Analysis
max time kernel: 50s
max time network: 138s
platform: windows10_x64
resource: win10-20220414-en
submitted: 14-05-2022 15:15
Static task: static1
General
Target: cf05c6240a8cba90e48c7aafdbd3dee5a48602e6779c12435f863c81c364ec48.dll
Size: 532KB
MD5: 984f91d3323cd783e1d7197a7aa04e05
SHA1: 8a235e2c3354839d9b736139e996d6052d6d396f
SHA256: cf05c6240a8cba90e48c7aafdbd3dee5a48602e6779c12435f863c81c364ec48
SHA512: 02e67a57f5de989034359cb6816c2f3b3c142c8648e1f1f02e78ef9c0b334f71b23d740c539e65cf6ce9361aa84980d0f91016459df70f856ca71abadfa98b3a
Malware Config
Signatures
- suricata: ET MALWARE W32/Emotet CnC Beacon 3
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    4296  regsvr32.exe
    4296  regsvr32.exe
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes:
    pid   process
    3892  regsvr32.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes:
    description                        pid   process       target process
    PID 3892 wrote to memory of 4296   3892  regsvr32.exe  regsvr32.exe
    PID 3892 wrote to memory of 4296   3892  regsvr32.exe  regsvr32.exe
Processes
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\cf05c6240a8cba90e48c7aafdbd3dee5a48602e6779c12435f863c81c364ec48.dll
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\WBiKQdSQlnxm\oKCpwWMQTDJ.dll"
    - Suspicious behavior: EnumeratesProcesses