8154634cf63366e94e2550188d6936858b24fc17ec8a2290f9c4f35d01d29c2b

General

Target

SecuriteInfo.com.Heur.Pack.Emotet.3.27704.83.exe
Size

140KB
MD5

9ba8d7669017fbd7c2677d235be96ca9
SHA1

c56c670e725bca22732e5c72131d766566a0dffa
SHA256

8154634cf63366e94e2550188d6936858b24fc17ec8a2290f9c4f35d01d29c2b
SHA512

3762ef7df0e1d3fda30254901efd30f6350adf7abb18a4d9417cbdda3a50cc583af6199f66c86169dd6598f29918a3deb0366ee41b6c5859c15734c650725cb0

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

nmthkgj.exe

pid process

3892 nmthkgj.exe

pid	process
3892	nmthkgj.exe

Drops file in Windows directory 2 IoCs

Processes:

SecuriteInfo.com.Heur.Pack.Emotet.3.27704.83.exe

description	ioc	process
File created	C:\Windows\Tasks\nmthkgj.job	SecuriteInfo.com.Heur.Pack.Emotet.3.27704.83.exe
File opened for modification	C:\Windows\Tasks\nmthkgj.job	SecuriteInfo.com.Heur.Pack.Emotet.3.27704.83.exe

Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

87 api.ipify.org
7 api.ipify.org
8 api.ipify.org
38 api.ipify.org
54 api.ipify.org
86 api.ipify.org

flow	ioc
87	api.ipify.org
7	api.ipify.org
8	api.ipify.org
38	api.ipify.org
54	api.ipify.org
86	api.ipify.org

Program crash 7 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3952	3588	WerFault.exe	SecuriteInfo.com.Heur.Pack.Emotet.3.27704.83.exe
3312	3892	WerFault.exe	nmthkgj.exe
3184	3892	WerFault.exe	nmthkgj.exe
3596	3588	WerFault.exe	SecuriteInfo.com.Heur.Pack.Emotet.3.27704.83.exe
736	3588	WerFault.exe	SecuriteInfo.com.Heur.Pack.Emotet.3.27704.83.exe
2728	3892	WerFault.exe	nmthkgj.exe
3264	3892	WerFault.exe	nmthkgj.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeRestorePrivilege	3952	WerFault.exe
Token: SeBackupPrivilege	3952	WerFault.exe
Token: SeDebugPrivilege	3952	WerFault.exe
Token: SeDebugPrivilege	3312	WerFault.exe
Token: SeDebugPrivilege	3184	WerFault.exe
Token: SeDebugPrivilege	3596	WerFault.exe
Token: SeDebugPrivilege	736	WerFault.exe
Token: SeDebugPrivilege	2728	WerFault.exe
Token: SeDebugPrivilege	3264	WerFault.exe

Suspicious behavior: EnumeratesProcesses 93 IoCs

Processes:

WerFault.exeSecuriteInfo.com.Heur.Pack.Emotet.3.27704.83.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	process
3952	WerFault.exe
3952	WerFault.exe
3952	WerFault.exe
3952	WerFault.exe
3952	WerFault.exe
3952	WerFault.exe
3952	WerFault.exe
3952	WerFault.exe
3952	WerFault.exe
3952	WerFault.exe
3952	WerFault.exe
3952	WerFault.exe
3952	WerFault.exe
3588	SecuriteInfo.com.Heur.Pack.Emotet.3.27704.83.exe
3588	SecuriteInfo.com.Heur.Pack.Emotet.3.27704.83.exe
3312	WerFault.exe
3312	WerFault.exe
3312	WerFault.exe
3312	WerFault.exe
3312	WerFault.exe
3312	WerFault.exe
3312	WerFault.exe
3312	WerFault.exe
3312	WerFault.exe
3312	WerFault.exe
3312	WerFault.exe
3312	WerFault.exe
3312	WerFault.exe
3184	WerFault.exe
3184	WerFault.exe
3184	WerFault.exe
3184	WerFault.exe
3184	WerFault.exe
3184	WerFault.exe
3184	WerFault.exe
3184	WerFault.exe
3184	WerFault.exe
3184	WerFault.exe
3184	WerFault.exe
3184	WerFault.exe
3184	WerFault.exe
3596	WerFault.exe
3596	WerFault.exe
3596	WerFault.exe
3596	WerFault.exe
3596	WerFault.exe
3596	WerFault.exe
3596	WerFault.exe
3596	WerFault.exe
3596	WerFault.exe
3596	WerFault.exe
3596	WerFault.exe
3596	WerFault.exe
3596	WerFault.exe
736	WerFault.exe
736	WerFault.exe
736	WerFault.exe
736	WerFault.exe
736	WerFault.exe
736	WerFault.exe
736	WerFault.exe
736	WerFault.exe
736	WerFault.exe
736	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.Pack.Emotet.3.27704.83.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.Pack.Emotet.3.27704.83.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 544
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 860
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 872
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:736

C:\ProgramData\ujffcw\nmthkgj.exe
C:\ProgramData\ujffcw\nmthkgj.exe start
1⤵
- Executes dropped EXE
PID:3892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 536
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 716
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 680
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 880
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3264

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ujffcw\nmthkgj.exe

Download Submit
C:\ProgramData\ujffcw\nmthkgj.exe

Download Submit
memory/736-26-0x0000000005150000-0x0000000005151000-memory.dmp

Filesize
4KB

Download
memory/736-23-0x0000000004920000-0x0000000004921000-memory.dmp

Filesize
4KB

Download
memory/2728-30-0x0000000004070000-0x0000000004071000-memory.dmp

Filesize
4KB

Download
memory/2728-27-0x00000000038C0000-0x00000000038C1000-memory.dmp

Filesize
4KB

Download
memory/3184-14-0x0000000003480000-0x0000000003481000-memory.dmp

Filesize
4KB

Download
memory/3184-18-0x0000000003C70000-0x0000000003C71000-memory.dmp

Filesize
4KB

Download
memory/3184-17-0x0000000003880000-0x0000000003881000-memory.dmp

Filesize
4KB

Download
memory/3264-35-0x0000000003CC0000-0x0000000003CC1000-memory.dmp

Filesize
4KB

Download
memory/3264-31-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/3312-13-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/3312-10-0x0000000002DB0000-0x0000000002DB1000-memory.dmp

Filesize
4KB

Download
memory/3588-0-0x0000000003682000-0x0000000003683000-memory.dmp

Filesize
4KB

Download
memory/3588-1-0x0000000005250000-0x0000000005251000-memory.dmp

Filesize
4KB

Download
memory/3596-19-0x0000000004360000-0x0000000004361000-memory.dmp

Filesize
4KB

Download
memory/3596-22-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/3892-9-0x0000000003DA0000-0x0000000003DA1000-memory.dmp

Filesize
4KB

Download
memory/3892-8-0x000000000339C000-0x000000000339D000-memory.dmp

Filesize
4KB

Download
memory/3952-5-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/3952-3-0x0000000004660000-0x0000000004661000-memory.dmp

Filesize
4KB

Download
memory/3952-2-0x0000000004660000-0x0000000004661000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads