Analysis

  • max time kernel
    55s
  • max time network
    147s
  • platform
    windows10_x64
  • resource
    win10-20220414-en
  • submitted
    14-05-2022 15:00

General

  • Target

    0ec2a2a227dc8820d737aa67cfa11181ec34259042b4db0fb73f07ae04dec26a.dll

  • Size

    538KB

  • MD5

    53990c7d6660491c7af59f78b3e22ce4

  • SHA1

    10b09872c66094eca925a126a4d58a922a77f513

  • SHA256

    0ec2a2a227dc8820d737aa67cfa11181ec34259042b4db0fb73f07ae04dec26a

  • SHA512

    85ded2299faf9ce69d65bca6b6211068cd62cc2c94fe1d64c7b6d2d52994c61a706ff59629bae1406164ae942c1ac41bc214199fdc41c9b704c49948c0ecbd51

Malware Config

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • suricata: ET MALWARE W32/Emotet CnC Beacon 3

    suricata: ET MALWARE W32/Emotet CnC Beacon 3

  • Suspicious behavior: EnumeratesProcesses ⋅ 2 IoCs
  • Suspicious behavior: RenamesItself ⋅ 1 IoCs
  • Suspicious use of WriteProcessMemory ⋅ 2 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0ec2a2a227dc8820d737aa67cfa11181ec34259042b4db0fb73f07ae04dec26a.dll
    Suspicious behavior: RenamesItself
    Suspicious use of WriteProcessMemory
    PID:3984
    • C:\Windows\system32\regsvr32.exe
      C:\Windows\system32\regsvr32.exe "C:\Windows\system32\SGEKAwfjWVrIfv\eMcK.dll"
      Suspicious behavior: EnumeratesProcesses
      PID:1016

Network

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

          Discovery

            Execution

              Exfiltration

                Impact

                  Initial Access

                    Lateral Movement

                      Persistence

                        Privilege Escalation

                          Replay Monitor

                          00:00 00:00

                          Downloads

                          • memory/1016-121-0x0000000000000000-mapping.dmp
                          • memory/3984-116-0x0000000180000000-0x0000000180032000-memory.dmp