Analysis
  max time kernel: 54s
  max time network: 136s
  platform: windows10_x64
  resource: win10-20220414-en
  submitted: 14-05-2022 15:12
  Static task: static1

General
  Target: dafb5f37a27401ffd091a26ed5817a7183a85f27884fabe4b7bdac2b7bd37243.dll
  Size: 532KB
  MD5: 0d2b2d79b9ef5a3c48a0b2ad38d9ee85
  SHA1: a7d40ff2a40388e5d16e7891e275aaf7cdf26baf
  SHA256: dafb5f37a27401ffd091a26ed5817a7183a85f27884fabe4b7bdac2b7bd37243
  SHA512: f794ccd4d891f5d95e5b45cc87c63163b43cd81c7f91a3d31e8e82715cf06f44ebf9c95cd639bba22cd979d0c1b289e9b24eabeb9a3dc302ca4be40afc07a4a3

Malware Config

Signatures
suricata: ET MALWARE W32/Emotet CnC Beacon 3

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    2064  regsvr32.exe
    2064  regsvr32.exe

Suspicious behavior: RenamesItself (1 IoC)
  Processes:
    pid   process
    3696  regsvr32.exe

Suspicious use of WriteProcessMemory (2 IoCs)
  Processes:
    description                        pid   process       target process
    PID 3696 wrote to memory of 2064   3696  regsvr32.exe  regsvr32.exe
    PID 3696 wrote to memory of 2064   3696  regsvr32.exe  regsvr32.exe

Processes
  C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\dafb5f37a27401ffd091a26ed5817a7183a85f27884fabe4b7bdac2b7bd37243.dll
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\regsvr32.exe
      C:\Windows\system32\regsvr32.exe "C:\Windows\system32\WSQeGznUsSbLGQis\wIHqeOXzsU.dll"
      - Suspicious behavior: EnumeratesProcesses