General
Target: b1db12097fe3b1f2672ad5130fdac72dbb23de1318f7fa6c25758f586c7dbaf7.dll
Filesize: 532KB
Completed: 14-05-2022 14:50
Task: behavioral1
Score: 10/10
MD5: 727f543dde9ff81bf066e2713eda2776
SHA1: 372bf93fbd57ebeefea7b2d01355f3a966199653
SHA256: b1db12097fe3b1f2672ad5130fdac72dbb23de1318f7fa6c25758f586c7dbaf7
SHA512: ed31b322834fc56f8cb28add37ddc613c7474ec129a8c790ac220ec95915a4546a7ede122a67e4f1227e74b78df5c2cef978059a5e84d9eb7ce539fef782c110
Malware Config
Signatures (5)

1. Emotet
Description: Emotet is a trojan that is primarily spread through spam emails.
Tags: -

2. suricata: ET MALWARE W32/Emotet CnC Beacon 3
Description: suricata: ET MALWARE W32/Emotet CnC Beacon 3
Tags: -

3. Suspicious behavior: EnumeratesProcesses (regsvr32.exe)
Reported IOCs: pid 436, process regsvr32.exe

4. Suspicious behavior: RenamesItself (regsvr32.exe)
Reported IOCs: pid 3380, process regsvr32.exe

5. Suspicious use of WriteProcessMemory (regsvr32.exe)
Reported IOCs: PID 3380 (regsvr32.exe) wrote to memory of PID 436 (regsvr32.exe)
Processes (2)

- C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b1db12097fe3b1f2672ad5130fdac72dbb23de1318f7fa6c25758f586c7dbaf7.dll
  Signatures: Suspicious behavior: RenamesItself; Suspicious use of WriteProcessMemory

- C:\Windows\system32\regsvr32.exe
  Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\GsEtgwbICIYH\EBPmdvq.dll"
  Signatures: Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads
- memory/436-121-0x0000000000000000-mapping.dmp
- memory/3380-116-0x0000000180000000-0x0000000180030000-memory.dmp