Analysis
-
max time kernel
55s -
max time network
147s -
platform
windows10_x64 -
resource
win10-20220414-en -
submitted
14-05-2022 15:00
Static task
static1
General
-
Target
0ec2a2a227dc8820d737aa67cfa11181ec34259042b4db0fb73f07ae04dec26a.dll
-
Size
538KB
-
MD5
53990c7d6660491c7af59f78b3e22ce4
-
SHA1
10b09872c66094eca925a126a4d58a922a77f513
-
SHA256
0ec2a2a227dc8820d737aa67cfa11181ec34259042b4db0fb73f07ae04dec26a
-
SHA512
85ded2299faf9ce69d65bca6b6211068cd62cc2c94fe1d64c7b6d2d52994c61a706ff59629bae1406164ae942c1ac41bc214199fdc41c9b704c49948c0ecbd51
Malware Config
Signatures
-
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
-
Suspicious behavior: EnumeratesProcesses ⋅ 2 IoCs
Processes:
regsvr32.exepid process 1016 regsvr32.exe 1016 regsvr32.exe -
Suspicious behavior: RenamesItself ⋅ 1 IoCs
Processes:
regsvr32.exepid process 3984 regsvr32.exe -
Suspicious use of WriteProcessMemory ⋅ 2 IoCs
Processes:
regsvr32.exedescription pid process target process PID 3984 wrote to memory of 1016 3984 regsvr32.exe regsvr32.exe PID 3984 wrote to memory of 1016 3984 regsvr32.exe regsvr32.exe
Processes
-
C:\Windows\system32\regsvr32.exePID:3984regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0ec2a2a227dc8820d737aa67cfa11181ec34259042b4db0fb73f07ae04dec26a.dllSuspicious behavior: RenamesItselfSuspicious use of WriteProcessMemory
-
C:\Windows\system32\regsvr32.exePID:1016C:\Windows\system32\regsvr32.exe "C:\Windows\system32\SGEKAwfjWVrIfv\eMcK.dll"Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Replay Monitor
00:00
00:00
Loading data