Analysis
- max time kernel: 75s
- max time network: 141s
- platform: windows10_x64
- resource: win10-20220414-en
- submitted: 14-05-2022 14:19
- Static task: static1
General
- Target: f1c7ecdd62c8c9f90a069672c17201fb35d4ae5779703c1c78d7704159c287eb.dll
- Size: 532KB
- MD5: 5c0d7de45c5c82490180f3b60ab7ec0a
- SHA1: 3e57d65e10e26106dc9a4ad81b2c45bb57267eab
- SHA256: f1c7ecdd62c8c9f90a069672c17201fb35d4ae5779703c1c78d7704159c287eb
- SHA512: 60f1c66c52ae0d91cc8cc5f8ce2270ba712be4f99efe96ff323e587e22f32e16a86eb0099bd340d8754ac7c55ffc9918016061588337027ea4d6981179103df9
Malware Config
Signatures
- suricata: ET MALWARE W32/Emotet CnC Beacon 3
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    636   regsvr32.exe
    636   regsvr32.exe
- Suspicious behavior: RenamesItself (1 IoC)
  Processes:
    pid   process
    3124  regsvr32.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes:
    description                          pid   process       target process
    PID 3124 wrote to memory of 636      3124  regsvr32.exe  regsvr32.exe
    PID 3124 wrote to memory of 636      3124  regsvr32.exe  regsvr32.exe
Processes
- C:\Windows\system32\regsvr32.exe (depth 1)
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\f1c7ecdd62c8c9f90a069672c17201fb35d4ae5779703c1c78d7704159c287eb.dll
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\regsvr32.exe (depth 2, child of the process above)
    Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\SVvOqfdCB\fOLfa.dll"
    - Suspicious behavior: EnumeratesProcesses