Edit tour
Windows
Analysis Report
zzkCIdCoDt.exe
Overview
General Information
| Sample Name: | zzkCIdCoDt.exe (renamed file extension from exe to dll) |
| Analysis ID: | 745008 |
| MD5: | e383dda8987435a6a3950aa9a6909b2c |
| SHA1: | 8b3982937eddd443b671161e04c80a2ed5e68818 |
| SHA256: | 8c1db84c9f86675e3487960e5275fdf2e690b53eff1879e2d72673463fe1055a |
| Tags: | dllexe |
| Infos: |  |
 | |
Detection
Emotet
| Score: | 84 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Snort IDS alert for network traffic
Creates an autostart registry key pointing to binary in C:\Windows
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Checks for debuggers (devices)
Connects to several IPs in different countries
Registers a DLL
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
loaddll64.exe (PID: 5224 cmdline: loaddll64. exe "C:\Us ers\user\D esktop\zzk CIdCoDt.dl l" MD5: C676FC0263EDD17D4CE7D644B8F3FCD6) 
conhost.exe (PID: 5236 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) - cmd.exe (PID: 2068 cmdline:
cmd.exe /C rundll32. exe "C:\Us ers\user\D esktop\zzk CIdCoDt.dl l",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F) 
rundll32.exe (PID: 5456 cmdline: rundll32.e xe "C:\Use rs\user\De sktop\zzkC IdCoDt.dll ",#1 MD5: 73C519F050C20580F8A62C849D49215A) - regsvr32.exe (PID: 5160 cmdline:
C:\Windows \system32\ regsvr32.e xe "C:\Win dows\syste m32\AmhzcK VtZLl\siQP BMdwCPAb.d ll" MD5: D78B75FC68247E8A63ACBA846182740E) - regsvr32.exe (PID: 5452 cmdline:
regsvr32.e xe /s C:\U sers\user\ Desktop\zz kCIdCoDt.d ll MD5: D78B75FC68247E8A63ACBA846182740E) - regsvr32.exe (PID: 5144 cmdline:
C:\Windows \system32\ regsvr32.e xe "C:\Win dows\syste m32\QxWCKZ stQphkP\eg knjpoziqlz VL.dll" MD5: D78B75FC68247E8A63ACBA846182740E) - regsvr32.exe (PID: 5144 cmdline:
C:\Windows \system32\ regsvr32.e xe" "C:\Wi ndows\syst em32\Amhzc KVtZLl\siQ PBMdwCPAb. dll MD5: D78B75FC68247E8A63ACBA846182740E) - regsvr32.exe (PID: 3796 cmdline:
C:\Windows \system32\ regsvr32.e xe "C:\Use rs\user\Ap pData\Loca l\UOEgTmwb pKANXEqN\K ElhycJrzKC pLgeP.dll" MD5: D78B75FC68247E8A63ACBA846182740E) 
MpCmdRun.exe (PID: 3968 cmdline: "C:\Progra m Files\Wi ndows Defe nder\mpcmd run.exe" - wdenable MD5: A267555174BFA53844371226F482B86B) - conhost.exe (PID: 2072 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) - rundll32.exe (PID: 5488 cmdline:
rundll32.e xe C:\User s\user\Des ktop\zzkCI dCoDt.dll, DllRegiste rServer MD5: 73C519F050C20580F8A62C849D49215A) - regsvr32.exe (PID: 736 cmdline:
C:\Windows \system32\ regsvr32.e xe "C:\Win dows\syste m32\BlngRI TsHraAEaQW w\tRWuLwwW wn.dll" MD5: D78B75FC68247E8A63ACBA846182740E) - regsvr32.exe (PID: 3044 cmdline:
C:\Windows \system32\ regsvr32.e xe "C:\Win dows\syste m32\CXPSzC IcOMY\wxJW jHQhm.dll" MD5: D78B75FC68247E8A63ACBA846182740E)
- cleanup
{"C2 list": ["172.105.115.71:8080", "218.38.121.17:443", "186.250.48.5:443", "103.71.99.57:8080", "85.214.67.203:8080", "85.25.120.45:8080", "139.196.72.155:8080", "103.85.95.4:8080", "198.199.70.22:8080", "209.239.112.82:8080", "78.47.204.80:443", "36.67.23.59:443", "104.244.79.94:443", "62.171.178.147:8080", "195.77.239.39:8080", "103.56.149.105:8080", "80.211.107.116:8080", "93.104.209.107:8080", "174.138.33.49:7080", "202.28.34.99:8080", "178.62.112.199:8080", "114.79.130.68:443", "118.98.72.86:443", "103.41.204.169:8080", "178.238.225.252:8080", "83.229.80.93:8080", "46.101.98.60:8080", "82.98.180.154:7080", "87.106.97.83:7080", "196.44.98.190:8080", "139.59.80.108:8080", "103.224.241.74:8080", "103.254.12.236:7080", "185.148.169.10:8080", "165.22.254.236:8080", "37.44.244.177:8080", "54.37.228.122:443", "51.75.33.122:443", "128.199.217.206:443", "188.165.79.151:443", "210.57.209.142:8080", "160.16.143.191:8080", "175.126.176.79:8080", "202.134.4.210:7080", "103.126.216.86:443", "190.145.8.4:443", "128.199.242.164:8080", "64.227.55.231:8080"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0UPxu9nIvAI4=", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCWof1h9lMsAJA="]}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| Click to see the 7 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| Click to see the 7 entries | ||||
⊘No Sigma rule has matched
| Timestamp: | 192.168.2.3115.178.55.2249700802404304 11/13/22-17:16:57.501080 |
| SID: | 2404304 |
| Source Port: | 49700 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Virustotal: | Perma Link | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | Code function: | 0_2_00007FFC28919410 | |
| Source: | Code function: | 3_2_00007FFC28919410 | |
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00007FFC2890C334 | |
| Source: | Code function: | 3_2_00007FFC2890C334 | |
Networking | |
|---|
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Snort IDS: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | |||