emotet | hxxp://46[.]22[.]199[.]21/assets/660086_537319/

General

Target

http://46.22.199.21/assets/660086_537319/

Score

10^/10

emotet epoch5 banker macro suricata trojan xlm

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

http://avionxpress.com/lp/T9b1Bga4FdDfP5HI/

Extracted

Family

emotet

Botnet

Epoch5

C2

45.138.98.34:80

69.16.218.101:8080

51.210.242.234:8080

185.148.168.220:8080

142.4.219.173:8080

54.38.242.185:443

191.252.103.16:80

104.131.62.48:8080

62.171.178.147:8080

217.182.143.207:443

168.197.250.14:80

37.44.244.177:8080

66.42.57.149:443

210.57.209.142:8080

159.69.237.188:443

116.124.128.206:8080

128.199.192.135:8080

195.154.146.35:443

185.148.168.15:8080

195.77.239.39:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1404	4376	rundll32.exe	EXCEL.EXE

suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata
Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exe

flow pid process

185 1496 rundll32.exe
189 1496 rundll32.exe
190 1496 rundll32.exe
191 1496 rundll32.exe
Downloads MZ/PE file

flow	pid	process
185	1496	rundll32.exe
189	1496	rundll32.exe
190	1496	rundll32.exe
191	1496	rundll32.exe

Suspicious Office macro 1 IoCs

Office document equipped with 4.0 macros.

macro xlm

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Xyyj_87.xlsm	office_xlm_macros

Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

1404 rundll32.exe
2860 rundll32.exe
Drops file in System32 directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\Psdghtoiclo\qjbi.dqk rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1404	rundll32.exe
2860	rundll32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Psdghtoiclo\qjbi.dqk	rundll32.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEfirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exeEXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 2 IoCs

Processes:

chrome.exefirefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4376 EXCEL.EXE

pid	process
4376	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exerundll32.exechrome.exe

pid	process
2288	chrome.exe
2288	chrome.exe
1328	chrome.exe
1328	chrome.exe
1404	chrome.exe
1404	chrome.exe
356	chrome.exe
356	chrome.exe
5116	chrome.exe
5116	chrome.exe
4172	chrome.exe
4172	chrome.exe
1496	rundll32.exe
1496	rundll32.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

1328 chrome.exe
1328 chrome.exe
1328 chrome.exe
1328 chrome.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

firefox.exe

description	pid	process
Token: SeDebugPrivilege	3208	firefox.exe
Token: SeDebugPrivilege	3208	firefox.exe
Token: SeDebugPrivilege	3208	firefox.exe
Token: SeDebugPrivilege	3208	firefox.exe
Token: SeDebugPrivilege	3208	firefox.exe
Token: SeDebugPrivilege	3208	firefox.exe
Token: SeDebugPrivilege	3208	firefox.exe
Token: SeDebugPrivilege	3208	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exefirefox.exe

pid	process
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
3208	firefox.exe
3208	firefox.exe
3208	firefox.exe
3208	firefox.exe
1328	chrome.exe
1328	chrome.exe

Suspicious use of SendNotifyMessage 59 IoCs

Processes:

chrome.exefirefox.exe

pid	process
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
3208	firefox.exe
3208	firefox.exe
3208	firefox.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

firefox.exeEXCEL.EXE

pid	process
3208	firefox.exe
4376	EXCEL.EXE
4376	EXCEL.EXE
4376	EXCEL.EXE
4376	EXCEL.EXE
4376	EXCEL.EXE
4376	EXCEL.EXE
4376	EXCEL.EXE
4376	EXCEL.EXE
4376	EXCEL.EXE
4376	EXCEL.EXE
4376	EXCEL.EXE
4376	EXCEL.EXE
4376	EXCEL.EXE
4376	EXCEL.EXE
4376	EXCEL.EXE
4376	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1328 wrote to memory of 3724	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 3724	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 1536	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 1536	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 1536	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 1536	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 1536	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 1536	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 1536	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 1536	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 1536	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 1536	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 1536	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 1536	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 1536	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 1536	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 1536	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 1536	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 1536	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 1536	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 1536	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 1536	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 1536	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 1536	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 1536	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 1536	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 1536	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 1536	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 1536	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 1536	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 1536	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 1536	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 1536	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 1536	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 1536	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 1536	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 1536	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 1536	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 1536	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 1536	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 1536	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 1536	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 2288	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 2288	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 1624	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 1624	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 1624	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 1624	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 1624	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 1624	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 1624	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 1624	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 1624	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 1624	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 1624	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 1624	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 1624	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 1624	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 1624	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 1624	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 1624	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 1624	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 1624	1328	chrome.exe	chrome.exe
PID 1328 wrote to memory of 1624	1328	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" http://46.22.199.21/assets/660086_537319/
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ffc057c4f50,0x7ffc057c4f60,0x7ffc057c4f70
2⤵
PID:3724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1508,4425612948791497671,15778683116793576460,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1492 /prefetch:2
2⤵
PID:1536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1508,4425612948791497671,15778683116793576460,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1848 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1508,4425612948791497671,15778683116793576460,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2300 /prefetch:8
2⤵
PID:1624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1508,4425612948791497671,15778683116793576460,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2700 /prefetch:1
2⤵
PID:2096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1508,4425612948791497671,15778683116793576460,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2692 /prefetch:1
2⤵
PID:2384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1508,4425612948791497671,15778683116793576460,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4120 /prefetch:8
2⤵
PID:2260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1508,4425612948791497671,15778683116793576460,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4544 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1508,4425612948791497671,15778683116793576460,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1508,4425612948791497671,15778683116793576460,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4884 /prefetch:8
2⤵
PID:4948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1508,4425612948791497671,15778683116793576460,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4472 /prefetch:8
2⤵
PID:5080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1508,4425612948791497671,15778683116793576460,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4256 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1508,4425612948791497671,15778683116793576460,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4260 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1508,4425612948791497671,15778683116793576460,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5104 /prefetch:8
2⤵
PID:3968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1508,4425612948791497671,15778683116793576460,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1360 /prefetch:8
2⤵
PID:4428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1508,4425612948791497671,15778683116793576460,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4332 /prefetch:8
2⤵
PID:4464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1508,4425612948791497671,15778683116793576460,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4440 /prefetch:8
2⤵
PID:4512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1508,4425612948791497671,15778683116793576460,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4144 /prefetch:8
2⤵
PID:4568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1508,4425612948791497671,15778683116793576460,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4444 /prefetch:8
2⤵
PID:4536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1508,4425612948791497671,15778683116793576460,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5412 /prefetch:8
2⤵
PID:4624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1508,4425612948791497671,15778683116793576460,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
2⤵
PID:4960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1508,4425612948791497671,15778683116793576460,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
2⤵
PID:2220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1508,4425612948791497671,15778683116793576460,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4276 /prefetch:8
2⤵
PID:5084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1508,4425612948791497671,15778683116793576460,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2148 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1508,4425612948791497671,15778683116793576460,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1420 /prefetch:8
2⤵
PID:4140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1508,4425612948791497671,15778683116793576460,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4984 /prefetch:8
2⤵
PID:4628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1508,4425612948791497671,15778683116793576460,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=852 /prefetch:8
2⤵
PID:1952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1508,4425612948791497671,15778683116793576460,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5392 /prefetch:8
2⤵
PID:4208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1508,4425612948791497671,15778683116793576460,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4848 /prefetch:8
2⤵
PID:4204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1508,4425612948791497671,15778683116793576460,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4996 /prefetch:8
2⤵
PID:1188

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1976

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
1⤵
PID:3636

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:3508

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3208

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3208.0.1227077872\1194099761" -parentBuildID 20200403170909 -prefsHandle 1536 -prefMapHandle 1528 -prefsLen 1 -prefMapSize 219680 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3208 "\\.\pipe\gecko-crash-server-pipe.3208" 1612 gpu
3⤵
PID:812

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3208.3.562706911\889131196" -childID 1 -isForBrowser -prefsHandle 2248 -prefMapHandle 2244 -prefsLen 122 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3208 "\\.\pipe\gecko-crash-server-pipe.3208" 2256 tab
3⤵
PID:1616

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3208.13.1409011108\791269983" -childID 2 -isForBrowser -prefsHandle 2840 -prefMapHandle 2836 -prefsLen 988 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3208 "\\.\pipe\gecko-crash-server-pipe.3208" 2720 tab
3⤵
PID:1252

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3208.20.513868182\1143493300" -childID 3 -isForBrowser -prefsHandle 3540 -prefMapHandle 3124 -prefsLen 6979 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3208 "\\.\pipe\gecko-crash-server-pipe.3208" 3552 tab
3⤵
PID:4240

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Downloads\Xyyj_87.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4376

C:\Windows\SysWow64\rundll32.exe
C:\Windows\SysWow64\rundll32.exe ..\ourl.ocx,D"&"l"&"lR"&"egister"&"Serve"&"r
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
PID:1404

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\ourl.ocx",DllRegisterServer
3⤵
- Loads dropped DLL
- Drops file in System32 directory
PID:2860

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Psdghtoiclo\qjbi.dqk",fmOBxsrdTgKJiD
4⤵
PID:4544

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Psdghtoiclo\qjbi.dqk",DllRegisterServer
5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:1496

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Downloads\Xyyj_87.xlsm
MD5
5a8fa49e1cd7e07b7ff5e3fcc0377a47

