Analysis
- max time kernel: 52s
- max time network: 134s
- platform: windows10_x64
- resource: win10-20220414-en
- submitted: 14-05-2022 14:55
Static task: static1
General
- Target: d74de65c8608bf588c0fd01c9e92fdd8bdda4053d655a117aa4ac2f1b7219082.dll
- Size: 532KB
- MD5: 3f517537110e23a56ee90633156086b8
- SHA1: 188433f70c252b6c64d4e17c95cfe297217519f8
- SHA256: d74de65c8608bf588c0fd01c9e92fdd8bdda4053d655a117aa4ac2f1b7219082
- SHA512: d398270c7b21d7d630959eaea34046bc16e14b7d9b1e47c8dc7cfdb0c5b03f65cbdc2221881637d3ec2bebda63aa1d61157e317b35ddf83b7cca12f15beb245d
Malware Config
Signatures
- suricata: ET MALWARE W32/Emotet CnC Beacon 3
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid  process
  360  regsvr32.exe
  360  regsvr32.exe
- Suspicious behavior: RenamesItself (1 IoC)
  Processes:
  pid  process
  804  regsvr32.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes:
  description                      pid  process       target process
  PID 804 wrote to memory of 360   804  regsvr32.exe  regsvr32.exe
  PID 804 wrote to memory of 360   804  regsvr32.exe  regsvr32.exe
Processes
- C:\Windows\system32\regsvr32.exe (depth 1)
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\d74de65c8608bf588c0fd01c9e92fdd8bdda4053d655a117aa4ac2f1b7219082.dll
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\regsvr32.exe (depth 2, child of the process above)
    Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FHmffmOieM\gytgfzyioRuitTn.dll"
    - Suspicious behavior: EnumeratesProcesses