Analysis
max time kernel: 148s
max time network: 148s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 20-11-2024 18:49
Static task: static1
Behavioral task: behavioral1
Sample: 1dd26f40fb8de877805eddfc65875a46cafc49950b93e234b08b0da7e12038eb.dll
Resource: win7-20240903-en

General
Target: 1dd26f40fb8de877805eddfc65875a46cafc49950b93e234b08b0da7e12038eb.dll
Size: 653KB
MD5: f84f6037679b13b820598a1cabe7a545
SHA1: 0c8cd51a8c6bee429b5c51ea9c712a844d3126a6
SHA256: 1dd26f40fb8de877805eddfc65875a46cafc49950b93e234b08b0da7e12038eb
SHA512: dafe6b1370aae3a648faa7f88b4954c7805411722ad3d4e9297eb84d0dcfe954f5816bc986c0c2c3962015cb2d4ebbfc5b8d520402656fd027333def4f864611
SSDEEP: 12288:lcQKcc2Tlb6Ky9aa9lNeSrjNMYps1ribNaygIH5gHQGEAfv7lwzWTSrOpBVkU8Qn:lcQKcc2Fy9aa4Y+gYygIZgHQnoWyiOpd

Malware Config
Extracted
Family: emotet
Botnet: Epoch5
Signatures
Emotet family

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
  pid   Process
  2112  regsvr32.exe
  2976  regsvr32.exe
  2976  regsvr32.exe

Suspicious behavior: RenamesItself (1 IoC)
Processes:
  pid   Process
  2112  regsvr32.exe

Suspicious use of WriteProcessMemory (5 IoCs)
Processes:
  description                        pid   Process       procid_target
  PID 2112 wrote to memory of 2976   2112  regsvr32.exe  30
  PID 2112 wrote to memory of 2976   2112  regsvr32.exe  30
  PID 2112 wrote to memory of 2976   2112  regsvr32.exe  30
  PID 2112 wrote to memory of 2976   2112  regsvr32.exe  30
  PID 2112 wrote to memory of 2976   2112  regsvr32.exe  30

Processes
1. C:\Windows\system32\regsvr32.exe
   Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1dd26f40fb8de877805eddfc65875a46cafc49950b93e234b08b0da7e12038eb.dll
   PID: 2112
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: RenamesItself
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\regsvr32.exe
      Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\QlVLPy\eyftvCLYUDREMcO.dll"
      PID: 2976
      - Suspicious behavior: EnumeratesProcesses