General
Target: 3ebf4a590d63162883c7fb3b8ab890339cea65734ff6861b30a281720fa1351a.dll
Filesize: 532KB
Completed: 14-05-2022 15:09
Task: behavioral1
Score: 10/10
MD5: dd9345eb27f70592e324fa05e2b0c77c
SHA1: 32da549b966da329a43106fa3cbdc64ba376957f
SHA256: 3ebf4a590d63162883c7fb3b8ab890339cea65734ff6861b30a281720fa1351a
SHA512: d82bc8be7a059e386f317a20a970f0b44039a868f7e0b4323a0bf539cb42eda0ece00d5afaa58312e9a64118ff02597b3e94395c68a7231ec61aa8c62b1e45c5
Signatures (5)
- Emotet
  Description: Emotet is a trojan that is primarily spread through spam emails.
- suricata: ET MALWARE W32/Emotet CnC Beacon 3
  Description: suricata: ET MALWARE W32/Emotet CnC Beacon 3
- Suspicious behavior: EnumeratesProcesses (regsvr32.exe)
  Reported IOCs (pid, process):
    436  regsvr32.exe
    436  regsvr32.exe
- Suspicious behavior: RenamesItself (regsvr32.exe)
  Reported IOCs (pid, process):
    3380  regsvr32.exe
- Suspicious use of WriteProcessMemory (regsvr32.exe)
  Reported IOCs (description, pid, process, target process):
    PID 3380 wrote to memory of 436  3380  regsvr32.exe  regsvr32.exe
    PID 3380 wrote to memory of 436  3380  regsvr32.exe  regsvr32.exe
Processes (2)
- C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3ebf4a590d63162883c7fb3b8ab890339cea65734ff6861b30a281720fa1351a.dll
  Signatures: Suspicious behavior: RenamesItself; Suspicious use of WriteProcessMemory
- C:\Windows\system32\regsvr32.exe
  Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\MnXLFBAXdeB\zIuAuVKY.dll"
  Signatures: Suspicious behavior: EnumeratesProcesses
Downloads
- memory/436-121-0x0000000000000000-mapping.dmp
- memory/3380-116-0x0000000180000000-0x0000000180030000-memory.dmp