Analysis
  Max time kernel: 53s
  Max time network: 140s
  Platform: windows10_x64
  Resource: win10-20220414-en
  Submitted: 14-05-2022 14:31
  Static task: static1
General
  Target: 50d35a243faf64b345bdb0cc0059b0d7a21912e97ac166e874708715cfd457ba.dll
  Size: 532KB
  MD5: 6bd614ca9f3b13f8e01a954269870701
  SHA1: 86081a830e9e5996c2742aea687f8582dda217eb
  SHA256: 50d35a243faf64b345bdb0cc0059b0d7a21912e97ac166e874708715cfd457ba
  SHA512: 1f9ba7bcb285195e5634311c1de798cb81d014a238f46ad9fee9e1d3e4b1cc4ac1f904454464a4e2531f9315fb5fdb88dc62e610b97a780d2662f8e21a4d8166
Malware Config
Signatures
  - suricata: ET MALWARE W32/Emotet CnC Beacon 3
  - Suspicious behavior: EnumeratesProcesses (2 IoCs)
    Processes (pid, process):
      2480  regsvr32.exe
      2480  regsvr32.exe
  - Suspicious behavior: RenamesItself (1 IoC)
    Processes (pid, process):
      788   regsvr32.exe
  - Suspicious use of WriteProcessMemory (2 IoCs)
    Processes (description, pid, process, target process):
      PID 788 wrote to memory of 2480   788   regsvr32.exe   regsvr32.exe
      PID 788 wrote to memory of 2480   788   regsvr32.exe   regsvr32.exe
Processes
  - C:\Windows\system32\regsvr32.exe
    Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\50d35a243faf64b345bdb0cc0059b0d7a21912e97ac166e874708715cfd457ba.dll
    Flags: Suspicious behavior: RenamesItself; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\regsvr32.exe
    Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ShqSLhBSn\cOgHln.dll"
    Flags: Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix (tactic columns): Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation