General
Target: 6424a22ef999dfca274849a100d9a2a26fce073d34f9f0c299227199c6b47790.dll
Filesize: 532KB
Completed: 14-05-2022 14:51
Task: behavioral1
Score: 10/10
MD5: 91f3a23aa875671455aca03126e34769
SHA1: f2ad391cf7f205a8e5dc086daa3cd470c99c413b
SHA256: 6424a22ef999dfca274849a100d9a2a26fce073d34f9f0c299227199c6b47790
SHA512: acfec2fe543f285cb4439e496dcd86c09ef1ef1fc035cee3f56e93a4ee9efa79026c20a928bd7e232369a8e71a2c445af3a8c065c7c3bb5d0baeaf041cd124d7
Malware Config
Signatures (5)

Emotet
  Description: Emotet is a trojan that is primarily spread through spam emails.
  Tags: -

suricata: ET MALWARE W32/Emotet CnC Beacon 3
  Description: suricata: ET MALWARE W32/Emotet CnC Beacon 3
  Tags: -

Suspicious behavior: EnumeratesProcesses (regsvr32.exe)
  Reported IOCs:
    pid   process
    2780  regsvr32.exe
    2780  regsvr32.exe

Suspicious behavior: RenamesItself (regsvr32.exe)
  Reported IOCs:
    pid   process
    2504  regsvr32.exe

Suspicious use of WriteProcessMemory (regsvr32.exe)
  Reported IOCs:
    description                       pid   process       target process
    PID 2504 wrote to memory of 2780  2504  regsvr32.exe  regsvr32.exe
    PID 2504 wrote to memory of 2780  2504  regsvr32.exe  regsvr32.exe
Processes (2)

C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6424a22ef999dfca274849a100d9a2a26fce073d34f9f0c299227199c6b47790.dll
  Signatures: Suspicious behavior: RenamesItself; Suspicious use of WriteProcessMemory

C:\Windows\system32\regsvr32.exe
  Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\Rkntp\lBCowglDqIHGMRW.dll"
  Signatures: Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
  Tactic columns (no techniques mapped in this report): Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  memory/2504-118-0x0000000180000000-0x0000000180030000-memory.dmp
  memory/2780-123-0x0000000000000000-mapping.dmp