiescom
  • flag-us
    DNS
    101.209.201.84.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    101.209.201.84.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    22.236.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    22.236.111.52.in-addr.arpa
    IN PTR
    Response
  • 218.38.121.17:443
    https://218.38.121.17/
    tls, http
    regsvr32.exe
    1.0kB
     1.9kB
     8
    6

    HTTP Request

    GET https://218.38.121.17/
  • 186.250.48.5:443
    regsvr32.exe
    260 B
     200 B
     5
    5
  • 80.211.107.116:8080
    regsvr32.exe
    208 B
     4
  • 174.138.33.49:7080
    regsvr32.exe
    208 B
     4
  • 165.22.254.236:8080
    regsvr32.exe
    208 B
     4
  • 185.148.169.10:8080
    regsvr32.exe
    260 B
     200 B
     5
    5
  • 62.171.178.147:8080
    regsvr32.exe
    260 B
     160 B
     5
    4
  • 128.199.217.206:443
    regsvr32.exe
    260 B
     200 B
     5
    5
  • 210.57.209.142:8080
    regsvr32.exe
    156 B
     3
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
     90 B
     1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    241.150.49.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    241.150.49.20.in-addr.arpa

  • 8.8.8.8:53
    219.135.221.88.in-addr.arpa
    dns
    73 B
     139 B
     1
    1

    DNS Request

    219.135.221.88.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    140.32.126.40.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    140.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    200.163.202.172.in-addr.arpa
    dns
    74 B
     160 B
     1
    1

    DNS Request

    200.163.202.172.in-addr.arpa

  • 8.8.8.8:53
    18.31.95.13.in-addr.arpa
    dns
    70 B
     144 B
     1
    1

    DNS Request

    18.31.95.13.in-addr.arpa

  • 8.8.8.8:53
    41.110.86.104.in-addr.arpa
    dns
    72 B
     137 B
     1
    1

    DNS Request

    41.110.86.104.in-addr.arpa

  • 8.8.8.8:53
    17.121.38.218.in-addr.arpa
    dns
    72 B
     143 B
     1
    1

    DNS Request

    17.121.38.218.in-addr.arpa

  • 8.8.8.8:53
    218.135.221.88.in-addr.arpa
    dns
    73 B
     139 B
     1
    1

    DNS Request

    218.135.221.88.in-addr.arpa

  • 8.8.8.8:53
    101.209.201.84.in-addr.arpa
    dns
    73 B
     133 B
     1
    1

    DNS Request

    101.209.201.84.in-addr.arpa

  • 8.8.8.8:53
    22.236.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    22.236.111.52.in-addr.arpa

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/848-0-0x0000000000A50000-0x0000000000A51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/848-1-0x0000000002500000-0x0000000002530000-memory.dmp

    Filesize

    192KB

    Download

  • memory/848-4-0x0000000180000000-0x00000001800E4000-memory.dmp

    Filesize

    912KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.