Analysis
-
max time kernel
51s -
max time network
137s -
platform
windows10_x64 -
resource
win10-20220414-en -
submitted
14-05-2022 14:48
Static task
static1
General
-
Target
b1db12097fe3b1f2672ad5130fdac72dbb23de1318f7fa6c25758f586c7dbaf7.dll
-
Size
532KB
-
MD5
727f543dde9ff81bf066e2713eda2776
-
SHA1
372bf93fbd57ebeefea7b2d01355f3a966199653
-
SHA256
b1db12097fe3b1f2672ad5130fdac72dbb23de1318f7fa6c25758f586c7dbaf7
-
SHA512
ed31b322834fc56f8cb28add37ddc613c7474ec129a8c790ac220ec95915a4546a7ede122a67e4f1227e74b78df5c2cef978059a5e84d9eb7ce539fef782c110
Malware Config
Signatures
-
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
-
Suspicious behavior: EnumeratesProcesses ⋅ 2 IoCs
Processes:
regsvr32.exepid process 436 regsvr32.exe 436 regsvr32.exe -
Suspicious behavior: RenamesItself ⋅ 1 IoCs
Processes:
regsvr32.exepid process 3380 regsvr32.exe -
Suspicious use of WriteProcessMemory ⋅ 2 IoCs
Processes:
regsvr32.exedescription pid process target process PID 3380 wrote to memory of 436 3380 regsvr32.exe regsvr32.exe PID 3380 wrote to memory of 436 3380 regsvr32.exe regsvr32.exe
Processes
-
C:\Windows\system32\regsvr32.exePID:3380regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b1db12097fe3b1f2672ad5130fdac72dbb23de1318f7fa6c25758f586c7dbaf7.dllSuspicious behavior: RenamesItselfSuspicious use of WriteProcessMemory
-
C:\Windows\system32\regsvr32.exePID:436C:\Windows\system32\regsvr32.exe "C:\Windows\system32\GsEtgwbICIYH\EBPmdvq.dll"Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Replay Monitor
00:00
00:00
Loading data