SHA1
ce476bdd4b8dc12cbbc20ecadfc3963b52ccc180

SHA256
31b22b3bfa7d0ca56d5da96fa37279dcfa197f6ab4caf533a51cb8bdcd5d90ec

SHA512
2cc8a654aa02445203e56107e407027b880123b0630724b8ec86162142b954fe25b1d04e0cd66c6d99663becf36513bac4da2ac3cf95b936d9b9198e77bdf415

Download Submit
C:\Users\Admin\ourl.ocx
MD5
562dab32542a479f5047898e2db9dfa4

SHA1
3123cba17796285c7176e333d6c46eedb74c5f7d

SHA256
7b996a7128a06f089f0b4a46465ef2027383b348f8577d25e77a12f65877dec5

SHA512
16898a79955cec1723c8f731df380c603f80ae44d96f3a40206d926af31c52633c5f27ded975d89afec849403ae83bcc8543882c74cdc83f920c1c16084c9994

Download Submit
\??\pipe\crashpad_1328_FJXRYMWDPVDTRWNZ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\ourl.ocx
MD5
562dab32542a479f5047898e2db9dfa4

SHA1
3123cba17796285c7176e333d6c46eedb74c5f7d

SHA256
7b996a7128a06f089f0b4a46465ef2027383b348f8577d25e77a12f65877dec5

SHA512
16898a79955cec1723c8f731df380c603f80ae44d96f3a40206d926af31c52633c5f27ded975d89afec849403ae83bcc8543882c74cdc83f920c1c16084c9994

Download Submit
\Users\Admin\ourl.ocx
MD5
562dab32542a479f5047898e2db9dfa4

SHA1
3123cba17796285c7176e333d6c46eedb74c5f7d

SHA256
7b996a7128a06f089f0b4a46465ef2027383b348f8577d25e77a12f65877dec5

SHA512
16898a79955cec1723c8f731df380c603f80ae44d96f3a40206d926af31c52633c5f27ded975d89afec849403ae83bcc8543882c74cdc83f920c1c16084c9994

Download Submit
memory/1404-266-0x0000000004C10000-0x0000000004C38000-memory.dmp

Filesize
160KB

Download
memory/1496-311-0x0000000005110000-0x0000000005138000-memory.dmp

Filesize
160KB

Download
memory/1496-292-0x0000000004800000-0x0000000004828000-memory.dmp

Filesize
160KB

Download
memory/1496-295-0x0000000004E70000-0x0000000004E98000-memory.dmp

Filesize
160KB

Download
memory/1496-307-0x0000000004F50000-0x0000000004F78000-memory.dmp

Filesize
160KB

Download
memory/1496-309-0x0000000005030000-0x0000000005058000-memory.dmp

Filesize
160KB

Download
memory/1496-313-0x00000000051F0000-0x0000000005218000-memory.dmp

Filesize
160KB

Download
memory/1496-315-0x00000000052D0000-0x00000000052F8000-memory.dmp

Filesize
160KB

Download
memory/2860-288-0x0000000005150000-0x0000000005178000-memory.dmp

Filesize
160KB

Download
memory/2860-275-0x0000000004E90000-0x0000000004EB8000-memory.dmp

Filesize
160KB

Download
memory/2860-277-0x0000000004F10000-0x0000000004F38000-memory.dmp

Filesize
160KB

Download
memory/2860-279-0x0000000004F90000-0x0000000004FB8000-memory.dmp

Filesize
160KB

Download
memory/2860-286-0x0000000004FF0000-0x0000000005018000-memory.dmp

Filesize
160KB

Download
memory/2860-273-0x0000000004A30000-0x0000000004A58000-memory.dmp

Filesize
160KB

Download
memory/4376-130-0x00007FFBCF620000-0x00007FFBCF630000-memory.dmp

Filesize
64KB

Download
memory/4376-129-0x00007FFBCF620000-0x00007FFBCF630000-memory.dmp

Filesize
64KB

Download
memory/4376-120-0x00007FFBD30C0000-0x00007FFBD30D0000-memory.dmp

Filesize
64KB

Download
memory/4376-119-0x00007FFBD30C0000-0x00007FFBD30D0000-memory.dmp

Filesize
64KB

Download
memory/4376-118-0x00007FFBD30C0000-0x00007FFBD30D0000-memory.dmp

Filesize
64KB

Download
memory/4376-117-0x00007FFBD30C0000-0x00007FFBD30D0000-memory.dmp

Filesize
64KB

Download
memory/4376-116-0x00007FFBD30C0000-0x00007FFBD30D0000-memory.dmp

Filesize
64KB

Download
memory/4544-289-0x0000000004810000-0x0000000004838000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads