Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

65fd241e71...f3.dll

windows7-x64

10

65fd241e71...f3.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    20/11/2024, 18:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    65fd241e717c262a22dd48a74029fa834be2e7f60531493f7fa9aa80ea4e27f3.dll

  • Size

    364KB

  • MD5

    cf0ee4f2b82a1acc36e2f4e3ab8919c0

  • SHA1

    0346459eafc4cb3c28cbb6628b630de21f463fec

  • SHA256

    65fd241e717c262a22dd48a74029fa834be2e7f60531493f7fa9aa80ea4e27f3

  • SHA512

    69066548c922d3d72116a9a81547a51521599a105e9be95829a35204ab72a267043ca50eaa99e2d174444e488a6a9fd38e081ece94c9402c87417f582a9814a3

  • SSDEEP

    6144:EbmRW/X22TR72tKbxGeykesyj1BQr6blJLUDblVpM54WWBKWuSIZ5ib0wj:E42Gi7/ypRBQrgI5M54riZYbf

Score
10/10
emotetepoch5bankertrojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch5

C2

93.104.209.107:8080

195.154.146.35:443

202.134.4.210:7080

185.148.168.220:8080

68.183.93.250:443

175.126.176.79:8080

203.153.216.46:443

202.28.34.99:8080

210.57.209.142:8080

36.67.23.59:443

159.69.237.188:443

207.148.81.119:8080

54.38.143.246:7080

45.71.195.104:8080

103.56.149.105:8080

78.46.73.125:443

85.214.67.203:8080

66.42.57.149:443

51.68.141.164:8080

54.37.106.167:8080
ecs1.plain
eck1.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Emotet family
    emotet
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\65fd241e717c262a22dd48a74029fa834be2e7f60531493f7fa9aa80ea4e27f3.dll
    1⤵
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:2384
    • C:\Windows\system32\regsvr32.exe
      C:\Windows\system32\regsvr32.exe "C:\Windows\system32\KQfOeNyCohTww\niXb.dll"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2780

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2384-0-0x0000000180000000-0x0000000180032000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2384-3-0x00000000002C0000-0x00000000002C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2384-4-0x000007FEF7F60000-0x000007FEF7FC1000-memory.dmp

    Filesize

    388KB

    Download

  • memory/2780-8-0x0000000180000000-0x0000000180032000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2780-9-0x000007FEF7F00000-0x000007FEF7F61000-memory.dmp

    Filesize

    388KB

    Download

  • memory/2780-11-0x000007FEF7F00000-0x000007FEF7F61000-memory.dmp

    Filesize

    388KB

    Download

  • memory/2780-12-0x000007FEF7F00000-0x000007FEF7F61000-memory.dmp

    Filesize

    388KB

    Download

  • memory/2780-17-0x000007FEF7F00000-0x000007FEF7F61000-memory.dmp

    Filesize

    388KB

    Download

  • memory/2780-18-0x000007FEF7F00000-0x000007FEF7F61000-memory.dmp

    Filesize

    388KB

    Download