deb0cfb5c77774ef5d31ee2bf659d0e325639c28052518b4b163e3a7fdd2433b | Triage

Resubmissions

27-01-2024 16:55

240127-vfahfsaaan 10

14-07-2022 04:18

220714-ew83ysgah8 10

Analysis

max time kernel
51s
max time network
143s
platform
windows10_x64
resource
win10-20220414-en
submitted
14-07-2022 04:18

Sharing

Report Analysis Logs

General

Target

deb0cfb5c77774ef5d31ee2bf659d0e325639c28052518b4b163e3a7fdd2433b.dll
Size

831KB
MD5

02d43b3fbc2df4a71703485c7fd5f8c9
SHA1

bc6c3dc830107a26919610e8fd632f5a28672ece
SHA256

deb0cfb5c77774ef5d31ee2bf659d0e325639c28052518b4b163e3a7fdd2433b
SHA512

82671c5a730950dda666a3bbc24fa1e3d5bf1c0e18ee977df4e599ba46fb2108d60e4c8c02082a79bd5534731eef88274318139203b010b391c603f77da01c84

Score

10^/10

suricata

Malware Config

Signatures

suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

1280 regsvr32.exe
1280 regsvr32.exe
1612 regsvr32.exe
1612 regsvr32.exe
1612 regsvr32.exe
1612 regsvr32.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

regsvr32.exe

pid process

1280 regsvr32.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 1280 wrote to memory of 1612	1280	regsvr32.exe	regsvr32.exe
PID 1280 wrote to memory of 1612	1280	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\deb0cfb5c77774ef5d31ee2bf659d0e325639c28052518b4b163e3a7fdd2433b.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1280

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\CeubRHrpZtf\kuGZ.dll"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1612

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1612-121-0x0000000000000000-mapping.dmp

Download