Analysis
- max time kernel: 56s
- max time network: 143s
- platform: windows10_x64
- resource: win10-20220414-en
- submitted: 14-05-2022 14:34
- Static task: static1
General
- Target: 635ccf1f52659dc0fc22202b71e35cc515af7758c5245840c19b4268e39ba418.dll
- Size: 532KB
- MD5: e02086ad8eb7a01f8ac5013ac6dd426f
- SHA1: 79a0c8a628bd369b10fb24080108ba9fdb70e85b
- SHA256: 635ccf1f52659dc0fc22202b71e35cc515af7758c5245840c19b4268e39ba418
- SHA512: be67b8be3e8042d2e904685bcfcfb5e6b49bf002e73e14b8fcef2b0c87681e141bca29526ff9f1ea0c157bbb60d81c19a3efff8ddd1e8606da33c401f2adbbe4
Malware Config
Signatures
- suricata: ET MALWARE W32/Emotet CnC Beacon 3
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid   process
  1248  regsvr32.exe
  1248  regsvr32.exe
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes:
  pid   process
  2092  regsvr32.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes:
  description                        pid   process       target process
  PID 2092 wrote to memory of 1248   2092  regsvr32.exe  regsvr32.exe
  PID 2092 wrote to memory of 1248   2092  regsvr32.exe  regsvr32.exe
Processes
- C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\635ccf1f52659dc0fc22202b71e35cc515af7758c5245840c19b4268e39ba418.dll
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\regsvr32.exe
    Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FrGwblCscNVC\fHSnkwyqQFuat.dll"
    - Suspicious behavior: EnumeratesProcesses